OK to use naked domain as mail server name?

For a long time I have been following the practice of creating web sites that work with both the ‘naked’ domain (@) and the www subdomain. I would then create a DNS record for “mail.domain” and use that as the mail server name in the MX record. However I have never bothered with e.g. “ftp.domain”; I’ve just used the naked domain for FTP and have never had a problem.

So now I’m thinking I really need to use SSL/TLS with my mail servers (especially with the Let’s Encrypt project making progress). The trouble is, my certificates are bought for “www” (and are also valid for the naked domain). If I want to use TLS with “mail.domain” I’m going to need another certificate (and maybe IP address?).

My question then is this: What is the point of making a sub-domain for the mailserver name? Why not just use the naked domain? That way I can get by with just the one certificate. If that’s just as good, why have we all been complicating things all these years? :wink:

(I’m thinking perhaps the reason for this tradition is that really it’s best to have multiple mail servers, and hence the need for subdomains? But multiple mail servers are a bit above my pay grade!)

Mmm… Maybe I have found something - reverse DNS!

At dnsstuff.com they say:

“All addresses referenced by MX records have matching reverse DNS entries. This is good because many mail platforms and spam-prevention schemes require consistency between MX hostnames and IP address PTR records, aka reverse DNS.”

That’s fine, but at SimpleDNS.com they say this about AOL:

“It appears that AOL has recently restricted this even further:
They also require that reverse DNS points to a “fully qualified domain name” (we assume they mean a name with 3 or more segments, such as “mail.jhsoft.com”)”

But are they right that a FQDN must have three parts? If so, having a mailserver called simply “some-domain.com” would cause problems. But according to https://kb.iu.edu/d/aiuv a FQDN only needs two parts!
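The check the quoted dnsstuff.com text describes (MX hostname → A record → PTR record, and whether the PTR name resolves back) can be scripted. The following is an added example for this thread, not the poster's code: the `ZONE` dictionary is constructed sample data using documentation names and addresses so the check runs offline, and `LiveResolver` is an optional real-DNS back end that uses only the standard library (which cannot query MX records, so the MX hostnames have to be supplied from `dig +short MX <domain>`).

```python
"""
MX / reverse-DNS consistency check (added example, not from the thread).
For each MX hostname it reports:
  ptr_names_mx : the PTR name is the MX hostname itself (the strict
                 "MX hostname matches PTR" consistency the quote refers to)
  fcrdns       : the PTR name resolves forward to the same address
                 (forward-confirmed reverse DNS, the looser check most
                 receivers apply)
  labels       : number of labels in the MX hostname, so a two-label
                 name such as "example.net" is easy to spot
ZONE is constructed sample data (documentation names/addresses, not real hosts).
"""
import socket
from typing import Dict, List, Tuple

ZONE: Dict[Tuple[str, str], List[str]] = {
    # Case 1: naked domain used as the MX host, PTR set correctly.
    ("example.net", "MX"): ["example.net"],
    ("example.net", "A"): ["198.51.100.10"],
    ("10.100.51.198.in-addr.arpa", "PTR"): ["example.net"],
    # Case 2: mail.example.org, but the ISP left a generic PTR in place.
    # It resolves forward, so FCrDNS passes, yet it does not name the MX.
    ("example.org", "MX"): ["mail.example.org"],
    ("mail.example.org", "A"): ["203.0.113.25"],
    ("25.113.0.203.in-addr.arpa", "PTR"): ["203-0-113-25.dyn.isp.example"],
    ("203-0-113-25.dyn.isp.example", "A"): ["203.0.113.25"],
}


def norm(name: str) -> str:
    """Lower-case and strip the trailing dot so names compare reliably."""
    return name.lower().rstrip(".")


def reverse_name(ip: str) -> str:
    """IPv4 address -> the in-addr.arpa name queried for its PTR record."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"IPv4 only in this example: {ip}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def label_count(name: str) -> int:
    return len([label for label in norm(name).split(".") if label])


class FakeResolver:
    """Answers from the constructed ZONE above (offline)."""
    def mx(self, domain: str) -> List[str]:
        return ZONE.get((norm(domain), "MX"), [])

    def a(self, name: str) -> List[str]:
        return ZONE.get((norm(name), "A"), [])

    def ptr(self, ip: str) -> List[str]:
        return ZONE.get((reverse_name(ip), "PTR"), [])


class LiveResolver:
    """Real lookups via the system resolver (standard library only)."""
    def mx(self, domain: str) -> List[str]:
        # The stdlib has no MX query; feed `dig +short MX` output to check_mx_host().
        raise NotImplementedError("use `dig +short MX <domain>` and call check_mx_host()")

    def a(self, name: str) -> List[str]:
        try:
            infos = socket.getaddrinfo(name, None, socket.AF_INET)
        except socket.gaierror:
            return []
        return sorted({info[4][0] for info in infos})

    def ptr(self, ip: str) -> List[str]:
        try:
            return [socket.gethostbyaddr(ip)[0]]
        except (socket.herror, socket.gaierror):
            return []


def check_mx_host(mx_host: str, resolver=None) -> List[dict]:
    """One result per A record of the MX host."""
    resolver = resolver or FakeResolver()
    results = []
    for ip in resolver.a(mx_host):
        ptrs = [norm(p) for p in resolver.ptr(ip)]
        results.append({
            "mx": norm(mx_host),
            "ip": ip,
            "ptr": ptrs,
            "ptr_names_mx": norm(mx_host) in ptrs,
            "fcrdns": any(ip in resolver.a(p) for p in ptrs),
            "labels": label_count(mx_host),
        })
    return results


def check_domain(domain: str, resolver=None) -> List[dict]:
    resolver = resolver or FakeResolver()
    results = []
    for mx_host in resolver.mx(domain):
        results.extend(check_mx_host(mx_host, resolver))
    return results


if __name__ == "__main__":
    for domain in ("example.net", "example.org"):
        for r in check_domain(domain):
            print(domain, r)
```

In the constructed data the two-label MX host `example.net` passes both checks, which is the point at issue: nothing in the DNS side of the check cares how many labels the name has, only that the PTR for the MX address names the MX host and resolves back to it. Against a real server run `check_mx_host("mail.yourdomain", LiveResolver())` with the hostname taken from `dig +short MX yourdomain`.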

The only reason for making the mail server a separate sub-domain name is if it is on a different server/IP, and for future-proofing for when you split the email server off onto a standalone server later. You wouldn’t have to change anything but the DNS IP for mail.domain.com. Users would not have to change anything. But users would have to change when going from domain.com to mail.domain.com.

So www and mail can be done with one certificate on the same machine and the same IP.
Otherwise you’d need a cert for each sub.domain or a wildcard cert to handle any *.domain.com.

Also, most phones/email programs default to mail.domain.com when users are setting them up, and users can’t figure out that it should be just domain.com.

The main thing other mail servers look for as far as spam goes is the reverse DNS, which your ISP has to set up. My current mail server address is domain.com. No issues after setting rDNS.
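Whether "one certificate" covers the mail hostname comes down to the names in the certificate's subjectAltName and the wildcard rules TLS clients apply. The block below is an added example for this thread, not the poster's code: `hostname_matches()` implements the usual client rules (case-insensitive comparison; a wildcard must be the whole leftmost label and matches exactly one label), `cert_covers()` applies them to a list of candidate mail hostnames, and the constructed `WWW_CERT` / `WILDCARD_CERT` lists stand in for the two certificates the answer contrasts. `fetch_sans()` is an optional live helper that reads the SAN list from a server on an implicit-TLS port; it is not used by the offline part.

```python
"""
Does this certificate cover the mail hostname?  Added example, not from
the thread.  Matching follows the rules browsers and mail clients use
(RFC 6125 style): "*.domain.com" covers "mail.domain.com" but neither
"domain.com" nor "a.b.domain.com"; a cert for "www.domain.com" plus
"domain.com" covers only those two names.
"""
import socket
import ssl
from typing import Dict, List

# Constructed SAN lists for the two situations the answer describes.
WWW_CERT = ["www.example.com", "example.com"]        # typical "www" cert
WILDCARD_CERT = ["*.example.com", "example.com"]     # wildcard cert
MAIL_HOSTS = ["example.com", "www.example.com", "mail.example.com", "a.b.example.com"]


def hostname_matches(pattern: str, host: str) -> bool:
    """Return True if a SAN entry `pattern` covers `host`."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False            # partial wildcards like w*.example.com are rejected
    suffix = pattern[1:]        # "*.example.com" -> ".example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[:-len(suffix)]
    # The wildcard stands for exactly one non-empty label.
    return bool(leftmost) and "." not in leftmost


def cert_covers(sans: List[str], hosts: List[str]) -> Dict[str, bool]:
    """Map each candidate hostname to whether any SAN entry covers it."""
    return {h: any(hostname_matches(s, h) for s in sans) for h in hosts}


def fetch_sans(host: str, port: int = 443) -> List[str]:
    """Live helper: DNS names from the subjectAltName of the certificate a
    server presents on an implicit-TLS port (443, 465 for SMTPS, 993 for
    IMAPS).  Hostname checking is turned off so a mismatching cert can
    still be inspected; the chain is still validated against the system
    CA store."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    print("www cert:     ", cert_covers(WWW_CERT, MAIL_HOSTS))
    print("wildcard cert:", cert_covers(WILDCARD_CERT, MAIL_HOSTS))
```

So a certificate bought for `www.domain.com` that also lists `domain.com` lets clients connect to a mail server named `domain.com`, but not to one named `mail.domain.com`, unless that name is added as a SAN or the certificate is a wildcard. The clients that enforce this are the ones users configure (IMAP/POP/submission); server-to-server SMTP is usually opportunistic TLS and often does not check the name, so the certificate question is mostly about what your users' mail programs will accept.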