How to set up send-only encrypted email on a LEMP server with WP installed

May 1, 2018 752 views
Nginx WordPress Email Security

Hi,

I am having trouble sending encrypted email from my server. My site is live and perfectly working and secure as can be (I followed all security guides on DigitalOcean) BUT there is one frustrating issue that I am having trouble fixing. First, my domain's nameservers are pointing to Microsoft Office 365's server for emails and then I have an A record pointing to my Droplet's IP address.

My site is on WordPress and I configured my Droplet from scratch following this guide to install a LEMP server:

https://www.digitalocean.com/community/tutorials/how-to-install-wordpress-with-lemp-on-ubuntu-16-04

Then I followed this guide to set up a send-only SMTP server:

https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-postfix-as-a-send-only-smtp-server-on-ubuntu-16-04

Which is when I started to notice that A. Emails were going to spam on my Gmail and B. I was not receiving the emails at all at my Office 365 email – which is the main email that I need it to go to.

The email server was set up years ago and has an SPF record, and I followed this guide to configure DKIM with Postfix, installed the record in Microsoft Office 365's DNS and validated it using this tool:

Guide: https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy

Tool: https://dkimcore.org/tools/keycheck.html

And I am still getting unencrypted email sent out and not even showing up to my MS Office emails. What am I doing wrong?

1 Answer

Hi. Is your web server listed in your SPF record? If the server is not authorized in the SPF to send email for your domain then it is likely to be flagged as spam or dropped by receiving servers.

You have a couple of options. You can either adjust your SPF record to support both your Office 365 mail and your web server's need to send mail, or you could create a second MX record for a subdomain of your domain and configure your web service to send email as user@web.domain.com or another subdomain.
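The answer turns on a single question: does the SPF record for the sending domain authorize the web server's IP? The script below is an added illustration (it is not part of the original thread or of any DigitalOcean guide) that evaluates a simplified subset of SPF (ip4, ip6, a, include, all) against constructed DNS data. "domain.com", the 203.0.113.10 Droplet address and the 198.51.100.0/24 "Office 365" range are assumed placeholders from the RFC 5737 documentation ranges, not Microsoft's real networks. It models both options from the answer: adding the server's IP to the apex record, and giving a web.domain.com subdomain its own record.

```python
import ipaddress

# Constructed DNS data (assumed, not taken from the original thread). "domain.com"
# stands in for the poster's domain, 203.0.113.10 for the Droplet's address and
# 198.51.100.0/24 for the Office 365 outbound range; all are documentation-only
# IP ranges (RFC 5737), not Microsoft's real SPF networks.
DROPLET_IP = "203.0.113.10"
OFFICE365_IP = "198.51.100.7"

A_RECORDS = {"web.domain.com": DROPLET_IP}

# Starting point: the apex record only delegates to Office 365.
TXT_BEFORE = {
    "domain.com": "v=spf1 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 -all",
}
# Option 1 from the answer: the web server's IP is added to the apex record.
TXT_AFTER = {**TXT_BEFORE,
             "domain.com": "v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com -all"}
# Option 2 from the answer: mail is sent as user@web.domain.com, and that
# subdomain's own record authorizes whatever its A record points at.
TXT_SUBDOMAIN = {**TXT_BEFORE, "web.domain.com": "v=spf1 a -all"}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(txt_records, a_records, domain, sender_ip, depth=0):
    """Simplified SPF check (RFC 7208 subset: ip4, ip6, a, include, all).

    Returns the result a receiving server would compute for mail claiming to
    come from `domain` and delivered from `sender_ip`.
    """
    if depth > 10:                       # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = txt_records.get(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"                    # no SPF record published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        if "=" in term:                  # modifiers (redirect=, exp=) not handled here
            continue
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, arg = term.partition(":")
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            # an IPv6 sender never matches an ip4 network, and vice versa
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mechanism == "a":
            host = arg or domain
            matched = a_records.get(host) == str(ip)
        elif mechanism == "include":
            # include matches only when the referenced record itself yields "pass"
            matched = evaluate_spf(txt_records, a_records, arg, sender_ip, depth + 1) == "pass"
        else:
            return "permerror"           # mx, ptr, exists: outside this subset
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                     # nothing matched and no explicit "all"


if __name__ == "__main__":
    cases = (("before", TXT_BEFORE, "domain.com"),
             ("after", TXT_AFTER, "domain.com"),
             ("subdomain", TXT_SUBDOMAIN, "web.domain.com"))
    for label, txt, domain in cases:
        print(f"{label:9} {domain:15} droplet={evaluate_spf(txt, A_RECORDS, domain, DROPLET_IP):5} "
              f"office365={evaluate_spf(txt, A_RECORDS, domain, OFFICE365_IP)}")
```

Run as-is it prints "fail" for the Droplet against the original record and "pass" once either fix is applied, while the Office 365 address passes throughout. A real receiver resolves `include:` and `a` over DNS and also handles `mx`, `redirect=` and the 10-lookup limit strictly; this offline version only shows why a `-all` record with no mention of the web server causes mail from it to be rejected or flagged.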

  • Hey ryanpq,

    Thank you for the reply. I have adjusted my SPF record to include my server and now I am seeing progress. Now I am seeing "mailed-by: domain.com" and "signed by: domain.com" which I was not seeing before. The only thing now is that it still says "Security: No encryption", and also still does not allow the message to go through to my Office 365 mailbox.

    What steps am I missing?

    Best Regards,
    Jose

    • Update:

      I have added this to my Postfix configuration file and adjusted it to my self-signed certificate:

      # TLS parameters
      # smtpd_* settings apply to the Postfix SMTP server (connections made TO this host)
      smtpd_tls_cert_file=/etc/ssl/certs/fullchain.pem
      smtpd_tls_key_file=/etc/ssl/private/privatekey.pem
      # smtp_* settings apply to the Postfix SMTP client (mail this host SENDS);
      # smtp_use_tls=yes enables opportunistic TLS on outgoing connections
      smtp_use_tls=yes
      smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
      smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

      and now I am sending encrypted email using TLS! Almost there!

      BUT, for some reason, my office 365 email is still not accepting/receiving emails?
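The fragment above mixes two families of Postfix parameters. `smtpd_*` settings (the certificate and key) configure the SMTP server side, i.e. what this host presents when something connects to it; on a send-only box that side is never exercised by outgoing mail. Only `smtp_use_tls=yes` changes what the SMTP client does when it delivers to Gmail or Office 365, which is why the "Security" header flipped to TLS. `smtp_use_tls` is the legacy knob; postconf(5) documents `smtp_tls_security_level` (`may` for opportunistic, `encrypt` and stronger for mandatory TLS) as overriding it whenever it is set. The script below is an added example, not code from the thread or from Postfix: it parses a constructed main.cf fragment modelled on the one posted and reports the outbound TLS posture using those documented rules. Whether Office 365 accepts the message is a separate question from whether the hop is encrypted; this check only answers the latter.

```python
import re

# Constructed main.cf fragment (assumed input, not a copy of any live server);
# it mirrors the kinds of parameters set in the thread above.
MAIN_CF = """\
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/fullchain.pem
smtpd_tls_key_file=/etc/ssl/private/privatekey.pem
smtp_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
"""

# smtp_tls_security_level values grouped by what they guarantee for outbound
# mail, per postconf(5). "dane" is opportunistic because it falls back to "may"
# when the destination publishes no TLSA records.
MANDATORY = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}
OPPORTUNISTIC = {"may", "dane"}


def parse_main_cf(text):
    """Parse main.cf into a dict.

    Skips blank and comment lines; a line beginning with whitespace continues
    the previous parameter's value, as Postfix itself reads the file.
    """
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            continue                     # not a parameter assignment
        current = key.strip()
        params[current] = value.strip()
    return params


def outbound_tls_status(params):
    """Classify what the config implies for mail this host sends.

    Returns "mandatory", "opportunistic" or "disabled".
    """
    level = params.get("smtp_tls_security_level", "")
    if level:                            # the modern knob overrides the legacy ones
        if level in MANDATORY:
            return "mandatory"
        if level in OPPORTUNISTIC:
            return "opportunistic"
        return "disabled"                # "none" (anything unrecognised is treated the same here)
    # Legacy knobs are consulted only when smtp_tls_security_level is unset.
    if params.get("smtp_enforce_tls", "no") == "yes":
        return "mandatory"
    if params.get("smtp_use_tls", "no") == "yes":
        return "opportunistic"
    return "disabled"


def split_tls_roles(params):
    """Separate server-side (smtpd_*) from client-side (smtp_*) TLS parameters.

    On a send-only host the smtpd_* settings govern connections made to this
    box; the smtp_* settings decide whether outgoing mail is encrypted.
    """
    server = sorted(k for k in params if k.startswith("smtpd_tls"))
    client = sorted(k for k in params if re.match(r"smtp_(tls|use_tls|enforce_tls)", k))
    return {"server": server, "client": client}


if __name__ == "__main__":
    cfg = parse_main_cf(MAIN_CF)
    roles = split_tls_roles(cfg)
    print("server-side (inbound) TLS parameters:", roles["server"])
    print("client-side (outbound) TLS parameters:", roles["client"])
    print("outbound TLS:", outbound_tls_status(cfg))
```

Point the parser at `postconf -n` output or at /etc/postfix/main.cf on a real host and the result is the same kind of report: a config that sets only `smtpd_*` parameters comes back as "disabled" for outgoing mail even though a certificate is installed, which is the mistake the split view is meant to surface.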
