If I add a domain and add email addresses using that domain, must I manually create the DNS records needed to get mail to the mailbox of that domain? An MX record? An SOA record? A PTR record, etc. I'm new to ISPConfig. I imagine the answer is self-evident, but . . . .
Yes and no. The records obviously need to exist, and you don't say if you're using ISPConfig for DNS or an external DNS service. For an external DNS service, you will need to create all the DNS records for every domain you use with them, probably manually. With ISPConfig, you will still need to create all those records, but not necessarily manually. And not SOA or PTR: the SOA will be created when you create the DNS zone. The PTR will need to be created by your hosting provider, or your telecoms provider if you use your own line; either one might provide an interface where you can do this through them, otherwise you'll have to ask them to do it for you.

You can create DNS zone templates in ISPConfig, so you can create different templates dependent on domains not using mail, or using particular MX servers. So you can add the relevant MX / SPF records to the templates; they will then get created automatically when you create a new DNS zone using those templates via the wizard. DMARC is also possible via the templates, although you'd have to know in advance that a specific mail forward/mailbox will exist on that domain, or, if you're using a different email domain to receive all DMARC reports, you'll have to manually create a DMARC record in the recipient domain's DNS to authorise receiving DMARC reports for that domain, or create a wildcard *._report._dmarc entry in the recipient domain's DNS to allow receiving DMARC reports for any (literally every) domain.

If you're using BIMI, you'll need to create those records, and encode the logo in a .pem file and host that file somewhere (you can use SVG files, but gmail / outlook.com won't display those, and probably other large email service providers won't either); most likely you/your clients won't be using BIMI, so this can all be ignored. If you don't configure them in the templates, then you'll need to create all these records manually.

DKIM will be automatically added to the DNS in ISPConfig when you enable it on the mail domain; otherwise you'll need to add it manually if you use an external DNS service, using the info shown in the boxes where you enabled it. All of the PTR, DKIM, SPF and DMARC records will need to exist. Most other mailservers will not accept any mail from your mailserver if the PTR record doesn't exist, or doesn't match your mailserver's name/IP. Google and outlook/hotmail have recently blocked accepting mail if there's no SPF record, and are getting stricter on DKIM and DMARC.
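As an added example (not from the thread, and not ISPConfig code), here is an offline check of the record set the reply above says must exist for a mail domain: an MX, exactly one SPF TXT record, a DKIM key under the chosen selector, a DMARC policy, and a PTR for the MX host that matches its forward name. DNS answers come from a constructed in-memory table so it runs without network access; the domain names, the selector `default`, the 192.0.2.10 address and the DKIM key fragment are all placeholders. To use it against live DNS, replace `lookup` with real queries (for example via dnspython).

```python
# Added example (not from the thread or ISPConfig): an offline check that a
# mail domain publishes MX, SPF, DKIM, DMARC and a forward-confirmed PTR.
# DNS answers are served from a constructed in-memory table so the script
# runs without network access; swap `lookup` for real queries to go live.
import ipaddress
import re

# Constructed stand-in for live DNS answers, keyed by (owner name, rrtype).
FAKE_DNS = {
    ("hosteddomain.tld.", "MX"): ["10 mail.domain.tld."],
    ("mail.domain.tld.", "A"): ["192.0.2.10"],          # documentation address
    ("hosteddomain.tld.", "TXT"): ["v=spf1 mx a -all"],
    ("default._domainkey.hosteddomain.tld.", "TXT"): ["v=DKIM1; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."],
    ("_dmarc.hosteddomain.tld.", "TXT"): ["v=DMARC1; p=quarantine; rua=mailto:dmarc@domain.tld; fo=1"],
    ("10.2.0.192.in-addr.arpa.", "PTR"): ["mail.domain.tld."],
}


def lookup(name, rrtype, dns=FAKE_DNS):
    """Return the rdata strings for (name, rrtype), or [] when absent."""
    return dns.get((name.lower(), rrtype), [])


def reverse_name(ip):
    """Owner name of the PTR record for an IPv4/IPv6 address (absolute form)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def parse_tags(txt):
    """Split a 'k=v; k=v' record (DKIM, DMARC) into a dict; first '=' wins."""
    return dict(part.strip().split("=", 1) for part in txt.split(";") if "=" in part)


def check_mail_records(domain, selector="default", dns=FAKE_DNS):
    """Return {check: problem}; an empty dict means every record is in place."""
    problems = {}
    zone = domain.rstrip(".") + "."

    mx = lookup(zone, "MX", dns)
    mx_host = mx[0].split()[1] if mx else None
    if not mx_host:
        problems["MX"] = "no MX record"

    spf = [t for t in lookup(zone, "TXT", dns) if t.lower().startswith("v=spf1")]
    if len(spf) != 1:                       # two SPF records is a permerror
        problems["SPF"] = "expected exactly one v=spf1 record, found %d" % len(spf)
    elif not re.search(r"\s[-~]all$", spf[0]):
        problems["SPF"] = "SPF record does not end in -all or ~all"

    dkim = lookup("%s._domainkey.%s" % (selector, zone), "TXT", dns)
    if not any(parse_tags(t).get("v") == "DKIM1" and parse_tags(t).get("p") for t in dkim):
        problems["DKIM"] = "no DKIM1 key published for selector %r" % selector

    dmarc = lookup("_dmarc." + zone, "TXT", dns)
    tags = parse_tags(dmarc[0]) if dmarc else {}
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        problems["DMARC"] = "missing or malformed _dmarc record"

    if mx_host:
        addrs = lookup(mx_host, "A", dns) + lookup(mx_host, "AAAA", dns)
        if not addrs:
            problems["MX_ADDRESS"] = "MX target %s has no A/AAAA record" % mx_host
        for ip in addrs:
            ptr = [p.lower() for p in lookup(reverse_name(ip), "PTR", dns)]
            if mx_host.lower() not in ptr:  # forward-confirmed reverse DNS
                problems["PTR"] = "%s does not reverse to %s" % (ip, mx_host)
    return problems


if __name__ == "__main__":
    print(check_mail_records("hosteddomain.tld") or "all mail records present")
```

The PTR check is the one a hosting customer cannot fix in their own zone: the reverse name lives under in-addr.arpa / ip6.arpa and is served by whoever owns the address block, which is why the reply says to ask the provider for it.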
Thanks for the long, detailed, and helpful reply! I appreciate it. I intended to enter the Hetzner (my new host) nameservers at my domain registrar (Namecheap) as nameservers for both the main hosting domain, and the hosted domains that I add in ISPConfig. As you helped me understand, I added a DNS zone for one of the hosted domains, using ISPConfig, with all the needed mail records for one of the hosted domains. (This was what I asked about. Thanks!) Unfortunately, although mail worked (i.e. postfix, roundcube, etc.), it worked for mail sent through the Hetzner server. Nothing else could find the hosted domain until I added a zone for the hosted site at Hetzner. Then, the website at the hosted domain was findable. I just cannot tell whether any part of the ISPConfig DNS zone is working. (The subdomains I added in ISPConfig also seem to be unfindable.) I'm not sure what the best practice is here, but I believe I shall delete the ISPConfig zone and add all the hosted records to the Hetzner zone. Ultimately, this isn't what I want, since I have a couple "clients" who are "resellers." (Quotes because those are accurate roles, but there's no payment or sales involved.) I can't constantly adjust the zones at Hetzner when those folks add and change their domains around.
Your ISPConfig DNS zones are quite likely to be fine. If you are hosting nameservers on the same domain that the DNS zone is for, then you need to not only set those nameservers for the domain with your domain registrar, you'll also need to create glue (IP) records for them with your registrar as well. I.e. if your domain is myowndomain.com, and your nameservers are ns1.myowndomain.com and ns2.myowndomain.com, you have to set the nameservers for the domain to these with your domain registrar, but you also have to tell them what IPs these two nameservers use (both IPv4 and IPv6 for each nameserver if both IPv4 and IPv6 are used), otherwise nothing will know how to find your nameservers. You're effectively asking where ns1.myowndomain.com is by trying to look up ns1.myowndomain.com and asking it what its own IP is, so you can find it to ask it where ns1.myowndomain.com is. A circular problem: you can't find out where to find it without already knowing where to find it, so the IPs need to be registered a bit higher up the DNS chain, hence the glue records at your registrar.

Your main domain's zone in ISPConfig should look something like:

Code:
servername                      3600  A     ***.***.***.***
mail                            3600  A     ***.***.***.***
ns1                             3600  A     ***.***.***.***
ns2                             3600  A     ***.***.***.***
domain.tld.                     3600  A     ***.***.***.***
www                             3600  A     ***.***.***.***
servername                      3600  AAAA  ****:***:***:****::1
mail                            3600  AAAA  ****:***:***:****::1
ns1                             3600  AAAA  ****:***:***:****::1
ns2                             3600  AAAA  ****:***:***:****::1
www                             3600  AAAA  ****:***:***:a84e::1
domain.tld.                     3600  CAA   0 issue "letsencrypt.org"
domain.tld.                     3600  MX    10 mail.domain.tld.
domain.tld.                     3600  NS    ns1.domain.tld.
domain.tld.                     3600  NS    ns2.domain.tld.
default._domainkey.domain.tld.  3600  TXT   "v=DKIM1; t=s; p=<DKIM KEY STRING>"
domain.tld.                     3600  TXT   "v=spf1 mx a -all"
_dmarc.domain.tld.              3600  TXT   "v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1"

replacing the *'s with the correct IPv4 / IPv6 addresses, servername with the actual hostname of the ISPConfig server, and domain.tld with your own domain name. This is also assuming you are using domain.tld and the www subdomain to host a website for your own domain.

And a hosted client's DNS should look like:

Code:
hosteddomain.tld.                     3600  A     ***.***.***.***
www                                   3600  A     ***.***.***.***
hosteddomain.tld.                     3600  AAAA  ****:***:***:****::1
www                                   3600  AAAA  ****:***:***:****::1
hosteddomain.tld.                     3600  CAA   0 issue "letsencrypt.org"
hosteddomain.tld.                     3600  MX    10 mail.domain.tld.
hosteddomain.tld.                     3600  NS    ns1.domain.tld.
hosteddomain.tld.                     3600  NS    ns2.domain.tld.
hosteddomain.tld.                     3600  TXT   "v=spf1 mx a -all"
default._domainkey.hosteddomain.tld.  3600  TXT   "v=DKIM1; t=s; p=<DKIM KEY STRING>"
_dmarc.hosteddomain.tld.              3600  TXT   "v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=0:1"

Note that the hosted domain's NS records point to the FQDN of the NS servers on your own domain, as does the MX record for the MX server. You do not need to specify A records for the MX server or the NS servers on a hosted domain.

You had to create the DNS zone in Hetzner's own control panel? This means the nameservers assigned to the domain at the domain registrar are Hetzner's own nameservers, not your ISPConfig nameservers.
Thanks, once more, for the detailed and very helpful response. I haven't had to set up DNS on a server for at least a decade, and your reply has set me on the proper track. I decided to start with getting the Hetzner server findable by all things DNS. So, I deleted the DNS records at Hetzner. I added the records for the server at Hetzner in ISPConfig following the template in your first box. Then I added the glue records connecting the nameservers to the IP address at my name registrar, namecheap, and pointed the domain name to those name servers. After 48 hours, dig gives me this -- which seems right:

Code:
# dig +norecurse ns @a.gtld-servers.net theansw3r.net

; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> +norecurse ns @a.gtld-servers.net theansw3r.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4724
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;theansw3r.net.                 IN      NS

;; AUTHORITY SECTION:
theansw3r.net.          172800  IN      NS      ns1.theansw3r.net.
theansw3r.net.          172800  IN      NS      ns2.theansw3r.net.

;; ADDITIONAL SECTION:
ns1.theansw3r.net.      172800  IN      A       135.181.149.168
ns2.theansw3r.net.      172800  IN      A       135.181.149.168

;; Query time: 40 msec
;; SERVER: 2001:503:a83e::2:30#53(a.gtld-servers.net) (UDP)
;; WHEN: Mon Feb 17 18:41:17 UTC 2025
;; MSG SIZE  rcvd: 110

But also this - which doesn't:

Code:
# dig ns ns1.theansw3r.net

; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> ns ns1.theansw3r.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29448
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;ns1.theansw3r.net.             IN      NS

;; Query time: 585 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon Feb 17 18:27:04 UTC 2025
;; MSG SIZE  rcvd: 46

root@checkerspot:~# dig ns ns1.theansw3r.net +all

; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> ns ns1.theansw3r.net +all
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24131
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;ns1.theansw3r.net.             IN      NS

;; Query time: 622 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon Feb 17 18:36:20 UTC 2025
;; MSG SIZE  rcvd: 46

And then, there's this:

So, as should be clear, I don't know what I'm doing, though after your replies, I thought I did. I think what I shall try next is to use Hetzner's DNS and add the theansw3r.net nameservers there, at the same time removing the glue records at namecheap.
Have you read this already? https://www.howtoforge.com/tutorial/setting-up-your-own-name-service-with-ispconfig/
Yes. When things weren't working originally, I worked through that. With help from nhybgtvfr, I THINK I've worked through the steps in that tutorial. (Admittedly, I may have done something obviously stupid or wrong.) The process isn't completely new -- cwp and cpanel have similar functions -- but I haven't changed hosting companies for a long time. At least part of the time, I used the host's DNS and nameservers for the main host site, in this case theansw3r.net, and once or twice for mail. I'd love to have ISPConfig do it all.
For the DNS records in ISPConfig, use just the subdomain, or use a . at the end of a full domain name. E.g. for an A record, use 'ns1' or 'ns1.theansw3r.net.', not 'ns1.theansw3r.net'. The trailing . indicates the absolute end of the hostname; without the trailing ., DNS appends the zone's name to the record, so if you use ns1.theansw3r.net, bind is seeing the hostname as ns1.theansw3r.net.theansw3r.net.
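As an added example (not from the thread, ISPConfig or BIND), the rule in the reply above applied mechanically: a bare label gets the zone origin appended, a name ending in a dot is absolute and left alone, and a full name typed without the dot also gets the origin appended, producing the doubled name. The zone lines, the origin theansw3r.net., and the 203.0.113.x / 2001:db8:: addresses are constructed placeholders. It also checks the host name in the rdata of NS, MX, CNAME and PTR records, which BIND qualifies the same way.

```python
# Added example (not from the thread, ISPConfig or BIND): apply BIND's
# owner-name rule to zone lines and flag names entered without the trailing
# dot. Zone lines and addresses below are constructed placeholders.
ORIGIN = "theansw3r.net."           # zone origin, absolute (trailing dot)

# Record types whose rdata ends in a host name that is qualified the same way.
HOST_TARGET_TYPES = {"NS", "CNAME", "MX", "PTR"}

ZONE_LINES = [                                              # constructed input
    "ns1                 3600 A    203.0.113.5",            # relative: ns1.theansw3r.net.
    "ns2.theansw3r.net.  3600 A    203.0.113.6",            # absolute: fine
    "ns1.theansw3r.net   3600 AAAA 2001:db8::5",            # no trailing dot: wrong
    "@                   3600 NS   ns1.theansw3r.net.",     # absolute target: fine
    "@                   3600 NS   ns2",                    # relative target: fine
    "@                   3600 MX   10 mail.theansw3r.net",  # target lacks dot: wrong
]


def qualify(name, origin=ORIGIN):
    """Absolute name BIND derives for an owner or target written in a zone."""
    if name in ("@", ""):
        return origin                # '@' stands for the origin itself
    if name.endswith("."):
        return name                  # already absolute, left untouched
    return name + "." + origin       # relative: the origin is appended


def doubled_origin(fqdn, origin=ORIGIN):
    """True when the origin's labels appear twice in a row at the end of fqdn."""
    labels = fqdn.rstrip(".").split(".")
    olabels = origin.rstrip(".").split(".")
    n = len(olabels)
    return len(labels) >= 2 * n and labels[-n:] == olabels and labels[-2 * n:-n] == olabels


def check_zone(lines, origin=ORIGIN):
    """Return (line, role, qualified name) for every name that doubles the origin."""
    problems = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0].startswith(";"):
            continue                 # blank, comment or malformed line
        owner, rrtype, rdata = parts[0], parts[2].upper(), parts[3:]
        names = [("owner", owner)]
        if rrtype in HOST_TARGET_TYPES:
            names.append(("target", rdata[-1]))   # last field is the host name
        for role, raw in names:
            full = qualify(raw, origin)
            if doubled_origin(full, origin):
                problems.append((line, role, full))
    return problems


if __name__ == "__main__":
    for line, role, full in check_zone(ZONE_LINES):
        print("%s in %r resolves to %s" % (role, line, full))
```

The same rule is why the zone listings earlier in the thread write the NS and MX targets as ns1.domain.tld. and mail.domain.tld. with the dot: an MX target of mail.domain.tld entered without it inside a hosted client's zone would point at mail.domain.tld.hosteddomain.tld.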
Aha! I see this now, both in your comments and in the examples in the tutorial! Duh. I'll give it a try.
Worked instantly! Thank you so much! I really, really appreciate all your help! I never would have caught my errors, though now those errors seem obvious.