Synology MailPlus Server – for Home Users

Version 2.0 – 24 Sep 2018.  This version consolidates the previous two articles into one, and includes additional information on Greylisting

Many of the Synology packaged applications are end-user oriented and just work, out of the box, with little configuration.  Office, Drive, Moments, Note Station, Photo Station, Audio Station, and the mobile apps –  they “install and go.”  Some are more technical.  Email is one of those.

I created this guide because when I tried to configure MailPlus server I found that the Synology Knowledge Base materials were aimed at email experts – not readily understood by novices; and when I supplemented the Synology resources with external ones designed for novices, the information was so fragmented that it made it even harder to follow.  I decided that to understand it, I needed to build a step-by-step description; and having done so, it made sense to share it.

I have documented what worked for me.  If you have suggestions to improve the processes I’d be delighted to hear about them so I can update and improve these guides.

An invaluable source of information was the Facebook group Synology Admins & Users.  Join now. I have listed below the names of people from that group who have contributed in some way to these articles by commenting on my endless questions.

It’s a good question.  Why go to the trouble of self-hosting a mail server when there are so many free services out there?


  • If you own a Synology DiskStation you are already invested in the technology and you have a private cloud that you own. 

  • You may, like me, distrust cloud services and want to take control of your data.

  • MailServer Plus and its client MailServer are free (up to 5 email accounts – after that you have to pay for user licences.)

  • MailServer is part of an integrated set of Synology apps – Office, Note Station, Contacts, Calendar that is a good substitute for G Suite or Office 365.  It is not as full featured, yet, but is already good enough for home use. (And I say that as an advanced user of Microsoft Office and G Suite.)

  • Because you can. 🙂

Beware the elephant in the room – there will be some minor expenses to set up and run your own mail server.

Incidental Costs

Static IP AddressApprox £5, one off
Domain NameFrom £1.20 for first year and £12 per year thereafter
Email Relay Service (doesn't apply if you use a complete end-to-end MailPlus Server approach.)Depending on the provider you use, approx £35 a year

You need to decide whether this small outlay is justified for gaining direct control over your data. 

MailServer Plus comes with 5 free perpetual licences.  If you need more you have to pay for them.  In the US a pack of 5 perpetual licences is $250 + sales tax which varies but gives a final price of about $265.  In the UK, Amazon are selling the same pack for $421 (£314.)  It looks like opportunistic pricing to me. It might be possible to buy from an overseas outlet if the supplier will ship the licence card to you (many won’t) but whether the licence keys are regionalised is unknown.


You may be required by local laws to have  a postmaster account (although I suspect that may be for corporate email systems and bulk mailers.)   To avoid having to dedicate a licence to postmaster (admin) addresses, create an alias that points the user “postmaster” to the account(s) that administer the system.

Before you go further you need to establish if your DiskStation is MailPlus Server capable – lower end models don’t have the resources to run it.  The easiest way to find out is to login to DSM as administrator and look in Package Center.  If the MailServer Plus package is not visible your DiskStation Model does not support it.  Don’t confuse MailPlus Server with Mail Server.  That’s a totally different “legacy” product, but is the only option on low end models.


Remember that you will have to run the anti virus and spam filter engines, which add to the server load

Although it is technically possible to run MailPlus Server with a dynamic IP address, it is not recommended because when your IP address changes you may experience service interruptions.  Your IP address might change if, for example, you reboot your modem/router. 

You need to check that your ISP provides true static IPs.  Some use a technique where IP addresses come from a reserved pool of dynamic address, and some email servers will treat those IPs as dynamic, and untrustworthy.  If your ISP can’t provide a true static IP you may have to look for another provider that does, or abandon self hosting.

Update:  Actually that’s not quite true.  If you go for SpamHero as a 3rd Party Relay service, they support dynamic IPs, but it’s more expensive. (see “Choose an Email Relay / Gateway Service”)

You will also need a domain name. Unless you go for something that is commercially attractive, you can pay as little as £12 a year incl VAT with the first year often heavily discounted.  Some ISPs are also domain registrars. If they aren’t, they may allow you to to transfer a domain you own to them.  But your domain can be with any provider, it doesn’t have to be your ISP.  Shop around for the best deal but don’t forget to look for user reviews of the domain name provider.

