I know very little about mail server administration. I'm piecing together user guides. I've bought a domain name, and [paid] Protonmail which allows using a custom domain. I've had this working for a while, but now I'm having trouble extending it for another DKIM record.
Objectives:
In order to send/receive email using Protonmail through my domain name, I've set up the following TXT records:
Host=@ protonmail-verification=e954fa...
Host=protonmail._domainkey v=DKIM1; k=rsa; p=MGM0....
Host=@ v=spf1 include:_spf.protonmail.ch mx ~all
This has been working for months. Now I'd like to implement objective 2 (above). I created a DKIM key using opendkim:
sudo opendkim-genkey -b 8192 -h rsa-sha256 -r -v --subdomains -s postfix -d $(hostname --domain) && \
sudo sed -i 's/h=rsa-sha256/h=sha256/' postfix.txt
Then I've added the contents from postfix.txt, concatenating the long p string, to my DNS provider with another TXT record:
Host=[MY DOMAIN NAME]._domainkey v=DKIM1; h=sha256; k=rsa; s=email; p=MEEij...
Where I think I'm struggling is with updating the spf record. How should it look? I thought it should be like so:
v=spf1 include:[MY DOMAIN NAME] include:_spf.protonmail.ch mx ~all
However, when testing sending an email from my Postfix server, some client servers reject the email, with the following log in my Postfix server:
E543D5E0003: host mail.tutanota.de[81.3.6.165] said: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [MY POSTFIX SERVERS IP] (in reply to RCPT TO command)
I'm quite sure there is something wrong in my spf record. Are the arguments correct? And does the order matter? How can I use the Protonmail records for sending and receiving, but restrict my Postfix server to send-only? (Does DNS even care about this directionality?)
Ok, let's start debugging this anyways ... (quite frankly, this is not a programming question so superuser would have been the better choice there, but I like that you wanna host your own mail :) )
Your SPF record should look like the following. Your own domain is not needed, cause the SPF record is saved in its DNS records. Otherwise, that would (but won't) build a loop.
v=spf1 include:_spf.protonmail.ch mx ~all
The error itself you are seeing is related to the PTR lookup of your public IP, but could also be caused by the extra include and be a false positive here.
To make sure it's correct anyway, look it up manually:
On Linux:
dig -x <public ip of mail domain>
that will (should) print multiple lines, the one you're interested in:
;; ANSWER SECTION:
XXX.XXX.XXX.XXX.in-addr.arpa. 43200 IN PTR my-domain.com.
On Windows:
nslookup <public ip of mail domain>
prints:
Server: some.dns.server.com
Address: XXX.XXX.XXX.XXX
Name: my-domain.com
Address: <public ip of mail domain>
Crucial here is the "my-domain.com." part - if that is not your mail domain, then your hosting provider will most likely give you a way to change the PTR somewhere.
Try this and then we will look further into it if necessary, of course it's hard to debug without being able to look up all the information ;)
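To make concrete both halves of this thread, the SPF record the question asks about and the PTR check the answer describes, here is an added example (not code from the question, the answer, Proton or Postfix) that evaluates an SPF record for a given sending IP the way a receiver does, walking the mechanisms left to right and following include: with a recursion limit, and performs a forward-confirmed reverse DNS (FCrDNS) check, which is what "cannot find your reverse hostname" is complaining about. All DNS data lives in a constructed in-memory table so it runs offline; the domain names, the documentation-range addresses, and the contents of the _spf.protonmail.ch record are made up for the example and are not Proton's real records. It goes beyond the page by letting you evaluate alternative record variants against the same address, so you can see which mechanism, if any, your Postfix host's address would match.

```python
import ipaddress

# Constructed DNS answers; nothing here is looked up over the network.
# 203.0.113.25 plays the self-hosted Postfix server, 192.0.2.10 a
# Proton relay. The _spf.protonmail.ch contents are invented.
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 include:_spf.protonmail.ch mx ~all"],
    ("example.com", "MX"): ["mail.protonmail.ch"],
    ("_spf.protonmail.ch", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
    ("mail.protonmail.ch", "A"): ["192.0.2.10"],
    ("mail.example.com", "A"): ["203.0.113.25"],
    ("25.113.0.203.in-addr.arpa", "PTR"): ["mail.example.com"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name: str, rtype: str) -> list:
    return FAKE_DNS.get((name.rstrip("."), rtype), [])


def ip_in(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def evaluate_spf(ip: str, domain: str, record: str, depth: int = 0):
    """Walk the record's terms left to right (order matters) and return
    (result, matching_term). Supports ip4, a, mx, include and all."""
    if depth > 10:  # RFC 7208 limits lookups; also stops include loops
        return ("permerror", "too many include lookups")
    for raw in record.split()[1:]:
        qualifier, term = "+", raw
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        matched = False
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip_in(ip, arg)
        elif mech == "a":
            matched = ip in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(ip in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            # include: matches only when the referenced record yields pass
            matched = check_spf(ip, arg, depth + 1)[0] == "pass"
        if matched:
            return (QUALIFIERS[qualifier], raw)
    return ("neutral", None)  # ran off the end without a match


def check_spf(ip: str, domain: str, depth: int = 0):
    """Fetch the domain's v=spf1 TXT record and evaluate it."""
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    if not records:
        return ("none", None)
    return evaluate_spf(ip, domain, records[0], depth)


def check_fcrdns(ip: str):
    """Forward-confirmed reverse DNS: the PTR name must have an A record
    pointing back at the same address, which is what receivers insist on."""
    names = lookup(ipaddress.ip_address(ip).reverse_pointer, "PTR")
    if not names:
        return ("no PTR record", None)
    for name in names:
        if ip in lookup(name, "A"):
            return ("ok", name)
    return ("PTR does not resolve back to the IP", names[0])


if __name__ == "__main__":
    postfix_ip = "203.0.113.25"
    print("published record:", check_spf(postfix_ip, "example.com"))
    variant = "v=spf1 a:mail.example.com include:_spf.protonmail.ch mx ~all"
    print("with a: term    :", evaluate_spf(postfix_ip, "example.com", variant))
    print("Proton relay    :", check_spf("192.0.2.10", "example.com"))
    print("FCrDNS          :", check_fcrdns(postfix_ip))
```

With the answer's record, the Postfix address in the constructed table falls through to "~all" (softfail) because it is neither inside the included Proton range nor one of the domain's MX hosts; the variant line shows what changes when an a: term naming the Postfix host is added. The FCrDNS function reproduces the manual dig -x / nslookup check: the PTR name must exist and must resolve forward to the same address.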