Tenant Domain Setup Guide

Use this guide when a customer or tenant admin is preparing a domain for mail service in Email Reseller Server.

Who Does What

TaskTenant admin or domain ownerSuper AdminServer operator
Choose the tenant domainYesCan verifyNo
Add DNS records at the domain DNS hostYesCan adviseSometimes
Create the tenant in the appNoYesNo
Approve IMAP/SMTP hostnamesNoCan requestYes
Create users and aliasesYes, inside own tenantYesNo
Generate or install DKIM signing keyNoCan requestYes
Provide DKIM public TXT value to tenantNoYesYes
Upload S/MIME identity for own accountYesYesNo
Upload S/MIME identity for usersRegular users in own tenant onlyYesNo

Information To Collect First

Required DNS Records

Replace example.com, mail.example.com, and 203.0.113.10 with the tenant's real values.

TypeNameValuePurpose
Amail203.0.113.10Points the mail hostname to the mail server.
MX@10 mail.example.comSends inbound mail for the domain to the mail server.
TXT@v=spf1 mx -allAuthorizes the domain's MX hosts to send mail.
TXTdefault._domainkeyDKIM public key from the server operatorLets receivers verify signed outbound mail.
TXT_dmarcv=DMARC1; p=quarantine; rua=mailto:dmarc@example.comPublishes domain policy and reporting address.
Start DMARC with p=none while testing if the domain is new or existing senders are still being discovered. Move to quarantine or reject only after SPF, DKIM, and legitimate sending paths are confirmed.

DKIM Public Key

DKIM has two parts: the private signing key stays on the mail server, and the public DNS key is added as a TXT record by the domain owner. Tenants should not receive or upload the private DKIM key.

The server operator or Super Admin should provide the tenant with:

Type: TXT
Name: default._domainkey.example.com
Value: v=DKIM1; k=rsa; p=<public-key-text>

The selector in the name, such as default, must match the server's OpenDKIM configuration.

Optional But Recommended DNS Records

MTA-STS

Type: A
Name: mta-sts
Value: 203.0.113.10

Type: TXT
Name: _mta-sts
Value: v=STSv1; id=20260521T000000Z

The policy must also be reachable at:

https://mta-sts.example.com/.well-known/mta-sts.txt

Use mode: testing first, then move to enforce after reports look healthy.

TLS-RPT

Type: TXT
Name: _smtp._tls
Value: v=TLSRPTv1; rua=mailto:tls-rpt@example.com

Use a mailbox that an admin or Super Admin can review.

Tenant Setup In The App

Only a Super Admin can create a tenant.

  1. Log in as a Super Admin.
  2. Open Admin Panel, then Tenants.
  3. Click Server Setup Wizard and confirm the approved IMAP/SMTP hosts.
  4. Click Add Tenant.
  5. Enter the organization name, primary domain, approved IMAP/SMTP hosts, ports, user limit, and storage limit.
  6. Save the tenant.
  7. Create or assign a Tenant Admin for that tenant.

Mailbox User Setup

  1. Tenant Admin opens Admin Panel, then Users.
  2. Click User Wizard or Add User.
  3. Enter the mailbox address, such as support@example.com.
  4. Generate a temporary password.
  5. Leave mailbox credentials blank when this deployment should provision the local mailbox automatically.
  6. Give the temporary password to the user through a secure channel.

The user should sign in, click Password, and choose their own password. On provisioned local mailboxes, this also updates the IMAP/SMTP mailbox password.

Alias Setup

Aliases are managed in the app, but the mail server must also route them correctly.

  1. Open Admin Panel, then Aliases.
  2. Click Add Alias.
  3. Enter the alias address, such as sales@example.com.
  4. Choose the destination user.
  5. Save.

S/MIME Identity Setup

S/MIME is different from DKIM. DKIM signs the domain's outbound mail at the server level. S/MIME signs or encrypts a user's individual messages with that user's certificate.

For S/MIME signing, the user or admin needs a PEM-formatted S/MIME certificate, the matching PEM-formatted private key, and the optional private key passphrase.

  1. Log in as the user.
  2. Click S/MIME in the top bar.
  3. Paste the certificate PEM.
  4. Paste the matching private key PEM.
  5. Enter the passphrase only if the key requires one.
  6. Click Save S/MIME Identity.
Do not upload another user's private key into your own account. The certificate email address must match the account email address.

External Mail Client Details

SettingTypical value
Account typeIMAP
Email addressFull mailbox address
UsernameFull mailbox address, unless the admin says otherwise
PasswordCurrent webmail/mailbox password
Incoming hostmail.example.com
Incoming port993
Incoming securitySSL/TLS
Outgoing hostmail.example.com
Outgoing port587
Outgoing securitySTARTTLS
Outgoing authenticationRequired

Go-Live Checklist

Troubleshooting

ProblemWhat to check
Tenant cannot be created with desired hostThe host must be in the approved mail-server allow-list.
Mail does not arriveCheck MX, local mailbox provisioning, aliases, and mail logs.
Outbound mail lands in spamCheck SPF, DKIM, DMARC, PTR, and sending reputation.
DKIM failsConfirm selector name and TXT value match OpenDKIM.
Mail client cannot sign inConfirm username, password, IMAP host, port, and TLS mode.
S/MIME signing disabledConfirm certificate/key match, certificate is valid, and server S/MIME runtime is configured.