Email Setup

Configure email sending capabilities and DNS records for Centmin Mod servers.

Overview

Centmin Mod is a LEMP web stack (Linux, Nginx, MariaDB, PHP-FPM) and does not include a full mail server by default. However, your server may still need to send outgoing emails for tasks such as PHP application notifications, cron job alerts, system monitoring, or contact form submissions.

There are two common approaches for handling email on a Centmin Mod server:

  • Local MTA (Sendmail/Postfix) — Install a local mail transfer agent for sending outgoing mail directly from the server.
  • Third-party transactional email service — Use services like SendGrid, Mailgun, or Amazon SES for reliable email delivery with better deliverability rates.

For @yourdomain.com email hosting (receiving mail), it is recommended to use a dedicated third-party email hosting provider such as Google Workspace, Zoho Mail, or FastMail rather than hosting email on your web server. This provides better reliability, portability when migrating servers, and reduced local resource usage.

Server Hostname vs Domain Email

A critical distinction for email deliverability: emails sent as root@host.domain.com (the server hostname) and emails sent as user@domain.com (a hosted domain) are evaluated differently by receiving mail servers.

  • Emails from root@host.domain.com — DNS records (SPF, DKIM, DMARC, PTR) are evaluated against host.domain.com
  • Emails from user@domain.com — DNS records are evaluated against domain.com

Both the server hostname and each domain that sends email need their own independent set of SPF, DKIM, DMARC, and PTR records configured. Missing records on either will cause deliverability issues for emails sent from that identity.

Main Hostname Setup: Your server's main hostname is configured during the Getting Started setup (Step 1). The main hostname should be unique and not shared with any Nginx virtual host. Verify with:

# Check if main hostname is used by any vhost (should return empty)
grep -rw server_name /usr/local/nginx/conf/conf.d/ | grep -w "$(hostname)"

# Main hostname vhost config
/usr/local/nginx/conf/conf.d/virtual.conf

Sendmail Installation

Centmin Mod can be configured to install Sendmail during the initial setup, or Sendmail can be installed manually via the YUM/DNF package manager.

To install Sendmail via the Centmin Mod menu:

Shell
centmin
# Select option 13 to install Sendmail

Alternatively, if you prefer Postfix as your MTA, you can install it manually:

Shell
yum -y install postfix
systemctl enable postfix
systemctl start postfix

Important: Many cloud providers (AWS, Google Cloud, Azure) block outbound SMTP port 25 by default. You may need to request port 25 access or use a relay service on an alternative port (587 or 465). Using a transactional email service is often the most reliable approach.

DNS Records

Proper DNS records are essential for email deliverability. Without them, emails sent from your server are likely to be flagged as spam or rejected entirely. The three key DNS record types for email authentication are SPF, DKIM, and DMARC.

Cloudflare Users: Do not enable the Cloudflare orange cloud proxy on your server's main hostname DNS A record (e.g., host.domain.com). The proxy hides your server's real IP address, which prevents receiving mail servers from verifying PTR records and performing reverse DNS lookups needed for email authentication. Set the main hostname to DNS-only (gray cloud).

SPF (Sender Policy Framework)

SPF records specify which mail servers are authorized to send email on behalf of your domain. Add a TXT record to your domain's DNS:

SPF DNS Record Example:

Type: TXT
Host: @
Value: v=spf1 ip4:YOUR_SERVER_IP -all

Replace YOUR_SERVER_IP with your server's public IP address. The -all flag means only the specified IP is authorized (strict mode). Use ~all for soft fail during testing.

SPF with third-party email services:

# SendGrid
v=spf1 ip4:YOUR_SERVER_IP include:sendgrid.net -all

# Mailgun
v=spf1 ip4:YOUR_SERVER_IP include:mailgun.org -all

# Amazon SES
v=spf1 ip4:YOUR_SERVER_IP include:amazonses.com -all
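
A record that is syntactically valid can still authorize too much or fail at evaluation time. The following is an added example (not part of the original page or of Centmin Mod) that lints an SPF value offline; the function name spf_lint and the sample records, which use the documentation address 203.0.113.10, are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: offline lint of an SPF TXT value (no DNS queries are made).
# spf_lint RECORD prints one finding per line and returns 0 when there are none.
spf_lint() (
    rec=$(printf '%s' "$1" | tr 'A-Z' 'a-z')    # SPF terms are case-insensitive
    findings=0 lookups=0 all_term="" redirect=""
    note() { echo "$1"; findings=$((findings + 1)); }
    set -f                                      # no globbing while splitting terms
    set -- $rec
    if [ "$1" = "v=spf1" ]; then shift; else note "record must start with v=spf1"; fi
    for term in "$@"; do
        [ -z "$all_term" ] || note "term after '$all_term' is never evaluated: $term"
        case ${term#[+?~-]} in                  # drop the qualifier, keep the mechanism
            all)
                all_term=$term
                case $term in
                    +all|all) note "$term authorizes every host to send as this domain" ;;
                    \?all)    note "?all is neutral and gives receivers no policy" ;;
                esac ;;
            # Terms that cost a DNS query; nested includes add more at evaluation time.
            include:*|a|a[/:]*|mx|mx[/:]*|exists:*|ptr|ptr:*)
                lookups=$((lookups + 1)) ;;
            redirect=*)
                redirect=$term; lookups=$((lookups + 1)) ;;
        esac
    done
    [ -n "$all_term$redirect" ] ||
        note "no 'all' or redirect: unlisted senders get a neutral result"
    [ "$lookups" -le 10 ] ||
        note "$lookups DNS-querying terms; SPF allows at most 10 (permerror)"
    [ "$findings" -eq 0 ]
)

# Constructed sample records (203.0.113.10 is a documentation address).
for rec in \
    "v=spf1 ip4:203.0.113.10 include:sendgrid.net -all" \
    "v=spf1 ip4:203.0.113.10 +all" \
    "v=spf1 a mx ip4:203.0.113.10 ~all include:mailgun.org"
do
    echo "== $rec"
    spf_lint "$rec" || true
done
```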

DKIM (DomainKeys Identified Mail)

DKIM adds a digital signature to outgoing emails, allowing the recipient's mail server to verify that the email was legitimately sent and has not been tampered with. DKIM uses a public/private key pair:

  • The private key is stored on your mail server and used to sign outgoing messages.
  • The public key is published as a DNS TXT record so recipients can verify the signature.

DKIM DNS Record Format:

Type: TXT
Host: selector._domainkey.yourdomain.com
Value: v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY

The selector is a label you choose (e.g., mail or default). Third-party services typically provide the DKIM record values for you.

Centmin Mod DKIM Setup: Use the opendkim.sh addon to install OpenDKIM, generate 2048-bit RSA DKIM keys, configure the Postfix milter, and output the DNS TXT record ready to add to your DNS zone.

# Quick start: configure DKIM for your domain
cd /usr/local/src/centminmod
addons/opendkim.sh yourdomain.com

See the full OpenDKIM Setup Guide for detailed installation, DNS configuration, verification, and multi-domain support.

DMARC (Domain-based Message Authentication)

DMARC builds on SPF and DKIM to tell receiving mail servers what to do when authentication checks fail. It also provides reporting so you can monitor email authentication results.

DMARC DNS Record Example:

Type: TXT
Host: _dmarc.yourdomain.com
Value: v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100

Policy options: p=none (monitoring only), p=quarantine (mark as spam), p=reject (block entirely). Start with none and tighten after reviewing reports.
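
Before tightening the policy it helps to confirm what a published record actually enforces. The following is an added example (not part of the original page or of Centmin Mod) that checks a DMARC value offline; the function name dmarc_lint is an assumption and the sample records are constructed from the example above.

```sh
#!/bin/sh
# Added example: offline check of a DMARC TXT value against the staged rollout.
# dmarc_lint RECORD prints one finding per line; returns 0 when there are none.
dmarc_lint() (
    findings=0 p="" pct=100 rua="" first=1
    note() { echo "$1"; findings=$((findings + 1)); }
    set -f; IFS=';'; set -- $1; IFS=' '              # split the record on ";"
    for tag in "$@"; do
        tag=$(printf '%s' "$tag" | tr -d ' \t')      # drop padding around tags
        [ -n "$tag" ] || continue
        if [ "$first" = 1 ]; then
            first=0
            [ "$tag" = "v=DMARC1" ] || note "first tag must be v=DMARC1, got '$tag'"
        fi
        case $tag in
            p=*)   p=${tag#p=} ;;
            pct=*) pct=${tag#pct=} ;;
            rua=*) rua=${tag#rua=} ;;
        esac
    done
    case $p in
        quarantine|reject) ;;
        none) note "p=none only monitors: failing mail is still delivered" ;;
        "")   note "required p= tag is missing" ;;
        *)    note "unknown policy p=$p" ;;
    esac
    case $pct in
        100) ;;
        ''|*[!0-9]*) note "pct must be an integer from 0 to 100" ;;
        *) if [ "$pct" -gt 100 ]; then note "pct must be an integer from 0 to 100"
           else note "pct=$pct: policy applies to only part of the failing mail"; fi ;;
    esac
    case $rua in
        "") note "no rua= address: no aggregate reports to review before tightening" ;;
        mailto:*) ;;
        *) note "rua should be a mailto: URI, got '$rua'" ;;
    esac
    [ "$findings" -eq 0 ]
)

# Constructed records, one per policy option.
for policy in none quarantine reject; do
    echo "== p=$policy"
    dmarc_lint "v=DMARC1; p=$policy; rua=mailto:dmarc@yourdomain.com" || true
done
```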

Reverse DNS (PTR Record)

A PTR record maps your server's IP address back to your domain name. Many mail servers check for a valid reverse DNS entry and will reject mail from IPs without one. PTR records are typically configured through your VPS or hosting provider's control panel, not your DNS provider.

SPF, DKIM & DMARC DNS Testing Tools

Use these tools to verify that your SPF, DKIM, and DMARC DNS records are correctly configured and propagated:

SPF Testing

DKIM Testing

  • dmarcian DKIM Inspector — verify DKIM DNS records and key validity
  • Command line: addons/opendkim.sh check — built-in Centmin Mod DKIM verification

DMARC Testing Tools

General Email Tools

  • MXToolbox — comprehensive MX, SPF, DKIM, DMARC, blacklist checks
  • DNS Checker — global DNS propagation checker

Email List Hygiene & Bulk Sender Compliance

Google and Microsoft bulk sender requirements enforce a maximum 0.3% spam rate threshold. To keep your bounce rate low and maintain deliverability, regularly clean your email lists using the centminmod/validate-emails GitHub tool to validate email addresses before sending. This tool checks for invalid, disposable, and inactive addresses that would otherwise cause bounces and spam complaints. Monitor your spam rate via Google Postmaster Tools to stay below the 0.3% threshold required by bulk sender guidelines.

Testing Email

After installing Sendmail or Postfix and configuring your DNS records, test that your server can send email correctly.

Command Line Test

Send a test email from the command line:

Shell
echo "Test email body" | mail -s "Test Subject" you@example.com

PHP mail() Function Test

Create a temporary PHP script to verify that mail() works from your web applications:

PHP — testmail.php
<?php
$to      = 'you@example.com';
$subject = 'PHP Mail Test';
$message = 'This is a test email sent from PHP mail().';
$headers = 'From: webmaster@yourdomain.com' . "\r\n" .
           'Reply-To: webmaster@yourdomain.com' . "\r\n" .
           'X-Mailer: PHP/' . phpversion();

if (mail($to, $subject, $message, $headers)) {
    echo 'Email sent successfully.';
} else {
    echo 'Email sending failed.';
}
?>

Security reminder: Remove any test PHP mail scripts from your web root after testing. Leaving them accessible could allow unauthorized use of your server to send spam.

Custom From Address Test

To test email delivery with a specific From address (matching your domain):

Shell
# Send with specific From address (-r flag)
echo "mail-test" | mail -s "Test from domain" -r user@yourdomain.com you@example.com

# Send test email to mail-tester.com with custom From
echo "mail-test" | mail -s "mail-tester" -r user@yourdomain.com web-XXXXX@mail-tester.com

mail-tester.com Score Check

Visit mail-tester.com, copy the unique email address shown, send a test email to it from your server, then click "Check your score." The tool validates SPF, DKIM, DMARC, blacklists, and message content. Aim for 9/10 or higher.

Gmail Header Inspection

Send a test email to a Gmail address, then open the email and click the three-dot menu → "Show Original." Inspect the full headers to verify SPF, DKIM, and DMARC pass results. Look for spf=pass, dkim=pass, and dmarc=pass in the Authentication-Results header.
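
The same check can be scripted against a saved copy of the "Show Original" text. The following is an added example (not part of the original page or of Centmin Mod): it reads only the topmost Authentication-Results header, which is the one stamped by the receiving server, and ignores any copy further down or in the body. The function names and the sample message are constructed for illustration.

```sh
#!/bin/sh
# Added example: summarize the receiver's Authentication-Results verdicts.
# Reads a raw message ("Show Original" text) on stdin, prints
# "spf=<r> dkim=<r> dmarc=<r>", and returns 0 only if all three are "pass".
auth_results() {
    tr -d '\r' | awk '
        /^$/ { exit }                                # end of headers: never parse the body
        tolower($0) ~ /^authentication-results:/ {
            if (seen) exit                           # trust only the topmost instance
            seen = 1; sub(/^[^:]*:/, ""); hdr = $0; next
        }
        seen && /^[ \t]/ { hdr = hdr " " $0; next }  # folded continuation line
        seen { exit }
        END {
            res["spf"] = res["dkim"] = res["dmarc"] = "missing"
            n = split(hdr, part, ";")
            for (i = 2; i <= n; i++) {               # part[1] is the authserv-id
                sub(/^[ \t]+/, "", part[i])
                if (match(part[i], /^(spf|dkim|dmarc)=[a-z]+/)) {
                    split(substr(part[i], 1, RLENGTH), kv, "=")
                    if (res[kv[1]] != "pass") res[kv[1]] = kv[2]
                }
            }
            printf "spf=%s dkim=%s dmarc=%s\n", res["spf"], res["dkim"], res["dmarc"]
            exit !(res["spf"] == "pass" && res["dkim"] == "pass" && res["dmarc"] == "pass")
        }
    '
}

# Constructed message; $1 sets the receiver's DKIM verdict. The lower
# Authentication-Results line imitates one supplied by the sender.
sample_message() {
    cat <<EOF
Delivered-To: you@example.com
Authentication-Results: mx.google.com;
       dkim=$1 header.i=@yourdomain.com header.s=default;
       spf=pass (google.com: domain of user@yourdomain.com designates 203.0.113.10 as permitted sender) smtp.mailfrom=user@yourdomain.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yourdomain.com
Authentication-Results: sender.invalid; spf=pass; dkim=pass; dmarc=pass
From: user@yourdomain.com
Subject: mail-test

spf=fail appears here only as body text
EOF
}

sample_message pass | auth_results
```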

MXToolbox Deliverability Test

Send a test email to the MXToolbox diagnostic address to get a detailed deliverability report:

Shell
echo "test" | mail -s "test" ping@tools.mxtoolbox.com

Amazon SES Users: If using Amazon SES as your SMTP relay, the From address in your emails must be a verified sender identity in the SES dashboard. Sending from an unverified address results in a 554 Message rejected error.

Check Mail Logs

Monitor the mail log to verify emails are being sent and to diagnose delivery issues. See the configuration files page for log file locations.

Shell
# View mail log (CentOS/RHEL/AlmaLinux/Rocky Linux)
tail -f /var/log/maillog

# Check mail queue
mailq

Postfix Log Analysis (pflogsumm)

Centmin Mod installs pflogsumm (Postfix Log Summary) by default for analyzing Postfix mail logs at /var/log/maillog. Use the postfixlog alias for a quick summary. The tool provides detailed statistics about your Postfix mail activity including message counts, bounces, deferrals, and top senders/recipients.

Shell
# Quick summary for today (built-in alias)
postfixlog

# Yesterday's mail stats with message details
pflogsumm -d yesterday --verbose_msg_detail /var/log/maillog

# All available mail logs (including rotated)
pflogsumm $(ls -rt /var/log/maillog*)

# Filter by specific date
grep 'Mar 16' /var/log/maillog | pflogsumm --verbose_msg_detail

Tip: The postfixlog alias is available by default in Centmin Mod and provides a quick overview of today's Postfix mail activity. Use it regularly to spot delivery issues early.

Transactional Email Services

For production websites, using a dedicated transactional email service is strongly recommended over local Sendmail/Postfix. These services provide better deliverability, reputation management, analytics, and compliance with email regulations.

SendGrid

Industry-leading email delivery platform with SMTP relay and REST API. Free tier includes 100 emails/day.

sendgrid.com

Mailgun

Developer-friendly email API with powerful routing and validation features. Free trial with 5,000 emails for 3 months.

mailgun.com

Amazon SES

Cost-effective email service integrated with AWS. Pay per email with no monthly minimum — ideal for high-volume senders.

aws.amazon.com/ses

Postmark

Focused exclusively on transactional email with industry-best delivery speed. Free tier with 100 emails/month.

postmarkapp.com

Most services can be configured as an SMTP relay in your Postfix or Sendmail configuration, or used directly via their API from your PHP applications using libraries like PHPMailer or SwiftMailer.

Postfix SMTP Relay Example — /etc/postfix/main.cf
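# Example: SendGrid SMTP relay via Postfix
relayhost = [smtp.sendgrid.net]:587
smtp_sasl_auth_enable = yes
# Credentials file: keep it root-owned with mode 600 and rebuild the
# lookup table with "postmap /etc/postfix/sasl_passwd" after each change
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
# Require TLS so the relay credentials are never sent in clear text
smtp_tls_security_level = encrypt
header_size_limit = 4096000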

@yourdomain.com Email Hosting

For receiving email at your domain (e.g., info@yourdomain.com), it is strongly recommended to use a third-party email hosting provider rather than running a mail server on your web server. Benefits include:

  • Portability — Your email is uninterrupted when migrating between VPS or dedicated servers.
  • Reduced resource usage — Less disk and CPU consumption on your web server.
  • Reliability — Dedicated mail infrastructure with redundancy and spam filtering.
  • Security — Particularly important for domains using HTTPS SSL certificates that require domain-validated email verification.

Previously, Microsoft Outlook Live Domains and Google Apps provided free @yourdomain.com email hosting. Both free services have been discontinued. See the Outlook Live Domains archive for historical reference.

Recommended Providers

| Provider | Starting Price | Notes |
|---|---|---|
| Google Workspace | $7.20/user/month | Gmail interface, 30GB+ storage, integrated with Google apps |
| Zoho Mail | Free (up to 5 users) | Free tier with 5GB/user, iOS and Android apps available |
| FastMail | $5/user/month | Custom domain support, 30GB storage, privacy-focused |
| Rackspace Email | $2.99/mailbox/month | 25GB storage, free 14-day trial, migration services |
| Microsoft 365 | $6/user/month | Outlook/Exchange, 50GB mailbox, includes Office apps |

Troubleshooting

Common email delivery issues and their solutions:

Emails going to spam

PHP mail() returns false

  • Verify Sendmail or Postfix is installed and running: systemctl status sendmail or systemctl status postfix
  • Check PHP's sendmail_path in php.ini: php -i | grep sendmail_path
  • Review /var/log/maillog for error messages

Connection timeout on port 25

  • Cloud providers often block port 25 — contact your provider to request access or use port 587/465
  • Check if CSF Firewall is blocking outbound SMTP
  • Consider using an SMTP relay service on port 587 (submission) instead

Emails not being received

  • Check the mail queue with mailq for stuck messages
  • Verify DNS records with dig yourdomain.com TXT
  • Test deliverability at mail-tester.com

Google Postmaster Tools

Google Postmaster Tools provides visibility into how Gmail evaluates your domain's email reputation and spam rate. The critical threshold is keeping your spam rate below 0.3% — exceeding this can severely impact deliverability. After verifying domain ownership, you can monitor:

  • Spam rate — percentage of your emails marked as spam by recipients (must stay below 0.3%)
  • Domain reputation — Gmail's assessment of your sending domain (High, Medium, Low, Bad)
  • IP reputation — reputation of each IP address sending email for your domain
  • Authentication results — SPF, DKIM, and DMARC pass/fail rates
  • Encryption — percentage of emails using TLS encryption

Tip: Register all domains that send email from your server at postmaster.google.com, including your server's main hostname. This is especially important for monitoring compliance with bulk sender requirements.

Bulk Sender Requirements (2024–2025)

Major email providers have introduced strict authentication and anti-spam requirements. Senders who do not comply will see their emails rejected or filtered to spam.

Google (February 2024)

Applies to all senders; stricter enforcement for senders of 5,000+ messages/day to Gmail:

  • SPF and DKIM email authentication required
  • Valid forward and reverse DNS (PTR) records
  • DMARC policy required (at minimum p=none)
  • Spam rate must stay below 0.3% (monitor via Google Postmaster Tools)
  • One-click unsubscribe required for marketing/subscription messages
  • TLS connection for transmitting email

Yahoo (Q1 2024)

Similar requirements for bulk senders:

  • SPF and DKIM authentication
  • DMARC policy published
  • One-click unsubscribe for marketing/subscription emails
  • Low spam complaint rate

Microsoft Outlook (May 2025)

Affects senders of 5,000+ messages/day to outlook.com, live.com, and hotmail.com addresses:

  • SPF must pass and align with sending domain
  • DKIM must pass for signing domain
  • DMARC policy required (at minimum p=none, aligned with SPF or DKIM)
  • Non-compliant emails routed to spam initially, with full blocking to follow

Spam Rate Enforcement (June 2024)

Google enforces that senders with a spam rate exceeding 0.3% become ineligible for spam rate mitigation for 7 days. Keeping your spam rate low is critical. Use Google Postmaster Tools to monitor and maintain your rate below 0.1% for best results.

Email List Hygiene: Regularly clean your email lists to reduce bounces and spam complaints. The centminmod/validate-emails tool on GitHub can help validate email addresses before sending. Keeping bounce rates low is essential for staying below the 0.3% spam rate threshold required by Google and Microsoft bulk sender guidelines.

Complete Email Deliverability Checklist

Follow this step-by-step checklist to ensure emails sent from your Centmin Mod server reach recipients’ inboxes instead of spam folders.

  1. Set up PTR/rDNS record

    Configure a reverse DNS (PTR) record for your server’s IP address that matches your server hostname. This is set at your hosting provider’s control panel, not in DNS zone files. Verify with: dig -x YOUR_SERVER_IP

  2. Add SPF DNS record

    Add a TXT record to your domain’s DNS:

    v=spf1 a mx ip4:YOUR_SERVER_IP ~all

  3. Configure DKIM via opendkim.sh

    Install and configure OpenDKIM (see the full OpenDKIM Setup Guide):

    cd /usr/local/src/centminmod
    addons/opendkim.sh yourdomain.com

    Add the generated DNS TXT record to your domain’s DNS zone. Verify with: addons/opendkim.sh check (see Testing & Verification)

  4. Add DMARC DNS record

    Start with monitoring mode, then progressively tighten:

    # Stage 1: Monitor only (start here)
    _dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"
    
    # Stage 2: Quarantine suspicious emails
    _dmarc.yourdomain.com TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com"
    
    # Stage 3: Reject failing emails (after confirming SPF+DKIM work)
    _dmarc.yourdomain.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com"

  5. Verify HELO hostname matches PTR

    The SMTP HELO/EHLO hostname should match your server’s PTR record. Check your Postfix or Sendmail configuration to ensure the hostname is correct.

  6. Test with mail-tester.com

    Send a test email to the address provided by mail-tester.com. Aim for a score of 9/10 or higher. The tool checks SPF, DKIM, DMARC, blacklists, and content quality.

  7. Monitor IP reputation

    Check your server IP against email blacklists at MXToolbox. A clean IP reputation is essential for inbox delivery.

Recommended for production: For high-volume or critical email delivery, use a transactional email service like Amazon SES, SendGrid, or Mailgun. These services handle IP reputation, bounce processing, and deliverability optimization. Configure your server to relay through these services rather than sending directly.

For more details, see the Email Deliverability forum discussion, the OpenDKIM Setup Guide for detailed DKIM configuration, and the FAQ on avoiding spam folders.