Ideally the domain registrar will give you control panel access to Domain Name Services (“DNS Settings”) as you’ll need to make changes here and having to email support and wait a week is a real pain.

If you’re new to all of this, here’s a good place to start:

Make a logo and hyperlink

The Synology guide makes it easy to assume that Reverse DNS is mandatory.  It isn’t but it is important.


Reverse DNS is like the return address on an envelope.  It allows us to see where the mail in the envelope originated and, in the case of email, the receiving server can query the originating server to make sure it’s genuine.  If a Reverse DNS entry is not available, then the receiving mail server can’t validate the address and may quarantine or even discard the mail as suspicious.

But there’s a problem.  Few ISPs allow static IPs and even fewer support reverse DNS, on a residential line. 

Update:  I have since discovered that my ISP automatically assigns a PTR record and by default points it to a site based on the user’s name on their servers.  This fact is clearly not common knowledge as the technician (not a call centre agent, but a technician) had never heard of a PTR record.

Email servers are a prime target for malicious attacks.  You will need to keep on top of developments in the latest filtering needs or risk becoming a juicy target for criminals who are continually developing inventive new ways to exploit weaknesses in email systems.


The alternative is to use a commercial email relay service / gateway through which your incoming and outgoing mail is routed.  This has some benefits:

  1. Your incoming mail will be screened using commercial grade filters that are maintained by experts so that SPAM and malicious mails are identified / quarantined.

  2. If your NAS is down for maintenance, e.g. performing a DSM update, incoming mail will be queued at the gateway until connection is restored, instead of perhaps being discarded. The sending server will normally retry for a period before giving up, but insurance is no bad thing.

  3. You will not have to spend time trying to keep your email server secure.

If you want to go this route there are many to choose from. Some are designed for commercial use for bulk marketing campaigns, some are free but only offer outgoing.  It’s another minefield to negotiate.  One option is  Comodo – a suggestion from a user on the Synology Admins & Users Facebook group.
  1. They handle both in- and outgoing traffic,
  2. They have a 60 day trial period that doesn’t require you to enter payment card details up front
  3. They have a price plan that is suitable for residential users.  

They have dozens of products on their site – you need Comodo Antispam Gateway.  Don’t be put off by the fact that it’s designed for corporate mail servers. That’s a good thing.

An alternative service is SpamHero.  It’s more expensive than Comodo, especially if you want outbound relaying but it has the advantage of supporting:

    • Non standard ports, which is useful if your ISP blocks the standard ports 25 and 587
    • Dynamic IP addresses, if you can’t get a static IP


If, like me, you are transferring an external domain based email service to Mail Plus then you will need that service to continue while you prepare the new server.  The safest way to do this is to set up a subdomain. 

During installation you will need to test settings. There are several services you can use to do this. Every email expert seems to have their favourite.

As a novice I found two tools to be very user-friendly:

  • During setup, when I needed to test individual components I used MX Toolbox
  • After go live, when I needed to check my email wasn’t setting off alarms in recipients’ servers I used Mail-Tester.  This one is particularly user-friendly as it rates every aspect of your email, scores it, tells you what’s wrong and sometimes, how to fix it.

There are three steps you need to perform outside MailPlus Server.  How to do these steps is widely covered elsewhere so I won’t go into detail here:


  1. Assign a static LAN IP address to the DiskStation that will host MailPlus Server so that external calls to your router are always directed to the correct place.
  2. Set up port forwarding rules on your router to direct external ports 25, 143, 465, 587 and 993 to your DiskStation.
  3. Apply a free security certificate to your DiskStation using DSM’s wizard for “Let’s Encrypt” that will help you do this in a couple of minutes.

Tip:  In the window with the field “Subject Alternate Name,” enter the DiskStation’s LAN IP address.  This will allow you to access the DiskStation using the LAN IP address without causing security alerts to appear in your browser.

Like all things in life, it’s easy when you know how and difficult when you don’t. This is never more true than in the case of email systems.


I couldn’t properly understand the subject without a visualisation so I created a diagram that shows roughly how it all fits together.  Note: This diagram is like the map of the London Underground – what’s shown on the map isn’t intended to reflect the above ground geography because that would make it much harder to read.

