As promised, new blog entry on my minimal dns template for my domains at - replies to this toot will show up as comment on the blog!

And please - do tell me if you think I got something wrong or if I should change something. I am by no means an expert. I just like things in a way I understand myself and can explain to others. The "good enough" way :)

As my blog lives in a git repo, you can even send me pull requests and open issues ;)

The first helpful advice already came in (over on twitter). I've added a paragraph on CAA entries :)

Updated the blog entry: added links for checkers/verfiers to make sure the config is working.

@jwildeboer I love Let's Encrypt! When I'm done with my masters project, I wanna see if I can help them with their documentation for newbies issues.

@jwildeboer Maybe you also want to add an entry to restrict wildcard certificates?

I don't issue wildcard certificates so I publish this in the DNS:

128 issuewild ";"
128 issue ""

@smortex I do net (yet) see a reason to exclude wildcard certificates. I am not using them right now, but might.

@jwildeboer I think you've got most of it covered, after that point you wander off into the weeds to argue esoterica and the color of a bike shed

@jwildeboer ohhh i like the idea of toot to comment!

I will be curious to see if you find dkim actually worthwhile. I've generally seen dkim / dnssec to be solutions that cause more problems than they solve

@warthog9 It was quite simple to set up and it seems to help to keep my mailserver equipped with a good reputation. So, we'll see :)

@jwildeboer I've explicitly avoided both, but caved to spf and dmarc and that's been pretty good (ok maybe running my own pristine netblocks directly acquired from ARIN might have helped too...)

@warthog9 @jwildeboer Yeah, I find that new mail servers tend to be untrusted by Google, etc at first, so I usually send emails to my other accounts or to people I know and have them mark "Not Spam" in addition to PTR/SPF, etc.

Hi Jan thank you. Adding the IP addressses also to the SPF entry was new to me. Works fine. And the hint to a “linked zone” is a great idea. I will check to see if my registrar offers this feature as well.

@jbr_IC Adding the ip addresses helps to keep mails flowing when I mess up dns, especially the mx entries. Which happens. Because sometimes mistakes are made :)

@jwildeboer That is correct. Also, you can't always see an effect immediately after a parameter change. So thanks again for your advice.

Namecheap, by the way, does not have a grouping feature like the "linked zone" you mentioned. You have to make all settings per domain, as needed.

Sign in to participate in the conversation

Mastodon instance for people with Wildeboer as their last name