Tenant Domain Setup Guide
Use this guide when a customer or tenant admin is preparing a domain for mail service in Email Reseller Server.
Who Does What
| Task | Tenant admin or domain owner | Super Admin | Server operator |
|---|---|---|---|
| Choose the tenant domain | Yes | Can verify | No |
| Add DNS records at the domain DNS host | Yes | Can advise | Sometimes |
| Create the tenant in the app | No | Yes | No |
| Approve IMAP/SMTP hostnames | No | Can request | Yes |
| Create users and aliases | Yes, inside own tenant | Yes | No |
| Generate or install DKIM signing key | No | Can request | Yes |
| Provide DKIM public TXT value to tenant | No | Yes | Yes |
| Upload S/MIME identity for own account | Yes | Yes | No |
| Upload S/MIME identity for users | Regular users in own tenant only | Yes | No |
Information To Collect First
- Primary domain, for example example.com.
- Mail hostname users will connect to, for example mail.example.com.
- Tenant admin email address.
- Expected mailbox addresses, such as support@example.com and billing@example.com.
- DNS provider login owner, such as Cloudflare, Route 53, GoDaddy, or the registrar.
- Whether mail is locally hosted by this server or by an external IMAP/SMTP provider.
- Whether the tenant needs S/MIME signing or encrypted outbound mail.
Required DNS Records
Replace example.com, mail.example.com, and 203.0.113.10 with the tenant's real values.
| Type | Name | Value | Purpose |
|---|---|---|---|
| A | mail | 203.0.113.10 | Points the mail hostname to the mail server. |
| MX | @ | 10 mail.example.com | Sends inbound mail for the domain to the mail server. |
| TXT | @ | v=spf1 mx -all | Authorizes the domain's MX hosts to send mail. |
| TXT | default._domainkey | DKIM public key from the server operator | Lets receivers verify signed outbound mail. |
| TXT | _dmarc | v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com | Publishes domain policy and reporting address. |
Use p=none while testing if the domain is new or existing senders are still being discovered. Move to quarantine or reject only after SPF, DKIM, and legitimate sending paths are confirmed.

DKIM Public Key
DKIM has two parts: the private signing key stays on the mail server, and the public DNS key is added as a TXT record by the domain owner. Tenants should not receive or upload the private DKIM key.
The server operator or Super Admin should provide the tenant with:
```
Type: TXT
Name: default._domainkey.example.com
Value: v=DKIM1; k=rsa; p=<public-key-text>
```
The selector in the name, such as default, must match the server's OpenDKIM configuration.
Optional But Recommended DNS Records
MTA-STS
```
Type: A
Name: mta-sts
Value: 203.0.113.10

Type: TXT
Name: _mta-sts
Value: v=STSv1; id=20260521T000000Z
```
The policy must also be reachable at:
https://mta-sts.example.com/.well-known/mta-sts.txt
Use mode: testing first, then move to enforce after reports look healthy.
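Before switching the policy to enforce, confirm that the policy file, the _mta-sts TXT record, and the MX hostname agree, because a policy whose mx entries do not cover the real MX host makes compliant senders refuse delivery. The check below is an added example, not part of Email Reseller Server; the sample policy text, its max_age value, and the function names are assumptions.

```python
import re

# Constructed sample policy, as it would be served from
# https://mta-sts.example.com/.well-known/mta-sts.txt (max_age is an assumed value).
POLICY = "version: STSv1\nmode: testing\nmx: mail.example.com\nmax_age: 86400\n"
TXT = "v=STSv1; id=20260521T000000Z"

def parse_policy(text):
    """Parse 'key: value' lines; the mx key may appear more than once."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key.strip() == "mx":
            policy["mx"].append(value.strip().lower())
        else:
            policy[key.strip()] = value.strip()
    return policy

def mx_covered(mx_host, patterns):
    """'*.example.com' matches exactly one extra left-most label, nothing deeper."""
    host = mx_host.lower().rstrip(".")
    parent = host.partition(".")[2]
    return any(p == host or (parent and p.startswith("*.") and p[2:] == parent)
               for p in patterns)

def check_mta_sts(policy_text, txt_record, mx_host):
    """Return findings; an empty list means the three pieces are consistent."""
    findings = []
    policy = parse_policy(policy_text)
    if policy.get("version") != "STSv1":
        findings.append("policy version is not STSv1")
    if policy.get("mode") not in ("testing", "enforce", "none"):
        findings.append("mode must be testing, enforce, or none")
    max_age = policy.get("max_age", "")
    if not max_age.isdecimal() or int(max_age) > 31557600:
        findings.append("max_age must be an integer no larger than 31557600")
    if not mx_covered(mx_host, policy["mx"]):
        findings.append(f"MX host {mx_host} is not listed in the policy mx entries")
    if not re.fullmatch(r"v=STSv1\s*;\s*id=[A-Za-z0-9]{1,32}\s*;?", txt_record.strip()):
        findings.append("_mta-sts TXT must be 'v=STSv1; id=<1-32 alphanumerics>'")
    return findings
```

Change the id value in the TXT record whenever the policy file changes, so that senders refetch the policy.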
TLS-RPT
```
Type: TXT
Name: _smtp._tls
Value: v=TLSRPTv1; rua=mailto:tls-rpt@example.com
```
Use a mailbox that an admin or Super Admin can review.
Tenant Setup In The App
Only a Super Admin can create a tenant.
- Log in as a Super Admin.
- Open Admin Panel, then Tenants.
- Click Server Setup Wizard and confirm the approved IMAP/SMTP hosts.
- Click Add Tenant.
- Enter the organization name, primary domain, approved IMAP/SMTP hosts, ports, user limit, and storage limit.
- Save the tenant.
- Create or assign a Tenant Admin for that tenant.
Mailbox User Setup
- Tenant Admin opens Admin Panel, then Users.
- Click User Wizard or Add User.
- Enter the mailbox address, such as support@example.com.
- Generate a temporary password.
- Leave mailbox credentials blank when this deployment should provision the local mailbox automatically.
- Give the temporary password to the user through a secure channel.
The user should sign in, click Password, and choose their own password. On provisioned local mailboxes, this also updates the IMAP/SMTP mailbox password.
Alias Setup
Aliases are managed in the app, but the mail server must also route them correctly.
- Open Admin Panel, then Aliases.
- Click Add Alias.
- Enter the alias address, such as sales@example.com.
- Choose the destination user.
- Save.
S/MIME Identity Setup
S/MIME is different from DKIM. DKIM signs the domain's outbound mail at the server level. S/MIME signs or encrypts a user's individual messages with that user's certificate.
For S/MIME signing, the user or admin needs a PEM-formatted S/MIME certificate, the matching PEM-formatted private key, and the optional private key passphrase.
- Log in as the user.
- Click S/MIME in the top bar.
- Paste the certificate PEM.
- Paste the matching private key PEM.
- Enter the passphrase only if the key requires one.
- Click Save S/MIME Identity.
External Mail Client Details
| Setting | Typical value |
|---|---|
| Account type | IMAP |
| Email address | Full mailbox address |
| Username | Full mailbox address, unless the admin says otherwise |
| Password | Current webmail/mailbox password |
| Incoming host | mail.example.com |
| Incoming port | 993 |
| Incoming security | SSL/TLS |
| Outgoing host | mail.example.com |
| Outgoing port | 587 |
| Outgoing security | STARTTLS |
| Outgoing authentication | Required |
Go-Live Checklist
- Tenant domain is correct in the app.
- Mail hostname resolves to the correct server.
- MX points to the mail hostname.
- SPF exists and authorizes the active sending path.
- DKIM TXT exists for the configured selector.
- DMARC exists, starting with p=none or a policy approved by the domain owner.
- Reverse DNS/PTR for the mail server IP is configured by the IP provider.
- Optional MTA-STS and TLS-RPT are configured.
- Test user can sign in to webmail, receive mail, and send mail.
- External IMAP/SMTP client setup works if needed.
- S/MIME status is healthy for users who need signing/encryption.
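The DNS items in this checklist can be verified mechanically before go-live. The following is an added example, not part of Email Reseller Server; the ZONE snapshot, the truncated DKIM key, and the function names are constructed for illustration, and a real run would fill the snapshot from resolver queries.

```python
import re

# Constructed snapshot of the tenant's records, keyed by (type, fully qualified name).
# Embedded inline so the check runs offline; the DKIM key is a truncated placeholder.
ZONE = {
    ("A", "mail.example.com"): ["203.0.113.10"],
    ("MX", "example.com"): ["10 mail.example.com"],
    ("TXT", "example.com"): ["v=spf1 mx -all"],
    ("TXT", "default._domainkey.example.com"): ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0B"],
    ("TXT", "_dmarc.example.com"): ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}

def tags(txt):
    """Split a 'k=v; k=v' record (DKIM, DMARC) into a dict."""
    return dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)

def check_domain(zone, domain, mail_host, server_ip, selector="default"):
    """Return a list of go-live findings; an empty list means every check passed."""
    findings = []
    if server_ip not in zone.get(("A", mail_host), []):
        findings.append(f"A {mail_host} does not resolve to {server_ip}")
    mx_targets = [v.split()[-1].rstrip(".") for v in zone.get(("MX", domain), [])]
    if mail_host not in mx_targets:
        findings.append(f"MX for {domain} does not point to {mail_host}")
    # More than one SPF record makes receivers return a permanent error.
    spf = [t for t in zone.get(("TXT", domain), []) if t.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"expected exactly one SPF record, found {len(spf)}")
    elif not re.search(r"[-~]all$", spf[0].strip()):
        findings.append("SPF does not end in -all or ~all")
    # The selector must be the one the server's OpenDKIM configuration signs with.
    dkim = zone.get(("TXT", f"{selector}._domainkey.{domain}"), [])
    if not dkim:
        findings.append(f"no DKIM TXT for selector '{selector}'")
    elif not tags(dkim[0]).get("p"):
        findings.append("DKIM record has an empty p= value")
    dmarc = [t for t in zone.get(("TXT", f"_dmarc.{domain}"), []) if t.startswith("v=DMARC1")]
    if len(dmarc) != 1:
        findings.append(f"expected exactly one DMARC record, found {len(dmarc)}")
    elif tags(dmarc[0]).get("p") not in ("none", "quarantine", "reject"):
        findings.append("DMARC p= is not none, quarantine, or reject")
    return findings
```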
Troubleshooting
| Problem | What to check |
|---|---|
| Tenant cannot be created with desired host | The host must be in the approved mail-server allow-list. |
| Mail does not arrive | Check MX, local mailbox provisioning, aliases, and mail logs. |
| Outbound mail lands in spam | Check SPF, DKIM, DMARC, PTR, and sending reputation. |
| DKIM fails | Confirm selector name and TXT value match OpenDKIM. |
| Mail client cannot sign in | Confirm username, password, IMAP host, port, and TLS mode. |
| S/MIME signing disabled | Confirm certificate/key match, certificate is valid, and server S/MIME runtime is configured. |