How to Set Up a Secure Mail Server on Synology NAS (SPF, DKIM, and DMARC Guide)
You have complete control over your data, privacy, and compliance when you run your own mail server. But setting up a secure NAS email server is more than just installing a package and pointing DNS to your IP address. If you don’t have the right authentication records, like SPF, DKIM, and DMARC, your emails will probably go to spam or be rejected.
This guide shows you how to set up a safe Synology mail server with Mail Server or MailPlus, including how to set up DNS authentication, reverse DNS, and SSL.
Before You Start: What You Need
To set up a secure mail server on a Synology NAS, you need:
- A public IP address that doesn’t change
- A domain name that is registered
- Control over your DNS zone
- An ISP that allows SMTP (port 25 is open)
If your ISP blocks outbound SMTP, you might need a business-grade connection or an SMTP relay.
Step 1: Set up Synology Mail Server or MailPlus
From the Package Center, you can install one of these:
- Mail Server (basic SMTP, IMAP, and POP3 service)
- MailPlus Server (for advanced features, webmail, and collaboration)
After you install it, open the Mail Server settings and turn on:
- SMTP
- IMAP
- POP3 (optional)
In the Domain section, set your mail domain. For example, mail.yourdomain.com.
Step 2: Set up your DNS records correctly
Your emails are trusted based on how you set up DNS.
A Record
Make an A record:
- mail.yourdomain.com → Your Public IP
MX Record
Set the MX record for your domain:
- yourdomain.com → mail.yourdomain.com
This tells other mail servers where to send messages.
Step 3: Set up Reverse DNS (PTR Record)
Reverse DNS is very important for the reputation of your email.
Your hosting company or ISP needs to set up the PTR record so that your public IP address points back to:
- mail.yourdomain.com
Many servers that get your mail will reject it if you don’t have reverse DNS.
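Receiving servers typically go one step further than a PTR lookup and require forward-confirmed reverse DNS: the PTR name must resolve back to the same IP. The check below is an added example, not part of the original guide; the function name `check_fcrdns`, the stub resolvers, and the documentation-range IP addresses are assumptions.

```python
import socket


def check_fcrdns(ip, mail_host, reverse=socket.gethostbyaddr,
                 forward=socket.gethostbyname_ex):
    """Forward-confirmed reverse DNS: IP -> PTR name -> A records -> same IP.

    `reverse` and `forward` default to the system resolver; they are
    parameters so the check can be exercised without network access.
    """
    try:
        ptr_name = reverse(ip)[0].rstrip(".").lower()
    except OSError:
        return f"no PTR record for {ip}: ask the ISP or host to create one"
    if ptr_name != mail_host.rstrip(".").lower():
        return f"PTR is {ptr_name}, expected {mail_host}"
    try:
        addresses = forward(ptr_name)[2]
    except OSError:
        return f"{ptr_name} has no A record"
    if ip not in addresses:
        return f"{ptr_name} resolves to {addresses}, which does not include {ip}"
    return "ok"


# Constructed resolver answers standing in for real DNS (documentation IPs).
def sample_reverse(ip):
    table = {"203.0.113.10": "mail.yourdomain.com",
             "203.0.113.77": "203-0-113-77.dyn.isp.example"}
    if ip not in table:
        raise socket.herror(1, "Unknown host")
    return (table[ip], [], [ip])


def sample_forward(name):
    return (name, [], ["203.0.113.10"])


if __name__ == "__main__":
    for address in ("203.0.113.10", "203.0.113.77", "198.51.100.5"):
        print(address, "->", check_fcrdns(address, "mail.yourdomain.com",
                                          sample_reverse, sample_forward))
```

Called with only the first two arguments, the function queries the system resolver instead of the stubs.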
Step 4: Set Up SPF
SPF (Sender Policy Framework) tells servers that get your email which IP addresses are allowed to send it.
In DNS, add a TXT record:
- v=spf1 ip4:YOUR_PUBLIC_IP -all
If you use Microsoft 365 or SendGrid, which are both third-party services, add them to the record as well.
SPF makes it less likely that someone will fake an email and makes it more likely that the email will get through.
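Adding third-party senders is where SPF records usually break, so the linter below checks the record set for the common faults. It is an added example, not part of the original guide, and it goes slightly beyond the text by also checking the RFC 7208 limit of 10 DNS-lookup terms; the IP address is a documentation placeholder and the two `include:` hostnames are the values commonly documented for Microsoft 365 and SendGrid, to be confirmed against each provider's instructions.

```python
# Terms that each cost the receiver one DNS lookup (RFC 7208, limit of 10).
LOOKUP_TERMS = ("include", "a", "mx", "exists", "ptr", "redirect")


def lint_spf(txt_records):
    """Return a list of problems found in a domain's TXT record set."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        # More than one v=spf1 record is a permanent error for receivers.
        return ["multiple SPF records: merge them into one TXT record"]

    problems, lookups = [], 0
    terms = spf[0].split()[1:]
    for term in terms:
        bare = term.lstrip("+-~?").lower()
        name = bare.split(":")[0].split("/")[0].split("=")[0]
        if name in LOOKUP_TERMS:
            lookups += 1  # top level only; nested includes consume more
        if name == "ptr":
            problems.append("ptr mechanism is discouraged by RFC 7208")
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10")

    has_redirect = any(t.lower().startswith("redirect=") for t in terms)
    last = terms[-1].lower() if terms else ""
    if last in ("all", "+all"):
        problems.append("'+all' authorizes every sender on the internet")
    elif last in ("~all", "?all"):
        problems.append(f"'{last}' is weaker than the guide's '-all'")
    elif last != "-all" and not has_redirect:
        problems.append("record does not end with an 'all' mechanism")
    return problems


# Constructed TXT record sets (203.0.113.10 is a documentation address).
GOOD = ["google-site-verification=constructed",
        "v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com "
        "include:sendgrid.net -all"]
SPLIT = ["v=spf1 ip4:203.0.113.10 -all", "v=spf1 include:sendgrid.net -all"]
SOFT = ["v=spf1 ip4:203.0.113.10 ~all"]

if __name__ == "__main__":
    for name, records in (("GOOD", GOOD), ("SPLIT", SPLIT), ("SOFT", SOFT)):
        print(name, lint_spf(records))
```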
Step 5: Turn on DKIM on Synology
DKIM uses cryptography to sign outgoing emails to prove that they are real.
In the Mail Server settings:
- Turn on DKIM
- Generate a DKIM key
- Copy the DNS TXT record that is provided
Put that DKIM TXT record in your DNS zone exactly as it is.
Check the DKIM status in Synology after publishing.
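A DKIM record that was altered while being pasted into the zone editor can be caught before publishing. The validator below is an added example, not part of the original guide or of Synology's tooling; it assumes an RSA key, and the sample key is a constructed stand-in that only has the DER framing of a real one.

```python
import base64
import binascii
import re


def der_claimed_size(der):
    """Total size the outer DER SEQUENCE header claims, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                      # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_dkim_txt(zone_value):
    """Validate an RSA DKIM TXT value as pasted into a DNS zone editor."""
    # Long keys are published as several quoted strings; resolvers join them
    # with nothing in between, so do the same before parsing.
    chunks = re.findall(r'"([^"]*)"', zone_value)
    record = "".join(chunks) if chunks else zone_value.strip()
    if any(len(c) > 255 for c in chunks):
        return "a quoted string exceeds 255 characters"
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v", "DKIM1") != "DKIM1":
        return "v= tag is not DKIM1"
    key_b64 = re.sub(r"\s+", "", tags.get("p", ""))
    if not key_b64:
        return "p= is missing or empty (an empty p= marks the key as revoked)"
    try:
        der = base64.b64decode(key_b64, validate=True)
    except binascii.Error:
        return "p= is not valid base64 (characters lost or added in copying)"
    if tags.get("k", "rsa") == "rsa" and der_claimed_size(der) != len(der):
        return "p= is truncated or is not a DER-encoded RSA public key"
    return "ok"


# Constructed stand-in with the DER framing of a 2048-bit RSA key (not a real key).
FAKE_KEY = base64.b64encode(b"\x30\x82\x01\x22" + bytes(290)).decode()
GOOD = f'"v=DKIM1; k=rsa; p={FAKE_KEY[:200]}" "{FAKE_KEY[200:]}"'
CUT = f'"v=DKIM1; k=rsa; p={FAKE_KEY[:200]}" "{FAKE_KEY[200:-8]}"'
```

`check_dkim_txt(GOOD)` returns `"ok"`, while `CUT`, which has lost its last eight characters, is still valid base64 and is only caught by the DER length comparison.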
Step 6: Set up DMARC
DMARC is based on SPF and DKIM. It tells the servers that get the messages what to do with them if they don’t pass authentication.
Add a TXT record at this name: _dmarc.yourdomain.com
Example value:
v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100
There are several policy options, including:
- none (monitor only)
- quarantine (flag mail that looks suspicious)
- reject (block messages that fail authentication)
Start with quarantine, test, and then move to reject.
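The staged rollout can be checked mechanically by parsing the published record and reporting what it enforces. The parser below is an added example, not part of the original guide; the function names are assumptions and the `rua` mailbox in the sample is a placeholder, not an address taken from the page.

```python
STAGES = ["none", "quarantine", "reject"]  # weakest to strictest


def parse_dmarc(record):
    """Parse a DMARC TXT value into a dict; raise ValueError if it is invalid."""
    pairs = [part.split("=", 1) for part in record.split(";") if "=" in part]
    tags = [(key.strip().lower(), value.strip()) for key, value in pairs]
    if not tags or tags[0] != ("v", "DMARC1"):
        raise ValueError("record must begin with v=DMARC1")
    policy = dict(tags)
    policy["p"] = policy.get("p", "").lower()
    if policy["p"] not in STAGES:
        raise ValueError("p= must be none, quarantine or reject")
    policy["pct"] = int(policy.get("pct", "100"))  # pct defaults to 100
    if not 0 <= policy["pct"] <= 100:
        raise ValueError("pct= must be between 0 and 100")
    reports = policy.get("rua", "")
    policy["rua"] = [uri.strip() for uri in reports.split(",") if uri.strip()]
    return policy


def rollout_notes(record):
    """Describe what the record enforces and the next step toward p=reject."""
    policy = parse_dmarc(record)
    notes = []
    if not policy["rua"]:
        notes.append("no rua= address, so no aggregate reports will arrive")
    if policy["p"] != "none" and policy["pct"] < 100:
        notes.append(f"{policy['p']} applies to only {policy['pct']}% of failing mail")
    if policy["p"] != "reject":
        stricter = STAGES[STAGES.index(policy["p"]) + 1]
        notes.append(f"once reports show legitimate mail passing, move to p={stricter}")
    return notes


# Constructed record: the rua mailbox is a placeholder, not an address from the guide.
SAMPLE = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=100"

if __name__ == "__main__":
    print(parse_dmarc(SAMPLE))
    print(rollout_notes(SAMPLE))
```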
Step 7: Turn on SSL and secure ports
Encryption is not optional on a secure NAS email server.
Inside DSM:
- Turn on HTTPS
- Add a reliable SSL certificate (Let’s Encrypt is a good choice)
- Assign the certificate to the mail services
Make sure that secure ports are turned on:
- SMTP with TLS on port 587
- IMAPS (993)
- POP3S (995)
If you can, turn off plain-text authentication.
Step 8: Set up the firewall and ports
Your firewall should only have the ports you need open:
- 25 (SMTP in)
- 587 (SMTP submission)
- 993 (IMAPS)
If you can, limit access by region or IP range. Turn on DSM firewall rules for extra safety.
Step 9: Turn on security features in the mail server
In the settings for Mail Server or MailPlus:
- Turn on anti-spam
- Turn on anti-virus
- Set up rate limiting
- Turn on SMTP authentication
These controls stop spam and abuse.
Step 10: Check Your Setup
Before going live:
- Send test emails to both Gmail and Outlook.
- Use online tools to check SPF, DKIM, and DMARC validation.
- Check reverse DNS
- Check that the SSL certificate is still valid
- Check the DSM mail logs for failed authentication attempts.
Things you should not do
A lot of mail server setups don’t work because:
- There is no reverse DNS.
- SPF has the wrong IP
- The DKIM record was copied wrong
- Port 25 is closed
- There is no SSL certificate set up
Email security needs to be exact.
Should you host your email on Synology?
A Synology mail server is good for:
- Small businesses
- Organizations that need data sovereignty
- Private email systems for businesses
- Environments that need full control
But keeping a mail server running requires constant monitoring, security updates, and DNS management.
About Epis Technology
Epis Technology designs and sets up secure Synology mail server environments with the right SPF, DKIM, DMARC, reverse DNS, and SSL integration. We make sure that email authentication is as good as it can be for getting emails through while still keeping strong security controls. Epis Technology helps businesses set up and keep their NAS-based email infrastructure secure, compliant, and reliable. We do this by planning DNS, hardening firewalls, and monitoring continuously.