Tuesday, May 19, 2020

DNS record types needed for MTA server



Types of needed DNS records (as an example I'll use mysubd.webredirect.org):
  • A record - points mysubd.webredirect.org to a fixed IP address
  • MX record - points mysubd.webredirect.org to a mail server. This type of record is specific to mail: it can co-exist with A records, and its only use is routing mail to a different host. Sending mail servers look for this record first before attempting to deliver a message. If no MX record exists for the domain, delivery is attempted directly to the IP address the domain name resolves to (the "implicit MX" rule of RFC 5321); a domain that should receive no mail at all can say so explicitly with a null MX record, "MX 0 ." (RFC 7505).
  • PTR record - used to perform a reverse DNS lookup (maps an IP address to a hostname)
  • FCrDNS (Forward-Confirmed rDNS) - you have FCrDNS when the PTR record for your IP address names your mail host (mail.mysubd.webredirect.org) and that host's A record resolves back to the same IP address. Many receiving servers check this and treat mail from hosts without it as suspect, so the two records must agree.
  • SPF record - advertises which machines are allowed to send mail on behalf of my domain
  • DKIM - an email authentication technique: the sending server signs each message with a private key, and the receiver fetches the matching public key from the domain's DNS to check that the message was authorized by the domain owner and has not been modified in transit.
  • DMARC - a policy the domain owner publishes in DNS. It tells receiving mail servers what to do with messages whose From: domain fails both SPF and DKIM (accept them anyway, quarantine them into spam, or reject them) and where to send reports about such messages. Most notably it allows instructing receivers to reject such senders.
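The routing and FCrDNS rules described in the list above, as an added example that is not code from the original post: a resolver-agnostic mail_targets() that applies the MX-then-A rule including the null MX case, and forward_confirmed_rdns() that checks the PTR and A records agree. The ZONE data, the 192.0.2.0/24 addresses (documentation range) and the nomx.example / nullmx.example names are constructed for the example; socket_lookup runs the same functions against live DNS for A and PTR only (MX would need a DNS library such as dnspython, which is not used here).

```python
import socket

# Constructed zone data for the example (not real DNS answers). Names follow the
# post's mysubd.webredirect.org example; addresses are from the documentation
# range 192.0.2.0/24, and the PTR entries are keyed by their reverse-zone name.
ZONE = {
    ("mysubd.webredirect.org", "MX"): [(10, "mail.mysubd.webredirect.org")],
    ("mail.mysubd.webredirect.org", "A"): ["192.0.2.25"],
    ("25.2.0.192.in-addr.arpa", "PTR"): ["mail.mysubd.webredirect.org"],
    ("nomx.example", "A"): ["192.0.2.30"],                          # no MX: implicit MX
    ("30.2.0.192.in-addr.arpa", "PTR"): ["vps-30.hosting.example"],  # PTR without matching A
    ("nullmx.example", "MX"): [(0, ".")],                            # null MX: accepts no mail
}


def zone_lookup(name, rtype):
    return ZONE.get((name.lower().rstrip("."), rtype), [])


def reverse_name(ip):
    """192.0.2.25 -> 25.2.0.192.in-addr.arpa, the name `dig -x` and `host` query."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def mail_targets(domain, lookup=zone_lookup):
    """Hosts an SMTP client tries for mail to `domain`, in preference order:
    the MX hosts; with no MX at all, the domain itself if it has an address
    (implicit MX, RFC 5321); nothing for a null MX ("MX 0 .", RFC 7505)."""
    mx = sorted(lookup(domain, "MX"))
    if mx == [(0, ".")]:
        return []
    if mx:
        return [host.rstrip(".") for _, host in mx]
    return [domain] if lookup(domain, "A") else []


def forward_confirmed_rdns(ip, lookup=zone_lookup):
    """FCrDNS: the PTR for the IP names a host whose A record contains that same
    IP. Returns the confirmed hostname, or None when the two records disagree."""
    for name in lookup(reverse_name(ip), "PTR"):
        if ip in lookup(name, "A"):
            return name.rstrip(".")
    return None


def socket_lookup(name, rtype):
    """Live lookups using only the standard library: A and PTR (MX would need a
    DNS library such as dnspython). Unknown names return [] like an empty answer."""
    try:
        if rtype == "A":
            return socket.gethostbyname_ex(name)[2]
        if rtype == "PTR":
            ip = ".".join(reversed(name.split(".")[:4]))
            return [socket.gethostbyaddr(ip)[0]]
    except OSError:
        pass
    return []


if __name__ == "__main__":
    for domain in ("mysubd.webredirect.org", "nomx.example", "nullmx.example"):
        print(domain, "->", mail_targets(domain) or "no mail accepted")
    for ip in ("192.0.2.25", "192.0.2.30"):
        print(ip, "FCrDNS:", forward_confirmed_rdns(ip) or "not confirmed")
```

To check your own server, call forward_confirmed_rdns("yourIPaddress", socket_lookup): it returns the confirmed hostname or None, which is the same question that running `host yourIPaddress` and then `host <the name it returns>` answers by hand.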


  • Adding DNS records

    Check that the server IP address is not on a spam blocklist (the records below will not help an address that already has a bad reputation):
    https://mxtoolbox.com/blacklists.aspx
    https://www.senderscore.org/

    If you don't have your own domain registered with a DNS host, register one at https://www.dynu.com (the records below are written in the zone-file syntax used by Linux name servers, but the approach is the same for any DNS provider).

    Add the subdomains and the needed records:

    A record:
    1. mail.mysubd.webredirect.org IN  A yourIPaddress
    2. Check:
      1. host mail.mysubd.webredirect.org
      2. dig -t A mail.mysubd.webredirect.org +short
    MX record:
    1. mysubd.webredirect.org. IN MX 10 mail.mysubd.webredirect.org.
    2. Check:
      1. dig -t MX mysubd.webredirect.org +short
    PTR record:
    1. yourIPaddress IN PTR mail.mysubd.webredirect.org (the record actually lives in the reverse zone, under the in-addr.arpa name of your IP address, e.g. 25.2.0.192.in-addr.arpa for 192.0.2.25)
    2. The reverse zone belongs to whoever owns the IP block, so usually this must be set up by your ISP or hosting provider on request
    3. Check:
      1. host yourIPaddress
    SPF record:
    1. Receivers look for SPF in a TXT record. The dedicated SPF record type (type 99) was deprecated by RFC 7208, so the TXT record is the one that matters; publishing the SPF type as well does no harm if your DNS host allows it, but it is not needed. Below I allow sending mail only from the hosts named in my domain's MX records:
      1. mysubd.webredirect.org.  IN TXT  "v=spf1 +mx -all"
      2. mysubd.webredirect.org.  IN SPF  "v=spf1 +mx -all"
      3. Options described:
        1. v=spf1 > use SPF v1
        2. + > allow (the default qualifier, so "mx" alone means the same)
        3. mx > the hosts named in mysubd.webredirect.org's MX records, resolved to their addresses
        4. - > deny
        5. all > every sender not matched by an earlier mechanism, so "-all" rejects everything else ("~all" would only mark it as softfail)
      4. Check:
        1. https://mxtoolbox.com/spf.aspx
    DKIM (key length: RFC 8301 recommends 2048-bit RSA keys and 1024 bits is the minimum; the practical problem with longer keys is not receiver support but the DNS record, since a 2048-bit public key no longer fits in one 255-character TXT string and has to be split into several quoted strings, which some DNS hosting panels cannot do. Use 2048 if your DNS host can publish it, 1024 otherwise):
    1. create a directory to hold the keys:  mkdir -p /etc/mail/dkim
    2. Generate the keypair and extract the public key out of the private key
      1. openssl genrsa -out /etc/mail/dkim/mysubd.webredirect.org.key 1024
      2. openssl rsa -in /etc/mail/dkim/mysubd.webredirect.org.key -pubout -out /etc/mail/dkim/mysubd.webredirect.org.pub
    3. Add DKIM record:
      1. 20200514._domainkey.mysubd.webredirect.org. IN TXT "v=DKIM1;k=rsa;p=addContentOfPublicKeyHere;"
      2. ; is the delimiter between tags
      3. p - the body of the .pub file with the -----BEGIN/END PUBLIC KEY----- lines and all line breaks removed (one continuous base64 string)
      4. 20200514 - selector (I used just YYYYMMDD of the key generation date, but you can use anything you want; a new selector per key lets you publish the next key before switching the signer to it)
    4. Check:
      1. https://dkimcore.org/tools/
    DMARC record:
    1. _dmarc.mysubd.webredirect.org.   IN TXT    "v=DMARC1;p=none;pct=100;rua=mailto:postmaster@mysubd.webredirect.org;"
      1. p > what to do with mail that fails both SPF and DKIM (none - only report / quarantine - treat as spam / reject - refuse the mail)
      2. pct > percentage of failing mail the policy is applied to; the rest gets the next weaker policy (useful for a gradual roll-out)
      3. rua > address that receives the aggregate reports (most receivers send them daily); start with p=none, read the reports until every legitimate source passes, then move to quarantine and finally reject
    2. Check:
      1. https://dmarcian.com/dmarc-inspector/
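How the p= value of the DKIM record is produced from the .pub file, and why the key length matters for the record, as an added example that is not code from the original post: it strips the PEM armour, cuts the TXT value into strings of at most 255 characters (the DNS limit per string; a 2048-bit public key is 392 base64 characters, so the record cannot fit in one string, which is the real reason 1024-bit keys "just work" in simple DNS panels), writes the zone line in the post's style, and parses the record back the way a verifier does. The sample key is constructed filler of the right size, not a real RSA key, and the selector/domain are the post's own.

```python
import base64


def make_sample_pem(der_size):
    """Construct a stand-in for a .pub file: `der_size` bytes of filler, base64
    encoded and wrapped at 64 columns the way openssl writes PEM. NOT a real key;
    only its length matters here (162 bytes = DER of a 1024-bit RSA public key,
    294 bytes = DER of a 2048-bit one)."""
    filler = bytes(i % 256 for i in range(der_size))
    b64 = base64.b64encode(filler).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PUBLIC KEY-----\n" + wrapped + "\n-----END PUBLIC KEY-----\n"


SAMPLE_PUB_PEM = make_sample_pem(294)   # same size as a .pub for a 2048-bit key


def pem_body(pem_text):
    """The base64 body of a PEM public key, i.e. exactly what goes into p=."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if lines[0] != "-----BEGIN PUBLIC KEY-----" or lines[-1] != "-----END PUBLIC KEY-----":
        raise ValueError("expected the output of `openssl rsa -pubout`")
    body = "".join(lines[1:-1])
    base64.b64decode(body, validate=True)   # fail early on stray characters
    return body


def dkim_txt_strings(pem_text, max_len=255):
    """The record value cut into <character-string>s of at most 255 characters,
    because that is the DNS limit per string; verifiers join them before parsing."""
    value = "v=DKIM1; k=rsa; p=" + pem_body(pem_text)
    return [value[i:i + max_len] for i in range(0, len(value), max_len)]


def dkim_zone_line(selector, domain, pem_text):
    """Zone-file line in the post's style; several strings inside ( ) are one record."""
    strings = " ".join('"%s"' % s for s in dkim_txt_strings(pem_text))
    return "%s._domainkey.%s. IN TXT ( %s )" % (selector, domain.rstrip("."), strings)


def parse_dkim_record(strings):
    """What a verifier does with the answer: join the strings, split the tags
    and decode p= back into the DER public key."""
    txt = "".join(strings)
    tags = dict(part.strip().split("=", 1) for part in txt.split(";") if "=" in part)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported DKIM record")
    return tags, base64.b64decode(tags["p"], validate=True)


if __name__ == "__main__":
    print(dkim_zone_line("20200514", "mysubd.webredirect.org", SAMPLE_PUB_PEM))
```

With a real key, read /etc/mail/dkim/mysubd.webredirect.org.pub into pem_text instead of SAMPLE_PUB_PEM. After publishing, `dig -t TXT 20200514._domainkey.mysubd.webredirect.org +short` shows the quoted strings exactly as the zone line lists them; passing that list to parse_dkim_record() confirms the key survived the DNS panel intact.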

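The receiver-side evaluation that the SPF and DMARC records above are written for, as an added example that is not code from the original post and is not a production verifier: a small SPF evaluator covering the mechanisms used on this page (mx, all) plus ip4/ip6 and a, and the DMARC decision a receiver makes from the SPF/DKIM results, identifier alignment and the p= and pct= tags. The ZONE data, the 192.0.2.0/24 addresses and the soft.example / strict.example domains are constructed for the example; the organizational-domain logic is simplified to the last two labels, where real receivers use the Public Suffix List.

```python
import ipaddress

# Constructed zone data for the example (not real DNS answers). Names follow the
# post's mysubd.webredirect.org example, addresses come from the documentation
# range 192.0.2.0/24, and soft.example / strict.example are made-up domains.
ZONE = {
    ("mysubd.webredirect.org", "TXT"): ["v=spf1 +mx -all"],
    ("mysubd.webredirect.org", "MX"): [(10, "mail.mysubd.webredirect.org")],
    ("mysubd.webredirect.org", "A"): ["192.0.2.10"],   # web host, not a mail host
    ("mail.mysubd.webredirect.org", "A"): ["192.0.2.25"],
    ("_dmarc.mysubd.webredirect.org", "TXT"):
        ["v=DMARC1;p=none;pct=100;rua=mailto:postmaster@mysubd.webredirect.org;"],
    ("soft.example", "TXT"): ["v=spf1 ip4:192.0.2.0/28 ~all"],
    ("_dmarc.strict.example", "TXT"): ["v=DMARC1; p=reject; pct=50; adkim=s; aspf=s"],
}


def lookup(name, rtype):
    return ZONE.get((name.lower().rstrip("."), rtype), [])


QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check_host(ip, domain, lookup=lookup):
    """Evaluate the domain's SPF record for a connecting IP (RFC 7208 result
    names). Handles the ip4/ip6, a, mx and all mechanisms; anything else
    (include, redirect, exists, ptr) is reported as permerror here."""
    records = [t for t in lookup(domain, "TXT") if t.split(" ", 1)[0] == "v=spf1"]
    if len(records) != 1:               # none, or several (which receivers reject)
        return "none" if not records else "permerror"
    ip = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"                  # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech in ("a", "mx"):
            target = arg or domain
            hosts = [target] if mech == "a" else [h for _, h in lookup(target, "MX")]
            matched = any(ipaddress.ip_address(addr) == ip
                          for h in hosts for addr in lookup(h, "A") + lookup(h, "AAAA"))
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # record ran out without any match


def org_domain(name):
    # Simplification: last two labels. Real receivers consult the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match with the
    From: domain, relaxed ('r', the default) only the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                      lookup=lookup, sample=100):
    """Return (dmarc_result, action) for one message. spf_domain is the domain
    SPF was checked against (MAIL FROM), dkim_domain the d= of a valid signature.
    `sample` stands in for the receiver's random 1..100 draw that implements pct:
    draws above pct get the next weaker policy (RFC 7489 section 6.6.4)."""
    records = [t for t in lookup("_dmarc." + from_domain, "TXT") if t.startswith("v=DMARC1")]
    if len(records) != 1:
        return "none", "none"            # no policy published: nothing to enforce
    policy = dict(part.strip().split("=", 1) for part in records[0].split(";") if "=" in part)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"            # one aligned pass is enough
    action = policy.get("p", "none")
    if sample > int(policy.get("pct", "100")):
        action = {"reject": "quarantine", "quarantine": "none", "none": "none"}[action]
    return "fail", action
```

Two things worth noticing when running it: mail from the domain's own web host (192.0.2.10) fails "v=spf1 +mx -all" because only the MX host is allowed, which is exactly what the record is meant to do; and with the post's p=none record a DMARC failure still results in the action "none", so nothing is rejected until the policy is raised.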