Postfix or CyberPanel mail server hardened against spoofing. Records published, keys rotated, DMARC reports landing in your inbox. From $290, three business days.
Google and Yahoo’s 2024 bulk-sender rules pushed thousands of small businesses into the same conversation: SPF, DKIM, and DMARC are not optional anymore. If you send any volume of email from your domain and your records are wrong, your messages land in spam or get rejected outright.
We set the records up correctly on your mail server, rotate the DKIM key, get DMARC to p=quarantine without breaking legitimate senders, and hand you a weekly report so you know what’s still trying to spoof you. Three business days from kickoff to verified DNS, from $290.
We list every server that is allowed to send mail as your domain: your Postfix host, your transactional sender (Mailgun, Postmark, SES), your marketing tool. One SPF record per domain, kept under the 10-lookup limit so it doesn't break silently.
We generate a 2048-bit key on the mail server, publish the public half in DNS as a TXT record, and configure Postfix or CyberPanel to sign outgoing mail with the private half. The signature lets receivers verify the message wasn't altered in transit.
We start with p=none and a reporting address so you see what's happening, then move to p=quarantine once legitimate mail is clean. Reports come from Google, Microsoft, and everyone else, and we summarise them weekly for the first month.
Most setup mistakes we see are not in the syntax. They are in scope: someone published an SPF record that covered the marketing tool but missed the Postfix server, or set DMARC to p=reject before legitimate mail had time to align. We move you forward in steps so neither happens.
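A way to check the 10-lookup limit before a record is published, as an added example that is not part of our tooling or the original page. The zone data, domain names and the proposed record are constructed, and the count is the worst case over every branch of the record.

```python
import re

SPF_LOOKUP_LIMIT = 10  # RFC 7208, section 4.6.4
# Terms that cost a DNS query when evaluated; ip4, ip6 and all do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", re.I)

# Constructed zone data (hypothetical names): domain -> published SPF record.
ZONE = {
    "example.com": "v=spf1 mx a:mail.example.com include:_spf.esp.example "
                   "include:_spf.mktg.example -all",
    "_spf.esp.example": "v=spf1 ip4:192.0.2.0/24 include:_spf2.esp.example ~all",
    "_spf2.esp.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_spf.mktg.example": "v=spf1 include:a.mktg.example include:b.mktg.example "
                         "exists:%{i}._chk.mktg.example ~all",
    "a.mktg.example": "v=spf1 ip4:203.0.113.0/25 ~all",
    "b.mktg.example": "v=spf1 ip4:203.0.113.128/25 ~all",
    "_spf.crm.example": "v=spf1 a:out1.crm.example a:out2.crm.example ~all",
}
# Candidate record after adding one more sender (constructed).
PROPOSED = ZONE["example.com"].replace("-all", "include:_spf.crm.example -all")

def count_lookups(domain, zone, path=()):
    """Worst-case number of DNS-querying terms reachable from domain's record."""
    if domain in path:
        raise ValueError("SPF include loop: " + " -> ".join(path + (domain,)))
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise LookupError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        m = TERM_RE.match(term)
        if not m or m.group(1).lower() not in LOOKUP_TERMS:
            continue
        total += 1
        # include and redirect pull in another record whose terms also count.
        if m.group(1).lower() in ("include", "redirect") and m.group(2):
            total += count_lookups(m.group(2), zone, path + (domain,))
    return total

def check_record(domain, zone):
    """Return (lookup count, True if within the RFC limit)."""
    n = count_lookups(domain, zone)
    return n, n <= SPF_LOOKUP_LIMIT
```

The current record costs 8 lookups; adding the one extra include brings it to 11, which receivers treat as a permanent error even though the syntax is valid.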
Everything below is in the $290 tier. We do the harder work once, hand it over, and you do not pay us monthly to keep records that should not need touching.
You get verified DNS records, a parsed first week of DMARC reports, and a written runbook for adding new senders.
Published in your DNS zone, confirmed via MXToolbox and a Gmail/Outlook/Yahoo round-trip test.
We collect rua reports for the first seven days, summarise who is sending mail as your domain (legitimately and otherwise), and flag anything suspicious.
One-page doc: when to rotate, how to rotate without breaking signatures in flight, how to retire the old selector.
How to add a new transactional sender (e.g. you sign up for HubSpot or switch from Mailgun to Postmark) without breaking SPF.
The TLS-side records most setup guides leave out, plus a check that your mail server presents a valid certificate on port 25.
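What the seven-day rua summary boils down to, as an added example that is not part of our tooling or the original page. The report, the IP addresses and the list of known senders are constructed, and the rule that any failing volume from a known sender holds back p=quarantine is an assumption chosen for the example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def _rec(ip, count, dkim, spf):
    # One <record> in the aggregate-report layout of RFC 7489, Appendix C.
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition>"
            f"<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row></record>")

# Constructed report; the IPs are documentation addresses, not real senders.
SAMPLE_REPORT = (
    "<feedback><policy_published><domain>example.com</domain><p>none</p>"
    "</policy_published>"
    + _rec("192.0.2.10", 120, "pass", "pass")     # mail host, fully aligned
    + _rec("192.0.2.10", 5, "fail", "fail")       # same host, unsigned path
    + _rec("198.51.100.7", 40, "fail", "pass")    # SPF-aligned only
    + _rec("203.0.113.50", 15, "fail", "fail")    # not a sender we know
    + "</feedback>")

def summarise(report_xml):
    """Map source IP -> message counts that passed / failed DMARC."""
    # Reports come from third parties: parse real ones with a hardened XML
    # parser (e.g. defusedxml) rather than the stdlib parser used here.
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in ET.fromstring(report_xml).iter("row"):
        ev = row.find("policy_evaluated")
        # policy_evaluated holds aligned results; DMARC passes if either does.
        ok = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        key = "pass" if ok else "fail"
        totals[row.findtext("source_ip")][key] += int(row.findtext("count"))
    return dict(totals)

def review(summary, known_senders):
    """Split sources into known-but-failing and unknown (assumed policy rule)."""
    needs = sorted(ip for ip in known_senders
                   if summary.get(ip, {}).get("fail"))
    unknown = sorted(ip for ip in summary if ip not in known_senders)
    return {"needs_alignment": needs, "unknown": unknown,
            "ready_for_quarantine": not needs}
```

Here 192.0.2.10 still has five failing messages to trace before the policy moves, and 203.0.113.50 is the kind of unknown source the weekly summary flags.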
Three business days from kickoff to verified records, then a week of DMARC report parsing before we step back.
Day 1 — audit delivered same day
We read your existing SPF, DKIM, and DMARC records, check the Postfix or CyberPanel mail config, and write a one-page diff: what is wrong and what we are going to change.
Days 2-3 — all records live
Corrected SPF, new 2048-bit DKIM key, DMARC at p=none with reporting addresses, MTA-STS and TLS-RPT. We confirm via MXToolbox and a round-trip from Gmail, Outlook, and Yahoo.
Days 4-10 — weekly summary and policy upgrade
Aggregate (rua) reports come in for seven days. We summarise who is sending as your domain and flag what needs to align. If legitimate mail aligns cleanly, we move DMARC to p=quarantine.
The setup tier is $290. That covers DNS audit, corrected SPF, new DKIM key and Postfix signing config, DMARC at p=none with reporting, MTA-STS, TLS-RPT, and the first week of report parsing. After that you own the records and the runbook.
If you are also building or rebuilding the mail server itself (Postfix install on a fresh VPS, Dovecot for IMAP, Let’s Encrypt, rspamd, monitoring), that is the $890 Full Mail Server Build tier — same DKIM/DMARC work plus the whole stack.
If your transactional or marketing mail is bouncing from Gmail or Yahoo because of the bulk-sender requirements, we prioritise that path first. We have moved a domain from outright rejection to p=quarantine-clean in five business days when the records were genuinely broken.
This pairs naturally with our WordPress security audit and hardening work. If WordPress is your sending domain (transactional mail, contact forms, WooCommerce receipts), the application layer and the mail authentication layer break in the same kinds of ways and benefit from a single sweep.
For the broader email-deliverability picture across other senders (Workspace, 365, marketing tools), the email deliverability services hub covers the full scope. If you are setting up the Linux server underneath the mail stack from scratch, the Linux server support overview is where to start.
A compromise bad enough to blacklist your mail usually means the box itself needs rebuilding, which is our Linux server recovery job. If you would rather not run a mail server at all, our Google Workspace and Microsoft 365 setup moves you onto hosted email instead.
We'll triage the same day. Send context, screenshots, error messages — whatever you have. No sales calls, no chatbots.