Before diving into setting up your own mail server, it’s essential to understand the DNS and TLS foundations that make email delivery secure and trustworthy.
This article explains the DNS records your mail system depends on and how SNI (Server Name Indication) works in both Postfix and Dovecot.
1. Why DNS Configuration Matters for Mail Servers
DNS is the backbone of email routing.
Every time you send or receive an email, DNS tells the internet where your mail should go and how it should be verified.
There are four key DNS records every domain should configure:
| Record | Purpose | Example |
|---|---|---|
| MX (Mail Exchanger) | Defines which server receives emails for your domain | example.com. MX 10 mail.example.com. |
| SPF (Sender Policy Framework) | Lists authorized mail servers allowed to send on behalf of your domain | v=spf1 ip4:1.2.3.4 include:_spf.google.com -all |
| DKIM (DomainKeys Identified Mail) | Uses cryptographic signatures to verify message integrity | default._domainkey.example.com TXT v=DKIM1; k=rsa; p=... |
| DMARC (Domain-based Message Authentication, Reporting & Conformance) | Defines how receivers should handle SPF/DKIM failures and where to send reports | v=DMARC1; p=quarantine; rua=mailto:dmarc-report@example.com |
💡 Tips for Real-World Deployment
- Your MX record must point to a valid A record (e.g., mail.example.com).
- SPF should include any trusted third-party services (e.g., Microsoft 365, Google Workspace).
- Start DMARC with p=none to collect reports, then strengthen it later.
- Use DKIM signing on outbound mail to prevent tampering and improve deliverability.
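As an added example (not part of the original article), a small offline validator that applies the tips above to SPF, DKIM and DMARC TXT strings. It assumes the records have already been fetched (for example with dig), and the sample values below are constructed, not real DNS data.

```python
import re

# Constructed sample records mirroring the table above (not real DNS data).
SAMPLE_SPF = "v=spf1 ip4:1.2.3.4 include:_spf.google.com -all"
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-report@example.com"

# SPF terms that cost a DNS lookup (RFC 7208 section 4.6.4 allows at most 10).
SPF_LOOKUP_TERMS = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", re.I)

def parse_tags(record):
    """Split a 'tag=value; tag=value' list (DKIM, DMARC) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(record):
    """Return a list of findings; an empty list means the record looks sane."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record must start with v=spf1"]
    findings = []
    if terms[-1].lower() not in ("-all", "~all"):
        findings.append("SPF should end with -all or ~all; '+all' or no 'all' lets anyone send")
    if sum(bool(SPF_LOOKUP_TERMS.match(t)) for t in terms) > 10:
        findings.append("more than 10 DNS-querying terms: receivers will return permerror")
    return findings

def check_dkim(record):
    """Check the tags the DKIM table row shows: the public key p= must be present."""
    tags = parse_tags(record)
    findings = []
    if not tags.get("p"):
        findings.append("empty or missing p= means no public key (an empty p= revokes the key)")
    return findings

def check_dmarc(record):
    """Check v=, the policy p= and that an aggregate report address (rua=) exists."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC record must start with v=DMARC1"]
    findings = []
    if tags.get("p") not in ("none", "quarantine", "reject"):
        findings.append("p= must be none, quarantine or reject")
    if not tags.get("rua", "").startswith("mailto:"):
        findings.append("no rua=mailto: address, so the reports p=none is meant to collect never arrive")
    return findings
```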
2. SNI in Postfix — Inbound vs Outbound
SNI (Server Name Indication) allows a single server to present different SSL/TLS certificates depending on the requested hostname.
For email, this means Postfix can serve multiple domains with their own certificates — an essential feature for multi-domain or multi-tenant environments.
2.1 Inbound SNI (Receiving Mail)
When another mail server connects to deliver mail, it uses your MX record to locate your host.
With SNI enabled, Postfix can present a different TLS certificate depending on which domain the incoming connection is targeting.
Example configuration:
```
# main.cf
smtpd_tls_server_sni_maps = hash:/etc/postfix/sni_in_map
```

```
# /etc/postfix/sni_in_map (build it with: postmap -F hash:/etc/postfix/sni_in_map)
mail.domain1.com /etc/ssl/domain1.pem
mail.domain2.com /etc/ssl/domain2.pem
```
✅ Use case:
- Hosting multiple domains (e.g., domain1.com, domain2.com)
- Each domain needs its own certificate for TLS handshakes
⚠️ Note:
Inbound SNI is rarely required for single-domain setups, since most MX records point to a single mail gateway.
2.2 Outbound SNI (Sending Mail)
Outbound SNI lets Postfix select the proper TLS certificate when sending mail from different domains.
This ensures the outgoing mail’s certificate matches the sender’s domain — a critical factor for reputation and compliance.
Example configuration:
```
# main.cf
smtp_tls_sni_maps = hash:/etc/postfix/sni_out_map
```

```
# /etc/postfix/sni_out_map
example.com /etc/ssl/example.pem
other.com /etc/ssl/other.pem
```
✅ Use case:
- Multi-domain or reseller environments
- Each brand/domain has its own DKIM and certificate
⚖️ Decision point:
- Single-domain system: SNI not needed
- Multi-domain outbound service: SNI strongly recommended
3. Dovecot and SNI in IMAP/POP3 Services
Dovecot also supports SNI for IMAP and POP3 connections, allowing each mail domain to present its own SSL certificate — useful for multi-domain hosting or branded login endpoints.
Example configuration:
```
# Dovecot SSL configuration (e.g., conf.d/10-ssl.conf)
local_name mail.domain1.com {
  ssl_cert = </etc/ssl/domain1.pem
  ssl_key = </etc/ssl/domain1.key
}
local_name mail.domain2.com {
  ssl_cert = </etc/ssl/domain2.pem
  ssl_key = </etc/ssl/domain2.key
}
```
✅ Typical scenarios:
- Multi-domain IMAP/POP3 hosting
- Let’s Encrypt wildcard or domain-specific certificates
- Clean SSL negotiation and branding for each domain
4. Putting It All Together — DNS & SNI Strategy Matrix
| Scenario | DNS Setup | SNI Usage | Notes |
|---|---|---|---|
| Single corporate domain | One MX/SPF/DKIM/DMARC set | No SNI | Simplest setup |
| Multi-brand domains | Each domain has its own records | Outbound SNI | Best for brand isolation |
| Multi-tenant hosting | Unified MX + per-domain SPF/DKIM | Inbound & Outbound SNI | Improves trust and separation |
| Internal-only mail | Single wildcard domain | No SNI | Stable and low-maintenance |
5. Conclusion
DNS and SNI are the foundation of a reliable mail infrastructure.
A well-designed combination of MX, SPF, DKIM, and DMARC ensures your messages are trusted across the internet, while strategic use of SNI in Postfix and Dovecot enables secure, flexible, and scalable multi-domain email hosting.
Before configuring Postfix, Dovecot, or any other mail components, make sure your DNS and TLS groundwork is solid — it’s the difference between a working mail server and a trusted one.