Hello everybody! In a previous video, we explored how to install Exchange Server and how to configure it to run a mail server. In today's video, I'm going to show you how to make sure that your emails reach their recipients instead of ending up in the spam folder, and how to set up the POP3 and IMAP4 mail protocols.

You need to add SPF, DKIM and DMARC records to your DNS hosting so that your emails go all the way to their recipients, pass all the filters and don't get classified as spam. SPF, DKIM and DMARC are essential settings that must be configured before starting a mail server. These records prevent fraudsters from sending harmful mail on your behalf, and if they are absent, messages may never reach their recipients.

An SPF (Sender Policy Framework) record ensures a kind of mutual understanding between the sender's and the recipient's mail services. It contains information about the mail servers that are allowed to send mail on your behalf. When an SPF record is missing, many mail services can just send all mail received from mailboxes within a certain domain into the spam folder, regardless of the mail contents.

An SPF record is published on the DNS servers that serve a certain domain. Go to the control panel of your DNS hosting and create the following TXT record by filling in all these fields.
The record contains such keys as the SPF version and the domain IP address. The key a sets the rule for a specific domain by comparing the IP address of the sender with the IP addresses specified in the A records of the domain. The key mx covers all server addresses specified in the MX records of the domain. The tilde symbol (~) means there is some deviation: the mail will be accepted but marked as spam. The key all means all addresses which are not specified in the record. You will be able to add additional tags later, but for now, just click Save.

The second level of protection when data is transmitted between mail services is DKIM, DomainKeys Identified Mail. It adds a digital signature to all outgoing emails. The recipient uses this signature to verify incoming emails. The recipient's email server sends a DNS request and receives the public key which is placed in the DNS record. This key is then used to verify the email. If the signature checks out against this key, the email is delivered to the recipient. Otherwise, it is sent to the spam folder.

By default, MS Exchange Server doesn't support DKIM. To configure it, you need to install a third-party transport agent onto Exchange, and this agent is called ExchangeDKIMSigner. After the installation, it needs to be configured. Start the application and in the window that opens, click Configure. Then make sure that the ExchangeDKIMSigner agent has the lowest priority, that is, it is placed at the bottom of the list. This requirement is important so that emails are signed at the last stage, after all possible changes made by other transport agents.

In the tab entitled DKIM Settings, you can see which fields will be signed. By default, they include From, Subject, To, Date and Message-ID. Domain parameters are configured in the Domain Settings tab. To add a domain, click Add, give the domain name and the selector, that is, the DNS record name. This is where you can either generate a new key or specify its location.
To create a public key, click Generate New Key, and it will appear in this window. After that, go to the control panel of your domain hosting, create a TXT record with this name, and paste your public key into the content field. After the settings are configured, click Save Domain. The settings will apply automatically.

Finally, let's find out what DMARC is: Domain-based Message Authentication, Reporting and Conformance. It's the level of protection that comes after SPF and DKIM. This record determines how to handle emails which have failed verification with SPF and DKIM. This is also the rule which is set for emails sent on your behalf. Before adding DMARC, it is important to make sure that SPF and DKIM are configured correctly, otherwise your own outgoing emails may get filtered.

To configure DMARC, go to the control panel of your DNS hosting and create a TXT record like this. As the minimum requirement, it should include the mechanism version and the policy. During initial configuration, it is recommended to set the policy to none. It means do nothing, just send a report. Later, you'll be able to tighten your security by changing the record and adding more tags. Now that we are finished with the email setup, you can check how it worked by sending a test email from your mailbox.

At this stage, I'm going to show you how to configure the POP3 and IMAP4 mail services. By default, the POP3 and IMAP4 mail services are disabled in Exchange Server. To configure client connections over IMAP and POP3, you need to start them and enable automatic startup. Open Services. Find the service named Microsoft Exchange IMAP4, set its startup type to Automatic and start the service. Then click Apply and OK. After that, perform the same actions for the following services: Microsoft Exchange IMAP4 Backend, Microsoft Exchange POP3 and Microsoft Exchange POP3 Backend. After the services are started, you need to configure the certificate.
Open Exchange Admin Center and go to Servers, Certificates. Open the SSL certificate by double-clicking on it. Jump to the Services tab, check the boxes next to IMAP and POP and click Save.

Now you need to connect the domain to the POP3 and IMAP services. Click on Start, Microsoft Exchange Server, Exchange Management Shell and run this command. Type the first command for the POP3 service and remember to specify the external domain with port 995 and SSL, then the domain with port 110, and the certificate name at the end. Open the certificate in the Admin Center and copy its name. After you run the command, restart the POP3 service. In the Services window, right-click on the service and choose Restart. Then do the same for the other service, POP3 Backend. After that, run one more command to connect the IMAP service. Then restart the IMAP and IMAP Backend services.

At the next stage, you should check if the following ports are open for these services in your network, and open them if necessary: 995, 993, 110 and 143. Access the network settings and open these ports for Exchange Server.

The next thing to do is to modify the Receive Connector options. In the Admin Center, go to Mail Flow, Receive Connectors, Client Frontend Exchange, open the Scoping tab, and under FQDN, change the domain from internal to external, to mail.hatmansoftware.com as in our example, and click Save.

After that, you should specify the certificate which will be used to encrypt SMTP connections. First of all, you need to know the ID of the certificate that you want to bind to the services. Open Exchange Management Shell and run this command. Copy the certificate value. Then specify the certificate used to encrypt SMTP authenticated client connections. This requires three commands. Run the first command and add the certificate value at the end. After that, run the second command and then the third command.
To make sure that you have specified the certificate that is used to encrypt SMTP authenticated client connections, run another command. As a result, you'll get the certificate name. That should be the name of the certificate you have specified.

At the next stage, you should check if these protocols are enabled at the mailbox level. If they are disabled, users can't configure their profiles in Outlook to use POP3 and IMAP4. However, they should be enabled by default. To check it, open Exchange Admin Center, go to Recipients, Mailboxes, open a specific account, that is, a mailbox, and navigate to Mailbox Features. Then check if these services are set to Enabled.

To see how the services work, use the Test command. Enter the password. Here you are, success. After that, run a similar command for IMAP. Type the password to your account. As you can see, this configuration works as well.

To make sure that you enabled and configured IMAP4 on the Exchange server, do the following. Visit the Microsoft website to use a special service that checks the POP3 and IMAP protocols. Fill in all required fields and click Perform Test. As you can see, the test is successful, but with a warning. The reason is that Microsoft can't check the certificate chain. This feature might be disabled or misconfigured for the server. As for the SSL certificate, I'm 100% confident about it, so I'll just disregard this warning. The service works properly. Now let's check the POP3 protocol. Follow the same steps, fill in the fields and click Perform Test. The test is successful, and you can see the same kind of warning.

Now let's find out if mail flows the way it should. In Outlook, I'll set up a connection via the IMAP or POP3 protocol and send a test email. As you can see, now my emails don't end up in the spam folder, but reach the recipient without any errors.
Now let's analyze a few errors that you may encounter in case of incorrect configuration or when the DNS records (SPF, DKIM or DMARC) are missing.

Error 550, SPF check failed. The error may look this way if an anti-spam tool is installed on the Microsoft Exchange server. This error means that the sender's domain has an incorrect SPF record or that this sender is using a fake email address. If the SPF DNS record is missing, misconfigured or disabled when sending an email to an external email address, you can receive a message containing this error. To eliminate the error, add an SPF record to your DNS hosting.

When checking a DMARC record, this error can be observed. This means that the email didn't pass verification and doesn't meet DMARC requirements. A DMARC compliance error means that this email has failed the SPF and DKIM verification tests. Such errors may have negative effects on delivering your emails, as other mailboxes cannot verify your email address.

This is what a DMARC-related error looks like. Usually, it emerges during DKIM initial configuration, after the application is updated or after the server migration. It is often caused by errors in spelling the tags or in configuring the public key. If the DKIM record is missing or misconfigured, you will receive an email with a warning, and the same applies to the DMARC record. If the mail looks like this, change the settings for the corresponding record.

Summing up, in today's video, we have explored the simple and easy-to-use set of basic integrated tools available to any administrator that let you improve the security of Microsoft mail servers. When properly configured, DKIM, SPF and DMARC records allow you to reduce the flow of spam, newsletters and malicious emails to a minimum. However, I've only shown you the basic configuration and the working principles. To achieve full-fledged protection, some finer settings are required. And that is all for now. Hopefully this video was useful.
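The error cases above often come down to misspelled tags, so here is a small pre-publication check for SPF and DMARC TXT records. It is an added example, not something shown in the video; the sample records, example.com and 203.0.113.10 are constructed, and the DMARC tag list is the one from RFC 7489.

```python
import re

SPF_MECHANISMS = {"all", "a", "mx", "ip4", "ip6", "include", "exists", "ptr",
                  "redirect", "exp"}
# Tags defined for DMARC records in RFC 7489.
DMARC_TAGS = {"v", "p", "sp", "rua", "ruf", "pct", "adkim", "aspf", "fo", "rf", "ri"}

# Constructed sample records (not taken from the video).
SAMPLE_SPF = "v=spf1 ip4:203.0.113.10 a mx ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

def check_spf(record):
    """Return a list of problems in an SPF TXT record (empty list = looks sane)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    problems, names = [], []
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # "+" is the default
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        names.append(name)
        if name not in SPF_MECHANISMS:
            problems.append(f"unknown mechanism: {name}")
        elif name == "all" and qualifier == "+":
            problems.append("+all authorises every sender")
    if "all" not in names and "redirect" not in names:
        problems.append("no all mechanism: unlisted senders get a neutral result")
    return problems

def check_dmarc(record):
    """Return a list of problems in a DMARC TXT record (empty list = looks sane)."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return ["record must start with v=DMARC1"]
    tags = {}
    for part in parts:
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip().lower()
    problems = [f"unknown tag: {k}" for k in tags if k not in DMARC_TAGS]
    # The policy tag is the minimum requirement next to the version.
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("missing or invalid p= policy")
    return problems

if __name__ == "__main__":
    print("SPF:", check_spf(SAMPLE_SPF) or "ok")
    print("DMARC:", check_dmarc(SAMPLE_DMARC) or "ok")
```

An empty list only means the syntax is plausible; whether mail actually passes still depends on the listed addresses and on the DKIM key published for the selector.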