Hello, so I have been using ISPConfig 3 for a few days. The IP immediately got blocked by live mail. I was curious as to how others deal with their IP reputation? I usually add SPF records but I usually set up mail servers for one customer with 1 IP. I am not sure how to add records suitable for all customers on the platform? Does anyone have any advice on how they handle their mail reputation? I can confirm I sent no spam during this period but still live mail decided to block the IP. I will request an unblock once I have found a solution. I would appreciate any feedback.
Microsoft mail services are a bit crazy, I guess they block everyone in advance, no matter if you ever had sent a single spam mail. The best option is to use DKIM (see Florian's DKIM plugin for ISPConfig) plus SPF records for all domains that send through your server.
An SPF record per customer then I guess, if it's possible, as there is a 255 character limit? Thanks for the quick reply, I will install DKIM and apply to be removed from Microsoft. I wonder how mail companies handle this, as SPF records per client can't be easily managed. I am not sure if it's even possible. Is there a URL for this plugin? I am only finding stuff in a different language and the page fails to load.
Are you familiar with spf "include:"? See https://www.howtoforge.com/communit...dns-record-for-all-domains.72058/#post-339105 for an example that makes managing/updating many SPF records pretty maintainable. SPF records are set per-domain and per-host (anything with an A record in dns), though you may of course have common needs per client and could implement that as well. A typical client with no special needs can use something like this (mx records point to a host, not CNAME, so add an SPF record for it, too):
Code:
    yourclient.com TXT "v=spf1 +a:www.yourclient.com include:spf.yourcompany.com -all"
    mx.yourclient.com TXT "v=spf1 ip4:mx.ip.ad.dr a -all"
Say another client has their own ip space that needs allowed and a couple domains:
Code:
    client2.com TXT "v=spf1 +a:www.client2.com +ip4:aa.bb.cc.dd/26 include:spf.yourcompany.com -all"
    mx.client2.com TXT "v=spf1 ip4:mx.ip.ad.dr a -all"
    mx2.client2.com TXT "v=spf1 ip4:mx2.ip.ad.dr a -all"
    client2-dom2.com TXT "v=spf1 include:client2.com -all"
    mx.client2-dom2.com TXT "v=spf1 ip4:mx.ip.ad.dr a -all"
You maintain the spf.yourcompany.com record according to your hosting needs, and the client maintains the client2.com spf record according to theirs.
That is very useful, thank you for that. I will do something similar with this. I will test this with my private domain. Do you have any examples for an SPF record for the company? I'm currently using v=spf1 mx a ip4:46.101.88.xxx32 ?all
Edit: just to clarify, I added these 2 records to my domain (which hosts ispconfig):
    * 3600 TXT v=spf1 +a:host.com include:spf.host.com -all
    spf 3600 TXT v=spf1 +a +mx +a:host.com +a:web.host.com -all
Then on the domain:
    * 3600 TXT v=spf1 +a:www.domain.me.uk include:spf.host.com -all
From that other comment/link:
Code:
    spf.yourdomain.com TXT "v=spf1 +a +mx +a:mail.yourcompany.com +a:webmail.yourcompany.com +a:web1.yourcompany.com +a:web2.yourcompany.com include:mail.relay.company -all"
    yourcompany.com TXT "v=spf1 +a:www.yourcompany.com include:spf.yourcompany.com -all"
    yourclient.com TXT "v=spf1 +a:www.yourclient.com include:spf.yourcompany.com -all"
Is that what you mean, or just a live domain setup this way?
Sorry, I updated my original request, does this make more sense now?
----------
Just to clarify, I added these 2 records to my domain (which hosts ispconfig):
    * 3600 TXT v=spf1 +a:host.com include:spf.host.com -all
    spf 3600 TXT v=spf1 +a +mx +a:host.com +a:web.host.com -all
Then on the domain:
    * 3600 TXT v=spf1 +a:www.domain.me.uk include:spf.host.com -all
OR does it need to be set to this only on the hosting domain (host.com)?
    host.com 3600 TXT v=spf1 +a:host.com include:spf.host.com -all
    spf 3600 TXT v=spf1 +a +mx +a:host.com +a:web.host.com include:mail.host.com -all
    domain.me.uk 3600 TXT v=spf1 +a:www.domain.me.uk include:spf.host.com -all
You would create a record at spf.host.com to cover your hosting infrastructure, ie. ip addrs of your mail and web servers (any place your customer's email would be sent from). Then include that in the SPF record for both your own host.com domain and in your customer's domain. You can use wildcard entries to cover unknown hostnames, but any name that is known has to have its own record (eg. mx hosts, and anything else with an A record). I think my example is bad in that the spf record to be included shouldn't have '+a +mx', as there won't be an A or MX record for spf.host.com, just the TXT. Maybe more like:
    spf.host.com: v=spf1 +a:mail1.host.com +a:webmail.host.com +a:web1.host.com +a:web2.host.com -all
    host.com: v=spf1 +a +mx +a:www.host.com include:spf.host.com -all
    mail1.host.com: v=spf1 +a -all
    webmail.host.com: v=spf1 +a -all
    web1.host.com: v=spf1 +a -all
    web2.host.com: v=spf1 +a -all
    ftp.host.com: v=spf1 -all
    db1.host.com: v=spf1 +a -all
    db2.host.com: v=spf1 +a -all
    *.host.com: v=spf1 +a -all
And add SPF records for any other names which have an A (note ftp shouldn't be used in HELO hostname in this example).
    domain.me.uk: v=spf1 +a +mx +a:www.domain.me.uk include:spf.host.com -all
    mail.domain.me.uk: v=spf1 -all
    *.domain.me.uk: v=spf1 -all
Here the mx record would point to "mail.domain.me.uk", but that server (ie. your mail server) would never identify as that, so not allowed. You could maybe improve that first spf.host.com record by listing ip addresses instead of using hostnames, and it would require fewer dns lookups (although it would then require more maintenance when your servers change/add addresses).
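Added example, not part of any post in this thread: the reply above notes that listing IP addresses instead of hostnames costs fewer DNS lookups. RFC 7208 caps the DNS-querying terms (a, mx, ptr, exists, include, redirect) at 10 per SPF evaluation, and an included record spends the including domain's budget, so this Python sketch counts them over a constructed zone modelled on the records above. The spf-ip.host.com and domain-ip.me.uk names and the 192.0.2.x addresses are placeholders.

```python
# Added example: SPF lookup-budget audit over a constructed in-memory zone.
MAX_LOOKUPS = 10      # RFC 7208 limit on DNS-querying terms per SPF check
MAX_TXT_STRING = 255  # one TXT character-string holds at most 255 bytes
LOOKUP_MECHANISMS = {"a", "mx", "ptr", "exists", "include"}

# Constructed records modelled on the thread's layout; the "-ip" names and
# the 192.0.2.x addresses are placeholders, not values from the thread.
ZONE = {
    "spf.host.com": "v=spf1 +a:mail1.host.com +a:webmail.host.com "
                    "+a:web1.host.com +a:web2.host.com -all",
    "host.com": "v=spf1 +a +mx +a:www.host.com include:spf.host.com -all",
    "domain.me.uk": "v=spf1 +a +mx +a:www.domain.me.uk include:spf.host.com -all",
    "spf-ip.host.com": "v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 ip4:192.0.2.20/31 -all",
    "domain-ip.me.uk": "v=spf1 +a +mx include:spf-ip.host.com -all",
}


def count_lookups(domain, zone=ZONE, path=frozenset()):
    """Count the DNS-querying terms needed to evaluate domain's SPF record."""
    if domain in path:
        raise ValueError(f"include loop at {domain}")
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")
    path = path | {domain}
    total = 0
    for term in record.split()[1:]:
        if term.startswith("redirect="):  # modifier: one lookup, then recurse
            total += 1 + count_lookups(term.split("=", 1)[1], zone, path)
            continue
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.split("/")[0].lower()  # "a/24" -> "a"
        if name in LOOKUP_MECHANISMS:
            total += 1
        if name == "include":  # the included record spends the same budget
            total += count_lookups(arg, zone, path)
    return total


def audit(domain, zone=ZONE):
    """Return a list of problems with one domain's SPF record (empty = fine)."""
    problems = []
    if len(zone[domain].encode()) > MAX_TXT_STRING:
        problems.append("record exceeds one 255-byte TXT string")
    lookups = count_lookups(domain, zone)
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} lookups exceeds limit of {MAX_LOOKUPS}")
    return problems
```

With hostnames in spf.host.com, a customer domain already spends 8 of the 10 lookups; the address-based variant spends 3.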
I understand, however this caused confusion. Do you mean I should leave out mail.domain.me.uk: v=spf1 -all Or no? Thank you for the help by the way.
What do you use as an MX record for domain.me.uk? If it's something like mx.host.com, you don't need an spf record for mail.domain.me.uk. If you set the MX record to something like mail.domain.me.uk, and simply give that host an A record with the same ip address(es) of your hosting mail server, you would add that spf record. Unless you've gone out of your way to configure them differently, your hosting mail servers will never identify themselves as mail.domain.me.uk in smtp (eg. "EHLO mail.domain.me.uk"), so you can safely create an spf record that doesn't let anyone else identify as that name, either.
I don't know if you really need dkim / spf to avoid blacklisting by microsoft. imho the best option is to join the "smart network data services" and check your ip periodically. I have seen blocks because they did not receive mails within the last x days from the ip (so: no mail is spam) and they usually block subnets and not only single ips. Don't use includes with spf as long as you don't know what you are doing. "v=spf1 mx a -all" is working in most setups.
All the help was great, I am no longer blacklisted. Smart network data was also great. Many thanks.