Editing Futotemporarywikipage (section)

== Step 4: Setting up DNS Records in your domain registrar ==

<span id="introduction-to-domain-registrars"></span>
=== Introduction to domain registrars ===

<span id="what-is-a-domain-registrar"></span>
==== What is a domain registrar? ====

This is who you buy your website name from. If you don’t know what this is… for the love of god skip the self-hosted email section.

<span id="namecheap.com-as-an-example"></span>
==== Namecheap.com as an example ====

Namecheap is a cheap &amp; easy way to register a domain name. I will use them as an example. Their interface for DNS configuration is similar to 99% of the available providers out there.

If you have any trouble setting up these records, contact the support staff of your domain name provider who will happily provide you tech support commensurate with the fifteen dollars per year you pay them. No really, you’re on your own here… do you ''really'' want to do this??

I would love to show you how to do this on every provider, but at this time this manual is 605 pages, the video is 12+ hours, and I would like to return to my life. You will be able to find similar settings, menus, and fields in your DNS registrar if your provider isn’t horrible.

<span id="configuring-dns-records-in-namecheap"></span>
=== Configuring DNS records in Namecheap ===

<div class="figure">

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_2c3c94e.png
</gallery>

</div>
<div class="figure">

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_703091b1.png
</gallery>

</div>
<span id="find-the-dkim-thing-for-your-domain"></span>
==== 4.1. Find the DKIM thing for your domain ====

# Go to '''Email → Configuration''' on the top menu.
# Go to the '''Domains''' tab.
# In the '''Domains''' tab, click '''edit''' on the domain you created (in my case, stevesavers.com).
# Scroll down to the DKIM section. Keep this tab open for now; we will come back to it later.
# We’re not changing anything here, so there’s no need to save changes or make any changes. We just want that DKIM thing.

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_ffbba2cb.png
</gallery>

<span id="configure-dns-records-in-namecheap"></span>
==== 4.2 Configure DNS records in Namecheap ====

# Log into your Namecheap.com account.
# Go to Domain List and click '''Manage''' next to your domain.
# Navigate to the '''Advanced DNS''' tab.
# Here are the DNS records I added: you will fill them according to your specific setup. <gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_39fbaebb.png
</gallery>

<span id="cname-record"></span>
===== CNAME Record =====

* '''Host''': <code>pm-bounces</code> (Keep this exactly the same)
* '''Value''': <code>pm.mtasv.net.</code> (Keep this exactly the same)
* '''TTL''': Automatic (Keep this the same unless your DNS provider requires a different TTL setting)

This CNAME record is used by Postmark for handling email bounces. When an email bounces, it will be sent to <code>pm-bounces.[yourdomain]</code>, which forwards the bounce to Postmark’s servers. No changes are needed unless you are using a different bounce-handling service.

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_22a6cdb4.png
</gallery>

<span id="dmarc-record-txt"></span>
===== DMARC Record (TXT) =====

* '''Host''': <code>_dmarc</code> (Keep this exactly the same)
* '''Value''': <code>v=DMARC1; p=none; rua=mailto:dmarc@stevesavers.com</code> ''(Change only the email address after <code>rua=mailto:</code> to your own)''

Here’s what stays the same and what changes:

* <code>v=DMARC1</code>: (Keep this exactly the same)
* <code>p=none</code>: (Keep this exactly the same for monitoring; change to <code>p=quarantine</code> or <code>p=reject</code> once you’re ready to enforce DMARC)
* <code>rua=mailto:</code> [mailto:dmarc@stevesavers.com '''dmarc@stevesavers.com''']: Change <code>stevesavers.com</code> to your own domain and use an email where you want to receive DMARC reports.

This DMARC record helps protect your domain from email spoofing. For now, it’s in monitoring mode, so keep <code>p=none</code> if you want to monitor. If you’re ready to enforce policy, change <code>p=none</code> to <code>p=quarantine</code> or <code>p=reject</code>.

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_aa66e26f.png
File:lu55028jxdmy_tmp_257280e5.png
File:lu55028jxdmy_tmp_edea6316.png
File:lu55028jxdmy_tmp_65dc145a.png
File:lu55028jxdmy_tmp_7c22f73c.png
File:lu55028jxdmy_tmp_93ecca45.png
File:lu55028jxdmy_tmp_62fd886c.png
File:lu55028jxdmy_tmp_2a58b7ee.png
</gallery>

<span id="postmark-dkim-record-txt"></span>
===== Postmark DKIM Record (TXT) =====

This you are going to get by doing as follows:

# Go to postmark.com and log in
# Go to your domain interface, go to '''Sender Signatures''', click '''Add Domain or Signature''', then '''Add Sender Signature'''.
# Once you’re done it’ll present you with a DKIM record and a return path. I’ll show you what we’re doing with these below &amp; in the attached pictures:

<blockquote>'''Note:''' When adding your domain, choose to send from any email address on the domain, not just a single one.
</blockquote>
* '''Host''': <code>20241012215824pm._domainkey</code> (Postmark generates this value, so keep it exactly as provided by Postmark)
* '''Value''': <code>k=rsa; p=MIGfMA0GCSq...</code> (You will replace the long key string <code>p=</code> with the public key provided by Postmark)

