Quick Start for Operating an Internet Transmitter
Before we begin, please ask yourself - Do I really want to operate my own transmitter? Doing it right requires a high level of expertise, and a serious commitment of time. Even if you manage to avoid abuse of your transmitter, you may not get reliable delivery if your mailflow is too small to build a good reputation at receivers all over the world. The alternative is to send your outgoing mail via a well-established email service provider. Most of these companies will allow you to use your own domain name in the Return Address seen by your recipients.
- "I need to get our new mail server running now, and I don't have time to learn about authentication protocols. What can I do?" -- busy system administrator
Here is a bare-minimum setup that will work for any domain-name owner, even if your ISP won't help set up your DNS records. It allows a quick authentication of your HELO name, nothing else. It does not take the place of other methods that authenticate your Return Address, header identities, or content of your messages.
1) Find out who is in charge of the nameservers for your domain. These will be the same folks who set up your MX records. (You must have MX records or you wouldn't be able to receive any mail.)
2) Tell them to publish a TXT record for <your domain> as follows:
_auth.<your domain> 86400 TXT "helo=<your IP address>"
_auth.little.org 86400 TXT "helo=192.168.1.2"
_auth.huge.com 86400 TXT "helo=188.8.131.52-7,184.108.40.206/22"
3) Make sure the HELO name used by your server ends in <your domain>. If you send both first-class and bulk mail from the same server, be careful to not use the same domain name for both. Even the best-managed commercial mailing list will get more spam complaints than typical first-class mail.
4) To update your Registry record, and test that update, send a message from the machine at <your IP address> to test_AT_open-mail.org, with a Return Address in <your domain>. A reply will be sent showing the updates to your record. If not, see Note 4.
5) If you are changing an existing _auth record, you must allow at least two days for your changes to propagate to DNS servers all over the world.
An _auth record will prove that your domain has authorized the machine at <your IP address> to say "HELO this is <your machine name>.<your domain>". It will also allow receivers to reject forgery attempts from any other address.
Authentication does not establish your reputation as a trusted sender. It does expose your domain name to the risk of acquiring a bad reputation if something goes wrong, and spam is sent from an IP address you have authorized.
Use our webtool to edit your _auth record.
Read DNShelp for more help on setting up an Internet Transmitter.
See dnsreport.com for a complete test of your DNS standards compliance.
1) You can find out who is in charge of your nameservers by checking with the registrar or hosting service where you ordered your domain name. Often they will have a web interface where you can set up minimal records for your domain, or at least set up a delegation of authority to one of the many DNS services that are easier and more versatile than the typical registrar.
2) The <domain name> we need is the name assigned by your registrar, not any subdomain under that. Typically this name will have two parts (example.com), but many country-code top-level-domains assign names at level three. (example.co.uk)
2a) If you have already published *all* of your authorized transmitter addresses in an SPF record, you need not re-type the same information twice. Just put "helo=spf" in your _auth record. For possible problems with this setup, see "Using SPF Records to List HELO Addresses" at http://open-mail.org/Notes_for_Senders
3) The leading underscore in the _auth label is a common convention to distinguish this name from an ordinary machine name. Some DNS services don't allow this, so make sure yours does when you sign up.
4) If you do not get a reply to a test message, it means your HELO name or your Return Address failed. To avoid abuse of our test address, the domain name in your Return Address must match your HELO domain name, and the IP address from which we receive the test message must be included in the _auth record for that domain.