Question on spf/dkim/dmarc for sent mails through relay

We send mails through an external mailserver. We also have a locally configured domain for our neth-mailserver. For the local domain I configured the corresponding dns entries and connectors for each user so our imapserver pulls the mails from the external imap server and they are scanned by rspamd for our users.

Do we need to add any (mx,dkim,spf,dmarc) entries for the external domain also pointing to our nethserver? I am asking as we do not send mails of the external domain directly but exclusively through the authorized external mailserver, and this mostly works. It works 100% when mailclients are configured with the external smtp server. But recently we changed this and, as said, send mails through the relay/smarthost function. That means that in the mailheader of sent mails the ip address of our mailserver is visible, thus it can be that a mail gets blocked because of that ip.

I therefore tested with mxtoolbox email deliverability tool and the report said that there is no spf/dmarc record for our own neth-mailserver ip (only responsible for the internal domain) for the external domain.

I don’t understand why dkim/spf and dmarc entries for the external domain could be needed pointing to our nethserver, as we do not use it to send mails for the external domain directly. Those mails are relayed to an external mailserver. Is my understanding not correct that the dkim/spf records only need to point to the external mailserver then?

Thanks for clarification.

If you use a smarthost, spf/dkim/dmarc has to be configured on the smarthost.

If you plan to use a smarthost to send your email, the ‘I am not a spammer’ chapter is not necessary because the authentication and reputation methods are handled by your smarthost sender. But some smarthosts are tagged as spam senders, and your email won’t be delivered. It is the IP reputation of your smtp smarthost sender, bad or good, you can do nothing, hence the interest to send your email yourself.
(Source)


Hi mrmarkuz,

I will read through. If I understand you correctly: in the dns zone, let's call it company.work (where I have configured spf/dkim/dmarc for our nethserver), I will also have to configure the same records for the domain company.com, for which our external mailserver is responsible and through which our mailserver sends mails?

If the above is true, then it would be a small step to configure our nethserver to send mails directly for our external domain company.com, right? All it would need is that in the dns tool for the zone domain.com we add our nethserver’s IP and maybe also the corresponding dkim/spf/dmarc entries, right?

I started to doubt if the mails are sent through the external mailserver anyway. Can I send you a pm with a mailheader to be sure? I also will have to check the maillog to confirm that it's working as designed.

As far as I understand it you have to either configure your smarthost/external mailserver or your Nethserver for spf/dkim/dmarc.
Yes, just send the mailheader…

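To make the SPF side of this thread concrete, here is an added example (not code from the thread or from NethServer) that evaluates a simplified SPF record the way a receiving MTA does: only the IP of the host that actually connects to it (the last hop) is checked, never the internal relay IPs that appear further down in the Received: headers. The domains, IP addresses and SPF records are constructed assumptions; the evaluator handles only ip4/ip6 and "all" mechanisms, not include/a/mx lookups.

```python
import ipaddress

# Constructed assumptions: the smarthost's public IP is authorized for the
# external domain, the internal NethServer IP only for the internal domain.
SMARTHOST_IP = "203.0.113.10"
NETHSERVER_IP = "198.51.100.25"
SPF_RECORDS = {
    "company.com": "v=spf1 ip4:203.0.113.10 -all",      # external domain
    "company.work": "v=spf1 ip4:198.51.100.25 -all",    # internal domain
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(mail_from_domain, client_ip, records=SPF_RECORDS):
    """Evaluate the MAIL FROM domain's SPF record against client_ip, the
    address of the SMTP client that connected to the receiving MTA.
    Supports ip4:/ip6: mechanisms and 'all'; returns an SPF result string."""
    record = records.get(mail_from_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            # A mismatch in address family simply does not match.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # record ended without an 'all' term


def delivery_result(mail_from_domain, hops, records=SPF_RECORDS):
    """hops lists the sending hosts in order (internal relay first). Only the
    last hop connects to the recipient's MTA, so only its IP is SPF-checked;
    earlier hops are merely visible in Received: headers."""
    return check_spf(mail_from_domain, hops[-1], records)


if __name__ == "__main__":
    # Relayed through the smarthost: the NethServer IP in the headers is irrelevant.
    print(delivery_result("company.com", [NETHSERVER_IP, SMARTHOST_IP]))   # pass
    # Sent directly from the NethServer without changing company.com's record.
    print(delivery_result("company.com", [NETHSERVER_IP]))                 # fail
```

The second case is what adding the NethServer IP to the company.com SPF record would change; the first shows why relaying does not require it.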