Operating an Internet Transmitter

Safe and secure operation of an Internet Transmitter (Public Email Server) requires a high level of expertise and a serious committment of time.  Q1  If you are not comfortable with DNS and email protocols, firewalls, and Internet security in general, or cannot devote the time and resources necessary to handle problems that arise every day in even the best setups, then we recommend that you sign up with one of the many Email Service Providers offering excellent services at reasonable rates.  These providers can handle anything from simple forwarding of personal mail to operating a network of servers transmitting under your domain name.  Q2

If you still want to operate your own transmitter, there are three steps you must take to allow receivers to distinguish your transmitter from the typical virus-infected PC blasting spam to every corner of the planet.  You must provide a unique Identity for your transmitter, prevent others from abusing that Identity, and build a good reputation.  It also helps to have a "static" IP address, not one that is changed "dynamically" every time your server connects, and to ensure that your setup is fully compliant with all Internet standards.  Although most receivers do not insist on full compliance, the more rules you break, the more likely your messages will be tagged as spam.

Step 1:  Identify Your Transmitter
A common but unreliable method is to have your ISP or network owner publish a "PTR record" giving your address an "IP name".  Many ISPs already publish IP names for every address in their entire allocation, including dynamic addresses.  Often these records provide little more than a repeat of the IP address and the name of the ISP, e.g. "24-147-74-145.hsd1.nh.comcast.net".  This will identify you and all other transmitters using this ISP as "comcast.net".  The numbers are also a red flag for spam filters, since it looks like a typical "spam zombie".

If you use this method, chose a more informative name like "mailserver17.dallas.texas.example.com".  This "hostname" should start with the name of your machine and end in the registered name of the domain you are serving.  Ask your ISP to publish this hostname in their PTR record for your IP address, and ask the domain-name owner to publish an "A record" listing your IP address under this hostname.  Then be sure to include this exact same hostname in your HELO command.  Any discrepancy between the HELO name you provide, and the records provided by either the network owner or the domain owner will invalidate the method.  Q3

To use a HELO name independent of your IP name, the domain owner must provide an "authentication record" to authorize your use of his name (Step 2).  A and MX records will associate your address with his domain, but there are other reasons to publish these records besides sending email, so they too are unreliable.  Q4

If possible you should make the domain name in your HELO command the same as in the Return Address and the From header lines of messages you will be sending.  Having a single, well-defined Identity will avoid problems with "phishing" detectors.  If your HELO Identity must differ from later identities, be sure to offer authentication methods for these later identities also.

Step 2:  Protect Your Identity
To prevent forgers from using your name, you will need to assert control of the DNS records under that name, and publish records for one or more commonly accepted authentication methods.  Find a secure and reliable DNS Service Provider, and tell your Registrar to list the nameservers from that service as authoritative for your domain.  Then tell your Registrar to lock their records for your domain, so that only you can make further changes.

Authentication methods fall into two categories, IP-based, and signature-based.  We recommend that senders offer at least one from each category.  IP methods allow receivers to quickly check the addresses you authorize to say HELO this is <your domain name>.  Signature methods authenticate the entire content of a message.  Some of the methods can get quite complicated.  Start with a simple setup, watch for reports of abuse, or problems in getting your mail accepted, then add complications as needed.  See Notes for Senders for more information.

Open-mail.org maintains a Registry of Internet Transmitters {TM} to provide a "clearing house" for the sharing of authentication and reputation data.  Authentication data is collected from DNS records, Regional Registry records, and other public sources, and may include some addresses you would rather not authorize to use your name.  You can assert control of this data by publishing a record at _auth.<your domain name>.  If an _auth record is avialable for your domain, the Registry will use it instead of other less reliable sources.

Step 3:  Build Your Reputation
Having established your Identity, and denied others the ability to use it, you now must build a good reputation for that Identity.  This is done by sending lots of good mail over a long period of time, and very little spam.  How to avoid spam being sent through your servers is a big topic, beyond the scope of this discussion, but the links below will help you get started.  The most important points are 1) Secure your own servers from breakins and infections,  2) Provide a secure login for users authorized to send via your servers, and 3) Rate limit the mail you send for each user, in case their machine gets infected.
Best Practices for Controlling your Outbound Mail

http://www.imc.org/ube-sol.html Unsolicited Bulk Email: Mechanisms for Control
http://e-com.ic.gc.ca/epic/internet/inecic-ceac.nsf/en/h_gv00317e.html - Canadian Task Force on Spam
http://www.circleid.com/posts/new_code_of_practice_to_combat_spam/ - Australia