Basic Configuration
Configure DNS records, SSL certificates, SMTP relay, AI spam screening, and backups.
After completing the setup and install wizards, you need to add DNS authentication records so your emails pass SPF, DKIM, and DMARC checks. This guide covers DNS configuration, SSL management, SMTP relay setup, AI spam screening, and other post-install configuration.
DNS records overview
Email delivery depends on several DNS record types. The install wizard summary page displays all records you need -- you can copy them directly from there or from the DNS page in the dashboard.
| Record Type | Purpose | When to add |
|---|---|---|
| A | Points mail hostname to server IP | Before installation |
| A | Points dashboard subdomain to server IP | Before installation |
| MX | Directs email to your mail server | After install wizard |
| SPF (TXT) | Declares authorized sending IPs | After install wizard |
| DKIM (TXT) | Cryptographic email signatures | After install wizard |
| DMARC (TXT) | Policy for failed authentication | After install wizard |
| PTR (rDNS) | Reverse DNS for server IP | After install (at hosting provider) |
SPF record
SPF (Sender Policy Framework) tells receiving servers which IPs are authorized to send email for your domain:
Type: TXT
Host: @
Value: v=spf1 mx a:mail.example.com ~all
TTL: 3600
The ~all soft-fail is recommended during initial setup. Once you have verified everything works, change it to -all (hard-fail) for stricter enforcement:
v=spf1 mx a:mail.example.com -all
SPF lookup limit
SPF has a 10 DNS lookup limit. If you use third-party services (like Google Workspace or SendGrid alongside CeyMail), be careful not to exceed this limit. Use include: directives sparingly.
DKIM record
CeyMail generates 2048-bit DKIM signing keys during the install wizard's DKIM setup step. The keys are managed through the DKIM page in the dashboard, where you can:
- View the DNS TXT record for each domain
- Generate new keys for additional domains
- Rotate keys for existing domains
Add the displayed TXT record to your DNS:
Type: TXT
Host: ceymail._domainkey
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQE...
TTL: 3600
The selector is ceymail by default.
DMARC record
DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receiving servers what to do when SPF or DKIM checks fail:
Type: TXT
Host: _dmarc
Value: v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100; adkim=s; aspf=s
TTL: 3600
Start with p=none during testing to receive reports without affecting delivery, then move to p=quarantine or p=reject once you are confident in your configuration.
Reverse DNS (PTR record)
Reverse DNS maps your server IP back to your mail hostname. This is configured at your hosting provider (not your domain registrar). Contact your VPS provider to set the PTR record:
IP: 203.0.113.10
PTR: mail.example.com
Many receiving mail servers reject or deprioritize email from servers without valid reverse DNS.
Verifying your DNS configuration
The dashboard has a dedicated DNS page that checks all records for your configured domains and flags any issues. It verifies A, MX, SPF, DKIM, and DMARC records in real time.
You can also verify from the command line:
# Check MX record
dig +short MX example.com
# Check SPF record
dig +short TXT example.com
# Check DKIM record
dig +short TXT ceymail._domainkey.example.com
# Check DMARC record
dig +short TXT _dmarc.example.com
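The `dig` output can also be checked against the rollout steps described above (`~all` then `-all`, `p=none` then `p=quarantine` or `p=reject`, and the SPF lookup limit). The script below is an added example, not part of CeyMail or its dashboard checker; the function names are hypothetical and the sample records are constructed from the values shown on this page.

```sh
# Added example: offline audit of SPF and DMARC TXT values. Live use:
#   audit_records "$(dig +short TXT example.com | grep spf1)" "$(dig +short TXT _dmarc.example.com)"

# Count top-level SPF terms that cost a DNS lookup. Lookups made inside
# include: targets also count toward the limit of 10, so this is a lower bound.
spf_lookups() (
    set -f; n=0                       # set -f: "?all" must not glob
    for term in $(printf '%s' "$1" | tr -d '"'); do
        case ${term#[-+?~]} in
            include:*|a|a:*|a/*|mx|mx:*|mx/*|ptr|ptr:*|exists:*|redirect=*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
)

# Report how the record's "all" term treats senders that match nothing else.
spf_all() {
    case " $(printf '%s' "$1" | tr -d '"') " in
        *' -all '*) echo hardfail ;;
        *' ~all '*) echo softfail ;;
        *' ?all '*) echo neutral ;;
        *' +all '*|*' all '*) echo pass ;;
        *) echo missing ;;
    esac
}

# Extract one tag value (p, adkim, aspf, ...) from a DMARC record.
dmarc_tag() {
    printf '%s' "$1" | tr -d '" ' | tr ';' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Print one finding per line; no output means both records are enforcing.
audit_records() (
    n=$(spf_lookups "$1"); all=$(spf_all "$1"); p=$(dmarc_tag "$2" p)
    if [ "$n" -gt 10 ]; then echo "spf: $n lookup terms, limit is 10"; fi
    case $all in
        hardfail) ;;
        softfail) echo "spf: ~all soft-fail, switch to -all once verified" ;;
        *) echo "spf: all term is '$all', unlisted senders are not failed" ;;
    esac
    case $p in
        quarantine|reject) ;;
        none) echo "dmarc: p=none only reports, delivery is unaffected" ;;
        *) echo "dmarc: missing or unknown p= tag" ;;
    esac
)

# Constructed sample: the initial-setup SPF value and a testing-phase DMARC policy.
audit_records 'v=spf1 mx a:mail.example.com ~all' 'v=DMARC1; p=none; rua=mailto:dmarc@example.com'
```

Because included records are not resolved here, a count close to 10 should be followed up by resolving each `include:` target by hand.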
SSL/TLS certificates
CeyMail provisions Let's Encrypt certificates automatically during installation. Auto-renewal is handled by the certbot systemd timer that runs twice daily.
If SSL was skipped during initial setup (because DNS was not ready), re-run the setup script after DNS propagates:
sudo bash /opt/mission-control/setup.sh
The script will detect that DNS now resolves correctly and obtain certificates.
SMTP relay configuration
If your server IP has delivery issues (common with new VPS IPs), you can relay outbound email through a third-party SMTP service. Configure this from the dashboard under Settings > Integrations.
Supported relay providers:
| Provider | Host |
|---|---|
| Amazon SES | email-smtp.us-east-1.amazonaws.com |
| SendGrid | smtp.sendgrid.net |
| Mailgun | smtp.mailgun.org |
| Brevo | smtp-relay.brevo.com |
| Postmark | smtp.postmarkapp.com |
| SparkPost | smtp.sparkpostmail.com |
| Generic SMTP | Any standard SMTP server |
The relay configuration supports TLS levels (encrypt, may, secure) and ports 25, 465, 587, and 2525.
Relay credentials
Relay credentials are stored securely in Postfix's SASL authentication files, never in the dashboard configuration. The dashboard only stores provider metadata (host, port, TLS level).
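A relay set up this way can be audited on the server for two things: that the TLS level forces encryption before credentials are sent, and that the SASL credential table is readable only by its owner. The script below is an added example, not CeyMail code; `smtp_tls_security_level` and `smtp_sasl_password_maps` are standard Postfix parameters, while the function names, file paths and sample contents are assumptions constructed for the demonstration.

```sh
# Added example: audit a Postfix relay setup. Parameter names are standard
# Postfix; the file locations CeyMail uses are not stated on the page.

# Read one parameter from a main.cf-style file (the last assignment wins).
conf_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '[:space:]'
}

# audit_relay <main.cf>: print one finding per line, nothing when clean.
audit_relay() (
    level=$(conf_get "$1" smtp_tls_security_level)
    case $level in
        encrypt|secure) ;;
        may) echo "tls: level 'may' is opportunistic, sessions can fall back to cleartext" ;;
        *) echo "tls: smtp_tls_security_level is '${level:-unset}', expected encrypt or secure" ;;
    esac
    maps=$(conf_get "$1" smtp_sasl_password_maps)
    file=${maps#*:}                        # hash:/path -> /path
    if [ -z "$file" ]; then echo "sasl: smtp_sasl_password_maps is not set"; exit 0; fi
    for f in "$file" "$file.db"; do        # source table and its postmap output
        [ -e "$f" ] || continue
        # Characters 5-10 of the ls mode string are the group and other bits.
        bits=$(ls -ld "$f" | cut -c5-10)
        if [ "$bits" != "------" ]; then echo "sasl: $f is accessible beyond its owner ($bits)"; fi
    done
    exit 0
)

# Constructed sample: opportunistic TLS plus a world-readable credential table.
demo=$(mktemp -d)
printf '%s\n' 'relayhost = [smtp.sendgrid.net]:587' 'smtp_tls_security_level = may' \
    "smtp_sasl_password_maps = hash:$demo/sasl_passwd" > "$demo/main.cf"
printf '%s\n' '[smtp.sendgrid.net]:587 relay-user:PLACEHOLDER' > "$demo/sasl_passwd"
chmod 644 "$demo/sasl_passwd"
audit_relay "$demo/main.cf"
rm -rf "$demo"
```

On a live server, point `audit_relay` at the active Postfix configuration file, typically `/etc/postfix/main.cf`.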
AI spam screening
CeyMail includes an AI-powered spam screening system that runs as a Postfix milter. It screens both inbound and outbound email and supports three operating modes:
Off mode
Disables AI screening entirely. SpamAssassin continues to handle spam filtering using traditional rule-based methods. Use this if you prefer a purely traditional setup or are running on very limited hardware.
Cloud mode (recommended)
Uses advanced cloud AI to classify messages with the highest accuracy. Detects phishing, scams, spoofing, and spam patterns that rule-based systems miss. Requires a Gemini API key, which you configure on the Screening page in the dashboard. This mode uses minimal server resources since classification runs remotely.
Cloud mode is recommended for most deployments because it provides the strongest protection with zero local resource overhead.
Local mode
Runs an on-device AI model via Ollama for completely offline spam screening. The dashboard handles Ollama installation and model setup automatically. This mode focuses on traditional spam patterns and requires more RAM (2 GB+ recommended) but keeps all email data entirely on your server. Choose this mode for privacy-sensitive environments where no data should leave the server.
Inbound screening
All incoming email is analyzed before delivery. Messages exceeding the spam threshold are handled according to your configured action: rejected at SMTP level, tagged with spam headers, or moved to quarantine. Messages scoring between the suspicious and spam thresholds are flagged but delivered.
Outbound screening
When enabled, outgoing email is also analyzed to protect your server's IP reputation. If a compromised account sends spam through your server, outbound screening catches it before it damages your deliverability. This is critical for maintaining inbox placement rates across all your domains.
Configuration options
- Spam threshold (default 75%) -- Messages scoring above this are treated as spam
- Suspicious threshold (default 50%) -- Messages scoring above this are flagged as suspicious
- Actions -- Choose between reject at SMTP, tag as spam, or move to quarantine
- Max body characters (default 4,000) -- Controls how much of the message body is sent for analysis
- Allow/block lists -- Manage trusted senders and blocked senders per email address or domain
- Screening logs -- Search and filter logs by classification (spam, suspicious, clean), action taken (rejected, tagged, quarantined), and direction (inbound, outbound)
- Overview dashboard -- Real-time stats cards and a 24-hour activity chart with auto-refresh showing accepted, tagged, and rejected messages
Enable and configure AI screening from the Screening page in the dashboard sidebar.
Webmail (Roundcube)
Roundcube webmail is installed during the install wizard and is accessible through the dashboard. The Webmail page in the dashboard provides the URL and configuration status.
Backups
CeyMail provides database backups from the Backup page in the dashboard. Backups include both the mail database (domains, users, aliases) and the dashboard database (admin accounts, audit logs, settings). Backup files can be downloaded directly from the dashboard.
Dashboard features
The Mission Control dashboard provides these management pages:
| Page | Description |
|---|---|
| Dashboard | Server overview with system metrics, service status, queue stats, and live log stream |
| Domains | Add, remove, and manage mail domains |
| Users | Create and manage mailboxes with Dovecot-compatible password hashing |
| Aliases | Configure email forwarding between addresses |
| DKIM | Generate and manage DKIM signing keys per domain |
| DNS | Check DNS record status for all configured domains |
| Services | Monitor and control systemd services (start, stop, restart) |
| Queue | View and manage the Postfix mail queue (flush, clear, delete individual messages) |
| Screening | Configure and monitor AI spam screening with logs and statistics |
| Logs | View mail server logs and audit logs |
| Webmail | Roundcube webmail access and configuration |
| Backup | Create and download database backups |
| Settings | General settings, SMTP relay, license management, updates, and factory reset |
CLI commands
CeyMail provides a command-line interface for common operations:
# Show service status overview
ceymail status
# Show current version
ceymail version
# Check for available updates
ceymail update --check
# Apply the latest update
ceymail update
# Force re-deploy the current version
ceymail update --force
# Show help
ceymail help
Updates
Updates can be applied from the dashboard (Settings > About > Check for Updates) or from the CLI:
ceymail update
The update process downloads a new release tarball, verifies its SHA256 checksum, and re-deploys the dashboard with zero downtime.
Outbound port 25
Ensure outbound port 25 is not blocked by your hosting provider. This is required for your server to deliver email to other mail servers. If it is blocked, configure an SMTP relay through Settings > Integrations.