---
title: Integrating MXRoute with MailCow
description:
published: true
date: 2026-02-25T21:04:37.135Z
tags:
editor: markdown
dateCreated: 2026-02-25T19:22:31.514Z
---

# MXRoute — Master Configuration Reference

## Overview

MXRoute serves two roles in Netgrimoire mail infrastructure:

- **Inbound gateway** — MX records for all domains point to MXRoute's commercial IPs, solving residential AT&T IP filtering by banks and financial institutions. MXRoute receives mail and forwards to Mailcow via per-address forwarders.
- **Outbound relay** — Mailcow sends all outbound mail through MXRoute via sender-dependent transports for improved deliverability.

**Mail flow:**

```
Inbound:   Internet → MXRoute (commercial IP) → Mailcow (192.168.5.16)
Outbound:  Mailcow (192.168.5.16) → MXRoute SMTP relay → Internet
```

**Mailcow host:** 192.168.5.16
**MXRoute control panel:** confirm server hostname from MXRoute welcome email (e.g. `arrow.mxrouting.net`)
**MXRoute SMTP relay:** confirm from welcome email (e.g. `smtp.mxroute.com:587`)

---

## Architecture — Why Two Domains Per Hosted Domain

MXRoute forwarders require a valid destination email address. Forwarding `user@domain.com` back to `user@domain.com` creates a mail loop because MXRoute would look up the MX for `domain.com` and find itself.

The solution is a `mail.domain.com` subdomain with its own MX record pointing directly to Mailcow. MXRoute forwards to `user@mail.domain.com`, Mailcow accepts and delivers, and an alias domain maps `@domain.com` back so users only ever see `@domain.com`.

```
domain.com       MX → MXRoute        (public-facing, receives from internet)
mail.domain.com  MX → 192.168.5.16   (internal, MXRoute forwards here)
```

---

## MXRoute Control Panel

**Login:** confirm URL from MXRoute welcome email
**Interface:** MXRoute 4.0 (new UI — not old DirectAdmin)

### Creating a Forwarder

1. Go to **Forwarders**
2. Click **Create New Forwarder**
3. Set **Forwarder Name:** `username` (domain shown automatically)
4. Set **Destination Type:** `Forward to Email(s)`
5. Set **Recipients:** `username@mail.domain.com`
6. Click **Create Forwarder**

> Recipients field accepts multiple addresses, comma or newline separated.

---

## Mailcow Configuration

### Adding a New Domain (One-Time Per Domain)

1. **Mail Setup → Domains → Add domain**
   - Domain: `mail.domain.com` (the subdomain Mailcow owns)
   - Leave relay settings as default
2. **Mail Setup → Alias Domains → Add alias domain**
   - Alias Domain: `domain.com`
   - Target Domain: `mail.domain.com`
   - This makes Mailcow accept and deliver mail for `@domain.com` to `@mail.domain.com` mailboxes
3. **Configuration → ARC/DKIM Keys**
   - Select domain `mail.domain.com`
   - Selector: `mailcow`
   - Key length: 2048
   - Generate and copy TXT record for DNS
4. **Configuration → Extra Postfix configuration → extra.cf**

   ```
   # Trust MXRoute forwarding IPs — prevents SPF scoring on forwarded mail
   mynetworks = 127.0.0.0/8 [::1]/128 192.168.5.0/24 69.167.160.0/19 198.54.120.0/22
   ```

   Restart affected containers after saving.

   > `mynetworks` is Postfix's trusted-client list: hosts in these ranges also pass any `permit_mynetworks` restriction, so list only the ranges MXRoute forwards from.

### Adding a New Mailbox

1. **Mail Setup → Mailboxes → Add mailbox**
   - Username: `user`
   - Domain: `mail.domain.com`
2. **MXRoute control panel → Forwarders → Create New Forwarder**
   - Forwarder: `user@domain.com`
   - Destination: `user@mail.domain.com`

### Outbound Relay — Sender-Dependent Transports

One transport entry per domain.

**Configuration → Routing → Sender-Dependent Transports**

| Domain | Relay Host | Username | Password |
|--------|-----------|----------|----------|
| pncharris.com | `[smtp.mxroute.com]:587` | relay@pncharris.com | *(redacted)* |
| wasted-bandwidth.net | `[smtp.mxroute.com]:587` | relay@wasted-bandwidth.net | *(redacted)* |
| netgrimoire.com | `[smtp.mxroute.com]:587` | relay@netgrimoire.com | *(redacted)* |
| florosafd.org | `[smtp.mxroute.com]:587` | relay@florosafd.org | *(redacted)* |
| gnarlypandaproductions.com | `[smtp.mxroute.com]:587` | relay@gnarlypandaproductions.com | *(redacted)* |

> Confirm SMTP relay hostname from MXRoute welcome email — substitute actual hostname for `smtp.mxroute.com` if different.

### Email Client Settings (All Domains)

| Setting | Value |
|---------|-------|
| IMAP server | `mail.domain.com` |
| IMAP port | `993` (SSL/TLS) |
| SMTP server | `mail.domain.com` |
| SMTP port | `465` (SSL/TLS) |
| Username | `user@domain.com` |

> Users log in with `@domain.com`. Mailcow resolves to the internal `@mail.domain.com` mailbox via alias domain — transparent to the user.

---

## DNS Reference — All Domains

### DNS Pattern (Apply to Every Domain)

Two sets of MX records are required — one for the public domain (pointing to MXRoute) and one for the mail subdomain (pointing directly to Mailcow).

| Type | Host | Value | Notes |
|------|------|-------|-------|
| A | `mail` | `YOUR_ATT_MAIL_IP` | Mailcow server — MXRoute forwards here |
| MX | `@` | MXRoute primary (priority 10) | From MXRoute welcome email |
| MX | `@` | MXRoute secondary (priority 20) | From MXRoute welcome email |
| MX | `mail` | `mail.domain.com` (priority 10) | Mailcow handles subdomain directly |
| CNAME | `imap` | `mail.domain.com` | Client autoconfiguration |
| CNAME | `smtp` | `mail.domain.com` | Client autoconfiguration |
| CNAME | `webmail` | `mail.domain.com` | Roundcube access |
| CNAME | `autodiscover` | `mail.domain.com` | Outlook autodiscover |
| CNAME | `autoconfig` | `mail.domain.com` | Thunderbird autoconfig |
| TXT | `@` | `v=spf1 ip4:YOUR_ATT_MAIL_IP include:mxroute.com -all` | SPF — both Mailcow direct and MXRoute relay |
| TXT | `mail` | `v=spf1 ip4:YOUR_ATT_MAIL_IP -all` | SPF for subdomain — Mailcow direct only |
| TXT | `_dmarc` | `v=DMARC1; p=reject; rua=mailto:admin@netgrimoire.com` | DMARC enforcement |
| TXT | `mailcow._domainkey.mail` | *(generated in Mailcow ARC/DKIM Keys)* | Mailcow DKIM selector |
| TXT | `x._domainkey` | *(from MXRoute control panel)* | MXRoute DKIM selector — confirm actual selector name |

---

### pncharris.com

| Type | Host | Value |
|------|------|-------|
| A | `mail` | YOUR_ATT_MAIL_IP |
| MX | `@` | MXRoute primary (priority 10) |
| MX | `@` | MXRoute secondary (priority 20) |
| MX | `mail` | `mail.pncharris.com` (priority 10) |
| CNAME | `imap` | `mail.pncharris.com` |
| CNAME | `smtp` | `mail.pncharris.com` |
| CNAME | `webmail` | `mail.pncharris.com` |
| CNAME | `autodiscover` | `mail.pncharris.com` |
| CNAME | `autoconfig` | `mail.pncharris.com` |
| TXT | `@` | `v=spf1 ip4:YOUR_ATT_MAIL_IP include:mxroute.com -all` |
| TXT | `mail` | `v=spf1 ip4:YOUR_ATT_MAIL_IP -all` |
| TXT | `_dmarc` | `v=DMARC1; p=reject; rua=mailto:admin@netgrimoire.com` |
| TXT | `mailcow._domainkey.mail` | *(from Mailcow ARC/DKIM Keys for mail.pncharris.com)* |
| TXT | `x._domainkey` | *(from MXRoute control panel)* |

**Mailcow domains:** `mail.pncharris.com` (primary), `pncharris.com` (alias domain → mail.pncharris.com)

**Relay credentials:**

| Account | Password | Notes |
|---------|----------|-------|
| relay@pncharris.com | *(redacted)* | Current relay account |
| forwarder@pncharris.com | *(see password history below)* | Legacy account |
| passer@pncharris.com | *(redacted)* | Current |
| kylr pncharris | *(redacted)* | |
| *(redacted)* | *(Feb 14)* | |

**passer@pncharris.com password history** (most recent last): *(redacted)*

---

### wasted-bandwidth.net

| Type | Host | Value |
|------|------|-------|
| A | `mail` | YOUR_ATT_MAIL_IP |
| MX | `@` | MXRoute primary (priority 10) |
| MX | `@` | MXRoute secondary (priority 20) |
| MX | `mail` | `mail.wasted-bandwidth.net` (priority 10) |
| CNAME | `imap` | `mail.wasted-bandwidth.net` |
| CNAME | `smtp` | `mail.wasted-bandwidth.net` |
| CNAME | `webmail` | `mail.wasted-bandwidth.net` |
| CNAME | `autodiscover` | `mail.wasted-bandwidth.net` |
| CNAME | `autoconfig` | `mail.wasted-bandwidth.net` |
| TXT | `@` | `v=spf1 ip4:YOUR_ATT_MAIL_IP include:mxroute.com -all` |
| TXT | `mail` | `v=spf1 ip4:YOUR_ATT_MAIL_IP -all` |
| TXT | `_dmarc` | `v=DMARC1; p=reject; rua=mailto:admin@netgrimoire.com` |
| TXT | `mailcow._domainkey.mail` | *(from Mailcow ARC/DKIM Keys for mail.wasted-bandwidth.net)* |
| TXT | `x._domainkey` | *(from MXRoute control panel)* |

**Mailcow domains:** `mail.wasted-bandwidth.net` (primary), `wasted-bandwidth.net` (alias domain)

**Relay credentials:**

| Account | Password |
|---------|----------|
| relay@wasted-bandwidth.net | *(redacted)* |

---

### netgrimoire.com

| Type | Host | Value |
|------|------|-------|
| A | `mail` | YOUR_ATT_MAIL_IP |
| MX | `@` | MXRoute primary (priority 10) |
| MX | `@` | MXRoute secondary (priority 20) |
| MX | `mail` | `mail.netgrimoire.com` (priority 10) |
| CNAME | `imap` | `mail.netgrimoire.com` |
| CNAME | `smtp` | `mail.netgrimoire.com` |
| CNAME | `webmail` | `mail.netgrimoire.com` |
| CNAME | `autodiscover` | `mail.netgrimoire.com` |
| CNAME | `autoconfig` | `mail.netgrimoire.com` |
| TXT | `@` | `v=spf1 ip4:YOUR_ATT_MAIL_IP include:mxroute.com -all` |
| TXT | `mail` | `v=spf1 ip4:YOUR_ATT_MAIL_IP -all` |
| TXT | `_dmarc` | `v=DMARC1; p=reject; rua=mailto:admin@netgrimoire.com` |
| TXT | `mailcow._domainkey.mail` | *(from Mailcow ARC/DKIM Keys for mail.netgrimoire.com)* |
| TXT | `x._domainkey` | *(from MXRoute control panel)* |

**Mailcow domains:** `mail.netgrimoire.com` (primary), `netgrimoire.com` (alias domain)

**Relay credentials:**

| Account | Password |
|---------|----------|
| relay@netgrimoire.com | *(redacted)* |

---

### florosafd.org

| Type | Host | Value |
|------|------|-------|
| A | `mail` | YOUR_ATT_MAIL_IP |
| MX | `@` | MXRoute primary (priority 10) |
| MX | `@` | MXRoute secondary (priority 20) |
| MX | `mail` | `mail.florosafd.org` (priority 10) |
| CNAME | `imap` | `mail.florosafd.org` |
| CNAME | `smtp` | `mail.florosafd.org` |
| CNAME | `webmail` | `mail.florosafd.org` |
| CNAME | `autodiscover` | `mail.florosafd.org` |
| CNAME | `autoconfig` | `mail.florosafd.org` |
| TXT | `@` | `v=spf1 ip4:YOUR_ATT_MAIL_IP include:mxroute.com -all` |
| TXT | `mail` | `v=spf1 ip4:YOUR_ATT_MAIL_IP -all` |
| TXT | `_dmarc` | `v=DMARC1; p=reject; rua=mailto:admin@netgrimoire.com` |
| TXT | `mailcow._domainkey.mail` | *(from Mailcow ARC/DKIM Keys for mail.florosafd.org)* |
| TXT | `x._domainkey` | *(from MXRoute control panel)* |

**Mailcow domains:** `mail.florosafd.org` (primary), `florosafd.org` (alias domain)

**Relay credentials:**

| Account | Password |
|---------|----------|
| relay@florosafd.org | *(redacted)* |

---

### gnarlypandaproductions.com

| Type | Host | Value |
|------|------|-------|
| A | `mail` | YOUR_ATT_MAIL_IP |
| MX | `@` | MXRoute primary (priority 10) |
| MX | `@` | MXRoute secondary (priority 20) |
| MX | `mail` | `mail.gnarlypandaproductions.com` (priority 10) |
| CNAME | `imap` | `mail.gnarlypandaproductions.com` |
| CNAME | `smtp` | `mail.gnarlypandaproductions.com` |
| CNAME | `webmail` | `mail.gnarlypandaproductions.com` |
| CNAME | `roundcube` | `roundcube.netgrimoire.com` |
| CNAME | `autodiscover` | `mail.gnarlypandaproductions.com` |
| CNAME | `autoconfig` | `mail.gnarlypandaproductions.com` |
| TXT | `@` | `v=spf1 ip4:YOUR_ATT_MAIL_IP include:mxroute.com -all` |
| TXT | `mail` | `v=spf1 ip4:YOUR_ATT_MAIL_IP -all` |
| TXT | `_dmarc` | `v=DMARC1; p=reject; rua=mailto:admin@gnarlypandaproductions.com` |
| TXT | `mailcow._domainkey.mail` | *(from Mailcow ARC/DKIM Keys for mail.gnarlypandaproductions.com)* |
| TXT | `default._domainkey` | `v=DKIM1; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3D3vyPoBHB4eMSMq8HygVWHzYbketRX4yjk9wV4bdaar0/c89dK230FMOW6zVXEsY1sXKFk1kBxerHVw0wY8qnQyooHgINEQcEXrtB/x93Sl/cqBQXk+PHOIOymQwgni8WCUhCSnvunxXK8qX5f9J56qzd0/wpY2WSEHho+XrnQjc+c7HMvkcC3+nKJe59ZNgvQW/Y9B/L6zFDjAp+QOUYp9wwX4L+j1T4fQSygYxAJZ0aIoR8FsbOuXc38pht99HyUnYwH08HoK7xv3DL2BrVo3KVZ7xMe2S4YMxd1HkJz2evbV/ziNsJcKW/le3fFS7mza09yJXDLDcLOKLXbYUQIDAQAB` |
| TXT | `x._domainkey` | *(from MXRoute control panel — confirm actual selector)* |

**Mailcow domains:** `mail.gnarlypandaproductions.com` (primary), `gnarlypandaproductions.com` (alias domain)

**Relay credentials:**

| Account | Password |
|---------|----------|
| relay@gnarlypandaproductions.com | *(redacted)* |

---

### nucking-futz.com

New domain — see [Mail Setup — nucking-futz.com](./mail-setup-nucking-futz) for full setup guide.

| Type | Host | Value |
|------|------|-------|
| A | `mail` | YOUR_ATT_MAIL_IP |
| MX | `@` | MXRoute primary (priority 10) |
| MX | `@` | MXRoute secondary (priority 20) |
| MX | `mail` | `mail.nucking-futz.com` (priority 10) |
| CNAME | `imap` | `mail.nucking-futz.com` |
| CNAME | `smtp` | `mail.nucking-futz.com` |
| CNAME | `webmail` | `mail.nucking-futz.com` |
| CNAME | `autodiscover` | `mail.nucking-futz.com` |
| CNAME | `autoconfig` | `mail.nucking-futz.com` |
| TXT | `@` | `v=spf1 ip4:YOUR_ATT_MAIL_IP include:mxroute.com -all` |
| TXT | `mail` | `v=spf1 ip4:YOUR_ATT_MAIL_IP -all` |
| TXT | `_dmarc` | `v=DMARC1; p=reject; rua=mailto:admin@netgrimoire.com` |
| TXT | `mailcow._domainkey.mail` | *(from Mailcow ARC/DKIM Keys for mail.nucking-futz.com)* |
| TXT | `x._domainkey` | *(from MXRoute control panel)* |

**Mailcow domains:** `mail.nucking-futz.com` (primary), `nucking-futz.com` (alias domain)

**Relay credentials:**

| Account | Password |
|---------|----------|
| relay@nucking-futz.com | *(set during MXRoute domain creation)* |

---

## Adding a New Domain — Checklist

Use this checklist every time a new domain is added to the stack.

**DNS (at registrar):**

- [ ] A record: `mail.newdomain.com` → YOUR_ATT_MAIL_IP
- [ ] MX records: `@` → MXRoute servers
- [ ] MX record: `mail` → `mail.newdomain.com`
- [ ] CNAME records: imap, smtp, webmail, autodiscover, autoconfig
- [ ] SPF TXT: `@` — includes both ATT IP and `include:mxroute.com`
- [ ] SPF TXT: `mail` — ATT IP only
- [ ] DMARC TXT: `_dmarc`
- [ ] DKIM TXT: `mailcow._domainkey.mail` — after generating in Mailcow
- [ ] DKIM TXT: `x._domainkey` — after retrieving from MXRoute

**Mailcow:**

- [ ] Add domain: `mail.newdomain.com`
- [ ] Add alias domain: `newdomain.com` → `mail.newdomain.com`
- [ ] Generate DKIM key (selector: `mailcow`) for `mail.newdomain.com`
- [ ] Add sender-dependent transport for `newdomain.com`
- [ ] Add sender-dependent transport for `mail.newdomain.com`
- [ ] Create mailboxes as `user@mail.newdomain.com`

**MXRoute:**

- [ ] Add domain in control panel
- [ ] Create forwarder for each mailbox: `user@newdomain.com` → `user@mail.newdomain.com`
- [ ] Retrieve DKIM key for DNS

---

## Troubleshooting

### Mail not delivering inbound (not reaching Mailcow)

- Check MX records for `@` point to MXRoute servers: `dig MX domain.com +short`
- Check MX record for `mail` subdomain points to Mailcow: `dig MX mail.domain.com +short`
- Verify MXRoute forwarder exists for the address in the control panel
- Check Mailcow logs: **Logs → Postfix** — look for the delivery attempt and any rejection reason
- Verify MXRoute IP ranges are in Mailcow `extra.cf` trusted networks

### Mail not delivering inbound (banks / financial institutions)

- This is the residential AT&T IP problem — confirm MX records point to MXRoute, not directly to your IP
- Run `dig MX domain.com +short` — should show MXRoute servers, not your IP
- If MX still points to your ATT IP, update DNS and wait for propagation

### Outbound mail rejected or going to spam

- Verify sender-dependent transport is configured for the domain in Mailcow
- Check relay credentials are current in the transport entry
- Run an SPF check: `dig TXT domain.com +short` — confirm `include:mxroute.com` is present
- Send test to check-auth@verifier.port25.com for full SPF/DKIM/DMARC report
- Run through https://mail-tester.com for a deliverability score

### DKIM verification failing

- Confirm both selectors are published in DNS:
  - `dig TXT mailcow._domainkey.mail.domain.com +short`
  - `dig TXT x._domainkey.domain.com +short` (substitute actual MXRoute selector)
- Allow up to 48 hours for DNS propagation after adding records
- Verify selector names match exactly what Mailcow and MXRoute are using to sign

### DMARC failures

- SPF and DKIM must both pass and align with the From: domain
- Check DMARC reports sent to `admin@netgrimoire.com` — use [Postmark DMARC](https://dmarc.postmarkapp.com/) or [dmarcian.com](https://dmarcian.com) to parse raw XML reports
- Common cause: outbound mail going through MXRoute but `include:mxroute.com` missing from SPF

### Forwarded mail getting spam-scored

- Confirm MXRoute IP ranges are in Mailcow `extra.cf` mynetworks
- Check that Mailcow trusted networks were saved and containers restarted
- Verify SRS is working: in Roundcube open a forwarded message → More → View Source → `Return-Path` should begin with `SRS0=`

### New mailbox not receiving mail

- Two steps are required — confirm both were done:
  1. Mailbox created in Mailcow as `user@mail.domain.com`
  2. Forwarder created in MXRoute as `user@domain.com` → `user@mail.domain.com`
- If the MXRoute forwarder is missing, inbound mail silently goes nowhere

---

## Related Documentation

- [MailCow Configuration](./mailcow)
- [MailCow Security Hardening](./mailcow-security-hardening)
- [Mail Setup — nucking-futz.com](./mail-setup-nucking-futz)
- [OPNsense Firewall](./opnsense-firewall) — ATT_Mail static IP allocation
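
The DNS pattern, the new-domain checklist and the `dig` checks in Troubleshooting can be audited in one pass. The following is an added example, not part of the original configuration notes: it takes answers in `dig +short` form, and the domain `example.org`, the IP `203.0.113.10` and the `*.mxroute.example` MX hosts are constructed placeholders for the values in the MXRoute welcome email.

```python
# Added example (not from the original page); every sample value is constructed.

def spf_terms(txts):
    """Terms of the single SPF record at a name; None if there are 0 or >1."""
    spf = [t.strip('"') for t in txts if t.strip('"').lower().startswith("v=spf1")]
    return spf[0].split()[1:] if len(spf) == 1 else None

def audit(domain, rec, mailcow_ip, mxroute_mx):
    """rec maps (type, name) -> list of answers; mxroute_mx is the set of MXRoute MX hosts."""
    mail, ip, out = f"mail.{domain}", f"ip4:{mailcow_ip}", []

    def mx(name):  # "10 host." -> "host"
        return {v.split()[-1].rstrip(".").lower() for v in rec.get(("MX", name), [])}

    if not mx(domain) or not mx(domain) <= mxroute_mx:
        out.append("apex MX must list only MXRoute hosts")
    # Forwarders target user@mail.<domain>; that name must resolve to Mailcow,
    # otherwise the forward goes back to MXRoute (loop) or to another host.
    if mx(mail) != {mail}:
        out.append("mail MX must be mail.<domain> only")
    if rec.get(("A", mail)) != [mailcow_ip]:
        out.append("mail A record is not the Mailcow IP")

    apex_spf = spf_terms(rec.get(("TXT", domain), []))
    if (apex_spf is None or apex_spf[-1:] != ["-all"]
            or not {ip, "include:mxroute.com"} <= set(apex_spf)):
        out.append("apex SPF needs Mailcow ip4, include:mxroute.com and -all")
    if spf_terms(rec.get(("TXT", mail), [])) != [ip, "-all"]:
        out.append("mail SPF must be Mailcow ip4 and -all only")

    dmarc = [t.strip('"') for t in rec.get(("TXT", f"_dmarc.{domain}"), [])]
    pairs = [p.split("=", 1) for p in dmarc[0].split(";") if "=" in p] if len(dmarc) == 1 else []
    tags = {k.strip(): v.strip() for k, v in pairs}
    if tags.get("v") != "DMARC1" or tags.get("p") != "reject":
        out.append("DMARC record missing or not p=reject")
    if not rec.get(("TXT", f"mailcow._domainkey.{mail}")):
        out.append("Mailcow DKIM selector not published")
    return out

MXROUTE = {"mx1.mxroute.example", "mx2.mxroute.example"}
GOOD = {
    ("MX", "example.org"): ["10 mx1.mxroute.example.", "20 mx2.mxroute.example."],
    ("MX", "mail.example.org"): ["10 mail.example.org."],
    ("A", "mail.example.org"): ["203.0.113.10"],
    ("TXT", "example.org"): ['"v=spf1 ip4:203.0.113.10 include:mxroute.com -all"'],
    ("TXT", "mail.example.org"): ['"v=spf1 ip4:203.0.113.10 -all"'],
    ("TXT", "_dmarc.example.org"): ['"v=DMARC1; p=reject; rua=mailto:admin@example.org"'],
    ("TXT", "mailcow._domainkey.mail.example.org"): ['"v=DKIM1; k=rsa; p=PLACEHOLDER"'],
}
# Apex MX still points at the home server, and the subdomain has two SPF records.
BAD = {**GOOD, ("MX", "example.org"): ["10 mail.example.org."],
       ("TXT", "mail.example.org"): GOOD[("TXT", "mail.example.org")] * 2}

if __name__ == "__main__":
    for name, rec in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit("example.org", rec, "203.0.113.10", MXROUTE))
```

The MXRoute selector (`x._domainkey` on this page) is left out because its real name has to be confirmed in the control panel first.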
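
For the "Forwarded mail getting spam-scored" checks, this added example (not from the original page) reads a raw message source, tests that `Return-Path` begins with `SRS0=`, and tests that the connecting client in the topmost `Received` header falls inside the MXRoute ranges listed in `extra.cf`. Both sample messages are constructed, and the Postfix-style `Received` layout is an assumption.

```python
# Added example (not from the original page); both sample messages are constructed.
import ipaddress
import re
from email import message_from_string

# The MXRoute ranges this page adds to mynetworks in extra.cf.
TRUSTED = [ipaddress.ip_network(n) for n in ("69.167.160.0/19", "198.54.120.0/22")]

def check_forwarded(raw):
    """Return (srs_ok, client_ip, client_trusted) for one raw message."""
    msg = message_from_string(raw)
    return_path = (msg.get("Return-Path") or "").strip().strip("<>")
    srs_ok = return_path.upper().startswith("SRS0=")
    # The topmost Received header was added by the receiving Postfix; the
    # bracketed address in it is the client that connected to Mailcow.
    received = msg.get_all("Received") or []
    m = re.search(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", received[0]) if received else None
    if not m:
        return srs_ok, None, False
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:
        return srs_ok, None, False
    return srs_ok, str(ip), any(ip in net for net in TRUSTED)

FORWARDED = """\
Return-Path: <SRS0=AbCd=XY=sender.example=alice@example.org>
Received: from relay.mxroute.example (relay.mxroute.example [69.167.161.20])
\tby mail.example.org (Postfix) with ESMTPS id 4Zconstructed
\tfor <user@mail.example.org>; Wed, 25 Feb 2026 21:00:00 +0000 (UTC)
Received: from mta.sender.example (mta.sender.example [198.51.100.7])
\tby relay.mxroute.example with ESMTPS; Wed, 25 Feb 2026 20:59:58 +0000
From: Alice <alice@sender.example>
To: user@example.org
Subject: constructed sample

body
"""
# Same message as if delivered directly, without SRS and from an untrusted client.
DIRECT = FORWARDED.replace("SRS0=AbCd=XY=sender.example=alice@example.org",
                           "alice@sender.example").replace("69.167.161.20", "203.0.113.50")

if __name__ == "__main__":
    print(check_forwarded(FORWARDED))
    print(check_forwarded(DIRECT))
```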