Yandex DNS hosting. DNS and email


I think many will be interested to finally learn how mail works. Over several articles I will try, in language as simple as possible, to describe the main issues related to how e-mail works in general and the DNS settings it needs in particular.

For simplicity, and to keep the amount of text down, we will consider the simplest (and most common) situation:

1 domain name (example.com).
1 mail domain (*@example.com).
1 mail server (mail.example.com).
1 IP address (127.127.127.127; this is only a placeholder, since 127.0.0.0/8 is the loopback range and could never be a real mail server's address).

Regarding mail, we are interested in four types of DNS records: A, MX, PTR and TXT (carrying SPF).

The second one, MX, is strongly recommended: without it senders fall back to delivering to the A record. In principle you can do without the rest, but the chance that your mail will be rejected as spam increases significantly. mail.ru, for example, rejects almost all mail from IP addresses that have no PTR record, or whose PTR points to a dial-up provider's name. And rightly so.

A-record

A (Address) is a record mapping a domain name to an IPv4 address (AAAA does the same for IPv6). For mail to work correctly, the mail server's host name (mail.example.com) needs an A record. In our case it looks like this:

mail IN A 127.127.127.127

Where:
mail - the host name, relative to the zone origin example.com (so it expands to mail.example.com).
IN A - class (IN, Internet) and record type (A).
127.127.127.127 - the IP address of our mail server.

MX records.

MX (Mail eXchange) is the main DNS record for email. It indicates which servers process mail for our domain.

We have one email domain - @example.com. And one mail server - mail.example.com. Accordingly, the entry will look like this:

example.com. IN MX 10 mail.example.com.

Where:
example.com. - the domain whose mail is being handled (the trailing dot makes the name absolute).
IN MX - class and record type.
10 - the record's priority (more on this below).
mail.example.com. - the host name of the mail server; it must have an A record of its own.

The MX record must point to a host name that has an A (or AAAA) record. Putting an IP address or a CNAME as the MX target is incorrect: RFC 2181 and RFC 5321 forbid a CNAME there, and an IP literal is not a valid MX target at all.

MX priority matters when a domain has more than one mail server (Google Mail, for example, publishes several). It determines which server is tried first, second and so on, when the first (second, tenth) is unavailable, overloaded or otherwise unable to accept the message. The logic is simple: the lower the number, the higher the priority. The absolute values do not matter, only their order; 10-20-30 works exactly like 1000-2000-3000, and servers with equal priority are tried in random order.

If a domain has no MX records at all, a sending server treats the domain's A (or AAAA) record as an implicit MX with priority 0 and delivers there (RFC 5321, section 5.1). If MX records exist but none of the listed servers can be reached, the sender does not fall back to the A record; it queues the message and retries later. Relying on the implicit MX is a bad idea in practice, since some senders and many anti-spam checks expect an explicit MX, so publish one even if there is only a single server.

PTR record.

PTR (PoinTeR) is the so-called reverse record. It allows reverse resolution (reverse resolving) of an IP address to a host's FQDN.

Our reverse name would be 127.127.127.127.in-addr.arpa. This example hides it, since all four octets are the same, but in the reverse zone the address is written in reverse octet order: the IP 192.168.0.1 becomes 1.0.168.192.in-addr.arpa.

For the sending host to be recognised correctly, the PTR record of the IP address the message comes from must match the host name the mail server announces in HELO/EHLO, and that name's A record must point back at the same IP (forward-confirmed reverse DNS).

The PTR record in our case is accordingly:

127.127.127.127.in-addr.arpa. IN PTR mail.example.com.

Only the holder of the IP address block can create this record (see my article on address space distribution). If that is not you and you received the addresses from your provider, ask the provider or data centre to set up the record.

TXT record and SPF.

TXT (TeXT) is a free-form text DNS record. It interests us here only because it can (and in today's world must) carry an SPF policy.

SPF (Sender Policy Framework) is a record that lets you specify which servers are allowed to send mail on behalf of your domain, that is, to use an envelope sender (MAIL FROM) or HELO name in your domain.

Without this record nothing stops someone from sending mail (usually spam) with a return address in your domain. Receivers cannot tell it from your own mail, so either it gets delivered, or your domain picks up a reputation as a spam source and sooner or later your provider or data centre comes asking questions :)

The SPF record looks like this (example):

v=spf1 ip4:1.1.1.1 +a +mx -all

v=spf1 - the protocol version; every SPF record starts with it.
a - matches the IP addresses in the A record of the domain (or of the host given as a:host).
mx - matches the IP addresses of the hosts listed in the domain's MX records.
ip4:IP or ip4:network/prefix - an explicit IP address or range from which mail may be sent on behalf of the domain (ip6: does the same for IPv6).
all - matches every address not matched earlier; it always goes last.

Each mechanism may be prefixed by a qualifier that says what a match means: + pass (the default, so +a is the same as a), - fail, ~ softfail (accept but flag), ? neutral. Combined with all it sets the policy for everyone else: -all tells receivers to reject, ~all to accept but treat as suspicious. Mechanisms are evaluated left to right and the first match wins; a, mx, include, ptr and exists each cost a DNS lookup, and there may be at most ten of them per evaluation or the record fails as a permanent error.

In our case the SPF TXT record would be:

example.com. IN TXT "v=spf1 +mx +a -all"

Thus we have allowed mail to be sent on behalf of the domain only from the IP addresses of its A and MX records, and told receivers to reject everything else: nobody can spam pretending to be us. Note the limit of what SPF checks, though: it covers the envelope sender and the HELO name, not the From: header the user sees. A phishing message with a forged From: support@example.com but an envelope sender in some other domain still passes SPF; closing that gap needs DKIM and DMARC, which are beyond this article.
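To make the evaluation order, the qualifiers and the lookup limit concrete, here is a small SPF evaluator. It is an added example for this article, not code from the original page. Everything in it is constructed: the in-memory DNS table stands in for a resolver, the domains example.com, softfail.example and nospf.example and the addresses 198.51.100.25, 203.0.113.10 and 192.0.2.7 are documentation-range placeholders. It implements the subset of RFC 7208 discussed above (ip4/ip6, a, mx, all, the four qualifiers, the 10-lookup limit) and reports include, redirect, exists and ptr as permerror rather than silently ignoring them.

```python
"""Minimal SPF evaluator (subset of RFC 7208) run against an in-memory DNS table.

Added example for this article, not code from the original page. Everything
below is constructed: the DNS table, the three domains and the client IPs.
Supported: ip4/ip6 (with CIDR), a, mx (with optional host and CIDR), all, the
four qualifiers and the 10-lookup limit. include/redirect/exists/ptr/macros are
not implemented and yield permerror so the gap is visible rather than silent.
"""
import ipaddress

# Constructed DNS data standing in for real lookups.  203.0.113.10 is the web
# host (matched by the "a" mechanism), 198.51.100.25 is the MX host.
DNS = {
    ("example.com", "TXT"): ['v=spf1 +mx +a -all'],
    ("example.com", "MX"): ["mail.example.com"],
    ("example.com", "A"): ["203.0.113.10"],
    ("mail.example.com", "A"): ["198.51.100.25"],
    ("softfail.example", "TXT"): ['v=spf1 ip4:198.51.100.0/24 ~all'],
    ("nospf.example", "TXT"): ['some unrelated text'],
}

MAX_DNS_LOOKUPS = 10                      # RFC 7208 section 4.6.4
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a resolver query; returns a list of record data strings."""
    return DNS.get((name.lower().rstrip("."), rtype), [])


def get_spf_record(domain):
    """Return the domain's single v=spf1 TXT record, or None if there is none."""
    spf = [r for r in lookup(domain, "TXT") if r.lower().split(" ", 1)[0] == "v=spf1"]
    return spf[0] if len(spf) == 1 else None   # two records would be a permerror in RFC terms


def host_matches(client, host, prefix_len):
    """True if any address of host (A or AAAA, by client version) covers client/prefix_len."""
    rtype = "AAAA" if client.version == 6 else "A"
    for addr in lookup(host, rtype):
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        if client in net:
            return True
    return False


def check_spf(client_ip, domain):
    """Evaluate SPF for a connection from client_ip using MAIL FROM <...@domain>.

    Returns pass, fail, softfail, neutral, none or permerror, as RFC 7208 names them.
    """
    client = ipaddress.ip_address(client_ip)
    record = get_spf_record(domain)
    if record is None:
        return "none"
    lookups = 0
    for term in record.split()[1:]:            # skip the "v=spf1" version tag
        qualifier = "+"                        # default qualifier is pass
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                matched = client in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"             # malformed address or prefix
        elif mech in ("a", "mx"):
            lookups += 1                       # each a/mx term costs one DNS lookup
            if lookups > MAX_DNS_LOOKUPS:
                return "permerror"
            target, _, cidr = (arg or domain).partition("/")
            prefix_len = int(cidr) if cidr else client.max_prefixlen
            hosts = [target] if mech == "a" else lookup(target, "MX")
            if len(hosts) > 10:                # RFC 7208: at most 10 MX hosts per mx term
                return "permerror"
            matched = any(host_matches(client, h, prefix_len) for h in hosts)
        else:
            return "permerror"                 # include, redirect, exists, ptr: not implemented here
        if matched:
            return QUALIFIER[qualifier]
    return "neutral"                           # nothing matched and no "all" term
```

With the table above, check_spf("198.51.100.25", "example.com") and check_spf("203.0.113.10", "example.com") both return pass (matched by mx and a respectively), any other address returns fail because of -all, softfail.example returns softfail for addresses outside 198.51.100.0/24, and a domain with no v=spf1 record returns none, which is exactly the case where a receiver has nothing to reject on.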

Today almost every shared hosting provider offers, as an extra service, the ability to create mailboxes for your domain, but working with such mailboxes is often less than pleasant. To improve this, you can use the free Yandex Mail for Domain service. It lets you attach your domain's mail to Yandex's mail servers, create up to 1000 mailboxes of unlimited size, and use everything Yandex Mail offers: automatic antivirus scanning, spam filtering, a web interface, access from mobile devices and direct access over SMTP/POP3/IMAP.

One of the main steps in attaching a domain to Yandex's mail system is creating special records in the domain's DNS zone. To simplify and automate this as much as possible, you can delegate the domain to Yandex's NS servers, that is, use another free service, Yandex DNS hosting.

In this note we will walk step by step through connecting domain mail to Yandex's mail servers and delegating the domain to Yandex's servers, using our domain IT-KB.RU as the example.

Register an account on Yandex

To work with Mail for Domain you need a Yandex account, which will be used to manage the mail from then on. At the moment up to 50 domains can be connected to one account. Register and get a Yandex account if you have not done so already.

Connecting the domain to Yandex

After logging in to the Yandex website with the account we created, open the domain adding page, enter the domain name and click the Connect domain button.

After the domain is added, we have to confirm that we own it. The page shows the status Domain not verified and offers three ways to confirm ownership.

Of the three options I chose the first, placing a file in the root directory of the site. Once the specified file is in place, click Check domain ownership.

After successful verification we are redirected to the MX record setup page for our domain. These changes can be made in the domain's DNS zone either by hand or automatically if the domain is delegated to Yandex. Since full support for Yandex mail needs several more service SRV records besides the MX record, the easiest route is to delegate the domain; all the required records in the DNS zone are then created automatically.

Follow the link delegate domain to Yandex and read how to delegate the DNS domain to Yandex's NS servers. It is very simple: go to the DNS hosting where the domain currently lives, edit the NS records and replace the current name servers with dns1.yandex.net and dns2.yandex.net.

Wait a while (anything from a few hours to two days) for the change to propagate across the Internet's name servers, then check the result, for example with the nslookup utility.

As you can see, the domain's name servers are now Yandex's, and we can return to setting up mail for the domain. Back in the domain mail management console, the domain status has changed to The domain is connected and delegated to Yandex.

Open the DNS Editor link and look at the records that were added and configured automatically after delegation to support Yandex services: the MX record and a CNAME pointing at the mail server, TXT records carrying SPF and DKIM, and SRV records for the XMPP messaging service.

Create a new Mailbox for the domain and look at the mailbox management options available.

For a mail server to work properly, it is important to have a correctly configured DNS zone. We have already touched on some aspects of the DNS system; today we look at this question in more detail. Configuring the DNS zone belongs to the preparatory work before deploying a mail server, and the e-mail system's operation depends directly on it.

Incorrect settings may mean that mail cannot be delivered to your server, or that recipient servers reject your mail. Indeed, if the zone's records say nothing about a mail server, where is mail for the domain supposed to go? You could of course ask your provider to configure the zone, but it is better to do it yourself.

What do we need? A dedicated IP address (say 11.22.33.44), which you obtain from your provider. A domain name (for example example.com), which can be registered with any registrar or one of their partners. When registering through a partner, check that it gives you access to DNS zone management; otherwise you will spend extra time, nerves and money transferring the domain to the registrar.

If you already have a domain, most likely with a website on it, check whether the hosting provider's panel allows managing the DNS zone; if not, it is better to transfer the domain to the registrar, for which you contact the provider's support.

So, we have a domain. What records does its DNS zone contain? First, an SOA record describing the zone. We will not go through every record in detail, that is beyond the scope of this article, but a general understanding of them is needed. There must also be at least two NS records pointing to the name servers (DNS servers) serving the domain; these will be the registrar's or the hosting provider's servers.

The first record to add is the A record, the name-to-address record. It should point to your server's IP address if you will serve all requests for the domain yourself, or to the hosting provider's IP address if the website is hosted there. When a website is hosted with a hoster, the domain is usually delegated to the hoster's DNS servers (the corresponding NS records are set) and the A record is created automatically when the domain is parked.

This is the most common setup, but if necessary you can always create the A record yourself. The record looks like this:

example.com. IN A 22.11.33.44

In our example 22.11.33.44 is the address of the hosting provider where the site lives. Note the dot at the end of the name: it marks the name as absolute. Without the dot the name is treated as relative and the zone's origin (the domain name from the SOA record) is appended to it. You can check the record with the nslookup command.

For the mail server to work you need an MX record pointing at it. Create the record:

example.com. IN MX 10 mail.example.com.

You can also write simply:

example.com. IN MX 10 mail

Because the name mail has no trailing dot, example.com is appended to it automatically, giving mail.example.com. The number 10 is the server priority; the lower it is, the higher the priority. Note that the zone may already contain an MX record such as:

example.com. IN MX 0 example.com.

This record is usually created automatically by the hosting provider when the site is parked; it directs mail to the web server and must be deleted.

Now create an A record for mail.example.com:

mail.example.com. IN A 11.22.33.44

From now on all mail for example.com is sent to the host mail.example.com at 11.22.33.44, that is, to your mail server, while the example.com website keeps working on the provider's server at 22.11.33.44.
The question may arise: why not put the mail server's IP address directly into the MX record? Some people do it, but it does not comply with the DNS and SMTP specifications: the MX target must be a host name with its own A record, so do not rely on it.

You can also create aliases for the mail server, such as pop.example.com and smtp.example.com. Why? It lets clients stop depending on the details of your infrastructure once their settings are entered. Suppose the company grows and a separate server, mail1, is set aside for external clients: all you need to do is change two DNS records and the clients will not even notice they are talking to a new server. Aliases are created with CNAME records (remember that these alias names must not be used as MX targets; the MX keeps pointing at the host that owns the A record):

pop IN CNAME mail.example.com.
smtp IN CNAME mail.example.com.
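The zone rules this section and the MX section earlier rely on (relative versus absolute names, what a forgotten trailing dot does, MX targets that must be host names with A records rather than IP literals or CNAMEs) are easy to get wrong by hand, so here is a small checker that applies them. It is an added example, not code from the original page. The zone text inside it is constructed for the illustration: the addresses 203.0.113.10 and 198.51.100.25 are documentation-range placeholders standing in for the 22.11.33.44 and 11.22.33.44 used above, and the record syntax it reads is the simple owner / IN / type / data form the article uses.

```python
"""Checker for the MX-related zone mistakes described in this article.

Added example, not code from the original page. It reads the record syntax the
article uses (owner, class IN, type, data; MX carries a priority), expands
relative names against $ORIGIN exactly as a DNS server would, and flags the
MX errors the text warns about. The zone below is constructed; the IPs are
from the documentation ranges and stand in for the article's 11.22.33.44.
"""
import ipaddress

ZONE = """
$ORIGIN example.com.
@      IN A     203.0.113.10             ; the web site, at the hoster
@      IN MX 10 mail.example.com.        ; correct
@      IN MX 20 mail.example.com         ; trailing dot forgotten
@      IN MX 30 198.51.100.25            ; IP literal instead of a host name
@      IN MX 40 smtp                     ; relative name that turns out to be a CNAME
mail   IN A     198.51.100.25
pop    IN CNAME mail.example.com.
smtp   IN CNAME mail.example.com.
"""


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def absolute(name, origin):
    """Zone-file name rules: '@' is the origin, a trailing dot means the name is
    already absolute, anything else gets the origin appended."""
    if name == "@":
        return origin.lower()
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text):
    """Return (origin, records); each record is (owner, type, data) with absolute names."""
    origin, records = ".", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()            # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            origin = origin if origin.endswith(".") else origin + "."
            continue
        fields = line.split()
        owner, rtype = absolute(fields[0], origin), fields[2].upper()
        if rtype == "MX":
            priority, target = int(fields[3]), fields[4]
            if not is_ip(target):                        # keep an IP literal as-is so it can be reported
                target = absolute(target, origin)
            records.append((owner, "MX", (priority, target)))
        elif rtype == "CNAME":
            records.append((owner, "CNAME", absolute(fields[3], origin)))
        else:
            records.append((owner, rtype, fields[3]))
    return origin, records


def looks_doubled(target, origin):
    """mail.example.com.example.com.: the origin appears twice, the usual missing-dot slip."""
    base = origin.rstrip(".")
    return target.rstrip(".").endswith(f"{base}.{base}")


def check_mx(records, origin):
    """Return [(priority, target, verdict)] for every MX record in the zone."""
    rrsets = {}
    for owner, rtype, data in records:
        rrsets.setdefault(owner, {}).setdefault(rtype, []).append(data)
    verdicts = []
    for owner, rtype, data in records:
        if rtype != "MX":
            continue
        priority, target = data
        if is_ip(target):
            verdict = "MX target is an IP literal; it must be a host name"
        elif "CNAME" in rrsets.get(target, {}):
            verdict = "MX target is a CNAME; point MX at the host that owns the A record"
        elif not ({"A", "AAAA"} & set(rrsets.get(target, {}))):
            verdict = "MX target has no A/AAAA record"
            if looks_doubled(target, origin):
                verdict += " (trailing dot forgotten, so the origin was appended)"
        else:
            verdict = "ok"
        verdicts.append((priority, target, verdict))
    return verdicts


if __name__ == "__main__":
    origin, records = parse_zone(ZONE)
    for priority, target, verdict in check_mx(records, origin):
        print(f"MX {priority:>3} {target:<36} {verdict}")
```

Run as-is it reports the MX 10 record as ok and explains the other three: the MX 20 target has become mail.example.com.example.com. with no address record, the MX 30 target is an IP literal, and the MX 40 target smtp.example.com. is a CNAME. Swap in your own zone text to check a real configuration before publishing it.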

With this the forward zone setup can be considered complete; the most interesting part remains, the reverse zone. The reverse zone is managed by the provider that issued your IP address and you cannot manage it yourself (unless you own a block of IP addresses). But you need at least one record in the reverse zone. As we wrote in the previous article, many mail servers check the PTR record (the reverse zone record) of the sending server, and if it is absent or does not match the host name the sender announces, the message is rejected. So ask your provider to add a record like this for you:

44.33.22.11.in-addr.arpa. IN PTR mail.example.com.

Looks a little strange, doesn't it? Let's look at the structure of a PTR record in more detail. Reverse name resolution uses a special top-level domain, in-addr.arpa, so that the same software mechanisms serve both forward and reverse lookups. The reason is that names are written from the most specific part to the most general (left to right), while IP addresses are written from the most general to the most specific. So mail.example.com. means that the host mail is in the domain example, which is in the top-level domain com; 11.22.33.44 means that host 44 is in subnet 33, which is part of subnet 22, belonging to network 11. To keep the same order as in names, the owner name of a PTR record is the IP address with its octets reversed and the in-addr.arpa suffix appended (1.0.168.192.in-addr.arpa for 192.168.0.1). IPv6 uses the same idea with the ip6.arpa suffix and one label per hexadecimal nibble.

You can also check MX and PTR records with nslookup using the additional parameter -type=MX or -type=PTR (for a PTR you can simply give nslookup the IP address; it builds the reverse name itself).

And of course don't forget that changes to DNS zones do not take effect instantly but within hours or even days, the time it takes for the changes to propagate and for old records to expire from caches across the global DNS. So although your mail server may start working two hours after the change, a partner whose resolver still caches the old records may be unable to send you mail for longer.
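The PTR check that the receiving side actually performs, for both the first article's PTR section and this one, is more than "does a PTR exist": it builds the reverse name, reads the PTR, resolves the returned name forward again and requires the original IP to come back (forward-confirmed reverse DNS), and usually compares the result with the HELO/EHLO name too. The following is an added example of that logic, not code from the original page; its DNS table is constructed, with 198.51.100.25 and 2001:db8::1 playing the correctly configured mail host, 203.0.113.10 carrying a PTR whose forward record disagrees, and 192.0.2.7 having no PTR at all.

```python
"""Reverse-DNS owner names and a forward-confirmed reverse DNS (FCrDNS) check.

Added example for this article, not code from the original page.  The DNS table
is constructed: 198.51.100.25 and 2001:db8::1 are the well-configured mail host,
203.0.113.10 carries a PTR whose forward record does not point back at it, and
192.0.2.7 has no PTR at all.
"""
import ipaddress

DNS = {
    ("25.100.51.198.in-addr.arpa", "PTR"): ["mail.example.com."],
    ("10.113.0.203.in-addr.arpa", "PTR"): ["mail.example.com."],   # claims to be us, forward disagrees
    (ipaddress.ip_address("2001:db8::1").reverse_pointer, "PTR"): ["mail.example.com."],
    ("mail.example.com", "A"): ["198.51.100.25"],
    ("mail.example.com", "AAAA"): ["2001:db8::1"],
    # 192.0.2.7 deliberately has no PTR entry
}


def lookup(name, rtype):
    """Stand-in for a resolver query; returns a list of record data strings."""
    return DNS.get((name.lower().rstrip("."), rtype), [])


def reverse_name(ip):
    """Build the PTR owner name by hand: octets reversed under in-addr.arpa for
    IPv4, one hex nibble per label reversed under ip6.arpa for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def fcrdns(ip, helo_name=None):
    """Forward-confirmed reverse DNS, as many receiving MTAs do it.

    Returns (status, ptr_name) where status is one of:
      ok             PTR exists and its A/AAAA record contains ip (and HELO name matches, if given)
      no-ptr         the IP has no PTR record
      mismatch       PTR exists but the name does not resolve back to ip
      helo-mismatch  forward-confirmed, but the HELO/EHLO name differs from the PTR name
    """
    addr = ipaddress.ip_address(ip)
    ptrs = lookup(reverse_name(ip), "PTR")
    if not ptrs:
        return "no-ptr", None
    rtype = "A" if addr.version == 4 else "AAAA"
    for ptr in ptrs:
        name = ptr.rstrip(".").lower()
        forward = [ipaddress.ip_address(a) for a in lookup(name, rtype)]
        if addr in forward:
            if helo_name is not None and helo_name.rstrip(".").lower() != name:
                return "helo-mismatch", name
            return "ok", name
    return "mismatch", ptrs[0].rstrip(".").lower()


if __name__ == "__main__":
    for ip in ("198.51.100.25", "203.0.113.10", "192.0.2.7", "2001:db8::1"):
        print(f"{ip:<16} {reverse_name(ip):<45} {fcrdns(ip, 'mail.example.com')}")
```

The reverse_name function does by hand what ipaddress.ip_address(...).reverse_pointer does in the standard library, so the two can be compared. The interesting case is 203.0.113.10: it has a PTR that names our server, yet fails the check, which is why receivers insist on the forward confirmation and not merely on the PTR's existence.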







2024 gtavrl.ru.