Introduction

SUMMARY: configuration for clients

  • Servers for IMAP, POP3 and SMTP all start with mail and are followed by your domain (such as mail.mydomain.tld)
  • Port 993 - IMAP secure receiving OR
  • Port 995 - POP3 secure receiving
  • Port 465 - SMTP secure sending
  • If asked to use SSL or TLS for a secure connection, choose SSL.

Essential Terminology: IMAP, POP3, SMTP and their numeric port numbers

If you are already familiar with all of this, just skip to the Quick Start.

You need to understand there are two sides to Email Hosting. The client side, which is what you see, and the server side, which you do not see. The client side runs locally (even when using a web based client) and the server side runs remotely. ZGUS Email provides a server side. You can use a wide variety of client software. In fact ZGUS Email even provides email client software: webmail.

The server side is divided into three servers: POP3, IMAP and SMTP. Each server has a different purpose.

For email client configuration you need either a connection to an IMAP or POP3 server to receive and view email. A connection to an SMTP server is for sending email. Email client software disguises the different server connections except when setting up (configuring). That is why it is important to be familiar with the terminology.

POP3 is simpler than IMAP. POP3 is intended to remove your email from the server. IMAP is intended to leave your email on the server, within a folder on the server.

A server can be specified by a name. The concept of a port, which is expressed as a number, is also important because a port is a way of telling a server what service you want. There are seven different ports used by the three different servers, and they further refine how a connection is to be made.

Email clients now default to encouraging the secure connection ports 993, 995 and 465 instead of the insecure ports 143, 110 and 25 for IMAP, POP3 and SMTP respectively. To work conveniently with your own domain name, instead of a server name under our domain like mx.zgus.com, you can add a few extra steps to DNS and ZGUS Email configuration that will make everyone happier and say clever you!

Please note port 465 is preferred over port 587 for SMTP. Port 465 forces a secure connection and is now, again, being officially encouraged over port 587. Port 587 can be used as either an insecure port or a secure port.

Some clients (Gmail) ask whether to use SSL or TLS for the secure connection. Use SSL.

IMAP or POP3?

If you only have one device you use, like a mobile phone, POP3 is a good choice. You can still opt to leave mail on the server, or have it deleted from the server (as is normal with POP3) to keep space use down.

If you read from different PCs or from different clients, IMAP is a better choice. If you do not delete email or do not move email from one IMAP server to another (including to Gmail) then space may become a problem.

Backing Up, Storing and Protecting Email

Thunderbird allows email to be exported to disk and also accessed from disk independent of which account it originally belonged to.

For ZGUS Email you are recommended to back up to disk or move email to another IMAP server to avoid the limited space being used up. You do not have to do this often; once a month might be a good choice. Gmail is not ideal for non-personal email, but it can serve as a temporary store for email (such as by backing up to a folder) if the email is not protected information. Ideally email that needs to be protected and stored should be backed up to a protected disc.

You need to be aware there are rules about storing emails on an email server, on another type of server, or on disc. The basic rule is that protected information in emails, and protected information backed up from emails, needs to be stored in a protected manner with controlled access.

If there is no valid reason to store personal or protected information in email, email should be deleted and not stored.

Mail server name: how we make configuration easier with a common and intuitive server name.

The hardest part is getting email clients, such as Gmail, Thunderbird and K-9 configured. We make it easier by encouraging server configuration that makes default secure level email client configuration more intuitive and makes autodiscovery work more reliably, if chosen.

So please do not skip the DNS and ZGUS Email configuration steps described.

Suppose one of your domain names is mydomain.tld. tld means ‘top level domain’, such as com, io, au, net. Although country level domains, such as com.au, are not top level domains, for this documentation you can consider them to be.

The server names for all ports are mail.mydomain.tld, using the domain from the email address. Almost all email clients will suggest a default choice that includes mydomain.tld. Some defaults may be just mydomain.tld, or imap.mydomain.tld, or smtp.mydomain.tld.

Just stick to mail.mydomain.tld for all server names for IMAP, POP3 and SMTP ports.

Just a simple step to make your life in IT less anguished!

Forwarding, Aliasing and Plus Addressing

Forwarding needs careful consideration to avoid loops. It also runs increased risk of rejection of mail when it should not be, if forwarded to another server.

With plus addressing, everything from and including the + up to but not including the @ is ignored at the server level. For example a+b@mydomain.tld is considered to be a@mydomain.tld by the server for processing on receipt. Further processing can be done at the account level (either at the server email account level or the client level).

Aliasing is more specific than forwarding and is processed at the server level only. If account a@mydomain.tld does not exist but account b@mydomain.tld does exist, then a is an alias for b on domain mydomain.tld if mail for a is only to go to b.

Forwarding, at the server level, is when an account a@mydomain.tld may or may not exist but mail for a@mydomain.tld goes to one or more other domains (on the same or another server), such as to a@myotherdomain.tld, AND/OR goes to one or more addresses on the same domain, such as b@mydomain.tld and c@mydomain.tld.

Where an email account exists, forwarding can also be configured at the user account level, including at the server level for a specific account (see On server message filtering below), as well as the client level.

There is no facility in ZGUS Email for forwarding email for an entire domain to another domain on the same server. If you have another domain to forward to on the same server, aliasing and forwarding needs to be set up individually, as if the domain is on another server.
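The recipient resolution described above (plus-tag stripping, then aliasing, then forwarding, with the loop check that forwarding requires), as an added example that is not ZGUS Email's own code; the account, alias and forwarding tables are constructed sample data, and it assumes a forwarded address does not also keep a local copy:

```python
"""Server-side recipient resolution: plus addressing, aliasing, forwarding,
and detection of forwarding loops. Added example with constructed data."""

# Constructed sample configuration for mydomain.tld (assumption: these
# are the only accounts, aliases and forwards the server knows about).
ACCOUNTS = {"a@mydomain.tld", "b@mydomain.tld", "c@mydomain.tld"}
ALIASES = {"sales@mydomain.tld": "b@mydomain.tld"}      # alias -> real account
FORWARDS = {                                             # address -> targets
    "a@mydomain.tld": ["a@myotherdomain.tld", "c@mydomain.tld"],
    "c@mydomain.tld": ["a@mydomain.tld"],                # forms a loop with a@
}
LOCAL_DOMAINS = {"mydomain.tld"}


def strip_plus_tag(address):
    """a+b@mydomain.tld -> a@mydomain.tld: the +tag is ignored on receipt."""
    local, _, domain = address.rpartition("@")
    return f"{local.split('+', 1)[0]}@{domain}".lower()


def resolve(address, seen=None):
    """Return (final_deliveries, loops) for mail addressed to `address`.

    Local targets are expanded through aliases and forwards; remote targets
    are handed off as-is. An address met twice on one path is a loop."""
    seen = set() if seen is None else seen
    addr = strip_plus_tag(address)
    if addr in seen:
        return set(), {addr}
    seen = seen | {addr}
    domain = addr.rpartition("@")[2]
    if domain not in LOCAL_DOMAINS:
        return {addr}, set()                 # remote: the other server decides
    if addr in ALIASES:                      # alias resolved before forwarding
        return resolve(ALIASES[addr], seen)
    targets = FORWARDS.get(addr)
    if not targets:                          # no forward: deliver if it exists
        return ({addr}, set()) if addr in ACCOUNTS else (set(), set())
    final, loops = set(), set()
    for target in targets:
        f, l = resolve(target, seen)
        final |= f
        loops |= l
    return final, loops
```

An empty first set with an empty second set means the address is neither an account, an alias nor a forward, so the server would reject it.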

Mailadmin in ZGUS Email uses the same administration screen for forwarding and aliasing at the mailadmin server level.

The solution provided by ZGUS Email is simpler to apply than when aliasing and forwarding are treated separately, and allows forwarding to be applied simply at the mailadmin level.

Forwarding to Gmail and others on other servers is problematic: other solutions

Suppose you forward email to another domain that is not on your mailadmin account at ZGUS Email.

Forwarding to Gmail and to other servers can be problematic, and email can be rejected at the other server. Why have email go through another round of filtering on another server looking for reasons to reject or label it?

Also with forwarding you can quickly lose track of what email went where originally and what the priorities are for attending to it, so forwarding should be used with caution.

As another solution, desktop clients that are not web based (such as Thunderbird and Outlook) are a good way of keeping track of multiple email accounts. K-9 Mail and Apple Mail are also good solutions.

Note that with Gmail you can fetch email from other servers. However, Gmail also processes this fetched email as if it had arrived at Gmail directly, and this can lead to problems (shown next) that were not present originally and would not arise if the email had gone straight to Gmail without forwarding.

Some email clients

Gmail on desktop with web

Only POP3/SMTP external connections are allowed for non ‘Gmailified’ services.

You will have a primary account, usually (but not necessarily) ending in .gmail.com, that is used for more than email. Your @mydomain.tld account will be an additional account for email only (POP3/SMTP only on desktop).

Following are some problems with POP3/SMTP fetching with Gmail on desktop with a web browser or on mobile:

  1. Cannot control how often polling occurs to the ZGUS Email IMAP/POP3/SMTP server but can be manually initiated.
  2. Will falsely report, with a big banner, an SPF failure when one non-Gmail account sends email to another account on the same server and the sent email is fetched by Gmail. Gmail falsely interprets the sending PC as the origin SMTP server when a single SMTP server just did a local delivery (before the fetch by Gmail).
  3. Pools all mail together into the one Inbox, which may not be what you want.

Gmail on mobile phone

On Android, personal IMAP and POP3 accounts can be set up that work with Gmail.

Your additional @mydomain.tld account will be an additional email only (POP3/SMTP or IMAP/SMTP) account and will be listed as an account in system settings.

Gmail is available for iPhone.

Gmail as POP3/IMAP/SMTP server

Gmail can work with standard email clients by just using the server POP3/IMAP/SMTP server side.

Works well. IMAP needs to be enabled. Labels need to be marked ‘Show in IMAP’.

Using Gmail as a POP3/IMAP/SMTP server in another email client is preferable to using a POP3/IMAP/SMTP server (like ZGUS Email) within Gmail desktop, for reasons stated above.

K-9 Mail for Android

Works well and is easy to set up.

A distinct advantage of K-9 Mail over Gmail as a client on Android is that, unlike Gmail, separate IMAP accounts can be maintained. Although the default view is a unified Inbox (which is convenient) inboxes and IMAP folders of separate accounts can be viewed.

A disadvantage of K-9 mail, compared to desktop clients, is a folder view of IMAP folders is not shown. For example if ‘subfolder’ is a folder of ‘folder’ then K-9 Mail shows the folder as ‘folder.subfolder’ in a single list view of folders, not as ‘subfolder’ in a tree view with ‘folder’ at an upper level.

Mail for Apple Phone (iOS), Mac and Web (iCloud)

Reported to work well. As with Gmail, you will have an account associated with Apple that can be used for email. Your @mydomain.tld address will be a secondary account for email only.

Account Linking for authentication

Google (and so also Apple) will allow a non-Google and non-Apple account address to be used for authentication and authorisation services to other services.

TBD

Thunderbird, Outlook and Windows Mail desktop clients on Windows

All work and clearly distinguish between accounts, account folders (for IMAP) and inboxes.

If email is an important part of your life that takes up your time then a desktop email client is the place to be.

Thunderbird has the easiest setup, then Windows Mail, with Outlook the most difficult.

All work with Gmail through POP3/IMAP/SMTP.

The nicest thing about desktop clients? How quick it is to get rid of unwanted email by just repeatedly pressing the delete key! They even allow the repeat key to be kept pressed down! There is no equivalent on mobile phones!

SPAM

Avoiding Generating Spam

Please see Avoiding Triggering Spam Threshold Scores.

SPF and DKIM

Your DNS records must contain the DNS SPF and DKIM records specified, to ensure delivery will be accepted and to help ensure your domain is not being spoofed.

SPF means ‘Sender Policy Framework’. It lets email receivers know what IP addresses are approved for sending email for your domain. The envelope header domain is used, not the ‘From:’ header domain.

DKIM means ‘DomainKeys Identified Mail’. It publishes a public key in DNS that receivers use to verify a digital signature over a hash of parts of the email (the body and selected headers). The public key is looked up using the d= (domain) and s= (selector) tags of the DKIM-Signature header. If the signature verifies, the signed parts of the email have not been altered since signing, and the signature can only have been generated by the private key matching that public key. If verification fails, the email has been tampered with (body or headers) or was signed with a different private key.

DMARC is important for large organisations

‘DMARC Alignment’ is a test to see if the domain in the ‘From:’ header matches the domain from either the envelope header used in the SPF test or matches the ’d=’ tag in the DKIM-Signature header.

It is up to you to decide whether to use DMARC or not. DMARC involves more than just making a DNS entry.

DMARC means ‘Domain-based Message Authentication, Reporting, and Conformance’ and has these parts:

  1. A way for email receivers who receive email supposedly from your domain to provide XML reports, emailed back to you or a third party, that emails have been received with an SPF and/or DKIM mismatch.
  2. A way for email receivers to determine what your recommendation is for email that fails the test (either you have no recommendation, you recommend quarantine or you recommend rejection).
  3. A way to provide a percentage recommendation of how much of your policy to apply.

DMARC helps identify misconfiguration and also helps prevent domain spoofing and phishing, which certain industries are vulnerable to. You can request third parties analyse the XML reports emailed, although the XML is straightforward enough to be read as is without analysis if there is only a small amount of reporting.

Ideally a recommendation should be reject. But this may not be practical for large organisations.

A large organisation can start off by recommending they have no recommendation. They can analyse reports and use the reports to tighten up their SPF and DKIM DNS records. When they are satisfied their records are correct they can progress to recommending quarantine and later reject. Reports should continue to be analysed. While you cannot stop spoofing, you can provide a way to determine if emails supposedly from you should be rejected because you are asserting SPF and DKIM failures are not due to a misconfiguration fault by your organisation.

DMARC Alignment and maillist services

Be careful if you use a maillist service with DMARC! You need to add more DNS records!

If you use maillist services, such as Mailchimp, who email on your behalf, then DMARC alignment tests will fail unless you provide CNAME records to their DKIM server. So if you provide a DMARC record with a policy of quarantine or reject, make sure you insert relevant CNAME records.

Sample DMARC records

This record was retrieved on 13 June 2022 from DNS with command nslookup -type=txt _dmarc.apple.com:

  • Apple: _dmarc.apple.com text = "v=DMARC1; p=quarantine; sp=reject; rua=mailto:d@rua.agari.com; ruf=mailto:d@ruf.agari.com;"

For Apple, their recommendation is to reject failing mail from subdomains of apple.com (sp=reject) and to quarantine failing mail from apple.com itself (p=quarantine).
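The DMARC alignment test and policy selection described in the SPF and DKIM, DMARC and maillist sections above, applied to the apple.com record quoted above, as an added example that is not ZGUS Email's or Apple's code; the message inputs (From: domain, SPF envelope domain, DKIM d= domain and their pass/fail results) are constructed, and the organisational-domain rule (last two labels) is a simplifying assumption in place of the public suffix list:

```python
"""DMARC evaluation: parse the record, test alignment of the From: domain
against the SPF envelope domain and the DKIM d= domain, pick p or sp.
Added example; the record text is the apple.com record quoted above."""

APPLE_RECORD = ("v=DMARC1; p=quarantine; sp=reject; "
                "rua=mailto:d@rua.agari.com; ruf=mailto:d@ruf.agari.com;")


def parse_dmarc(txt):
    """'v=DMARC1; p=quarantine; ...' -> dict of tags; absent tags get defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}   # relaxed alignment, 100%
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    tags.setdefault("sp", tags.get("p"))                # sp defaults to p
    return tags


def org_domain(domain):
    """Assumption: organisational domain = last two labels (no public suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s'): exact match. Relaxed ('r'): same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record, from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass):
    """Return (dmarc_pass, policy_to_apply, pct) for one message.

    DMARC passes if either SPF or DKIM passed AND its domain aligns with From:.
    On failure, mail from the organisational domain itself gets p; mail from a
    subdomain gets sp. pct is the share of failing mail the policy applies to."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    pct = int(tags["pct"])
    if spf_ok or dkim_ok:
        return True, "none", pct
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    return False, (tags["sp"] if is_subdomain else tags["p"]), pct
```

The third and fourth cases in the test show the maillist point: a third-party sender whose DKIM d= is its own domain fails alignment and is rejected under sp, while a CNAME that lets it sign under your domain makes the same message pass.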

Rspamd and SPAM Filters for each domain

Rspamd provides a spam filtering system and makes use of SPF, DKIM and DMARC DNS records in mailadmin.

Make sure you are on the correct domain.

In your mailadmin ‘Dashboard’, ‘E-mail Manager’, ‘Rspamd Setup’ you can set some broad parameters.

In your mailadmin ‘Dashboard’, ‘E-mail Manager’, ‘SPAM Filters’ you can set some highly specific filters.

On server message filtering for individual email accounts

Sieve Message Filters enables message filtering to be set up on ZGUS Email server at the IMAP folder level. This means no matter what IMAP client is used, the effect is the same.

ZGUS webmail at https://webmail.mydomain.tld (using Roundcube) can adjust settings.

Thunderbird has an extension for this and is more flexible than Roundcube webmail.

Other

Email client Autodiscovery

We should be able to offer a service that allows autodiscovery to work more reliably if you add in an extra DNS SRV record and an extra DNS CNAME record.

Outlook and Thunderbird email clients can both use different Autodiscovery techniques for IMAP. Autodiscovery requires web use. Some autodiscovery also requires additional DNS records.

Email hosts provide the parameters for Autodiscovery to work. Email hosts do not provide autodiscovery because autodiscovery involves web and DNS adjustment, not email hosting adjustment.

So we cannot automatically provide the most reliable autodiscovery without an additional web service, which will be free.

Firebase for static web site hosting with your domains

Other than configuring Firebase and setting up local development, there are just three additional DNS records to do. Nothing to do with email.

While Firebase is far more than static web site hosting, Firebase provides a convenient way to host static websites incrementally. You can still push website source code changes to GitHub.