| title | description | published | date | tags | editor | dateCreated |
|---|---|---|---|---|---|---|
| Integrating MXRoute with MailCow | | true | 2026-02-25T20:00:39.861Z | | markdown | 2026-02-25T19:22:31.514Z |
MXRoute — Master Configuration Reference
Overview
MXRoute serves two roles in Netgrimoire mail infrastructure:
- Inbound gateway — MX records for all domains point to MXRoute's commercial IPs, solving residential AT&T IP filtering by banks and financial institutions. MXRoute receives mail and forwards to Mailcow via per-address forwarders.
- Outbound relay — Mailcow sends all outbound mail through MXRoute via sender-dependent transports for improved deliverability.
Mail flow:
Inbound: Internet → MXRoute (commercial IP) → Mailcow (192.168.5.16)
Outbound: Mailcow (192.168.5.16) → MXRoute SMTP relay → Internet
Mailcow host: 192.168.5.16
MXRoute control panel: confirm server hostname from MXRoute welcome email (e.g. arrow.mxrouting.net)
MXRoute SMTP relay: confirm from welcome email (e.g. smtp.mxroute.com:587)
Architecture — Why Two Domains Per Hosted Domain
MXRoute forwarders require a valid destination email address. Forwarding user@domain.com back to user@domain.com creates a mail loop because MXRoute would look up the MX for domain.com and find itself. The solution is a mail.domain.com subdomain with its own MX record pointing directly to Mailcow. MXRoute forwards to user@mail.domain.com, Mailcow accepts and delivers, and an alias domain maps @domain.com back so users only ever see @domain.com.
domain.com MX → MXRoute (public-facing, receives from internet)
mail.domain.com MX → 192.168.5.16 (internal, MXRoute forwards here)
MXRoute Control Panel
Login: confirm URL from MXRoute welcome email
Interface: MXRoute 4.0 (new UI — not old DirectAdmin)
Creating a Forwarder
- Go to Forwarders
- Click Create New Forwarder
- Set Forwarder Name: `username` (domain shown automatically)
- Set Destination Type: Forward to Email(s)
- Set Recipients: `username@mail.domain.com`
- Click Create Forwarder

The Recipients field accepts multiple addresses, comma or newline separated.
Mailcow Configuration
Adding a New Domain (One-Time Per Domain)
- Mail Setup → Domains → Add domain
  - Domain: `mail.domain.com` (the subdomain Mailcow owns)
  - Leave relay settings as default
- Mail Setup → Alias Domains → Add alias domain
  - Alias Domain: `domain.com`
  - Target Domain: `mail.domain.com`
  - This makes Mailcow accept and deliver mail for `@domain.com` to `@mail.domain.com` mailboxes
- Configuration → ARC/DKIM Keys
  - Select domain `mail.domain.com`
  - Selector: `mailcow`
  - Key length: 2048
  - Generate and copy TXT record for DNS
- Configuration → Extra Postfix configuration → extra.cf

  ```
  # Trust MXRoute forwarding IPs — prevents SPF scoring on forwarded mail
  mynetworks = 127.0.0.1/8 [::1]/128 192.168.5.0/24 69.167.160.0/19 198.54.120.0/22
  ```

  Restart affected containers after saving.
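
To see which connecting clients the `mynetworks` line above actually covers, the following added example (not part of the original configuration) parses it the way it is written in extra.cf and tests client addresses against it. Where Postfix's `permit_mynetworks` restriction is in use, clients in these ranges are also exempt from relay checks, so the result shows who is trusted, not only who skips SPF scoring. The client addresses are constructed samples.

```python
import ipaddress

def parse_mynetworks(line):
    """Parse a Postfix 'mynetworks = ...' line into ip_network objects."""
    _, _, value = line.partition("=")
    nets = []
    for token in value.replace(",", " ").split():
        # Postfix writes IPv6 entries as [addr]/len; strip the brackets.
        token = token.replace("[", "").replace("]", "")
        # strict=False accepts entries with host bits set, such as 127.0.0.1/8.
        nets.append(ipaddress.ip_network(token, strict=False))
    return nets

def trusted_by(client_ip, nets):
    """Return the first mynetworks entry covering client_ip, or None."""
    ip = ipaddress.ip_address(client_ip)
    for net in nets:
        if ip.version == net.version and ip in net:
            return net
    return None

# The extra.cf line from this page.
EXTRA_CF = ("mynetworks = 127.0.0.1/8 [::1]/128 192.168.5.0/24 "
            "69.167.160.0/19 198.54.120.0/22")
NETS = parse_mynetworks(EXTRA_CF)

# Constructed client addresses, as they might appear in Postfix "connect from" lines.
SAMPLE_CLIENTS = ["192.168.5.16", "69.167.170.5", "198.54.124.1", "203.0.113.7", "::1"]

def report(clients=SAMPLE_CLIENTS, nets=NETS):
    """Map each client address to the covering network (as text) or None."""
    out = {}
    for client in clients:
        net = trusted_by(client, nets)
        out[client] = str(net) if net is not None else None
    return out

if __name__ == "__main__":
    for client, net in report().items():
        print(f"{client:15} -> {net or 'not trusted'}")
```
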
Adding a New Mailbox
- Mail Setup → Mailboxes → Add mailbox
  - Username: `user`
  - Domain: `mail.domain.com`
- MXRoute control panel → Forwarders → Create New Forwarder
  - Forwarder: `user@domain.com`
  - Destination: `user@mail.domain.com`
Outbound Relay — Sender-Dependent Transports
One transport entry per domain. Configuration → Routing → Sender-Dependent Transports
| Domain | Relay Host | Username | Password |
|---|---|---|---|
| pncharris.com | [smtp.mxroute.com]:587 | relay@pncharris.com | H@rv3yD)G123 |
| wasted-bandwidth.net | [smtp.mxroute.com]:587 | relay@wasted-bandwidth.net | dZ4yLYznVvgSJtqWZJFA |
| netgrimoire.com | [smtp.mxroute.com]:587 | relay@netgrimoire.com | TVGCnJp9SxRbWU8EhkMw |
| florosafd.org | [smtp.mxroute.com]:587 | relay@florosafd.org | 2Fe8XMyaeh6Z5dvdHYdq |
| gnarlypandaproductions.com | [smtp.mxroute.com]:587 | relay@gnarlypandaproductions.com | vG5ZsUQhRWD2UyzLPsqA |

Confirm SMTP relay hostname from MXRoute welcome email — substitute actual hostname for `smtp.mxroute.com` if different.
Email Client Settings (All Domains)
| Setting | Value |
|---|---|
| IMAP server | mail.domain.com |
| IMAP port | 993 (SSL/TLS) |
| SMTP server | mail.domain.com |
| SMTP port | 465 (SSL/TLS) |
| Username | user@domain.com |
Users log in with `@domain.com`. Mailcow resolves to the internal `@mail.domain.com` mailbox via alias domain — transparent to the user.
DNS Reference — All Domains
DNS Pattern (Apply to Every Domain)
Two sets of MX records are required — one for the public domain (pointing to MXRoute) and one for the mail subdomain (pointing directly to Mailcow).
| Type | Host | Value | Notes |
|---|---|---|---|
| A | mail | YOUR_ATT_MAIL_IP | Mailcow server — MXRoute forwards here |
| MX | @ | MXRoute primary (priority 10) | From MXRoute welcome email |
| MX | @ | MXRoute secondary (priority 20) | From MXRoute welcome email |
| MX | mail | mail.domain.com (priority 10) | Mailcow handles subdomain directly |
| CNAME | imap | mail.domain.com | Client autoconfiguration |
| CNAME | smtp | mail.domain.com | Client autoconfiguration |
| CNAME | webmail | mail.domain.com | Roundcube access |
| CNAME | autodiscover | mail.domain.com | Outlook autodiscover |
| CNAME | autoconfig | mail.domain.com | Thunderbird autoconfig |
| TXT | @ | v=spf1 ip4:YOUR_ATT_MAIL_IP include:mxroute.com -all | SPF — both Mailcow direct and MXRoute relay |
| TXT | mail | v=spf1 ip4:YOUR_ATT_MAIL_IP -all | SPF for subdomain — Mailcow direct only |
| TXT | _dmarc | v=DMARC1; p=reject; rua=mailto:admin@netgrimoire.com | DMARC enforcement |
| TXT | mailcow._domainkey.mail | (generated in Mailcow ARC/DKIM Keys) | Mailcow DKIM selector |
| TXT | x._domainkey | (from MXRoute control panel) | MXRoute DKIM selector — confirm actual selector name |
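
The pattern in the table above can be checked mechanically before a domain goes live. This added example (not from the original page) takes a domain's records as `(type, host, value)` tuples and reports deviations from the pattern; the placeholder domain, MX hostnames, IP address and the default `x` selector are assumptions, and the record sets are constructed.

```python
def _mx_targets(values):
    # "10 host." -> "host"
    return [v.split()[-1].rstrip(".").lower() for v in values]

def check_domain(domain, records, mxroute_selector="x"):
    """Return findings for (type, host, value) records; [] means the pattern holds."""
    mail_host = f"mail.{domain}"
    rr = {}
    for rtype, host, value in records:
        rr.setdefault((rtype.upper(), host), []).append(value.strip())
    findings = []
    apex = _mx_targets(rr.get(("MX", "@"), []))
    if not apex:
        findings.append("no MX at @")
    # The public MX must be MXRoute; aiming it at Mailcow exposes the residential IP.
    findings += [f"MX @ targets Mailcow ({t})" for t in apex if t in (domain, mail_host)]
    if _mx_targets(rr.get(("MX", "mail"), [])) != [mail_host]:
        findings.append(f"MX mail must be exactly {mail_host}")
    for host, relay in (("@", True), ("mail", False)):
        spf = [v.lower() for v in rr.get(("TXT", host), []) if v.lower().startswith("v=spf1")]
        if len(spf) != 1:
            findings.append(f"need exactly one SPF record at {host}, found {len(spf)}")
            continue
        terms = spf[0].split()
        if terms[-1] != "-all":
            findings.append(f"SPF at {host} does not end in -all")
        if relay and "include:mxroute.com" not in terms:
            findings.append("SPF at @ lacks include:mxroute.com")
    dmarc = [v for v in rr.get(("TXT", "_dmarc"), []) if v.lower().startswith("v=dmarc1")]
    tags = dict(t.strip().split("=", 1) for t in dmarc[0].split(";") if "=" in t) if dmarc else {}
    if tags.get("p") != "reject":
        findings.append("DMARC policy is not p=reject")
    for sel in ("mailcow._domainkey.mail", f"{mxroute_selector}._domainkey"):
        if not rr.get(("TXT", sel)):
            findings.append(f"missing DKIM TXT at {sel}")
    return findings

# Constructed records for a placeholder domain; MX hostnames and the IP are not real values.
GOOD = [
    ("MX", "@", "10 mx-primary.example.net."), ("MX", "@", "20 mx-secondary.example.net."),
    ("MX", "mail", "10 mail.example.org."),
    ("TXT", "@", "v=spf1 ip4:203.0.113.10 include:mxroute.com -all"),
    ("TXT", "mail", "v=spf1 ip4:203.0.113.10 -all"),
    ("TXT", "_dmarc", "v=DMARC1; p=reject; rua=mailto:admin@example.org"),
    ("TXT", "mailcow._domainkey.mail", "v=DKIM1; k=rsa; p=PLACEHOLDER"),
    ("TXT", "x._domainkey", "v=DKIM1; k=rsa; p=PLACEHOLDER"),
]
# Two mistakes: apex MX aimed at Mailcow, and the relay include dropped from SPF.
BAD = [("MX", "@", "10 mail.example.org.")] + GOOD[2:3] + [
    ("TXT", "@", "v=spf1 ip4:203.0.113.10 -all")] + GOOD[4:]
```

`check_domain("example.org", GOOD)` returns an empty list; the `BAD` set returns one finding for the apex MX and one for the missing SPF include.
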
pncharris.com
| Type | Host | Value |
|---|---|---|
| A | mail | YOUR_ATT_MAIL_IP |
| MX | @ | MXRoute primary (priority 10) |
| MX | @ | MXRoute secondary (priority 20) |
| MX | mail | mail.pncharris.com (priority 10) |
| CNAME | imap | mail.pncharris.com |
| CNAME | smtp | mail.pncharris.com |
| CNAME | webmail | mail.pncharris.com |
| CNAME | autodiscover | mail.pncharris.com |
| CNAME | autoconfig | mail.pncharris.com |
| TXT | @ | v=spf1 ip4:YOUR_ATT_MAIL_IP include:mxroute.com -all |
| TXT | mail | v=spf1 ip4:YOUR_ATT_MAIL_IP -all |
| TXT | _dmarc | v=DMARC1; p=reject; rua=mailto:admin@netgrimoire.com |
| TXT | mailcow._domainkey.mail | (from Mailcow ARC/DKIM Keys for mail.pncharris.com) |
| TXT | x._domainkey | (from MXRoute control panel) |
Mailcow domains: mail.pncharris.com (primary), pncharris.com (alias domain → mail.pncharris.com)
Relay credentials:
| Account | Password | Notes |
|---|---|---|
| relay@pncharris.com | H@rv3yD)G123 | Current relay account |
| forwarder@pncharris.com | (see password history below) | Legacy account |
| passer@pncharris.com | bBJtPhrGkHvvhxhukkae | Current |
| kylr pncharris | -,68,incTeR | |
| G4@rlyf1ng3r | (Feb 14) |
passer@pncharris.com password history (most recent last):
- !5!,_*zDyLEhhR4
- sh7dXWnTPqbkDGsTcwtn
- MY3V8p69b2HYksygxhXX
- RS6U2GU6rcYe3THKKgYx
- yzqNysrd73yzWptVEZ5H (current)
wasted-bandwidth.net
| Type | Host | Value |
|---|---|---|
| A | mail | YOUR_ATT_MAIL_IP |
| MX | @ | MXRoute primary (priority 10) |
| MX | @ | MXRoute secondary (priority 20) |
| MX | mail | mail.wasted-bandwidth.net (priority 10) |
| CNAME | imap | mail.wasted-bandwidth.net |
| CNAME | smtp | mail.wasted-bandwidth.net |
| CNAME | webmail | mail.wasted-bandwidth.net |
| CNAME | autodiscover | mail.wasted-bandwidth.net |
| CNAME | autoconfig | mail.wasted-bandwidth.net |
| TXT | @ | v=spf1 ip4:YOUR_ATT_MAIL_IP include:mxroute.com -all |
| TXT | mail | v=spf1 ip4:YOUR_ATT_MAIL_IP -all |
| TXT | _dmarc | v=DMARC1; p=reject; rua=mailto:admin@netgrimoire.com |
| TXT | mailcow._domainkey.mail | (from Mailcow ARC/DKIM Keys for mail.wasted-bandwidth.net) |
| TXT | x._domainkey | (from MXRoute control panel) |
Mailcow domains: mail.wasted-bandwidth.net (primary), wasted-bandwidth.net (alias domain)
Relay credentials:
| Account | Password |
|---|---|
| relay@wasted-bandwidth.net | dZ4yLYznVvgSJtqWZJFA |
netgrimoire.com
| Type | Host | Value |
|---|---|---|
| A | mail | YOUR_ATT_MAIL_IP |
| MX | @ | MXRoute primary (priority 10) |
| MX | @ | MXRoute secondary (priority 20) |
| MX | mail | mail.netgrimoire.com (priority 10) |
| CNAME | imap | mail.netgrimoire.com |
| CNAME | smtp | mail.netgrimoire.com |
| CNAME | webmail | mail.netgrimoire.com |
| CNAME | autodiscover | mail.netgrimoire.com |
| CNAME | autoconfig | mail.netgrimoire.com |
| TXT | @ | v=spf1 ip4:YOUR_ATT_MAIL_IP include:mxroute.com -all |
| TXT | mail | v=spf1 ip4:YOUR_ATT_MAIL_IP -all |
| TXT | _dmarc | v=DMARC1; p=reject; rua=mailto:admin@netgrimoire.com |
| TXT | mailcow._domainkey.mail | (from Mailcow ARC/DKIM Keys for mail.netgrimoire.com) |
| TXT | x._domainkey | (from MXRoute control panel) |
Mailcow domains: mail.netgrimoire.com (primary), netgrimoire.com (alias domain)
Relay credentials:
| Account | Password |
|---|---|
| relay@netgrimoire.com | TVGCnJp9SxRbWU8EhkMw |
florosafd.org
| Type | Host | Value |
|---|---|---|
| A | mail | YOUR_ATT_MAIL_IP |
| MX | @ | MXRoute primary (priority 10) |
| MX | @ | MXRoute secondary (priority 20) |
| MX | mail | mail.florosafd.org (priority 10) |
| CNAME | imap | mail.florosafd.org |
| CNAME | smtp | mail.florosafd.org |
| CNAME | webmail | mail.florosafd.org |
| CNAME | autodiscover | mail.florosafd.org |
| CNAME | autoconfig | mail.florosafd.org |
| TXT | @ | v=spf1 ip4:YOUR_ATT_MAIL_IP include:mxroute.com -all |
| TXT | mail | v=spf1 ip4:YOUR_ATT_MAIL_IP -all |
| TXT | _dmarc | v=DMARC1; p=reject; rua=mailto:admin@netgrimoire.com |
| TXT | mailcow._domainkey.mail | (from Mailcow ARC/DKIM Keys for mail.florosafd.org) |
| TXT | x._domainkey | (from MXRoute control panel) |
Mailcow domains: mail.florosafd.org (primary), florosafd.org (alias domain)
Relay credentials:
| Account | Password |
|---|---|
| relay@florosafd.org | 2Fe8XMyaeh6Z5dvdHYdq |
gnarlypandaproductions.com
| Type | Host | Value |
|---|---|---|
| A | mail | YOUR_ATT_MAIL_IP |
| MX | @ | MXRoute primary (priority 10) |
| MX | @ | MXRoute secondary (priority 20) |
| MX | mail | mail.gnarlypandaproductions.com (priority 10) |
| CNAME | imap | mail.gnarlypandaproductions.com |
| CNAME | smtp | mail.gnarlypandaproductions.com |
| CNAME | webmail | mail.gnarlypandaproductions.com |
| CNAME | roundcube | roundcube.netgrimoire.com |
| CNAME | autodiscover | mail.gnarlypandaproductions.com |
| CNAME | autoconfig | mail.gnarlypandaproductions.com |
| TXT | @ | v=spf1 ip4:YOUR_ATT_MAIL_IP include:mxroute.com -all |
| TXT | mail | v=spf1 ip4:YOUR_ATT_MAIL_IP -all |
| TXT | _dmarc | v=DMARC1; p=reject; rua=mailto:admin@gnarlypandaproductions.com |
| TXT | mailcow._domainkey.mail | (from Mailcow ARC/DKIM Keys for mail.gnarlypandaproductions.com) |
| TXT | default._domainkey | v=DKIM1; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3D3vyPoBHB4eMSMq8HygVWHzYbketRX4yjk9wV4bdaar0/c89dK230FMOW6zVXEsY1sXKFk1kBxerHVw0wY8qnQyooHgINEQcEXrtB/x93Sl/cqBQXk+PHOIOymQwgni8WCUhCSnvunxXK8qX5f9J56qzd0/wpY2WSEHho+XrnQjc+c7HMvkcC3+nKJe59ZNgvQW/Y9B/L6zFDjAp+QOUYp9wwX4L+j1T4fQSygYxAJZ0aIoR8FsbOuXc38pht99HyUnYwH08HoK7xv3DL2BrVo3KVZ7xMe2S4YMxd1HkJz2evbV/ziNsJcKW/le3fFS7mza09yJXDLDcLOKLXbYUQIDAQAB |
| TXT | x._domainkey | (from MXRoute control panel — confirm actual selector) |
Mailcow domains: mail.gnarlypandaproductions.com (primary), gnarlypandaproductions.com (alias domain)
Relay credentials:
| Account | Password |
|---|---|
| relay@gnarlypandaproductions.com | vG5ZsUQhRWD2UyzLPsqA |
nucking-futz.com
New domain — see Mail Setup — nucking-futz.com for full setup guide.
| Type | Host | Value |
|---|---|---|
| A | mail | YOUR_ATT_MAIL_IP |
| MX | @ | MXRoute primary (priority 10) |
| MX | @ | MXRoute secondary (priority 20) |
| MX | mail | mail.nucking-futz.com (priority 10) |
| CNAME | imap | mail.nucking-futz.com |
| CNAME | smtp | mail.nucking-futz.com |
| CNAME | webmail | mail.nucking-futz.com |
| CNAME | autodiscover | mail.nucking-futz.com |
| CNAME | autoconfig | mail.nucking-futz.com |
| TXT | @ | v=spf1 ip4:YOUR_ATT_MAIL_IP include:mxroute.com -all |
| TXT | mail | v=spf1 ip4:YOUR_ATT_MAIL_IP -all |
| TXT | _dmarc | v=DMARC1; p=reject; rua=mailto:admin@netgrimoire.com |
| TXT | mailcow._domainkey.mail | (from Mailcow ARC/DKIM Keys for mail.nucking-futz.com) |
| TXT | x._domainkey | (from MXRoute control panel) |
Mailcow domains: mail.nucking-futz.com (primary), nucking-futz.com (alias domain)
Relay credentials:
| Account | Password |
|---|---|
| relay@nucking-futz.com | (set during MXRoute domain creation) |
Adding a New Domain — Checklist
Use this checklist every time a new domain is added to the stack.
DNS (at registrar):
- A record: `mail.newdomain.com` → YOUR_ATT_MAIL_IP
- MX records: `@` → MXRoute servers
- MX record: `mail` → `mail.newdomain.com`
- CNAME records: imap, smtp, webmail, autodiscover, autoconfig
- SPF TXT: `@` — includes both ATT IP and `include:mxroute.com`
- SPF TXT: `mail` — ATT IP only
- DMARC TXT: `_dmarc`
- DKIM TXT: `mailcow._domainkey.mail` — after generating in Mailcow
- DKIM TXT: `x._domainkey` — after retrieving from MXRoute

Mailcow:
- Add domain: `mail.newdomain.com`
- Add alias domain: `newdomain.com` → `mail.newdomain.com`
- Generate DKIM key (selector: `mailcow`) for `mail.newdomain.com`
- Add sender-dependent transport for `newdomain.com`
- Add sender-dependent transport for `mail.newdomain.com`
- Create mailboxes as `user@mail.newdomain.com`

MXRoute:
- Add domain in control panel
- Create forwarder for each mailbox: `user@newdomain.com` → `user@mail.newdomain.com`
- Retrieve DKIM key for DNS
Troubleshooting
Mail not delivering inbound (not reaching Mailcow)
- Check MX records for `@` point to MXRoute servers: `dig MX domain.com +short`
- Check MX record for `mail` subdomain points to Mailcow: `dig MX mail.domain.com +short`
- Verify MXRoute forwarder exists for the address in the control panel
- Check Mailcow logs: Logs → Postfix — look for the delivery attempt and any rejection reason
- Verify MXRoute IP ranges are in Mailcow `extra.cf` trusted networks
Mail not delivering inbound (banks / financial institutions)
- This is the residential AT&T IP problem — confirm MX records point to MXRoute, not directly to your IP
- Run `dig MX domain.com +short` — should show MXRoute servers, not your IP
- If MX still points to your ATT IP, update DNS and wait for propagation
Outbound mail rejected or going to spam
- Verify sender-dependent transport is configured for the domain in Mailcow
- Check relay credentials are current in the transport entry
- Run an SPF check: `dig TXT domain.com +short` — confirm `include:mxroute.com` is present
- Send test to check-auth@verifier.port25.com for full SPF/DKIM/DMARC report
- Run through https://mail-tester.com for a deliverability score
DKIM verification failing
- Confirm both selectors are published in DNS:
  - `dig TXT mailcow._domainkey.mail.domain.com +short`
  - `dig TXT x._domainkey.domain.com +short` (substitute actual MXRoute selector)
- Allow up to 48 hours for DNS propagation after adding records
- Verify selector names match exactly what Mailcow and MXRoute are using to sign
DMARC failures
- SPF and DKIM must both pass and align with the From: domain
- Check DMARC reports sent to `admin@netgrimoire.com` — use Postmark DMARC or dmarcian.com to parse raw XML reports
- Common cause: outbound mail going through MXRoute but `include:mxroute.com` missing from SPF
Forwarded mail getting spam-scored
- Confirm MXRoute IP ranges are in Mailcow `extra.cf` `mynetworks`
- Check that Mailcow trusted networks were saved and containers restarted
- Verify SRS is working: in Roundcube open a forwarded message → More → View Source → `Return-Path` should begin with `SRS0=`
New mailbox not receiving mail
- Two steps are required — confirm both were done:
  - Mailbox created in Mailcow as `user@mail.domain.com`
  - Forwarder created in MXRoute as `user@domain.com` → `user@mail.domain.com`
- If the MXRoute forwarder is missing, inbound mail silently goes nowhere
Related Documentation
- MailCow Configuration
- MailCow Security Hardening
- Mail Setup — nucking-futz.com
- OPNsense Firewall — ATT_Mail static IP allocation