Serving Email Part 2: Subdomains and DNS

This is part three of a six-part series on setting up an email server. It covers the subdomains you may want to set up and the DNS records that tell others where to find your servers and services.

Sub-Domains

Given a main domain named example.com, here are two configurations I will not be handling:

  • Your ISP handles the mail: example.com DNS entries point to the ISP's mail handlers. See your ISP's documentation.
  • You handle someone else's mail: their DNS entries and configuration files point to your servers. Do mail for yourself first, then worry about getting it right for third parties.

Here are some common configurations I will be covering:

  • All in one: everything is handled on example.com. If you set up all your DNS records correctly and support autoconfiguration, this works fine.
  • A single separate mail subdomain, usually mail.example.com, sometimes with a separate autoconfig subdomain, but usually not.
  • Separate servers for each protocol: pop.example.com, imap.example.com, smtp.example.com, usually plus separate autoconfiguration hosts autoconfig.example.com and/or autodiscover.example.com.

Some email clients probe these well-known subdomains directly, either before or after checking the DNS records for them. If your ability to create DNS records is limited, or if extra subdomains and TLS certificates for them are cheap, you may want option 2 or 3. Whichever names you choose, the certificate your mail server presents must cover the name the client actually connects to (mail.example.com, imap.example.com and so on), or clients will warn or refuse to connect. Most small operations will want option 1, in which case you can skip straight to your DNS records.

Otherwise:

Creating a Subdomain in Plesk

If you are using Plesk, create your subdomains in its interface. It will take care of creating the DNS entry linking the subdomain to the IP address and of creating the necessary entries in Apache.

In Plesk, in the "Websites & Domains" section (the main section), there is a button near the top:

Plesk Desktop with 'Add Subdomain' button circled

Press the "Add Subdomain" button, then fill in the subdomain and main domain. One can also change the sub-directory, and I usually do: the directory is created below the main domain anyway, so repeating the full domain name, "softwareschmiede-herndon.de/mail.softwareschmiede-herndon.de", seems a bit of overkill to me. Then click OK and it takes care of the rest.

You can then place the files you need below the directories you created for the respective subdomain(s).


Creating a Subdomain in cPanel

The documentation for creating a subdomain in cPanel is here. It is analogous to Plesk: it automatically creates the necessary DNS records, changes the Apache configuration and creates the base directory of the new subdomain.

You then place the files you need below the directories you created for the respective subdomain(s).


Creating a Subdomain with no panel (with Apache)

If you are not using a panel to control your subdomains, you can still roll your own. You will need to make the DNS entries linking the subdomain to your IP address (an A record, see below), and it makes sense to do that first, because resolvers take a while to pick the new name up.

Then add a <VirtualHost> section for the subdomain to your Apache configuration. On my current version of Ubuntu the main file is "/etc/apache2/apache2.conf"; the Debian and Ubuntu convention is to put each virtual host in its own file under "/etc/apache2/sites-available/", enable it with "a2ensite" and reload Apache, since apache2.conf includes everything in "sites-enabled". You can find examples on the Apache website here and documentation here.

Creating a domain under Windows

To create a subdomain under Windows without a VPS panel you need the DNS Server role of Windows Server (2003, 2008, 2012). Active Directory is not required for this: "dcpromo" promotes a machine to an Active Directory domain controller, and an AD domain is a different thing from a DNS subdomain, even though the wizard will also install DNS for you. Install the DNS Server role (from Server Manager, or with "Install-WindowsFeature DNS" in PowerShell on 2012 and later), open DNS Manager (dnsmgmt.msc), expand your forward lookup zone and add a "New Host (A or AAAA)" record for the subdomain pointing at your IP address. On Windows Server 2012 and later the same record can be created from PowerShell with "Add-DnsServerResourceRecordA -ZoneName example.com -Name mail -IPv4Address 192.0.2.10" (example values).

Once the subdomain resolves, you still have to let IIS "know" about it: open the Internet Information Services (IIS) Manager, found in the "Administrative Tools" section of the Control Panel.

Open the tree below the server that should receive the subdomain (on the left of the screen). Right-click on the subsection "Sites" and choose "Add Website..." from the menu. Fill in the site name, the physical path and, in the binding, the host name (the subdomain) so that IIS serves this site only for requests carrying that name, then confirm.


Your DNS Records.

DNS is the Domain Name System: a distributed "telephone book" that maps names to IP addresses and services. The name servers listed in your domain's NS records are authoritative for your zone; the parent zone (.de for my domain) delegates to them, and resolvers all over the internet query them and cache the answers for as long as each record's TTL allows. In the setup shown below, the master copy of the zone lives on the server itself and the provider's secondary name server pulls it with a zone transfer.

If you are creating subdomains or changing other DNS records, remember that resolvers keep serving the cached old answer until its TTL expires, so it can take hours, and with long TTLs a day or more, before everyone sees the change. If you know a change is coming, lower the TTL of the affected records well in advance.

Each DNS record has a short record type (A, MX, TXT, CNAME, ...) that specifies what kind of information the record holds.

Basic DNS Records

Below are the basic DNS records found on pretty much all servers. If you are creating a subdomain without a panel, you will need to create an A record for each subdomain; the other basic records should already be correct, but are included for completeness.

A Record - Address Record

The A record is the most essential record: it maps a (sub)domain name to an IPv4 address (the IPv6 equivalent is the AAAA record). Here are some entries from my own DNS records:

Host                                Record Type   Value
softwareschmiede-herndon.de.        A             5.35.246.86
blog.softwareschmiede-herndon.de.   A             5.35.246.86
mail.softwareschmiede-herndon.de.   A             5.35.246.86

Note the trailing dot: that is not a mistake. It marks the name as fully qualified. In a zone file a name without the trailing dot is relative and has the zone origin appended, which is how records like "mail.example.com.example.com." come about. Most panels add the dot for you.

If you are creating subdomains without a panel that takes care of DNS for you, you will need an A record for each of your subdomains. And don't forget the dot at the end.

PTR Record - Pointer Record

The PTR record is the reverse lookup: given an IP address, it answers with a name. It does not live in your zone but in the reverse zone for the address (86.246.35.5.in-addr.arpa for 5.35.246.86), which belongs to whoever owns the address block, usually your hosting provider. There is one per IP address, and if you share a server you will not be able to change it. It matters for mail: receiving servers look up the PTR of the connecting IP and then check that the name resolves back to that IP (forward-confirmed reverse DNS); mail from an address without a matching PTR is frequently rejected or scored as spam, so have your provider set it to your mail server's host name. The PTR record for my server:

Host                Record Type   Value
5.35.246.86 / 24    PTR           softwareschmiede-herndon.de.

NS Record - Name Server Record

The NS records delegate your zone to the named name servers. This is DNS bookkeeping: don't touch these unless you know what you're doing. These are my records, which probably won't mean much to you, but are essential for DNS lookups of my domains to work correctly. Whoever controls these servers controls every record in your zone, so they should be machines you or your provider administer, and the same names must be registered with your registrar as the delegation in the parent zone.

Host                           Record Type   Value
softwareschmiede-herndon.de.   NS            lvps5-35-246-86.dedicated.hosteurope.de.
softwareschmiede-herndon.de.   NS            ns2.hans.hosteurope.de.

CNAME Record - Canonical Name Record

The CNAME record specifies an alias. It is optional, but most servers have one or more. If a CNAME is found while looking up a name, the lookup is retried with the new name. A CNAME must be the only record at its name, so you cannot put one at the zone apex (which already carries SOA and NS records), and the targets of NS, MX and SRV records must be real host names with address records, not CNAMEs. An example from my server, aliasing "www." to the main domain:

Host                               Record Type   Value
www.softwareschmiede-herndon.de.   CNAME         softwareschmiede-herndon.de.

TXT Record - Text Record

A TXT record is a generic record that is used for many different things. One common use is site verification: proving to some entity that you control the domain by publishing a token it gave you:

Host                           Record Type   Value
softwareschmiede-herndon.de.   TXT           google-site-verification=kL8kHnq_Vi7Jjn9vgNqvfVrvQzn7trr0NN9oKDGbD8E

Another common use is the SPF record, which is relevant for email; see the TXT/SPF section below.

DNS Records relevant to eMail

You will want to create the following DNS records for your eMail server:

MX Record - Mail Exchange Record

The MX record names the server running the Mail Transfer Agent (MTA) that accepts mail for the domain. Publish one even if you have no separate mail server: without it, sending servers fall back to the domain's A record (RFC 5321), but autoconfiguration, the "mx" mechanism of SPF and many tools expect an explicit MX and get it wrong when there is none.

Large operations have several mail servers per domain and hence several MX records; you will only want one. The number in parentheses is the preference: sending servers try the lowest value first, and it is ignored when there is only one. The target must be a host name with an A record, not a CNAME and not a bare IP address.

Host                           Record Type   Value
softwareschmiede-herndon.de.   MX (10)       softwareschmiede-herndon.de.

Note that I do not have a separate mail server. If I did, the mail server's name would be on the right under Value.

SPF Record - Sender Policy Framework Record

The dedicated SPF record type (type 99) was deprecated by RFC 7208 in favour of a TXT record with the same contents. Old ones still exist; publish the TXT form below, and if you keep both, keep them identical.

TXT/SPF Record - Text / Sender Policy Framework Record

SPF is an email validation system that lets receiving servers catch spoofed senders: your record lists which servers may send mail with your domain as the envelope sender (the SMTP MAIL FROM address, which is not necessarily the From: header the user sees).

Your panel probably takes care of this for you. If it doesn't, you'll want to duplicate the record below with your domain substituted on the left. It reads: mail from the domain's own A address ("a") or from any host named in its MX records ("mx") passes; everything else fails ("-all" is a hard fail; "~all" would be a softer request to treat such mail with suspicion). The "+" is the default qualifier and can be left out. If anything else legitimately sends mail for your domain (a newsletter service, your ISP's relay), it has to be listed too, typically with "include:", or its mail will be rejected. My TXT/SPF record:

Host                           Record Type   Value
softwareschmiede-herndon.de.   TXT           v=spf1 +a +mx -all

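What a receiving mail server actually does with these records, as an added example that is not part of the original post: a forward-confirmed reverse DNS check of the connecting IP (the PTR section above) and an SPF evaluation of the envelope sender domain (this section). The resolver is a constructed in-memory table holding this page's records plus a hypothetical example.net with an "include:" and a "~all" policy; the function names and the accept/reject policy at the end are my own choices, not any particular MTA's.

```python
import ipaddress

# Constructed stand-in for a resolver: this page's records plus a hypothetical
# example.net. A real MTA would query DNS here (e.g. with dnspython).
RECORDS = {
    ("softwareschmiede-herndon.de", "A"):   ["5.35.246.86"],
    ("softwareschmiede-herndon.de", "MX"):  [(10, "softwareschmiede-herndon.de")],
    ("softwareschmiede-herndon.de", "TXT"): ["v=spf1 +a +mx -all"],
    ("86.246.35.5.in-addr.arpa", "PTR"):    ["softwareschmiede-herndon.de"],
    ("example.net", "A"):   ["198.51.100.7"],
    ("example.net", "TXT"): ["v=spf1 ip4:198.51.100.0/24 include:softwareschmiede-herndon.de ~all"],
}


def lookup(name, rtype):
    """Return the records of one type at a name; names are case-insensitive and
    the trailing dot is optional, as in real DNS."""
    return RECORDS.get((name.rstrip(".").lower(), rtype), [])


def fcrdns(ip):
    """Forward-confirmed reverse DNS: the PTR for ip must name a host whose A
    records contain ip again. Returns that host name, or None."""
    for host in lookup(ipaddress.ip_address(ip).reverse_pointer, "PTR"):
        if ip in lookup(host, "A"):
            return host
    return None


QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(ip, domain, depth=0):
    """Evaluate domain's SPF policy for a connection from ip. RFC 7208 subset:
    mechanisms a, mx, ip4, ip6, include, all with the four qualifiers.
    Returns pass / fail / softfail / neutral / none / permerror."""
    if depth > 10:                                   # RFC 7208 caps DNS-querying terms
        return "permerror"
    policies = [t for t in lookup(domain, "TXT") if t.split(" ", 1)[0] == "v=spf1"]
    if len(policies) != 1:                           # none published, or ambiguous
        return "none" if not policies else "permerror"
    addr = ipaddress.ip_address(ip)
    for term in policies[0].split()[1:]:
        if "=" in term:
            continue                                 # modifiers (redirect=, exp=) not implemented here
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            hit = True
        elif mech in ("ip4", "ip6"):
            hit = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            hit = ip in lookup(arg or domain, "A")
        elif mech == "mx":
            hit = any(ip in lookup(host, "A") for _, host in lookup(arg or domain, "MX"))
        elif mech == "include":                      # included policy must itself return pass
            hit = spf_check(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"                       # exists:, ptr: and unknown mechanisms
        if hit:
            return QUALIFIERS[qual]
    return "neutral"                                 # nothing matched and no 'all' term


def inbound_check(ip, mail_from_domain):
    """What a receiving MTA derives from the sender's DNS at MAIL FROM time.
    Policy (my choice for this example): reject on SPF hard fail or when the
    connecting IP has no forward-confirmed PTR."""
    host = fcrdns(ip)
    spf = spf_check(ip, mail_from_domain)
    return {"ptr": host, "spf": spf, "accept": host is not None and spf != "fail"}


if __name__ == "__main__":
    for ip, dom in [("5.35.246.86", "softwareschmiede-herndon.de"),
                    ("203.0.113.9", "softwareschmiede-herndon.de"),
                    ("203.0.113.9", "example.net")]:
        print(ip, dom, inbound_check(ip, dom))
```

The two decisions worth noticing: "include:" only counts as a match when the included domain's policy returns "pass" (its "-all" does not turn into a fail for the including domain), and with "~all" an unknown sender gets "softfail", which this policy still accepts; only "-all" produces a hard rejection.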
SRV Record - Service Locator Record

These records have an unusual format and are used to locate specific services such as SMTP submission and IMAP (RFC 2782 defines the record, RFC 6186 the names that mail clients look for). The format is:

_(service)._(protocol).(domain) <TTL> <class> SRV <priority> <weight> <port> <target>

The underscore is not valid in a host name, so these names can never collide with a real host and are used only for service lookup. Clients take the record with the lowest priority, use the weights to spread load among records of equal priority, and connect to the target on the given port. The service name also tells the client how to do TLS: _submission (port 587), _imap (143) and _pop3 (110) mean "connect in the clear and upgrade with STARTTLS", while _submissions (465, added by RFC 8314), _imaps (993) and _pop3s (995) mean TLS from the first byte. Pair the name with the matching port: a _submission record pointing at 465, as in the records below, confuses a client that takes the name at its word.

My SRV records, specifying my SMTP server and IMAP server respectively (TTL and class are not set explicitly and default to the zone's $TTL and IN):

Host                                            TTL   class   Record Type   priority   weight   port   Value
_submission._tcp.softwareschmiede-herndon.de.   -     -       SRV           0          10       465    softwareschmiede-herndon.de.
_imap._tcp.softwareschmiede-herndon.de.         -     -       SRV           0          10       143    softwareschmiede-herndon.de.
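How a mail client consumes these records, as an added example that is not from the original post: the RFC 2782 ordering by priority and weight, the RFC 6186 lookup order for a role (trying the implicit-TLS names first), and a check that each record's port matches what its service name promises. The record table is constructed (this page's two records plus a hypothetical example.net with three submission hosts); the function names are mine.

```python
import random
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")

# Constructed records: the two from this page, plus a hypothetical example.net
# that publishes several _submissions hosts so that priority and weight matter.
SRV_RECORDS = {
    "_submission._tcp.softwareschmiede-herndon.de": [SRV(0, 10, 465, "softwareschmiede-herndon.de")],
    "_imap._tcp.softwareschmiede-herndon.de":       [SRV(0, 10, 143, "softwareschmiede-herndon.de")],
    "_submissions._tcp.example.net": [SRV(0, 70, 465, "smtp1.example.net"),
                                      SRV(0, 30, 465, "smtp2.example.net"),
                                      SRV(10, 0, 465, "backup.example.net")],
}

# RFC 6186 service names in the order a client should try them (the "...s"
# names mean TLS from the first byte, the others mean STARTTLS), and the port
# each name conventionally implies.
SERVICES = {
    "submission": ["_submissions._tcp", "_submission._tcp"],
    "imap":       ["_imaps._tcp", "_imap._tcp"],
    "pop3":       ["_pop3s._tcp", "_pop3._tcp"],
}
EXPECTED_PORT = {"_submissions._tcp": 465, "_submission._tcp": 587,
                 "_imaps._tcp": 993, "_imap._tcp": 143,
                 "_pop3s._tcp": 995, "_pop3._tcp": 110}


def rfc2782_order(records, rng):
    """Order records the way RFC 2782 tells clients to: lowest priority first;
    within one priority, draw repeatedly at random with probability
    proportional to weight (zero-weight records go first in the pool, so they
    are only chosen when the draw is 0)."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight)
        while pool:
            pick, running = rng.randint(0, sum(r.weight for r in pool)), 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(pool.pop(pool.index(r)))
                    break
    return ordered


def locate(role, domain, seed=None):
    """Candidate (target, port, implicit_tls) tuples for a role, best first.
    A target of "." means the domain explicitly does not offer the service."""
    rng = random.Random(seed)
    candidates = []
    for service in SERVICES[role]:
        implicit_tls = service.split(".")[0].endswith("s")
        for r in rfc2782_order(SRV_RECORDS.get(f"{service}.{domain}", []), rng):
            if r.target != ".":
                candidates.append((r.target, r.port, implicit_tls))
    return candidates


def port_warnings(records=SRV_RECORDS):
    """Flag records whose port contradicts the service name: a client that reads
    _submission opens a plaintext SMTP session and tries STARTTLS, which fails
    against an implicit-TLS listener such as port 465."""
    warnings = []
    for name, recs in records.items():
        service = ".".join(name.split(".")[:2])
        for r in recs:
            expected = EXPECTED_PORT.get(service)
            if expected and r.port != expected:
                warnings.append(f"{name}: port {r.port}, but {service} conventionally means port {expected}")
    return warnings


if __name__ == "__main__":
    print(locate("submission", "softwareschmiede-herndon.de"))
    print(locate("submission", "example.net", seed=7))
    print("\n".join(port_warnings()))
```

Run against this page's records, port_warnings() reports the _submission record on 465; the fix is either to move the record to 587 or to rename it _submissions._tcp.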

Now that you know which records you need, we'll cover how to view and edit your DNS records. I cover four configurations: Plesk, cPanel, Ubuntu without a panel, and Windows.

DNS in Plesk
Plesk with DNS Settings circled

Under Plesk, go to "Websites & Domains" (home), scroll to the domain for which you wish to change the DNS records, then click on "DNS Settings" (circled in red in the image).

Plesk DNS Settings with Add Record circled and IMAP SRV record circled

There you can add new records by clicking on "Add Record", or edit existing records by clicking on the "Host" part of the record you want to change, like the IMAP SRV record circled in the image.

After you have made changes, an "Update" button will appear at the top. When you are done making changes, click on the "Update" button, and when that is done, click on the "Apply DNS Template" button.

Full documentation for DNS under Plesk is here.

DNS in cPanel

Documentation for changing DNS records in cPanel is here.

DNS in Ubuntu (no panel)

Under Ubuntu the DNS records are served by BIND (package bind9). Full documentation can be found here. Below is a quick-start guide:

With the stock Ubuntu package the configuration lives in "/etc/bind/named.conf", which includes named.conf.options and named.conf.local (where your own zones go). Panels such as Plesk, and Red Hat-style systems, use "/etc/named.conf" instead. If neither exists, use "whereis named" to find the binary and its configuration. Use "ls -l" to see whether the file is a symbolic link:

me@myserver.com:~$ ls -l /etc/named.conf
lrwxrwxrwx 1 root root 34 Dec  6 10:36 /etc/named.conf -> /var/named/run-root/etc/named.conf

Look at the contents of named.conf: if it says something like "THE FOLLOWING LINES WERE GENERATED BY PLESK", then do not edit it, but rather use the program which generated it to make changes: anything you do in such files will likely be overwritten.

The beginning of the file contains sections for options, key and controls. In the options section there should be an entry for directory:

options {
    listen-on-v6 { any; };
    allow-recursion {
        localhost;
    };
    version "none";
    directory "/var"; // <-----------------
    auth-nxdomain no;
    pid-file "/var/run/named/named.pid";
};

If named.conf is not a link, that directory is the zone-file directory. If it is a link, as in the example, BIND is running in a chroot jail and the path is relative to the chroot: in the example, "/var/named/run-root/var" is the zone-file directory. Two other lines in this block are worth keeping as they are: "allow-recursion { localhost; };" stops the server answering recursive queries for the whole internet (an open resolver is a ready-made DNS amplification tool), and "version "none";" hides the BIND version from anyone asking for "version.bind" in the CHAOS class with dig.

The rest of named.conf will probably be the zones, which should look something like this:

zone "softwareschmiede-herndon.de" {
    type master;
    file "softwareschmiede-herndon.de";
    allow-transfer {
        5.35.246.86;
        80.237.128.10;
        common-allow-transfer;
    };
};

The "allow-transfer" list names the hosts allowed to request a full copy of the zone (AXFR). The two IP addresses are the name servers from the NS records (the secondary has to pull the zone from this master), and "common-allow-transfer" is an ACL defined elsewhere in the configuration. Leave it restricted: a zone transfer hands out every record in the zone at once, which is a gift to anyone mapping your infrastructure. The rest of the information is in the file named by "file", in this example "softwareschmiede-herndon.de", which is found in the zone-file directory.

The zone file (softwareschmiede-herndon.de) should look something like this:

$TTL    86400

@       IN      SOA     lvps5-35-246-86.dedicated.hosteurope.de. wdh.softwareschmiede-herndon.de. (
                        1481981362      ; Serial
                        10800           ; Refresh
                        3600            ; Retry
                        604800          ; Expire
                        10800 )         ; Minimum

softwareschmiede-herndon.de.                    IN NS     lvps5-35-246-86.dedicated.hosteurope.de.
softwareschmiede-herndon.de.                    IN NS     ns2.hans.hosteurope.de.
ipv4.softwareschmiede-herndon.de.               IN A      5.35.246.86
softwareschmiede-herndon.de.                    IN A      5.35.246.86
blog.softwareschmiede-herndon.de.               IN A      5.35.246.86
ftp.softwareschmiede-herndon.de.                IN CNAME  softwareschmiede-herndon.de.
www.softwareschmiede-herndon.de.                IN CNAME  softwareschmiede-herndon.de.
softwareschmiede-herndon.de.                    IN MX     10 softwareschmiede-herndon.de.
softwareschmiede-herndon.de.                    IN TXT    "v=spf1 +a +mx -all"
_imap._tcp.softwareschmiede-herndon.de.         IN SRV    0 10 143 softwareschmiede-herndon.de.
_submission._tcp.softwareschmiede-herndon.de.   IN SRV    0 10 465 softwareschmiede-herndon.de.

The format of the different records is evident in the example. The second name on the SOA line is the administrator's mail address with the "@" replaced by a dot. When done making changes, increase the number marked "; Serial": the secondary name server only fetches a new copy when the serial is higher than the one it already holds, so without the bump your change never leaves this server. Some recommend generating it from the date, "YYYYMMDD##"; the serial in the example is a Unix timestamp, another common choice. It doesn't really matter as long as it increases (it is a 32-bit counter, so don't jump it absurdly high). Then check the file with "named-checkzone softwareschmiede-herndon.de <zone-file>" and load it with "rndc reload softwareschmiede-herndon.de" (or restart bind9).
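A pre-reload sanity check for a zone file like the one above, as an added example that is not part of the original post. It parses the listing (embedded here as a constructed string, together with a deliberately broken variant) and reports the mistakes this page warns about: a serial that was not increased, a name missing its trailing dot, an MX or SRV target that is a CNAME or has no address record, a CNAME sharing a name with other records, and a missing or duplicated SPF or MX at the origin. It understands only the master-file features the listing uses; the function names are mine.

```python
# The zone from the listing above, embedded as a constructed sample so the
# checker runs offline; ORIGIN is the zone name from named.conf.
ORIGIN = "softwareschmiede-herndon.de."
ZONE_TEXT = """\
$TTL    86400
@   IN  SOA lvps5-35-246-86.dedicated.hosteurope.de. wdh.softwareschmiede-herndon.de. (
        1481981362  ; Serial
        10800       ; Refresh
        3600        ; Retry
        604800      ; Expire
        10800 )     ; Minimum
softwareschmiede-herndon.de.                   IN NS    lvps5-35-246-86.dedicated.hosteurope.de.
softwareschmiede-herndon.de.                   IN NS    ns2.hans.hosteurope.de.
ipv4.softwareschmiede-herndon.de.              IN A     5.35.246.86
softwareschmiede-herndon.de.                   IN A     5.35.246.86
blog.softwareschmiede-herndon.de.              IN A     5.35.246.86
ftp.softwareschmiede-herndon.de.               IN CNAME softwareschmiede-herndon.de.
www.softwareschmiede-herndon.de.               IN CNAME softwareschmiede-herndon.de.
softwareschmiede-herndon.de.                   IN MX    10 softwareschmiede-herndon.de.
softwareschmiede-herndon.de.                   IN TXT   "v=spf1 +a +mx -all"
_imap._tcp.softwareschmiede-herndon.de.        IN SRV   0 10 143 softwareschmiede-herndon.de.
_submission._tcp.softwareschmiede-herndon.de.  IN SRV   0 10 465 softwareschmiede-herndon.de.
"""
# Deliberately broken variant (constructed): MX target without its trailing dot,
# plus an A record at a name that already carries a CNAME.
BROKEN_ZONE = ZONE_TEXT.replace("10 softwareschmiede-herndon.de.", "10 mail.softwareschmiede-herndon.de") \
    + "www.softwareschmiede-herndon.de.               IN A     5.35.246.86\n"

HOST_FIELD = {"SOA": 0, "NS": 0, "CNAME": 0, "MX": 1, "SRV": 3}   # index of the host name in rdata


def parse_zone(text, origin):
    """Minimal master-file parser: $TTL, '@', ';' comments and '( ... )' spanning
    lines. Returns (owner, TYPE, rdata_tokens) triples with owners as written."""
    records, buf, depth, last_owner = [], [], 0, origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth > 0:
            continue                                  # still inside parentheses
        joined, buf = " ".join(buf), []
        tokens = joined.replace("(", " ").replace(")", " ").split()
        if tokens[0].startswith("$"):
            continue                                  # $TTL and similar directives
        owner = last_owner if joined[0] in " \t" else tokens.pop(0)
        owner = origin if owner == "@" else owner
        if tokens[0].isdigit():
            tokens.pop(0)                             # optional per-record TTL
        if tokens[0].upper() == "IN":
            tokens.pop(0)                             # class
        records.append((owner, tokens.pop(0).upper(), tokens))
        last_owner = owner
    return records


def check_zone(text, origin, previous_serial=None):
    """Return a list of problems worth catching before 'rndc reload'."""
    records = parse_zone(text, origin)
    types_at = {}
    for owner, rtype, _ in records:
        types_at.setdefault(owner, set()).add(rtype)
    problems = []
    soa = [rdata for owner, rtype, rdata in records if owner == origin and rtype == "SOA"]
    if len(soa) != 1:
        problems.append("zone needs exactly one SOA at the origin")
    elif previous_serial is not None and int(soa[0][2]) <= previous_serial:
        problems.append(f"serial {soa[0][2]} not increased (was {previous_serial}); secondaries will not refetch")
    for owner, rtype, rdata in records:
        if rtype not in HOST_FIELD:
            continue
        target = rdata[HOST_FIELD[rtype]]
        if not target.endswith("."):
            if "." in target:
                problems.append(f"{rtype} at {owner}: '{target}' lacks the trailing dot and becomes {target}.{origin}")
            target = f"{target}.{origin}"             # BIND appends the origin to relative names
        in_zone = target == origin or target.endswith("." + origin)
        if rtype == "SOA" or not in_zone:
            continue                                  # names outside the zone can't be verified offline
        found = types_at.get(target, set())
        if rtype in ("NS", "MX", "SRV") and "CNAME" in found:
            problems.append(f"{rtype} at {owner} points at CNAME {target} (RFC 2181 s.10.3 / RFC 2782 forbid this)")
        elif not found & {"A", "AAAA", "CNAME"}:
            problems.append(f"{rtype} at {owner}: target {target} has no address record in this zone")
    for owner, found in types_at.items():
        if "CNAME" in found and found != {"CNAME"}:
            problems.append(f"{owner} has a CNAME next to {sorted(found - {'CNAME'})}; a CNAME must stand alone")
    spf = [r for owner, rtype, r in records
           if owner == origin and rtype == "TXT" and " ".join(r).strip('"').startswith("v=spf1")]
    if len(spf) != 1:
        problems.append(f"expected exactly one SPF TXT record at {origin}, found {len(spf)}")
    if "MX" not in types_at.get(origin, set()):
        problems.append(f"no MX record at {origin}")
    return problems


if __name__ == "__main__":
    print(check_zone(ZONE_TEXT, ORIGIN, previous_serial=1481981361))        # []
    print("\n".join(check_zone(BROKEN_ZONE, ORIGIN, previous_serial=1481981362)))
```

Run named-checkzone afterwards anyway: it validates the full master-file syntax, which this script does not attempt.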

DNS under Microsoft Windows

Managing DNS under Windows without a VPS panel is too complicated to cover here. Here is an overview of DNS for Windows Server 2008.

In Closing

If you can't change your DNS records or have only limited ability to do so, don't sweat it as far as mail clients are concerned: most client software does not query your DNS directly. Even Thunderbird, when it is looking up an MX record, does not look it up directly, but rather uses HTTPS to ask a service to do the lookup for it. The mail servers you talk to are another matter: every sending MTA uses your MX record to find you, and receiving MTAs check your SPF and PTR records, so those still have to be right for mail to flow.

Thank you for reading my blog post!

Copyright © 2016 William David Herndon. All rights reserved.
