So, recently we ran into a problem at we have over 500 members, and our ISP, which I used as a smarthost, objects to our sending more than 200 e-mails a day. So, sending a newsletter becomes a two-day job, with the last people on the list getting the newsletter a lot later than they should.

I went through the pain of setting up my own outgoing SMTP server. It was simple 10 years ago when all SMTP servers just accepted your e-mail: thanks to spammers, it’s become much harder and your setup needs to be a lot more precise if you want large ISPs to accept mail from your.

Here are the changes I made.


SPF (Sender Policy Framework) is a DNS record that documents who has the right to send e-mail for your domain. In our case, the IP address documented as A and MX record are allowed to send e-mail for us.

For MaraDNS, you add a line like this: ~~~ % spf ‘v=spf1 a mx ~all’ % txt ‘v=spf1 a mx ~all’ ~~~

More details about SPF, including a script that builds the SPF record for you, are available on the [[SPF Web site]].

! ISP setup

Several large ISP (e.g. AOL) filter incoming mail depending on the emitting IP address.

Configure a reverse DNS with your ISP, so the RDNS is consistent with your domain (I am not sure this is totally useful).

Remove your residential IP from [[SpamHaus]] PBL: , link “Remove IP Address”. This lets most serious ISPs (Yahoo, Gmail, …) receive your e-mail. Some other ISPs use a blacklist from [[Trend Micro]]. You can request being taken off their list, but they won’t unless you’re the ISP responsible for your address range…

AOL still won’t listen, so use your ISP as smarthost just for them, adding to /etc/exim4/hubbed_hosts: ~~~ ~~~

AOL also lets you set up a spam feedback loop, but I am not done with that yet.

! Check your DNS setup

Another goal I had was to pass all of zonecheck(1) tests. This can be either run from their [[Web site]] or installed under Debian apt-get install zonecheck.

It pointed out that my DNS setup was klunky at best. So, what I need to do is tell my registrar that each of my domains has two nameservers, ns1.% and ns2.%, with the appropriate addresses. The registrar transmits that to the registry. The thing is, this will only work properly if your DNS is consistent with the registry, i.e. you have ns1.% and ns2.% A and NS records set up. In MaraDNS: ~~~ % NS ns1.% % NS ns2.%

ns1.% ns2.% ~~~

Then zonecheck insists that my servers should also serve TCP requests. In MaraDNS, in /etc/mararc: ~~~ tcp_convert_acl = “” tcp_convert_server = “” ~~~ (with the appropriate IP address of course), and restart zoneserver (not maradns!).

Another pretty, Web-based, DNS tool that you can use is [[DNSCheck]], which has the advantage of giving you an external view of your setup even if you do not have access to a machine outside your network.

! Misc

You can test your e-mail system with ~~~ telnet ~~~ This runs a series of security tests on the IP you’re coming from and tells you the results. Ideal to find if you’re accidently set up as an open relay.