DNS personal account (DNS). Mail: Configuring DNS records for Yandex.Mail - Timeweb Help Center


DNS is a retail chain selling digital and household appliances, widely represented in Russia. The stores carry a wide variety of products. On the official DNS website, you can choose and purchase any product from the comfort of your home. The purchase can be picked up at the selected store (the store manager will prepare it by the specified time), or you can order delivery. To use all the features of the site, there is a convenient "personal account" service. There is also a customer support service, which can be contacted through a special form for requesting a call back.

Possibilities of a personal DNS account

To gain access to your personal account, you must register on the site. To do this, you will need to provide an email address and create a password. It is important to indicate a valid mailbox, since confirmation of the specified address is required to complete the registration process. After that, the user is prompted to enter a mobile number (this item is optional). The specified number will receive messages about changes in the status of the current order. This completes the registration process; you can now enter your personal account and use all its features.

The service operates around the clock. It allows you to place orders for goods presented on the site and track them. In the personal account you can also activate a card to become a member of the bonus program. To receive a card, you must give your mobile phone number to an employee in any of the stores of the network (the card is issued free of charge and is valid for 5 years). At any time you can see the number of bonus points in the account and the history of their accrual. Owners of personal accounts can also see all promotions, other profitable offers and company news. Up-to-date information is sent to the phone or email linked to the account.

Through the service, you can ask the technical support service a question in an online chat. The history of orders and payments is saved. On its basis, a company employee prepares individual offers for registered users.

For the mail server to work properly, it is important to have a properly configured DNS zone. We have already touched on some aspects of the DNS system; today we will look at this issue in more detail. Setting up the DNS zone is one of the preparatory operations before deploying the mail server, and the health of the e-mail system depends on it directly.

Wrong settings can cause mail to be undeliverable to your mail server or recipient servers to reject your mail. Indeed, if your zone records do not contain information about the mail server, where should mail be sent? To the grandfather's village? You can, of course, ask your provider to configure the DNS zone, but it's better to do it yourself.

What do we need? A dedicated IP address (let's say 11.22.33.44) that you must obtain from your ISP, and a domain name (for example example.com), which can be registered with any registrar or their partner. When registering with a partner, check whether it provides access to DNS zone management, otherwise you will have to spend extra time, nerves and money to transfer the domain to the registrar.

If you already have a domain and, most likely, a site is functioning on it, check whether it is possible to manage the DNS zone from the hosting provider's panel, otherwise it is better to transfer the domain to the registrar, for this contact the provider's support.

So, we have a domain. What records does its DNS zone contain? First, there is an SOA record, a description of the zone. We will not analyze all the entries in detail, as this is beyond the scope of our article, but it is necessary to have a general idea of them. There should also be two NS records pointing to the nameservers (DNS servers) serving this domain; these will be the servers of the registrar or the hosting provider.

The first entry you need to add will be the A entry, or name entry. It should point to the IP address of your server if you decide to serve all requests to the domain on your own or to the IP address of the hosting provider if you decide to host your site. When hosting a site, the domain is usually delegated to its DNS servers (corresponding NS records are registered) and an A record will be made automatically when the domain is parked.

This option is the most common, but if necessary, you can always create an A record yourself. This record looks like this:

example.com. IN A 22.11.33.44

In our example, 22.11.33.44 is the address of our hosting provider, where the site is located. Pay attention to the dot at the end of the name, this indicates that the name is absolute, if there is no dot, the name is considered relative and the domain name from SOA is added to it. You can check the entry with the command nslookup.

For the mail server to work, you need to create an MX record, which should point to our mail server. Let's create an entry for this:

example.com. IN MX 10 mail.example.com.

You can also just write:

example.com. IN MX 10 mail

To this name (without a dot at the end) example.com will be added automatically. The number 10 determines the priority of the server, the lower it is, the higher the priority. By the way, the DNS zone may already contain an MX record of the form:

example.com. IN MX 0 example.com.

Usually this entry is automatically created by the hosting provider when hosting the site, it must be removed.

Now let's create an A record for mail.example.com

mail.example.com. IN A 11.22.33.44

Now all mail for the example.com domain will be directed to the mail host with the address 11.22.33.44, i.e. your mail server, while the site example.com will continue to work on the provider's server at 22.11.33.44.
The question may arise, why can't you immediately specify the IP address of the mail server in the MX record? In principle, it is possible, some do, but it does not comply with the DNS specifications.

You can also make aliases for the mail server like pop.example.ru and smtp.example.ru. Why is this necessary? It allows clients to configure their settings once and not depend on the details of your infrastructure. Let's say that your company has grown and allocated a separate mail server, mail1, to serve external clients. All you need to do is change two DNS records, and clients will not notice that they are working with a new server. To create aliases, CNAME records are used:

pop IN CNAME mail.example.com.
smtp IN CNAME mail.example.com.

At this point, the forward DNS zone setup can be considered complete, the most interesting thing remains - the reverse zone. The reverse zone is managed by the provider that issued you the IP address and you cannot manage it yourself (unless you are the owner of the block of IP addresses). But you must add at least one record to the reverse zone. As we wrote in the last article, many mail servers check PTR records (reverse zone records) for the sending server, and if they are absent or do not match the sender's domain, such a letter will be rejected. So ask your provider to add an entry like this for you:

44.33.22.11.in-addr.arpa. IN PTR mail.example.com.

Looks a bit strange, doesn't it? Let's analyze the structure of the PTR record in more detail. Reverse name resolution uses a special top-level domain, in-addr.arpa. This is done so that the same software mechanisms can be used for forward and reverse name resolution. The point is that mnemonic names are written from left to right, and IP addresses are written from right to left. So mail.example.com. means that host mail is in the domain example, which is in the top-level domain com., while 11.22.33.44 means that host 44 is in subnet 33, which is part of subnet 22, which belongs to network 11. To maintain a uniform order, PTR records contain the IP address "backwards", completed with the top-level domain in-addr.arpa.

You can also check MX and PTR records with the nslookup command, using the additional parameter -type=MX or -type=PTR.

And of course, you should not forget that any changes in DNS zones do not occur instantly, but within a few hours or even days, necessary for the distribution of changes in the global DNS system. This means that despite the fact that your mail server will start working 2 hours after the changes are made, your partner may not send mail to you for a longer time.

It is a mystery to me why deploying even a primitive mail server configuration for many system administrators is such a big problem. However, it is. It would never have occurred to me to write a whole article about this, but judging by the inexhaustible number of questions, it is still necessary to do this. The most difficult are the basic DNS records for the mail server, and we'll talk about them.

If you are interested in the topic of mail servers, I recommend that you refer to the corresponding tags on my blog - and.

The article discusses the basic records that are either necessary or highly desirable for the normal functioning of the mail server.

Well, now let's start to figure out what needs to be done before creating records.

Buying a domain name

You need to start by buying a domain name. It is not as difficult as it seems and not as expensive. A new domain in the .ru zone can cost no more than 100-200 rubles.

Once the domain is purchased, you can start creating records. All registrars have different admin panels, but knowing the theory, it’s easy to figure out the specifics of adding records.

Note: when you create a CNAME and specify the A-record it refers to, some registrars require the full name of the A-record with a trailing dot (for example, record.bissquit.com.), while others only need the part before the domain (just record, without the rest of the name from the previous example).

I want to warn you right away that the distribution of newly created records takes some time, usually from 15 minutes to several hours (or in theory even a day, but I have not seen this).

A

First, create a master A record that will point to the external address of your mail server. Any options are acceptable, but usually choose something similar to mail.domain.tld or mx1.domain.tld. If you are using your own bind DNS server, then the A-record inside the zone might look like this:

mail IN A 1.2.3.4

This record will later be pointed to by MX.

MX

This entry translates as mail-exchanger and, in fact, it is the main one for mail servers. There can be several such records, and each of them necessarily has a priority value - the lower it is, the higher the priority. What is it used for? Mainly to determine the order in which MX records are accessed, if there are several.

It is common for multiple MX records for the same domain to have the same priority. In this case, incoming traffic will be evenly balanced between servers.

Note: strictly speaking, having an associated MX record for your sending server is not really necessary. You can send mail without problems and the servers of the target domain will even receive it. But, on the receiving servers, mail will probably instantly go to spam, since sending domains without MX are immediately marked as suspicious. There may also be problems with receiving mail, although in theory the delivery of a letter in the absence of an MX record should be performed on the main A-record of the domain (according to RFC 5321).

If you delve into the architecture of mail solutions, then very often the MX record points to a mail relay or anti-spam server (SpamAssassin, for example, or Exchange Server Edge), and not to the final mail server that stores incoming / outgoing mail. This is a perfectly reasonable approach, when a separate server acts as an edge gateway, and another, with business-critical data, is a kind of backend. I will say more: this is even best practice.

How many MX records do you need to be happy

A savvy reader may come up with a very interesting thought: “Which is better - two MX records or one MX record, but referring to two identical A-records?”. Visually it looks like this:

In case b. we get a kind of Round Robin. But, if we discard the nuances, option a. is similar! After all, equal priority of MX records provides the same function.

However, many have doubts about this case. They are mainly driven by the notion that in case b., if the sending server hits an idle server on the first attempt to send, it will defer the message and try again after a timeout. But this is fundamentally wrong: it will immediately try to send to the second server from the RR response. This is demonstrated by an illustrative experiment.

When both servers from option b. respond to requests, we see the following entry in the smtp session when we try to send email to them (Queued mail for delivery - the letter is accepted for delivery):

Feb 14 13:57:37 mail postfix/smtp: ACF0D140073: to= , relay=mail.domain.tld:25, delay=1.7, delays=0.17/0/0.09/1.5, dsn=2.6.0, status=sent(250 2.6.0 Queued mail for delivery

If, for some reason, one of the servers went down and the sending party hit it on the first attempt, the second attempt goes immediately to the second server from the response (after Connection timed out on the first attempt there is a successful second attempt):

Feb 14 14:02:16 mail postfix/smtp: connect to mail.domain.tld:25: Connection timed out
Feb 14 14:02:17 mail postfix/smtp: 35E8F140073: to= , relay=mail.domain.tld:25, delay=31, delays=0.15/0/30/0.7, dsn=2.6.0, status=sent(250 2.6.0 Queued mail for delivery

Note: if someone is interested in the dilemma of choosing the “correct” MX hierarchy, I advise you to refer to the topic DNS - MX, A, TLL and mail server on the Technet forums. The example with the send logs was taken from there, but I am also its author.

And now let's return from theory to practice and see how things are with large public mail services:

# dig -t MX mail.ru +short
10 mxs.mail.ru.
# dig -t A mxs.mail.ru +short
94.100.180.104
94.100.180.31
#
# dig -t MX yandex.ru +short
10 mx.yandex.ru.
# dig -t A mx.yandex.ru +short
213.180.204.89
77.88.21.89
213.180.193.89
87.250.250.89
93.158.134.89

Mail and Yandex use the RR option for A-records for their services, but Google does not:

# dig -t MX gmail.com +short
5 gmail-smtp-in.l.google.com.
20 alt2.gmail-smtp-in.l.google.com.
30 alt3.gmail-smtp-in.l.google.com.
40 alt4.gmail-smtp-in.l.google.com.
10 alt1.gmail-smtp-in.l.google.com.

Therefore, it is up to you to decide which option to choose.

PTR

With PTR, there is no such space for creativity as in the case of MX, and this only makes it easier. The PTR record belongs to the reverse zone and is designed to map an ip address to a DNS name (that is, the address must resolve to a name).

In the most ideal case, there should be a "circular" resolution of records. What it is is easy to understand with an example: from MX we get an A-record, from an A-record we get an ip-address, from this address we take a PTR-record, which ideally should resolve into the A-record that MX originally pointed to. And so in a circle:

But in reality, this is clearly excessive perfectionism. Besides, what will you do if your server will serve several domains at the same time (and this is a very common situation)?

Note: hypothetically, you can create several PTRs for one ip-address, because the RFC does not directly prohibit this. However, the software on the client side usually does not know how to correctly handle such a situation and will simply pull out the first record that comes across from the search results. This entry may not be exactly what you need. Beyond that, most providers will simply refuse your request to create multiple PTRs. So use one entry for one address, and make sure that the mail server in the HELO greeting is the name that the server's address resolves to, that's all.

For the sake of interest, let's check the same public providers:

# dig -t MX mail.ru +short
10 mxs.mail.ru.
# dig -t A mxs.mail.ru +short
94.100.180.104
94.100.180.31
# dig -x 94.100.180.104 +short
mxs.mail.ru.

And, of course, their addresses will have a PTR that is absolutely unrelated to the name of, for example, bk.ru. So strict matching is not essential and you can use a PTR with any of your domain names. The main thing is that the record exists, because a lot of servers check for the presence of a PTR and, if it is not there, dramatically increase the spam rating of your messages.
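The PTR name construction and the "circular" MX -> A -> PTR -> A check described above, as an added example that is not part of the original articles. The zone table is constructed sample data, and `lookup`, `ptr_name` and `check_mail_host` are hypothetical helper names standing in for real resolver queries.

```python
import ipaddress

# Constructed sample zone data (not real DNS answers); keys are (name, type).
ZONE = {
    ("example.com.", "MX"): [(10, "mail.example.com.")],
    ("mail.example.com.", "A"): ["11.22.33.44"],
    ("44.33.22.11.in-addr.arpa.", "PTR"): ["mail.example.com."],
    # Second domain served by the same host: the PTR cannot match its MX name.
    ("example.org.", "MX"): [(10, "mx.example.org.")],
    ("mx.example.org.", "A"): ["11.22.33.44"],
    # Mail host whose provider never created a PTR record.
    ("example.net.", "MX"): [(10, "mail.example.net.")],
    ("mail.example.net.", "A"): ["11.22.33.55"],
}

def lookup(name, rtype):
    """Stand-in resolver over ZONE; DNS names compare case-insensitively."""
    return ZONE.get((name.lower(), rtype), [])

def ptr_name(ip):
    """Reverse the octets and append in-addr.arpa. (absolute name)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def check_mail_host(domain):
    """Walk MX -> A -> PTR -> A and classify every address of every MX host."""
    results = []
    for _pref, mx_host in sorted(lookup(domain, "MX")):   # lowest preference first
        for ip in lookup(mx_host, "A"):
            ptrs = lookup(ptr_name(ip), "PTR")
            if not ptrs:
                status = "no-ptr"             # many receivers penalise this
            elif mx_host.lower() in (p.lower() for p in ptrs):
                status = "circular"           # PTR returns the MX host name
            elif any(ip in lookup(p, "A") for p in ptrs):
                status = "forward-confirmed"  # PTR name resolves back to the IP
            else:
                status = "ptr-mismatch"       # PTR name does not lead back
            results.append((mx_host, ip, status))
    return results

if __name__ == "__main__":
    for d in ("example.com.", "example.org.", "example.net."):
        print(d, check_mail_host(d))
```

The example.org case is the multi-domain situation from the text: the PTR points at another domain's host name, yet the address still resolves consistently in both directions.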

Currently, the use of mail on a domain in Yandex is available as part of the Yandex.Connect service.

4. Find the domain for which you want to make changes, click on the gear icon and select "DNS Settings".

5. Click "Add DNS record", select "TXT" and specify the record received in Yandex.Connect.

As a rule, it takes 10-15 minutes for the changes to take effect.

7. After the changes are applied, click "Start verification" in Yandex.Connect. Wait for domain confirmation (usually very fast).

8. Configure DNS records for the domain following the instructions below.

MX record


SPF record

2. Find the domain for which you want to make changes, click on the gear icon and select "DNS Settings".

3. Delete existing TXT records (copy the value of the SPF record beforehand if you plan to send mail from the servers specified in it as well).



v=spf1 ip4:IP1 ip4:IP2 ip4:IP3 include:_spf.yandex.net ~all

where IP1, IP2, IP3 - IP addresses of additional servers.

6. Save your changes using the "Add" button.

DKIM signature

1. Get a TXT record with a public key in Yandex.Connect:

  • Open the Mail administration page.
  • Click the DKIM Signatures tab.
  • Copy the DKIM signature for the desired domain.


2. Find the domain for which you want to make changes, click on the gear icon and select "DNS Settings".

3. Remove existing MX records.

4. Click on "Add DNS record", select "MX" and check "Yandex.Mail" in the window that opens:


5. Save the changes using the "Add" button.

6. Wait for the DNS changes to take effect. This process can take up to 72 hours.

SPF record

2. Find the domain for which you want to make changes, click on the gear icon and select "DNS Settings".

3. Delete the existing TXT records (copy the value of the spf record beforehand if you plan to send mail from the servers specified in it as well).

4. Click on "Add DNS Record", select "TXT" and in the window that opens, place the following value:

v=spf1 redirect=_spf.yandex.net



5. If you want to send emails not only from Yandex servers, specify additional servers in the following format:

v=spf1 ip4:IP-1 ip4:IP-2 ip4:IP-3 include:_spf.yandex.net ~all

where IP-1, IP-2, IP-3 - IP addresses of additional servers.

6. Save your changes using the "Add" button.

7. Wait for the DNS changes to take effect. This process can take up to 72 hours.
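How a receiving server evaluates the two record forms above, and why the old TXT record has to be deleted first, as an added example that is not Timeweb's or Yandex's code. It handles only the ip4, include, redirect and all terms; the TXT table is constructed, and the entry for _spf.yandex.net is a made-up stand-in, not the real contents of that record.

```python
import ipaddress

# Constructed TXT data for illustration only.
TXT = {
    "example.com": ["v=spf1 ip4:11.22.33.44 include:_spf.yandex.net ~all"],
    "example.org": ["v=spf1 redirect=_spf.yandex.net"],
    "example.net": ["v=spf1 ip4:11.22.33.44 ~all",        # old record left in place
                    "v=spf1 redirect=_spf.yandex.net"],
    "_spf.yandex.net": ["v=spf1 ip4:192.0.2.0/24 ~all"],  # stand-in provider record
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, sender_ip, depth=0):
    """Evaluate the ip4 / include / redirect / all subset of SPF."""
    records = [t for t in TXT.get(domain.lower(), [])
               if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1 or depth > 10:
        return "permerror"      # two SPF records on one name is a hard error
    ip = ipaddress.ip_address(sender_ip)
    redirect = None
    for term in records[0].split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            inner = check_spf(arg, sender_ip, depth + 1)
            if inner == "unsupported":
                return inner
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"   # only a pass of the included record matches
        else:
            return "unsupported"        # a, mx, exists, ... are outside this sketch
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:                        # used only when no mechanism matched
        result = check_spf(redirect, sender_ip, depth + 1)
        return "permerror" if result == "none" else result
    return "neutral"

if __name__ == "__main__":
    for dom, addr in [("example.com", "11.22.33.44"), ("example.com", "203.0.113.9"),
                      ("example.org", "192.0.2.10"), ("example.net", "11.22.33.44")]:
        print(dom, addr, check_spf(dom, addr))
```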

DKIM signature

2. Find the domain for which you want to make changes, click on the gear icon and select "DNS Settings".

3. Click on "Add DNS Record" and select "TXT".

4. In the settings window, specify "mail._domainkey" in the "Host" field and enter the DKIM parameters with the public key obtained in Yandex.Mail for Domain in the "Value" field. For example, "v=DKIM1; k=rsa; t=s; p=MIGfMA0GCSEBtaCOteH4EBqJlKpe..."



5. Save the changes using the "Add" button.

6. Wait for the DNS changes to take effect. This process can take up to 72 hours.

CNAME record

2. Find or create a mail.your_domain subdomain and click the gear icon.

3. Click on "Add DNS Record" and select "CNAME".

4. In the settings window, enter the value "domain.mail.yandex.net":


5. Save the changes using the "Add" button.

6. Wait for the DNS changes to take effect. This process can take up to 72 hours.


3. Remove existing MX records.

4. Click on "Add DNS record", select "MX" and in the window that opens, check the box Mail.ru:

5. Save the changes using the "Add" button.

6. Wait for the DNS changes to take effect. This process can take up to 72 hours.

SPF record

2. Find the desired domain, click on the gear icon and select "DNS Settings".

3. Delete the existing TXT records beginning with v=spf1 (copy the value of the spf record beforehand if you plan to send mail from the servers specified in it as well).

4. Click on "Add DNS Record", select "TXT" and in the window that opens, place the following value:

v=spf1 redirect=_spf.mail.ru


5. If you want to send messages not only from Mail.ru servers, specify additional servers in the following format:

v=spf1 ip4:IP1 ip4:IP2 ip4:IP3 include:_spf.mail.ru ~all

where IP1, IP2, IP3 - IP addresses of additional servers.

6. Save your changes using the "Add" button.

7. Wait for the DNS changes to take effect. This process can take up to 72 hours.

DKIM signature

2. Find the desired domain, click on the gear icon and select "DNS Settings".

3. Click on "Add DNS Record" and select "TXT".

4. In the settings window that opens:

  • in the "Host" field, enter mailru._domainkey
  • in the "Value" field, enter the DKIM parameters received in your personal account https://biz.mail.ru/ in the " " section.



