Abstract
Learning to run and maintain an email system can be a daunting task, especially for a young IT professional that potentially did not use email before starting their career (me). There are a lot of prerequisite skills required to get the service to run at all, and then more pieces of knowledge must be sprinkled in to make the service actually useful (by getting mail delivered and blocking spam). I did a write-up on getting email set up in a previous blog post; however, that post did not really explain any of the logic that went into setting up an email server. This article intends to provide that basic overview of how the various pieces of email fit together to make a working system. It is also worth noting that this post will not go in-depth on configurations for anything, as this is supposed to be a general overview; many of the configuration items that are required can be found online for the platform you are using. Additionally, I will list more resources that go more in-depth on email at the end of this post.
Prerequisite Skills
As alluded to in the intro paragraph, email is built on various other skills that are critical to being able to run a successful mail service. These skills are:
- System Administration for relevant operating system(s)
- Domain Name System (DNS)
- Networking
- Understanding SSL/TLS (and which one you should be using) is a plus
Basic Requirements for Email Server
In earlier days of the Internet, the list of requirements for running an email server was pretty short. You basically just needed a server, a domain name, and some software to send and receive email (an SMTP server and a POP3/IMAP server). Once that is set up, you can be on your way sending all the email that you want. Technically that is still the case; however, in practice the requirements are a bit higher today for emails to actually be received by major providers such as Gmail, Yahoo, and Outlook/Hotmail.
Hard Requirements
This list is a minimal list of requirements to have the technical capability to send and receive email.
- Domain Name: The server that is receiving the email should have a domain name that is resolvable on the hosts that will be sending email to the server. The domain is probably not a “hard” requirement if email is only being sent internally, but then you are forced to use IP addresses as the domain, which is terrible to work with. This is even less practical on the open Internet, as not only would people have to type your public IP to send anything to you, you also couldn’t do any of the soft requirements in the next section. Without those, email will likely be blocked by a large group of people you may want to send messages to. Specifically, you want an MX record for your domain.
- IMAP Server: An Internet Message Access Protocol (IMAP) server. This is what will actually be receiving the mail that is sent to your server; without it, the email server will effectively be deaf, and not able to actually receive any messages. There are quite a few IMAP servers out there, but one of the most popular IMAP servers for Linux/*BSD is Dovecot. In Microsoft world, the IMAP and SMTP server will almost certainly be Exchange, which can be hosted locally (though they are attempting to move everyone into the cloud).
- SMTP: Simple Mail Transfer Protocol (SMTP). This is what is responsible for sending email. Traditionally Sendmail was the tool of choice for Unix admins, however, much like IMAP, there are a variety of options to choose from. And again, like IMAP, in the land of Microsoft the only choice is Exchange.
Soft Requirements
While these items are not technically required to send mail to another email server, they must be met for the mail to actually be accepted and received by other email servers on the Internet.
- TLS: Transport Layer Security (TLS), specifically TLS 1.2 or higher as other versions are deprecated because of weak cryptography. Thanks to Let’s Encrypt, there is absolutely no reason to not have TLS on your website, your email, and anything else that might benefit from it.
- SPF: Sender Policy Framework (SPF) is a DNS authentication protocol that declares a list of valid senders for a particular email domain. SPF can also give hints to remote servers what should be done if the email domain in question does not pass SPF. Some explanation on creating an SPF record with some examples can be found here.
- DKIM: DomainKeys Identified Mail (DKIM) is another DNS authentication protocol that cryptographically authenticates the domain’s emails via public/private key pairs. Some explanation on creating DKIM records with examples can be found here.
- DMARC: Domain-based Message Authentication Reporting and Conformance (DMARC) is an email authentication protocol that works in conjunction with DKIM and SPF to help prevent email domain spoofing. It does this by instructing remote mail servers what to do if the received email does not pass DKIM or SPF, as well as what to do if there is a misalignment of either. A bit more explanation on how DMARC works and how it can be configured for your domain can be found here.
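To make the SPF and DMARC mechanics above concrete, here is a small worked example (added here; it is not code from the original post). It evaluates an SPF record for a sending IP and then applies a DMARC policy with relaxed alignment, using an in-memory table of constructed TXT records in place of real DNS lookups. The domains, IPs and record contents are made up for the demonstration, and only the ip4, ip6, include and all mechanisms are implemented.

```python
"""Added example, not from the original post: a simplified SPF check and the
DMARC decision that follows from it. DNS lookups are replaced by an in-memory
table of constructed TXT records, so it runs offline."""
import ipaddress

# Constructed sample TXT records (these are not real zones).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r",
    "loop.example": "v=spf1 include:loop.example -all",   # broken record that includes itself
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate the SPF record of `domain` for a connection from `client_ip`.

    Handles the ip4, ip6, include and all mechanisms with their qualifiers;
    anything else (a, mx, exists, redirect=) is treated as a non-match here.
    """
    if depth > 10:            # RFC 7208 caps DNS-querying mechanisms; stop include loops
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"         # no SPF published for this domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, arg = term.partition(":")
        if mechanism in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif mechanism == "include":
            # include matches only if the referenced record itself yields "pass"
            inner = check_spf(arg, client_ip, dns, depth + 1)
            if inner == "permerror":
                return "permerror"
            matched = inner == "pass"
        elif mechanism == "all":
            matched = True
        else:
            matched = False
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"          # nothing matched and no "all" term


def org_domain(name):
    """Simplified organizational domain: the last two labels (no public-suffix list)."""
    return ".".join(name.lower().split(".")[-2:])


def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                      dns=FAKE_DNS_TXT):
    """Return ("pass", "none") or ("fail", <policy>) for the From: header domain.

    Relaxed alignment is assumed: the SPF (MAIL FROM) or DKIM (d=) domain must
    share its organizational domain with the From: header domain.
    """
    record = dns.get("_dmarc." + from_domain)
    if record is None:
        return ("none", "none")          # no DMARC record: nothing to enforce
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    spf_aligned = spf_result == "pass" and org_domain(spf_domain) == org_domain(from_domain)
    dkim_aligned = dkim_result == "pass" and org_domain(dkim_domain) == org_domain(from_domain)
    if spf_aligned or dkim_aligned:
        return ("pass", "none")
    return ("fail", tags.get("p", "none"))


if __name__ == "__main__":
    print(check_spf("example.com", "192.0.2.77"))        # pass (direct ip4 match)
    print(check_spf("example.com", "198.51.100.10"))     # pass (via include)
    print(check_spf("example.com", "203.0.113.5"))       # fail (-all)
    print(dmarc_disposition("example.com", "pass", "bounces.example.com", "none", ""))
    print(dmarc_disposition("example.com", "pass", "other.example", "none", ""))
```

Running it prints the results for a direct match, an include match and a failing IP, then the DMARC disposition when the bounce domain aligns with the From: domain and when it does not. A real receiver also resolves the a, mx and exists mechanisms and the redirect= modifier, and uses the public-suffix list to work out the organizational domain; the simplification here is enough to show why it pays to verify the records before moving SPF to hard-fail or DMARC to reject.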
Checking your records
Once you think your records are set up for your email domain, it is time to check them using online tools. This Email health tool from MX Toolbox is a very solid one that will show a lot of information about your email domain and point out issues that should be addressed. Example output from my mail server:
It is highly recommended to make sure the checks on this health check tool pass before changing SPF to hard-fail and DMARC to reject or quarantine, as improper configuration of DNS records can affect mail deliverability. If something is not set up correctly in the DNS records, MX Toolbox will very helpfully offer some additional info to clear up what the problem might be.
Handling Spam
Most people hate email spam, and the reasons for this are twofold. The obvious reason is that you have to deal with the spam in your email box. The second reason is that email spam has been a huge driving force in making email the headache that it is today. The idea was that by having email providers declare where their email will come from and showing some validation that it was really sent from their email server (SPF and DKIM), it would cut down on spoofing and spam. The ironic thing is that spammers tend to have the best SPF, DKIM, and DMARC records, will generally allow anyone to send email on their behalf, and will actively tell other email servers to ignore DKIM.
Spam filters
Since SPF, DKIM, and DMARC do little to prevent spam, the remaining option is an email spam filter. While this isn’t required per se, in reality it is something you will likely want sooner or later, especially if your email domain is associated with a business. Spam filters come in software form or as a hardware appliance; each of the different options for a spam filter will work slightly differently. In general, however, spam filters analyze incoming email and give it a spam score. This score determines whether the email will be considered spam by the filter; in addition, actions can be set up on a tier system, so an email with a lower score can be handled differently than an email with a higher score.
To determine the spam score of the incoming emails, various parts of the email will be analyzed including:
- SPF records: missing records or failing SPF will negatively impact the score
- Email headers (explained more in the next section)
- The language of the subject and body of the message
- Some filters also aggregate data across lots of customers to identify bad actors en masse
The last point is the one that can be really difficult to get around if you run your own mail server. Specifically, entire IP ranges can get blocked because too much spam was being sent from them; this affects the entire IP block’s ability to send email. Microsoft did this to Linode and was not very helpful in resolving the issue until much, much later. And even when they did fix it, it was only silently.
Dissecting Email Headers
Many spam filters look at email headers for information about the emails to attempt to determine whether they are spam or not. Unfortunately, email headers are roughly as readable as compiler output and can look like a wall of information if you haven’t worked with them before. Here is an example email header that we will be working with:
From 010001939bf2e76b-c528bc30-1748-4eba-9ca2-91507276373b-000000@bounces.duolingo.com Fri Dec 6 07:30:08 2024
Delivered-To: person@email.com
Received: by 2002:aa6:c561:0:b0:2ac:443d:529e with SMTP id z1csp807162lkp;
        Fri, 6 Dec 2024 04:30:09 -0800 (PST)
X-Google-Smtp-Source: AGHT+IGGzFj9rG8DAig1r5R5L5v4J0hhtWtnpjSTxXCTgWwNr2/+2Z/kUANsVLg/AwSqXtLz4Ksi
X-Received: by 2002:a05:6214:5086:b0:6d8:9abb:3c28 with SMTP id 6a1803df08f44-6d8e71ad0abmr48222746d6.29.1733488208169;
        Fri, 06 Dec 2024 04:30:08 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1733488208; cv=none;
        d=google.com; s=arc-20240605;
        b=I1tzm9YUP3Ow+AtYga97dUCaUscPCFS4+Ghqgd0MPVNl/cUU8bWx5kWVtv1gLTNYot
         5NLiqCaNvxoXOwbYMGBtO/4nkoZ1Wml4Mtm1PyA3LsnjIUnCkdikjaevpXlSHzzr70/+
         Wf2EnzBykF0oGUyWGZKTZdvZgDHnh1aY9PZG5qEiIDT5YFmO86szXO5MGPfZSqHFDZxe
         TjKvhopvfhFH+Q6rEbXXemHjEYl1YG7IINGJ40DNVZpLwZzc7zIU9w8dbGZEbu8A7aRc
         VhIze0e0eYugkCHYBEO0R7x2mHtc1EHe9M18VaUP7HXV8ePLLB1/gJ9IUEA8WL0LauyT
         RWkQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
        h=feedback-id:date:message-id:list-unsubscribe-post:list-unsubscribe
         :reply-to:subject:to:from:mime-version:dkim-signature:dkim-signature;
        bh=UbDnVmK+d3a5KWc8tc7jzr3yiQ1VTsl2vRyjB3oX5YE=;
        fh=cYhEvxUJVCrPuHhuhnYjrlZs1arjc/bcOjCL+MocS9Y=;
        b=U1t7XlEIb2HYPoHqDlfMkM5oynMZDQJKj56UN52F+ymAN5+GShWXIn3kyXdzgHhT4v
         GV/nlt075V17N+5/i+lOdUEnkjdQfGKWS11qtqLQhAYLFVWo5PApv5LdHolbPHuciM9w
         9bCxduC5qFsRBtmnR7JRg912F2yU9iml4vQxg5goUMPbJqtcv492ZHclERm+wWAM36f8
         39MqrjWuOjrSyu0+JhrJZeJio0t1f6PKppslQz7NM88LJUFtaha8QKyyjSZk1q0/KJr2
         dsrlqNkeaqVN/s6ri9V2QZU2upjaIj7MfGwtlVuCKm2D/eiufH5wYuku8aTxexLjsVKV
         N6lw==;
        dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@duolingo.com header.s=nrqmk37y4yzwsm3xc6vb7hxfdn5ugmwd header.b=n3+GQSgE;
       dkim=pass header.i=@amazonses.com header.s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug header.b=Hwmiz7tQ;
       spf=pass (google.com: domain of 010001939bf2e76b-c528bc30-1748-4eba-9ca2-91507276373b-000000@bounces.duolingo.com designates 54.240.10.133 as permitted sender) smtp.mailfrom=010001939bf2e76b-c528bc30-1748-4eba-9ca2-91507276373b-000000@bounces.duolingo.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=duolingo.com
Return-Path: <010001939bf2e76b-c528bc30-1748-4eba-9ca2-91507276373b-000000@bounces.duolingo.com>
Received: from a10-133.smtp-out.amazonses.com (a10-133.smtp-out.amazonses.com. [54.240.10.133])
        by mx.google.com with ESMTPS id 6a1803df08f44-6d8dac0949esi42739666d6.346.2024.12.06.04.30.07
        for <person@email.com>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Fri, 06 Dec 2024 04:30:08 -0800 (PST)
Received-SPF: pass (google.com: domain of 010001939bf2e76b-c528bc30-1748-4eba-9ca2-91507276373b-000000@bounces.duolingo.com designates 54.240.10.133 as permitted sender) client-ip=54.240.10.133;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@duolingo.com header.s=nrqmk37y4yzwsm3xc6vb7hxfdn5ugmwd header.b=n3+GQSgE;
       dkim=pass header.i=@amazonses.com header.s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug header.b=Hwmiz7tQ;
       spf=pass (google.com: domain of 010001939bf2e76b-c528bc30-1748-4eba-9ca2-91507276373b-000000@bounces.duolingo.com designates 54.240.10.133 as permitted sender) smtp.mailfrom=010001939bf2e76b-c528bc30-1748-4eba-9ca2-91507276373b-000000@bounces.duolingo.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=duolingo.com
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
        s=nrqmk37y4yzwsm3xc6vb7hxfdn5ugmwd; d=duolingo.com; t=1733488207;
        h=Content-Type:MIME-Version:From:To:Subject:Reply-to:List-Unsubscribe:List-Unsubscribe-Post:Message-ID:Date;
        bh=UbDnVmK+d3a5KWc8tc7jzr3yiQ1VTsl2vRyjB3oX5YE=;
        b=n3+GQSgE3I9a8CN9baF2Qic3u+4XWRMKMtXumZpBi2x6E5W5LQbrz8JazcbP2Pk8
         stEVgA9hym6Uoj0PeVdjFKSXCxqLVw8R6dTyE3ab1Gvbx6A5j+IYUq1bkwLyG57YngQ
         oFX5uSARMoT7w5aKlM+0NcsF3tXXePz0b0L2TVRY=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
        s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug; d=amazonses.com; t=1733488207;
        h=Content-Type:MIME-Version:From:To:Subject:Reply-to:List-Unsubscribe:List-Unsubscribe-Post:Message-ID:Date:Feedback-ID;
        bh=UbDnVmK+d3a5KWc8tc7jzr3yiQ1VTsl2vRyjB3oX5YE=;
        b=Hwmiz7tQUR/YIbVr4rhu2ecJ/d1KJdvvSqospSf7JElz8cRQAJSh+09Jyg38RJYO
         /e8yIMWvnLI+zsWD5wHZ+NGTKGWrOHyg4qr4Og06KAZyEgOeksu3nCahR6SfSBI2l0f
         PuxaO7Pu0EuR97IPfsLQQWb3Y9E5MZGxavfDA7Zw=
Content-Type: multipart/alternative; boundary="===============0697970980562405415=="
MIME-Version: 1.0
From: Duolingo <no-reply@duolingo.com>
To: person@email.com
Subject: =?utf-8?q?=F0=9F=98=B2_Your_Year_in_Review_is_here=2E?=
Reply-to: Duolingo <no-reply@duolingo.com>
List-Unsubscribe: <https://blast.duolingo.com/web-redirect/200567?from_email=16715badf50216a7b0f662868d27190658681a0eImZhY2VwbGFudDM2QGdtYWlsLmNvbSI=&user_id=cdcde602db5914665fd0d6917a97c8faa53d4f23NTMxMTU5OQ==&email=16715badf50216a7b0f662868d27190658681a0eImZhY2VwbGFudDM2QGdtYWlsLmNvbSI=&sample_id=8603&target=aHR0cHM6Ly93d3cuZHVvbGluZ28uY29tL3Vuc3Vic2NyaWJlP3R5cGU9bm90aWZ5X2Fubm91bmNlbWVudCZlbWFpbD1bRW5jb2RlZEVtYWlsXSZ1dG1>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Message-ID: <010001939bf2e76b-c528bc30-1748-4eba-9ca2-91507276373b-000000@email.amazonses.com>
Date: Fri, 6 Dec 2024 12:30:07 +0000
Feedback-ID: ::1.us-east-1.RpxhJRmOpL41XzJPFX+GBBQj4+ioASSIVb8HK9KAN9A=:AmazonSES
X-SES-Outgoing: 2024.12.06-54.240.10.133
Again, massive wall of barely parsable (by a human) text. So, let’s look for our basic information and go from there.
From 010001939bf2e76b-c528bc30-1748-4eba-9ca2-91507276373b-000000@bounces.duolingo.com Fri Dec 6 07:30:08 2024
Delivered-To: person@email.com
Received: by 2002:aa6:c561:0:b0:2ac:443d:529e with SMTP id z1csp807162lkp;
        Fri, 6 Dec 2024 04:30:09 -0800 (PST)
Received: from a10-133.smtp-out.amazonses.com (a10-133.smtp-out.amazonses.com. [54.240.10.133])
        by mx.google.com with ESMTPS id 6a1803df08f44-6d8dac0949esi42739666d6.346.2024.12.06.04.30.07
        for <person@email.com>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Fri, 06 Dec 2024 04:30:08 -0800 (PST)
Received-SPF: pass (google.com: domain of 010001939bf2e76b-c528bc30-1748-4eba-9ca2-91507276373b-000000@bounces.duolingo.com designates 54.240.10.133 as permitted sender) client-ip=54.240.10.133;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@duolingo.com header.s=nrqmk37y4yzwsm3xc6vb7hxfdn5ugmwd header.b=n3+GQSgE;
       dkim=pass header.i=@amazonses.com header.s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug header.b=Hwmiz7tQ;
       spf=pass (google.com: domain of 010001939bf2e76b-c528bc30-1748-4eba-9ca2-91507276373b-000000@bounces.duolingo.com designates 54.240.10.133 as permitted sender) smtp.mailfrom=010001939bf2e76b-c528bc30-1748-4eba-9ca2-91507276373b-000000@bounces.duolingo.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=duolingo.com
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
        s=nrqmk37y4yzwsm3xc6vb7hxfdn5ugmwd; d=duolingo.com; t=1733488207;
        h=Content-Type:MIME-Version:From:To:Subject:Reply-to:List-Unsubscribe:List-Unsubscribe-Post:Message-ID:Date;
        bh=UbDnVmK+d3a5KWc8tc7jzr3yiQ1VTsl2vRyjB3oX5YE=;
        b=n3+GQSgE3I9a8CN9baF2Qic3u+4XWRMKMtXumZpBi2x6E5W5LQbrz8JazcbP2Pk8
         stEVgA9hym6Uoj0PeVdjFKSXCxqLVw8R6dTyE3ab1Gvbx6A5j+IYUq1bkwLyG57YngQ
         oFX5uSARMoT7w5aKlM+0NcsF3tXXePz0b0L2TVRY=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
        s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug; d=amazonses.com; t=1733488207;
        h=Content-Type:MIME-Version:From:To:Subject:Reply-to:List-Unsubscribe:List-Unsubscribe-Post:Message-ID:Date:Feedback-ID;
        bh=UbDnVmK+d3a5KWc8tc7jzr3yiQ1VTsl2vRyjB3oX5YE=;
        b=Hwmiz7tQUR/YIbVr4rhu2ecJ/d1KJdvvSqospSf7JElz8cRQAJSh+09Jyg38RJYO
         /e8yIMWvnLI+zsWD5wHZ+NGTKGWrOHyg4qr4Og06KAZyEgOeksu3nCahR6SfSBI2l0f
         PuxaO7Pu0EuR97IPfsLQQWb3Y9E5MZGxavfDA7Zw=
From: Duolingo <no-reply@duolingo.com>
To: person@email.com
Subject: =?utf-8?q?=F0=9F=98=B2_Your_Year_in_Review_is_here=2E?=
Reply-to: Duolingo <no-reply@duolingo.com>
Message-ID: <010001939bf2e76b-c528bc30-1748-4eba-9ca2-91507276373b-000000@email.amazonses.com>
Date: Fri, 6 Dec 2024 12:30:07 +0000
There is still a lot of information there, but it should look a bit less intimidating, and some of the fields may even look obvious. For example, Delivered-To is the email address that the email was delivered to. The Subject is the subject of the email, etc. Some of the things that might look slightly less straightforward are going to be things like the Received-SPF and DKIM-Signature. In the case of the Received-SPF:
Received-SPF: pass (google.com: domain of 010001939bf2e76b-c528bc30-1748-4eba-9ca2-91507276373b-000000@bounces.duolingo.com designates 54.240.10.133 as permitted sender) client-ip=54.240.10.133;
We can tell that the message passed SPF because of the pass toward the beginning of the line. That result is echoed in the Authentication-Results section. That section also shows that DKIM passed as well. Then at the bottom of the Authentication-Results we see the line dmarc=pass, followed by some more information on what the receiving server is supposed to do if DMARC is not passed. This means that this email has passed the three main email authentication requirements. Past that, we also get a specific time stamp for when the email was received, along with a Message-ID to better track down the email if we need to look for it.
Great, but what was the other stuff that got removed? Some of it was junk that doesn’t really affect anything. That is pretty much any line that starts with X-. Those headers are not standardized, and thus can kind of be made up by the email composer. The other interesting section is the ARC-Authentication-Results. Authenticated Received Chain (ARC) is a method of validating email that could be changed by a spam filter. Some spam filters will modify an email’s headers, and this modification can cause the email to fail DKIM when it gets through to the user. ARC fixes this by allowing intermediate servers to sign off on the original validation results. This helps prevent authentication issues and increases deliverability.
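As an added example (not part of the original post), the following Python pulls out of a raw header block the same things we just read by eye: the per-method verdicts from Authentication-Results, the Received chain, the From: domain, and a toy tiered spam score of the kind described in the Spam filters section. The first sample is a shortened copy of the headers above; the second is a constructed message that fails every check, to show how the tiers react. The weights, thresholds and keyword list are made-up illustrations, not any real filter’s rules.

```python
# Added example (not from the post): parse raw headers with the stdlib, extract
# the authentication verdicts and Received chain, and apply a toy tiered spam score.
import re
from email import message_from_string
from email.policy import default

# Shortened copy of the headers shown in the post (ARC, X- and DKIM-Signature omitted).
SAMPLE_OK = """\
Delivered-To: person@email.com
Received: by 2002:aa6:c561:0:b0:2ac:443d:529e with SMTP id z1csp807162lkp;
        Fri, 6 Dec 2024 04:30:09 -0800 (PST)
Received: from a10-133.smtp-out.amazonses.com (a10-133.smtp-out.amazonses.com. [54.240.10.133])
        by mx.google.com with ESMTPS id 6a1803df08f44-6d8dac0949esi42739666d6.346.2024.12.06.04.30.07
        for <person@email.com>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Fri, 06 Dec 2024 04:30:08 -0800 (PST)
Authentication-Results: mx.google.com;
       dkim=pass header.i=@duolingo.com header.s=nrqmk37y4yzwsm3xc6vb7hxfdn5ugmwd header.b=n3+GQSgE;
       dkim=pass header.i=@amazonses.com header.s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug header.b=Hwmiz7tQ;
       spf=pass (google.com: domain of 010001939bf2e76b-c528bc30-1748-4eba-9ca2-91507276373b-000000@bounces.duolingo.com designates 54.240.10.133 as permitted sender) smtp.mailfrom=010001939bf2e76b-c528bc30-1748-4eba-9ca2-91507276373b-000000@bounces.duolingo.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=duolingo.com
From: Duolingo <no-reply@duolingo.com>
Subject: Your Year in Review is here.
Message-ID: <010001939bf2e76b-c528bc30-1748-4eba-9ca2-91507276373b-000000@email.amazonses.com>
Date: Fri, 6 Dec 2024 12:30:07 +0000

"""

# Constructed sample: a message that fails every check and has no Message-ID.
SAMPLE_BAD = """\
Received: from mail.spoof.example (unknown [203.0.113.9]) by mx.example.net with ESMTP id constructed01; Fri, 6 Dec 2024 04:40:00 -0800 (PST)
Authentication-Results: mx.example.net;
       spf=fail smtp.mailfrom=spoof.example;
       dkim=none;
       dmarc=fail (p=REJECT sp=REJECT dis=NONE) header.from=example.com
From: Billing <billing@example.com>
Subject: URGENT: act now on your invoice
Date: Fri, 6 Dec 2024 12:40:00 +0000

"""

def unfold(header):
    """Collapse a folded header value into single-spaced text."""
    return " ".join(str(header).split())

def parse_auth_results(value):
    """Split 'authserv-id; method=result prop=val ...; ...' into a list of dicts."""
    value = re.sub(r"\([^)]*\)", "", value)   # comments may contain ';' and '='
    entries = []
    for part in [p.strip() for p in value.split(";")][1:]:
        if part:
            tokens = part.split()
            method, _, result = tokens[0].partition("=")
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            entries.append({"method": method, "result": result, **props})
    return entries

def auth_summary(msg):
    """One verdict per method; any non-pass entry overrides a pass."""
    summary = {}
    for ar in msg.get_all("Authentication-Results", []):
        for e in parse_auth_results(unfold(ar)):
            if summary.get(e["method"]) in (None, "pass"):
                summary[e["method"]] = e["result"]
    return summary

def received_hops(msg):
    """(from-host, by-host) per Received header, newest hop first."""
    hops = []
    for rec in msg.get_all("Received", []):
        text = unfold(rec)
        frm, by = re.search(r"\bfrom (\S+)", text), re.search(r"\bby (\S+)", text)
        hops.append((frm.group(1) if frm else None, by.group(1) if by else None))
    return hops

def spam_score(msg):
    """Toy tiered score; weights and thresholds are constructed for illustration."""
    auth, score, reasons = auth_summary(msg), 0.0, []
    for method, weight in (("spf", 2.0), ("dkim", 2.5), ("dmarc", 3.0)):
        if auth.get(method) != "pass":
            score += weight
            reasons.append(f"{method}={auth.get(method, 'missing')}")
    for name in ("Message-ID", "Date", "From"):  # legitimate senders always set these
        if msg[name] is None:
            score += 1.0
            reasons.append(f"missing {name}")
    if re.search(r"(?i)\b(act now|urgent|free money)\b", str(msg["Subject"] or "")):
        score += 1.5
        reasons.append("spammy subject")
    tier = "deliver" if score < 3 else "quarantine" if score < 6 else "reject"
    return score, tier, reasons

def analyze(raw_headers):
    """Parse a header block and return what a filter or an admin would look at first."""
    msg = message_from_string(raw_headers, policy=default)
    score, tier, reasons = spam_score(msg)
    return {"from_domain": msg["From"].addresses[0].domain if msg["From"] else None,
            "auth": auth_summary(msg), "hops": received_hops(msg),
            "score": score, "tier": tier, "reasons": reasons}
```

Calling analyze(SAMPLE_OK) yields a score of 0 and the deliver tier, with the two Received hops (the Amazon SES host handing off to mx.google.com, then Google’s internal hop) and all three methods at pass; analyze(SAMPLE_BAD) lands in the reject tier because SPF, DKIM and DMARC all fail, the Message-ID is missing, and the subject trips the keyword check. The parenthesised comments are stripped before the Authentication-Results are split on semicolons, since those comments can themselves contain semicolons and equals signs, which is exactly what makes this header hard to read by eye.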
Resources
Email is a topic that has a lot happening all at once, and is not really something for people just getting started with IT. It has a lot of concepts that you really should know before jumping in, and there are a lot of things that must be done correctly for it to actually work. Unfortunately, it is also a moving target. What works today may not work tomorrow if the big mail providers change their minds on something. This blog post is not intended to be an in-depth tutorial on anything, rather just a primer to get familiar with some of the different aspects of email and a general idea of how they fit together. If you are interested in running your own mail server, I have included some resources that I highly recommend checking out before doing so: