DIY Email setup

From DIYWiki

It sounds like a trivial question, but how do you set up an email address?

In some cases you might get email bundled as a service from your Internet Service Provider (ISP) who you buy your broadband from. Alternatively many people will opt to use one of the many web based email platforms like gmail, yahoo, or Outlook etc. Or you might even do both.

Both these routes can work well, and are very simple to set up. They are often also "free" (at least in the sense that it is less obvious how you are paying for them!)

Why DIY?

While using webmail or your ISP's default mail service may seem like the "path of least resistance", there are some downsides to getting your email service like this.

ISP bundled email

Using the ISP service usually means that the ISP's name is included in the "domain" bit (i.e. what comes after the "@") of your email address. That means that "your" email address is tied to the ISP's domain name. If you change ISP, then you potentially lose access to your email address as well.

ISP bundled email services might only have limited storage capacity, limiting how many messages you can hold in your mailbox at one time. An ISP service may also not allow creation of multiple email addresses.

Webmail

Email accounts with webmail providers probably have more storage capacity than one included from your ISP, but again they will often include the name of the provider in the domain - meaning that you don't "own" the address and can run into the same problem of losing the address if you move to a new provider.

The anatomy of an email address and sub domains
We are all familiar with the standard format of an email address like "info@acompany.co.uk", but sometimes there is more going on there than you might expect with the "domain" part of the address (i.e. the bit that comes after the "@").

When you use an email service provided by your ISP, they will own the domain part of the email address, and you can't change that. However some ISPs will create a "subdomain" for each customer, which can offer more flexibility. A subdomain is an extra label added to the front of the domain name. E.g. in www.acompany.co.uk, the "www" bit is a subdomain.

Some UK ISPs allow each customer to create a unique account name, which is then included in their email address as a subdomain. For example if you use the ISP Plusnet, and have chosen the account name "snazzy", your email address could be "archie@snazzy.plus.net". This structure makes it easier to create several related email addresses like "sales@snazzy.plus.net" and "marketing@snazzy.plus.net" that are still obviously related to your account. It also saves needing to mess with the name part of the address to create different email addresses: john@splurge.aisp.com and dave@splurge.aisp.com look more readable than john-splurge@aisp.com and dave-splurge@aisp.com.

Alternative ways to get email?

A popular way to get an email service is to register your own internet domain name, and then add a mail service to that. This article explains why you might want to do that, and then goes through step by step what you need to do.

Advantages of using your own domain

Using your own domain means that you "own" the name - you still need to rent the domain, and renew it every year or so - but generally you can keep it for as long as you want, and not risk losing your address. You can also change email providers at will, but still retain the same email addresses, and create email solutions that exactly match your needs.

You also get to present a more professional, or a more personal "brand" to the world...

"enquiries@rapidplumbers.com" will present a more professional image than "rapidplumbers4@aol.com", and "joe@theretiredfisherman.co.uk" might be more relatable to your friends than "joebloggs243@gmail.com"

Having your own hosted email can also be a little bit more secure - since it is less obvious to the casual viewer where they can go to try and login to your email!

You will likely be able to get large mailboxes, multiple mailboxes, and also some handy extras like creating address aliases (i.e. new email addresses that forward to one or more mailboxes). This can be handy for handing out a unique address to a contact or business without using your actual email address. When mail is sent to it, it will be delivered to your mailbox. Adding a layer of indirection like this also means that if an address starts getting lots of spam because a company sold your address to a data broker, you can just change the alias to block it!

How to set up an email system

What you will need

You will need a domain name. Typically you would register this at any one of many domain registrars. They will then give you access to a control panel that will let you administer the domain, and in particular make changes to the records held in the Domain Name System (DNS). The DNS records are what tells the outside world where to direct things like email, or how to find a web site (if you have one) etc.

You will need a mailbox provider. This may be a service also offered by the domain registrar, but it does not need to be - it can be a third party, and often it is better when it is (see comments about bundled services above!)

Lastly you will probably want some email software to run on your computer or phone that will let you access your email - although there are webmail options even with your own domain.

Step by Step

For this example we will walk though setting up a mail system. We are going to take the slightly harder path and assume that your domain registrar, your mailbox provider, and your internet service provider are all separate companies. This means we need to address each of the steps ourselves. In reality it might be simpler if, say for example, your mailbox provider and domain registrar are the same company.

  • So, let's use the fictitious registrar niftydomains.com to register our domain: diyloopy.com (no doubt some bright spark will go and register this!).
  • We have a DNS control panel on niftydomains.com
  • and a mail hosting company we will call emailcavern.co.uk and they will also give you access to a control panel to configure and setup your email for diyloopy.com as well as to create mailboxes.

Using separate providers for each bit of the service may introduce extra steps - we will highlight those below. We will assume you are setting up a "normal" mailbox that can be accessed via SMTP (Simple Mail Transfer Protocol - usually used for sending email from a computer), and IMAP (Internet Message Access Protocol), used for reading mail. IMAP typically stores all the mail on the server, so that it can be accessed by multiple devices while keeping them all in sync.

Setup the email domain with the mail host

(This step will probably not be required if using a mailbox provided by your domain registrar, but here niftydomains.com and emailcavern.co.uk are different companies)

There are typically two parts to this - adding the domain to the mail system, and then updating the DNS to point incoming email toward the mail system:

  1. You will need to find the admin section on emailcavern.co.uk, and select the option to add your domain name. Enter your domain diyloopy.com. You may be given some options about the size and type of mailbox.
  2. Create your first mailbox. Let's say it is for Albert, and his address will be albert@diyloopy.com (email addresses are not case sensitive, but the email address is often used as a user name when connecting to a mail server, and that *might* be case sensitive. So it is better to enter email addresses in all lower case to save later confusion).
  3. Now you need to tell the outside world how to reach your mail system. This is done by adding Mail eXchanger (MX) records to your domain. The MX records will be used by systems sending email to albert@diyloopy.com: they do a DNS lookup to get the MX records for the diyloopy.com domain, and that tells them which mail system to forward the email to. You will need to check with your mail provider what MX records are required. Many will offer two servers, so that there is a fallback for the sending system to try if the first does not respond. Let's say the mail system wants MX records for mx1.loopyserver.com and mx2.loopyserver.com; you will need to create new MX records that point to "mx1.loopyserver.com." and "mx2.loopyserver.com.". Go to the control panel for niftydomains.com, and add the MX records that emailcavern.co.uk gave you. Typically you will be asked for a Host Name - normally you leave this blank, or you might need to enter "@" to indicate that you are setting up mail for the main diyloopy.com domain. You will be asked for the address that points to the mail server (the extra "." on the end of the MX record pointer is intentional: it marks the name as fully qualified, so the DNS editor does not append diyloopy.com to it), and you might be asked for a "Priority". This is just a number to indicate the order of precedence if there are multiple servers to choose from; the one with the lowest Priority number will be tried first. Give the first one a priority of 10, and the next 20, etc. Save the DNS changes.

You now have the basics of a mail system configured.

Set up your mailbox in an email client

So that you can test your new account, set up your new mailbox in an email client like Thunderbird. You will need the email address and password you set up above, and the host names of the mail provider's SMTP and IMAP servers. Many modern mail hosts will only accept connections to the mail servers that use a secure encrypted connection. This prevents anyone snooping on the connection to the mail server. The help pages or tech support people for your mail provider should be able to give you all the details you need to set up your system.

Once you have your email software set up, go ahead and send yourself a test email!

Improve the security and resilience of your mail system

Now there was a time when the setup done so far would have been "enough" to send and receive email reliably. However there are weaknesses in this very basic setup which enable bad actors to easily send email and claim it originates from your domain, and there would be no easy way for a mail system receiving an email to check if it is legitimate. Alas more than 99% of the billions of emails sent each day are spam or worse: phishing, scamming, and any number of other malicious communications. So over the years the Internet Engineering Task Force (IETF) has conceived technical solutions to some of these problems, and email service providers have slowly adopted more and more of them as "required" to try and stop abuse of mail systems.

Sender Policy Framework

How can a mail system tell if a mail it is being sent actually comes from the sender it claims to be from? If it knew this it would be better able to decide whether to deliver the message, mark it as spam, or even just delete it. A Sender Policy Framework (SPF) record lists the only mail servers that are "allowed" to send email for your domain (it does not actually stop someone spoofing an email from another server - but it makes it clearer when this happens). So if a receiving server gets an incoming mail from a server that claims to be sending a message from your domain, but it is not coming from a server you have listed in your SPF record, it knows to treat it with greater suspicion! You can also indicate the action you would prefer the receiving server to take if it does get an email claiming to be from your domain but sent from a rogue system.

(note that if you are using a package of mailboxes from your domain registrar, this setup might already have been done - see how to check your SPF record)

All mail systems should have an SPF record published.

So how do you know what needs to go in your SPF record? Easy answer is usually to ask your mail provider or look at their help pages, they will often have one ready to go that you can paste into your DNS record.

Failing that, there are a number of SPF generators about that will help craft one for you, or you can work out what you need and make your own.

More info for the curious (you can skip this bit!)

What it comes down to is a simple "TXT" record in the DNS. A mail server receiving a message that says it comes from albert@diyloopy.com will do a DNS lookup to get the SPF record. It will then check that the server that is sending the email, is on the list of allowed ones in the SPF record.

So what does an SPF record look like?

"v=spf1 a ip4:37.244.88.92 ip4:85.133.123.0/24 include:emailsrvr.com include:_spf.google.com ~all"

What the bits mean:

  • The "v=spf1" indicates that this TXT record is a SPF record, and it is a "version 1" record. Nearly all SPF records will start like this.
  • The "a" mechanism permits the address (or addresses) that the domain name itself resolves to, i.e. whatever is in the domain's DNS A (and AAAA) records.
  • the "ip4:" indicates that the address that follows is that of a mail server in IPv4 format. (you may also use IPv6 format addresses if you want by using the "ip6:" tag)
  • the "37.244.88.92" is the first email server address.
  • the "85.133.123.0/24" specifies a group of IP addresses. The IP address ending in "0" indicates that this is a network address and not that of an actual device. The /24 is a "netmask" and it indicates how many of the bits of the address make up the network part of the address. In this case the /24 means the first 24 bits of the 32 available in an IPv4 address indicate the network part of it, and the remainder (in this case 32 - 24 = 8 bits) indicate the part of the address that can refer to an actual device on the network. So in this case it means "85.133.123" identifies a part of the internet (the sub network or "subnet"), and the last 8 bits indicate a machine on the subnet. So it is telling the receiving mail server that any server with an address from "85.133.123.1" right up to "85.133.123.254" would be permitted to send email for diyloopy.com. (".0" is reserved for network addresses, and ".255" is a broadcast address)
  • The "include:" bit indicates that the system needs to go and do another DNS lookup using the domain name that follows. It is quite common for mail providers to have many, many machines devoted to sending email for customers. So rather than force customers to list them all out in the mother of all SPF records, they list them all for you in one (or more) DNS records. That way, all you need to do is "include" that DNS entry they have provided, and the mail recipient can get them all via another lookup. So in this case it is pulling in details from emailsrvr.com, and _spf.google.com (if you want you can go and query those and see what their SPF records look like). The included SPF lookups can in turn include further records to be looked up!
  • Lastly the "~all" indicates what you suggest the receiving mail system does with messages that do not come from a server permitted by the SPF record. The symbol before the "all" is the important bit (the "all" bit must be there). "-all" indicates that you want a hard "fail" if the server is not on the list - bin the email right now! "~all" is a soft fail; the receiving server has more latitude - it might still accept the message, but mark it as spam. "+all" is pretty much useless - it indicates that any mail server is allowed to send email for the domain - kind of defeating the whole point of SPF in the first place. TLDR - if in doubt, use "~all"

There are other fields that can go in there, but this is probably not the place for that level of detail.
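To make the lookup described above concrete, here is a small SPF evaluator added as an example (it is not code from DIYWiki or from any mail provider). It takes the SPF record shown above for diyloopy.com and a sending IP address and returns the SPF result, walking the "a", "ip4", "ip6", "include" and "all" terms the way a receiving server would. DNS is replaced by a constructed dictionary so it runs offline: the two included records and the A-record address are invented for the example and are not what emailsrvr.com or _spf.google.com really publish.

```python
import ipaddress

# Constructed stand-ins for DNS so the example runs offline.  The diyloopy.com
# record is the one shown above; the two included records and the A record are
# invented for this example and are not what those real domains publish.
FAKE_TXT = {
    "diyloopy.com": ("v=spf1 a ip4:37.244.88.92 ip4:85.133.123.0/24 "
                     "include:emailsrvr.com include:_spf.google.com ~all"),
    "emailsrvr.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all",
}
FAKE_A = {"diyloopy.com": ["192.0.2.10"]}  # what "a" resolves to (constructed)

# The character in front of a mechanism says what a match means.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, txt=FAKE_TXT, a_records=FAKE_A, depth=0):
    """Return the SPF result for sender_ip claiming to send mail as domain.

    Results: "pass", "fail", "softfail", "neutral", or "none" when the
    domain publishes no SPF record at all.
    """
    if depth > 10:  # RFC 7208 caps include chains so a record cannot loop
        raise ValueError("too many include lookups")
    record = txt.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" tag
        qualifier = "+"                      # a bare mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":                    # "all" matches everything
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            # A bare address gets a /32 (or /128); a CIDR block matches every
            # address in the block.  Mismatched IP versions never match.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "a":
            # "a" permits whatever the domain's own A/AAAA records point at.
            if str(ip) in a_records.get(arg or domain, []):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            # "include" matches only if the referenced record gives "pass";
            # a "fail" or "softfail" inside it does not propagate outwards.
            if check_spf(arg, sender_ip, txt, a_records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            raise ValueError(f"mechanism not handled here: {mech}")
    return "neutral"                         # no "all" term: no opinion


if __name__ == "__main__":
    for ip in ("37.244.88.92", "85.133.123.200", "198.51.100.5", "8.8.4.4"):
        print(ip, "->", check_spf("diyloopy.com", ip))
```

Two things worth noticing when you run it: an address that is only listed in an included record still gets a "pass" for diyloopy.com, and an unknown address ends up at the "~all" term and so gets "softfail", which is exactly the latitude the text describes. Mechanisms this article does not cover (mx, exists, redirect and so on) are deliberately left out and raise rather than being silently ignored.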

Domain Keys Identified Mail

DKIM is another step to help show that email you send is legitimate. It is now used by many of the larger mail system operators like Microsoft, Google, Yahoo, Outlook, Hotmail etc. as a primary verification method. So if you want messages successfully delivered to users on these platforms you should really have DKIM set up.

DKIM allows a system receiving an email to verify that it has not been tampered with in any way - basically that the header of the email is legitimate and unaltered. It does this using what is called "Public Key Cryptography". Public key cryptography generates two security "keys". These are very long numbers that are different, but related to each other. You can encode a message using one of the keys, but only then decode it with the other one. This means that a mail server can generate a "signature" for the header of an email it is sending using its private key, and then add that to the email on the way out. The receiver can then check that signature to confirm the validity of the message. All it needs is the other key. Since that is "public" it can be published in open sight in a DNS record. Since only the legitimate email server for the domain has access to the private part of the key pair, the signature can't be created by anyone else.

Setting up DKIM is actually easy:

  1. Go to the emailcavern.co.uk control panel, and turn on DKIM for the diyloopy.com domain. It will then give you a long text record, and a unique name to refer to it by, that you need to add to the DNS for the domain.
  2. Go to niftydomains.com and use their DNS control panel to add a TXT record.

More info for the curious

A DKIM record might look like:

"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArQzRmEbb8y2nOgK4jzXXZO0B/e5/2n2k9e1D0G0FsTj8KNU1Q8HfuvHV8+Y3HY84Xs3NPeJoUiwzFH1lGh+HZ2F73mDbL8Xa7+E1uJTiTnO4sHdE5x5U04OFgk2jWXt6RF/hyCWe6JwhF1MzskKIP5mjqZ5fDwJKTafLDvd5h/vYqGweVXO+N8t3+bHrK+XmdlkFj1t3A9JKMeLHQFn6XRoA6Bi6BPPe+ka5MK7+cGqBlPn+JHo3FL9rQIDAQAB"

The DKIM record will specify what this TXT record must be called - this is known as the "Selector". It would look something like "selector1._domainkey.diyloopy.com" (note that you normally would only enter the "selector1._domainkey" part in the niftydomains.com DNS editor - all records will default to being part of the diyloopy.com domain name).

  • v=DKIM1: Indicates the version of DKIM.
  • k=rsa: Specifies the key type (RSA in this case - a public key crypto system named after the pioneers of public key cryptography: Ron Rivest, Adi Shamir, and Len Adleman).
  • p=: This is the public key that will be used by mail servers to verify the signature.

Domain-based Message Authentication, Reporting, and Conformance

Or DMARC to its friends. This is the final bit of the email puzzle. In many cases this can be omitted, but it does add that final bit of "polish" to a proper email setup. DMARC builds on SPF and DKIM and allows a recipient to not only get proper instructions on what to do with questionable emails, it also allows for a feedback mechanism so the mail server can notify the owner of a domain when someone is attempting to pass off a spoofed email on the system.

The simplest DMARC record would look like:

"v=DMARC1; p=none;"

You would typically use this to show willing, but not actually have it do much! (the "p=none" bit means no enforcement)

A more detailed DMARC record might look like:

"v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@diyloopy.com; ruf=mailto:dmarc-failures@diyloopy.com; adkim=s; aspf=s; pct=100"

You would use niftydomains.com's DNS editor to create a TXT record called "_dmarc" on the diyloopy.com domain, and paste the record into it.

More info for the curious

  • v=DMARC1: Indicates the version of the DMARC protocol.
  • p=quarantine: Specifies the policy for handling emails that fail DMARC checks:
    • none: No action is taken (monitor only).
    • quarantine: Suspicious emails should be quarantined (e.g., sent to spam).
    • reject: Suspicious emails are rejected outright.
  • rua=mailto:dmarc-reports@diyloopy.com: Defines the email address where aggregate reports (summary of DMARC activity) will be sent.
  • ruf=mailto:dmarc-failures@diyloopy.com: Defines the email address for forensic reports (detailed information about specific message failures).
  • adkim=s: Aligns DKIM checks strictly (s = strict alignment, r = relaxed alignment).
  • aspf=s: Aligns SPF checks strictly (s = strict alignment, r = relaxed alignment).
  • pct=100: Specifies that the policy applies to 100% of messages. You can adjust this value (e.g., pct=50) during initial testing.

About alignment

Alignment ensures that the domain in the From: header (which users see) is directly associated with the domains authenticated by SPF or DKIM. This prevents malicious actors from spoofing the From address and sending emails that look like they came from your domain.

  • Without alignment, a domain could pass SPF or DKIM checks while pretending to be another domain in the From field.
  • By enforcing strict or relaxed alignment, DMARC ensures that only authenticated emails claiming to be from your domain are delivered.

During the initial testing phase, you might use relaxed alignment to minimize the risk of legitimate emails failing authentication. Once everything is working properly, you can switch to strict alignment for stronger security.

Examples

SPF Alignment:

SPF alignment checks whether the domain in the Return-Path (or "envelope sender") matches the domain in the From: header.

  • Strict Alignment (aspf=s) The domains must exactly match. For example:
    • Return-Path: mail.diyloopy.com
    • From: info.diyloopy.com
    • Result: Fail (the domains are not identical).
    • Return-Path: diyloopy.com
    • From: diyloopy.com
    • Result: Pass (the domains are identical).
  • Relaxed Alignment (aspf=r) The domains must be in the same organizational domain. Subdomains are acceptable. For example:
    • Return-Path: mail.diyloopy.com
    • From: info.diyloopy.com
    • Result: Pass (both are subdomains of diyloopy.com).
    • Return-Path: otherdomain.com
    • From: diyloopy.com
    • Result: Fail (domains do not share the same organizational domain).


DKIM Alignment:

DKIM alignment checks whether the domain in the d= tag of the DKIM signature matches the domain in the From: header.

  • Strict Alignment (adkim=s) The domain in the DKIM signature must exactly match the domain in the From header. For example:
    • DKIM Signature (d=): mail.diyloopy.com
    • From: info.diyloopy.com
    • Result: Fail (domains are not identical).
    • DKIM Signature (d=): diyloopy.com
    • From: diyloopy.com
    • Result: Pass (domains are identical).
  • Relaxed Alignment (adkim=r) The domains must be in the same organizational domain. Subdomains are acceptable. For example:
    • DKIM Signature (d=): mail.diyloopy.com
    • From: info.diyloopy.com
    • Result: Pass (both are subdomains of diyloopy.com).
    • DKIM Signature (d=): otherdomain.com
    • From: diyloopy.com
    • Result: Fail (domains do not share the same organizational domain).
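The following is an added example, not code from DIYWiki or any DNS or mail provider, covering both the DKIM/DMARC records above and the alignment rules just described. It parses the "tag=value;" style TXT records, derives the DNS names a receiver queries (selector._domainkey.domain and _dmarc.domain), and applies strict and relaxed alignment to the page's example domain pairs; it then combines those pieces into the disposition a receiver would reach under the p= policy. The DKIM public key is replaced with an obviously constructed placeholder, and the short PUBLIC_SUFFIXES set is a constructed stand-in for the Public Suffix List that real DMARC checkers use to find the "organizational domain".

```python
# Records as shown above, except that the DKIM public key is replaced by an
# obviously constructed placeholder (the page's key is not reused here).
DKIM_TXT = "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"
DMARC_TXT = ("v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@diyloopy.com; "
             "ruf=mailto:dmarc-failures@diyloopy.com; adkim=s; aspf=s; pct=100")

# Constructed stand-in for the Public Suffix List, which real DMARC checkers
# use to find the "organizational domain".  Only what this example needs.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}


def parse_tags(record):
    """Split a 'tag=value; tag=value' DNS TXT record into a dict."""
    tags = {}
    for item in record.split(";"):
        item = item.strip()
        if not item:
            continue                          # tolerate a trailing ";"
        key, _, value = item.partition("=")   # only the first "=" splits
        tags[key.strip().lower()] = value.strip()
    return tags


def dkim_dns_name(selector, domain):
    """DNS name a receiver queries for the DKIM public key."""
    return f"{selector}._domainkey.{domain}"


def dmarc_dns_name(domain):
    """DNS name a receiver queries for the DMARC policy."""
    return f"_dmarc.{domain}"


def organizational_domain(name):
    """Registrable domain: the label just above the longest public suffix."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: 's' = identical, 'r' = same org domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    if mode == "r":
        return organizational_domain(a) == organizational_domain(f)
    raise ValueError(f"unknown alignment mode: {mode}")


def dmarc_disposition(record, from_domain, spf_domain=None, spf_result="none",
                      dkim_domain=None, dkim_result="none"):
    """What the receiver should do: 'pass', or the record's p= action.

    spf_domain is the Return-Path domain, dkim_domain the d= of the signature.
    A message passes DMARC if either SPF or DKIM passed *and* that identifier
    aligns with the From: domain under the record's aspf/adkim mode (RFC 7489
    defaults both to relaxed when the tag is absent).
    """
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(spf_domain, from_domain, tags.get("aspf", "r")))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


if __name__ == "__main__":
    print(dkim_dns_name("selector1", "diyloopy.com"), parse_tags(DKIM_TXT))
    print(dmarc_dns_name("diyloopy.com"), parse_tags(DMARC_TXT))
    # Strict aspf=s: Return-Path mail.diyloopy.com vs From diyloopy.com fails.
    print(dmarc_disposition(DMARC_TXT, "diyloopy.com",
                            spf_domain="mail.diyloopy.com", spf_result="pass"))
```

The last line prints "quarantine": SPF itself passed, but with aspf=s the Return-Path domain mail.diyloopy.com does not align with the From: domain diyloopy.com, so the p= action applies. Change the record to aspf=r (or drop the tag, since relaxed is the default) and the same message passes, which is the trade-off the "About alignment" section describes for the testing phase.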