<blockquote>'''IMPORTANT:''' The Host (<code>20241012215824pm._domainkey</code>) and <code>k=rsa</code> are specific to Postmark and should stay the same. You need to copy and paste this key exactly as Postmark provides it '''FROM POSTMARK, NOT FROM THIS GUIDE!'''
</blockquote>
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_ab1378ba.png
File:lu55028jxdmy_tmp_ba775df9.png
File:lu55028jxdmy_tmp_3ba69113.png
File:lu55028jxdmy_tmp_d073948d.png
File:lu55028jxdmy_tmp_72c9d18.png
File:lu55028jxdmy_tmp_ccb1f143.png
File:lu55028jxdmy_tmp_d4f449eb.png
</gallery>

<span id="dkim-record-for-your-domain-txt"></span>
===== DKIM Record for Your Domain (TXT) =====

# Log into mailcow’s administration interface.
# Go to '''Email → Configuration''' on the top menu.
# Go to the '''Domains''' tab.
# In the '''Domains''' tab, click '''edit''' on the domain you created (in my case, stevesavers.com).
# Scroll down to the DKIM section.
# Insert the record as follows:
#* '''Host''': <code>dkim._domainkey</code> (Keep this exactly the same unless mailcow email provider tells you to use a different prefix)
#* '''Value''': <code>v=DKIM1; k=rsa; t=s; s=email; p=MIIBIjANB...</code> (Replace this with the figure)

<blockquote>The Host should be <code>dkim._domainkey</code> unless your email provider asks for a different format. For the Value, keep <code>v=DKIM1; k=rsa; t=s; s=email</code> exactly the same. The part you need to change is the long public key string after <code>p=</code>, which will be provided by your email provider or mail server (like Mailcow). Copy and paste it carefully.
</blockquote>
<span id="spf-record-txt"></span>
===== SPF Record (TXT) =====

* '''Host''': <code>@</code> (Keep this exactly the same)
* '''Value''': <code>v=spf1 mx a include:spf.mtasv.net ~all</code> (Enter this as it is: change the include value if using a different SMTP service than postmark or if [https://postmarkapp.com/glossary/sender-policy-framework postmark changes this in the future])

Here’s what stays the same and what you need to change:

* '''Host''': Always use <code>@</code> for your main domain.
* '''Value''':
** <code>v=spf1 mx a</code>: Keep this exactly the same; it tells servers to check your MX and A records.
* <code>include:spf.mtasv.net</code>: You will need to change this if you’re using a different mail service than Postmark. Replace <code>spf.mtasv.net</code> with the SPF record provided by your SMTP service (e.g., if using a different relay like SendGrid or Amazon SES, they will give you a different include value).
* <code>~all</code>: Keep this the same unless you want stricter enforcement. You can replace <code>~all</code> with <code>-all</code> for stricter failure rules.

<span id="mail-cname-record"></span>
===== Mail CNAME Record =====

* '''Host''': mail (Keep this exactly the same)
* '''Value''': <code>louishomeserver.chickenkiller.com.</code> (Change this to the domain or subdomain that hosts your mail server, '''this is what you set when you created a dynamic DNS domain at freedns!''')

<blockquote>The Host mail stays the same. What you will change is the value after <code>Value:</code>, which should point to the domain or subdomain that hosts your mail server. Replace <code>louishomeserver.chickenkiller.com</code> with your actual mail server’s domain or subdomain.
</blockquote>
<span id="email-client-configuration-cname-records"></span>
===== Email Client Configuration CNAME Records =====

* '''Host''': autoconfig (Keep this exactly the same)
* '''Value''': <code>mail.stevesavers.com.</code> (Change this to the domain of your mail server)
* '''Host''': autodiscover (Keep this exactly the same)
* '''Value''': <code>mail.stevesavers.com.</code> (Change this to the domain of your mail server)

<blockquote>Both Host fields (autoconfig and autodiscover) stay the same, as they are used for automatic email client configuration. You will change the Value to point to your mail server’s domain or subdomain (in this case, <code>mail.stevesavers.com</code>). Replace this with your own mail server domain.
</blockquote>
<span id="mx-record"></span>
===== MX Record =====

* '''Host''': @ (Keep this exactly the same)
* '''Value''': <code>mail.stevesavers.com.</code> (Change this to the domain of your mail server)
* '''TTL''': Automatic (Keep this the same unless your DNS provider requires a specific TTL)

The Host @ stays the same to apply to your root domain. What you need to change is the value after <code>Value:</code>, which should point to the domain that handles incoming mail for your domain. Replace <code>mail.stevesavers.com</code> with your own mail server domain.

These DNS records set up email services for your domain. For the third time, here’s what stays the same and what needs changing:

* '''SPF, DKIM, and DMARC''': Most parts of these records remain the same, but you’ll need to customize the DKIM public keys and the domain-specific parts (like email addresses for DMARC reports or SPF includes).
* '''MX and CNAME records''': The basic structure stays the same, but you’ll need to update the domain values to point to your own mail server.

By carefully adjusting the fields noted for customization, you can provide the DNS setup matches your unique mail and web infrastructure.

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxdmy_tmp_3e7d5187.png
File:lu55028jxdmy_tmp_841a3e85.png
File:lu55028jxdmy_tmp_6d09e55d.png
File:lu55028jxdmy_tmp_3abfd2ad.png
</gallery>

<span id="go-back-to-postmark-verify-your-dns-records."></span>
==== 4.3 Go back to Postmark &amp; verify your DNS records. ====

# Go to postmark.com and log in.
# Go to your domain interface, go to '''Sender Signatures'''.
# Click onto the ones you just created.
# Click '''VERIFY''' next to both '''DKIM''' and '''Return Path.'''
# If it doesn’t work yet, no big deal, DNS changes can take time to propagate.

<span id="step-5-pfsense-firewall-introduction"></span>