
Mastering Email Deliverability

DirectAdmin: A Complete Checklist

Email is notoriously tricky. Even if you think everything is perfect, one wrong DNS record somewhere in the chain can break delivery. At SystemDeveloper.nl, we make sure our email setup scores a full 100% on Internet.nl – but we still get asked why messages end up in spam.
In this article, we’ll walk through the complete checklist of what can go wrong, how to test it, and how to fix it — with examples from a DirectAdmin server setup.


1. Test First: The Easy Way

Before touching DNS or server configs, run these tests on your domain:

Internet.nl Mail Test
👉 https://internet.nl/mail/systemdeveloper.nl
Use this test to check your own domain for multiple standards:

  • DNSSEC (Domain Name System Security Extensions) → ensures your DNS records can’t be tampered with during lookup.
  • SPF (Sender Policy Framework) → tells the world which mail servers are allowed to send on behalf of your domain.
  • DKIM (DomainKeys Identified Mail) → cryptographic signature in your emails that proves the message wasn’t altered in transit.
  • DMARC (Domain-based Message Authentication, Reporting & Conformance) → policy layer on top of SPF/DKIM that tells receivers what to do with unauthenticated mail (reject/quarantine).
  • STARTTLS → encryption upgrade during SMTP, securing mail in transit.
  • DANE/TLSA (DNS-based Authentication of Named Entities) → publishes your mail server’s TLS fingerprint in DNSSEC, preventing forged certificates.

Mail-tester.com
👉 https://www.mail-tester.com/

  • Generate a temporary email address, send a test message, then check the score.
  • Shows whether SPF, DKIM, DMARC are passing, if your domain/IP is blacklisted, and how likely your mail is to end up in spam.

✅ Together, these tools give you a clear overview of where problems might lie before diving into technical debugging.


2. DNS & Records Checklist

SPF (Sender Policy Framework)

What it is:
SPF is a DNS TXT record that defines which servers are allowed to send email for your domain. When Gmail, Outlook, or another mail provider receives an email from @yourdomain.com, they check the SPF record to see if the sending server’s IP is on the “allowed list.”

  • If it matches → ✅ the mail is considered more trustworthy.
  • If it doesn’t match → ❌ it may be rejected or marked as spam.

Why it matters:
Without a proper SPF record, spammers can easily forge your domain in the “From:” header. An SPF policy protects your reputation and helps mail reach the inbox.


How to check your SPF record:

dig txt yourdomain.com +short

Example output:

"v=spf1 a mx ip4:123.123.123.123 include:spf.provider.com -all"

How to fix / add in DirectAdmin:

  1. Log in to DirectAdmin → DNS Management.
  2. Add a new TXT Record for your domain:
yourdomain.com. 3600 TXT "v=spf1 a mx ip4:123.123.123.123 include:spf.provider.com -all"
  3. Save and apply changes.

Best practices for SPF:

  • ✅ Use -all (hard fail) or ~all (soft fail). Avoid +all → that allows every server to send as you.
  • ✅ Keep your includes clean — every include: counts as a DNS lookup.
  • ⚠️ Maximum of 10 DNS lookups in total. More than that → SPF check automatically fails.
  • ✅ Update SPF whenever you add/remove a mail server or service (e.g., G Suite, Microsoft 365, newsletter provider).

DKIM (DomainKeys Identified Mail)

What it is:
DKIM adds a digital signature to your outgoing emails. This signature is verified with a public key published in DNS. If the signature matches, the recipient knows the email really came from your server and hasn’t been modified in transit.

Why it matters:

  • Proves authenticity of your messages.
  • Prevents tampering/spoofing.
  • Needed for DMARC to pass.

How to check your DKIM record:

dig txt x._domainkey.yourdomain.com +short

Fix in DirectAdmin:

  1. Go to Email Accounts → DKIM Support → Enable.
  2. This creates a TXT record like: default._domainkey TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqh..."
  3. Make sure the TXT record is published correctly and matches the private key Exim uses.

Best practice: Always use at least a 2048-bit DKIM key for security.


DMARC (Domain-based Message Authentication, Reporting & Conformance)

What it is:
DMARC is a policy layer on top of SPF and DKIM. It tells mail receivers what to do if a message fails authentication.

Why it matters:

  • Stops attackers from forging your domain.
  • Lets you monitor who is sending mail for your domain (via reports).
  • Big providers like Gmail, Microsoft, Yahoo! require DMARC for reliable delivery.

How to check your DMARC record:

dig txt _dmarc.yourdomain.com +short

Fix in DirectAdmin:

  1. Add a TXT record for _dmarc: _dmarc TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com"
    • p= defines the policy: none (monitor only), quarantine, or reject.
    • rua= is the address where aggregate reports are sent.

Best practice: Start with p=none to collect reports, then move to quarantine or reject once you’re confident your SPF/DKIM are solid.


DNSSEC (Domain Name System Security Extensions)

What it is:
DNSSEC secures DNS lookups by signing your DNS records cryptographically. This prevents attackers from spoofing records (like pointing your MX to a fake server).

Why it matters:

  • Essential trust anchor for DANE/TLSA.
  • Required for full Internet.nl 100% score.

How to check:

Fix:
Enable DNSSEC at your domain registrar. DirectAdmin itself does not provide DNSSEC signing.


TLS & DANE (DNS-based Authentication of Named Entities)

What it is:

  • TLS (Transport Layer Security): Encrypts mail in transit (via STARTTLS).
  • DANE/TLSA: Publishes the TLS certificate fingerprint in DNSSEC, so receivers can confirm they’re talking to the real server, not one with a forged certificate.

Why it matters:

  • Without STARTTLS, emails travel unencrypted over the internet.
  • With DANE/TLSA, even compromised certificate authorities can’t fake your mail server.

How to check TLS:

openssl s_client -connect mail.yourdomain.com:25 -starttls smtp

Fix in DirectAdmin:

  1. Enable Let’s Encrypt SSL for mail.yourdomain.com.
  2. Confirm Exim/Dovecot are using the certificate.
  3. If your DNS host supports it, publish a TLSA record for your mail server.

3. Reverse DNS & HELO

Reverse DNS (rDNS / PTR record)

What it is:
Reverse DNS (PTR record) maps your server’s IP address back to a hostname (e.g., 123.123.123.123 → mail.yourdomain.com).
Mail providers use this as a trust check: if the IP you’re sending from has no PTR, or it points to something unrelated, your email may be flagged as spam.

Why it matters:

  • Many providers (Gmail, Microsoft, Yahoo!) outright reject email if the sending IP has no valid PTR.
  • PTR should match the mail server’s HELO/EHLO name and its forward DNS (A/AAAA).

How to check rDNS:

dig -x 123.123.123.123 +short

Expected output:

mail.yourdomain.com.

Fix:

  • PTR records can only be set by your hosting/datacenter provider (the one who owns the IP range).
  • In most cases, you open a ticket or set it in their control panel.
  • This cannot be configured from DirectAdmin.

HELO/EHLO

What it is:
When your mail server connects to another mail server, it introduces itself with a HELO/EHLO string (like a “hello, this is who I am”).
This name must match your server’s FQDN (fully qualified domain name) and ideally match the PTR record.

Why it matters:

  • If HELO is generic (like localhost.localdomain), your mail looks suspicious.
  • A mismatch between HELO, PTR, and A record often causes delivery issues.

How to check HELO/EHLO:
Send a test connection:

telnet mail.yourdomain.com 25

(or openssl s_client -connect mail.yourdomain.com:25 -starttls smtp)

Example output:

220 mail.yourdomain.com ESMTP Exim 4.96

Fix in DirectAdmin (Exim):

  1. Edit /etc/exim.conf or better: use Exim custom templates in DirectAdmin.
  2. Set: primary_hostname = mail.yourdomain.com
  3. Restart Exim: systemctl restart exim

Golden Rule:

HELO: mail.yourdomain.com

Forward DNS: mail.yourdomain.com → 123.123.123.123

Reverse DNS: 123.123.123.123 → mail.yourdomain.com


4. Blacklists (RBLs – Realtime Blackhole Lists)

What it is:
Blacklists (RBLs or DNSBLs) are databases used by mail providers to block known sources of spam.

  • If your mail server IP is on one of these lists, many providers will reject or junk your messages.
  • Listings usually happen because of spam, hacked accounts, open relays, or poor server reputation.

Why it matters:

  • Even with perfect SPF, DKIM, and DMARC, your email won’t deliver if the sending IP has a bad reputation.
  • Some lists are extremely strict (Spamhaus), others are more advisory.

How to check if you are blacklisted:

  1. Spamhaus Blocklist Removal Center
    👉 https://check.spamhaus.org/
    • Enter your IP address.
    • If you’re listed, Spamhaus will tell you which list and why.
  2. MXToolbox Blacklist Check
    👉 https://mxtoolbox.com/blacklists.aspx
    • Checks your IP against dozens of public RBLs.
    • Helpful overview for a quick scan.

Command-line check (for admins):

host <reversed-ip>.zen.spamhaus.org

Example (the IP’s octets are written in reverse order; for 123.123.123.123 the reversed form happens to look identical):

host 123.123.123.123.zen.spamhaus.org

If it returns an IP, you’re listed. If it says NXDOMAIN, you’re clean.
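The golden rule in section 3 and the reversed-IP query name above are easy to get wrong by hand, so here is an added example (not Exim, DirectAdmin or SystemDeveloper.nl code) that builds the DNSBL query name for any IPv4 or IPv6 address and checks that HELO, forward DNS and PTR agree, using constructed A and PTR records instead of live DNS. The names `resolve_a`, `resolve_ptr`, `SAMPLE_A` and `SAMPLE_PTR` are assumptions of this example.

```python
import ipaddress

def reversed_labels(ip):
    """'123.123.123.124' -> '124.123.123.123'; IPv6 is reversed nibble by nibble."""
    # reverse_pointer yields e.g. '124.123.123.123.in-addr.arpa'; drop the suffix
    return ipaddress.ip_address(ip).reverse_pointer.rsplit(".", 2)[0]

def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Name to look up for a DNSBL check: an answer means listed, NXDOMAIN means clean."""
    return f"{reversed_labels(ip)}.{zone}"

def check_helo_triangle(helo, ip, resolve_a, resolve_ptr):
    """Check HELO -> A record -> PTR -> HELO consistency. Returns a list of problems.

    resolve_a(name) returns the IPs of `name`; resolve_ptr(ip) returns its PTR
    hostnames. Both are hypothetical callables; real code would query DNS.
    """
    problems = []
    helo = helo.lower().rstrip(".")
    if "." not in helo or helo.endswith((".localdomain", "localhost")):
        problems.append(f"HELO {helo!r} is not a real fully qualified hostname")
    ip = str(ipaddress.ip_address(ip))                  # normalise (e.g. IPv6 forms)
    forward = [str(ipaddress.ip_address(a)) for a in resolve_a(helo)]
    if ip not in forward:
        problems.append(f"forward DNS for {helo} does not include {ip} (got {forward})")
    ptr_names = [p.lower().rstrip(".") for p in resolve_ptr(ip)]
    if not ptr_names:
        problems.append(f"{ip} has no PTR record")
    elif helo not in ptr_names:
        problems.append(f"PTR for {ip} is {ptr_names}, not {helo}")
    return problems

# Constructed sample records standing in for DNS; the shared-IP case mirrors
# the reseller pitfall where the PTR points at someone else's hostname.
SAMPLE_A = {"mail.yourdomain.com": ["123.123.123.123"],
            "mail.reseller.example": ["123.123.123.123"]}
SAMPLE_PTR = {"123.123.123.123": ["mail.yourdomain.com."]}
resolve_a = lambda name: SAMPLE_A.get(name.lower().rstrip("."), [])
resolve_ptr = lambda ip: SAMPLE_PTR.get(ip, [])

if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.44"))
    for helo in ("mail.yourdomain.com", "mail.reseller.example", "localhost.localdomain"):
        print(helo, check_helo_triangle(helo, "123.123.123.123", resolve_a, resolve_ptr))
```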


Fix if listed:

  1. Investigate first:
    • Check Exim logs (/var/log/exim/mainlog) for unusual outbound volume.
    • Look for compromised accounts sending spam.
    • Scan for malware or hacked CMS sites (WordPress, Joomla, etc.).
  2. Remove the cause:
    • Change user passwords.
    • Secure scripts or disable compromised accounts.
    • Patch outdated websites.
  3. Delisting:
    • Most RBLs have an automatic removal process once the issue is fixed.
    • Spamhaus provides a removal request form after you solve the root cause.
    • Smaller lists may require a manual request or simply expire over time.

Best practices to avoid blacklisting:

  • Rate-limit outbound mail (prevent hacked sites from blasting 10,000 mails).
  • Enforce SMTP AUTH on DirectAdmin/Exim.
  • Monitor outbound logs daily.
  • Use proper rDNS, SPF, DKIM, and DMARC to boost reputation.
  • Keep web apps up-to-date (most spam originates from hacked CMS installs).

5. Common Pitfalls in DirectAdmin Environments

Even if your DNS and mail server are configured correctly, small misconfigurations can still break deliverability. Here are the most common issues we see in DirectAdmin setups:


Wrong nameservers

Problem:
A domain is hosted on your server, but the registrar is still pointing to external nameservers (e.g., the reseller’s or another host’s). That means the DNS records you fix in DirectAdmin are never actually used.

Impact:
SPF/DKIM/DMARC or MX changes won’t apply, leading to mail failures.

Fix:

  • Check with intodns.com or dig ns yourdomain.com +trace.
  • Make sure the domain is really using your DirectAdmin nameservers.

SPF includes gone wild

Problem:
Resellers love to keep stacking include: in SPF records (e.g. include:spf1 → include:spf2 → include:spf3...).
This easily exceeds the 10 DNS lookup limit, causing SPF to fail silently.

Impact:
Mail fails SPF even though “everything looks correct.”

Fix:

  • Keep SPF flat: only include what you actually use.
  • Remove old IPs and unused services.
  • Test at dmarcian.com/spf-survey.
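To make the 10-lookup limit from the SPF best practices concrete, here is an added example (not DirectAdmin, Exim or SystemDeveloper.nl code) that counts the DNS-querying terms across a whole include chain the way a verifier does, over a constructed set of TXT records instead of real DNS. It also reports include loops and a `+all` mechanism; `resolver`, `resolver_from_zone` and `SAMPLE_TXT` are assumed names.

```python
import re

# Terms that cost a DNS query under RFC 7208; their total must not exceed 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
TERM_RE = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:=/](.*))?$", re.I)

def count_spf_lookups(domain, resolver, _path=()):
    """Return (lookup_count, problems) for the SPF record published at `domain`.

    `resolver(name)` is a hypothetical callable returning the TXT strings at `name`;
    `_path` tracks the include/redirect chain so loops are reported, not recursed.
    """
    if domain in _path:
        return 0, [f"{domain}: include/redirect loop"]
    records = [t for t in resolver(domain) if re.match(r"v=spf1(\s|$)", t, re.I)]
    if len(records) != 1:
        return 0, [f"{domain}: expected one SPF record, found {len(records)}"]
    lookups, problems = 0, []
    for term in records[0].split()[1:]:
        if term.lower() == "+all":
            problems.append(f"{domain}: +all lets any host send as you")
        m = TERM_RE.match(term)
        if not m:
            problems.append(f"{domain}: unparsable term {term!r}")
            continue
        name, arg = m.group(1).lower(), m.group(2) or ""
        if name in LOOKUP_TERMS:
            lookups += 1                      # the term itself costs one query
        if name in ("include", "redirect"):   # ...and its target's record adds more
            sub, sub_problems = count_spf_lookups(arg, resolver, _path + (domain,))
            lookups, problems = lookups + sub, problems + sub_problems
    if not _path and lookups > MAX_LOOKUPS:   # report the total once, at the top level
        problems.append(f"{domain}: {lookups} DNS lookups exceeds the limit of {MAX_LOOKUPS}")
    return lookups, problems

# Constructed sample records standing in for DNS (all names are placeholders).
SAMPLE_TXT = {
    "yourdomain.com": ["v=spf1 a mx ip4:123.123.123.123 include:spf.provider.com -all"],
    "spf.provider.com": ["v=spf1 include:spf1.provider.com include:spf2.provider.com ~all"],
    "spf1.provider.com": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "spf2.provider.com": ["v=spf1 a mx include:spf3.provider.com -all"],
    "spf3.provider.com": ["v=spf1 mx:relay.provider.com exists:%{i}.rbl.provider.com -all"],
    "bloated.example": ["v=spf1 include:spf.provider.com include:spf.provider.com +all"],
    "loop.example": ["v=spf1 include:loop.example -all"],
}

def resolver_from_zone(zone):
    """Build a resolver over a dict of constructed TXT records (unknown names -> [])."""
    return lambda name: zone.get(name.lower().rstrip("."), [])
```

Running `count_spf_lookups("yourdomain.com", resolver_from_zone(SAMPLE_TXT))` lands exactly on the limit, while `bloated.example` shows how repeating one provider include doubles the cost.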

Missing CAA records

Problem:
CAA (Certification Authority Authorization) DNS records define which CAs are allowed to issue SSL/TLS certificates for your domain.
Without CAA, any CA could (in theory) issue a cert. Some stricter policies or tools (like Internet.nl) require them.

Impact:

  • Can block Let’s Encrypt issuance if a conflicting CAA exists.
  • Lowers your domain’s security score.

Fix in DirectAdmin:
Add a simple CAA record:

yourdomain.com. 3600 IN CAA 0 issue "letsencrypt.org"

Shared IP conflicts

Problem:
On a DirectAdmin server with many resellers, multiple hostnames may share the same IP. If rDNS points to another reseller’s hostname, your mail will fail rDNS/HELO checks.

Impact:
Your mail may be rejected because the PTR doesn’t match your hostname.

Fix:

  • Assign a dedicated IP for the main mailserver (mail.yourdomain.com).
  • Or ensure rDNS is set to match your hostname, not a reseller’s.

Summary for DirectAdmin admins:

  • Always confirm the domain actually uses your DNS before debugging.
  • Keep SPF clean and under 10 lookups.
  • Add CAA for Let’s Encrypt stability.
  • Avoid shared-IP rDNS issues by using a dedicated mail IP.

6. Final Thoughts

If you’ve gone through this checklist, your mail setup should score near-perfect on Internet.nl and Mail-tester. At SystemDeveloper.nl, both our web and mail score 100%.
But this can change every day. Today’s best SSL ciphers may be insecure next year. One forgotten DNS change can cause problems days later. The key is consistency:

  • Keep DNS tidy
  • Use valid TLS certificates
  • Monitor your logs (/var/log/exim/mainlog)

💡 If you’re a reseller or hoster: run this checklist yourself first, before escalating to your upstream provider. It will save everyone a lot of time.