For clarity, I have shown the MailPlus Server and MailPlus client twice, on the left and the right of the chart.  Originally I showed all the services on one set of boxes, and it was very difficult to figure out what was incoming and what was outgoing.


The numbered circles correspond with explanatory notes and installation guides in the expanding sections beneath the diagram.

Schematic diagram of the components of an email system based on a Synology MailPlus server

The Synology MailPlus app is a browser based UI where the user sends, receives and monitors mail. There are mobile apps too, on the appropriate stores.  But other clients such as Outlook, Thunderbird and Windows 10 Mail can be used as described in this Synology Knowledge Base article. 

Installation of MailPlus is simple so it won’t be covered here, except for this tip… 

Tip: MailPlus should be installed after MailPlus Server has been configured. Then it can obtain some parameters from the server and simplify user setup.


SMTP Authorisation is used to ensure that only messages from legitimate users are placed into the mail queue.

SMTP setup is pretty straightforward and the options on the following screen are mostly self explanatory.

Screen shot of Synology MailPlus Server General settings tab

Home users should take a look at some of the settings with numeric values because the defaults may be high for that purpose. 

(1) Mail attachments are still limited to 2MB on some very old systems, with 10MB being a sensible limit. If you’ve got a Synology box, then sending shared links makes sense – just in case the recipient has email limits such as a 200MB mailbox (this setting is made in MailPlus not MailPlus Server:

Screen shot of Synology MailPlus settings tab for enabling share links

Synology have placed some Security options in this section instead of the security section.  No, I don’t know why either.  So set them up while you’re here:

Screen shot of Synology MailPlus Server Security settings tab

When the user presses Send, MailPlus Server  will make a DNS request for the IP address associated with the domain name  so that the recipient’s mail server can be located.  If an IP address is found, the message is dispatched to that server.

If no IP address can be found for the recipient’s mail server the MailPlus Server will queue the item and attempt to redeliver it, in case the receiving server is temporarily unavailable.  The user will be advised of the delay from time to time. If successive resends fail  the mail is returned to the sender with a covering message.

To enable the IP validation process to work in the other direction, you need to adjust two domain DNS settings – the A and MX records. 

Your domain name host will have provided you with access to a control panel where these settings can be found.  Each provider’s pages will look different but do essentially the same thing.

Screenshot on setting up A/AAA and MX records

At (1) enter the static IP address assigned to your router

The value entered at (2) depends on your circumstances.  If your domain host and your ISP are the same company, then you should enter your FQDN usually “mail.”<domain name>.  If your domain host and ISP are different, it’s best to enter the domain associated with your account by your ISP when you signed up, in my case p*********  This is because some email servers validate incoming mail by comparing the sending domain to the domain recorded against the IP address, and may treat a mismatch as a warning sign.

Once you have completed this step you have to be to be patient because it can take up to 48 hours for the changes you made in your control panel to propagate across all the DNS servers around the world.  In practice it’s always much quicker than that.

The user name of the incoming mail will be matched to the mail server’s user list or aliases.  If a match is  not found, the mail will be returned to the sending mail server which delivers it back to the sender with a covering message that there is no such user at that domain.


If the user name is valid the mail will be subject to scanning by the receiving server for viruses, spam and other malicious content.  We are not concerned with how that is performed or what level of scanning is applied.  That is their responsibility.  We will be looking at our inbound filtering later.

Useful Link: Synology Help Article – Receiving Mail from External Services.

1) SMTP is only used for “SENDING” emails, either from the mail client or from the MailPlus server to someone else.

2) IMAP is only used to synchronise a Mailbox with multiple devices such as Thunderbird and Android or iOS devices.

3) POP31 is now rarely used for general email as it was designed to only transfer email from one server to one email client (when people only had an office PC and storage on the mail server was expensive, it made sense to transfer the emails to the user and delete them from the server)

If you need to receive mail from another service, such as Gmail the simplest solution is to set up a forwarding rule on that service to send a copy of any incoming mail to your domain account. Once it arrives on the server it will be managed using IMAP. 


At first you might want to leave a copy of the incoming message on Gmail so that you can double check all incoming mail is being received, but that mailbox will not reflect the items you delete and reply to, so it’s value as a backup is limited.  Later, you can easily change the Gmail forwarding rule to delete the mail after it has been forwarded.

1By the way, you may be wondering why I have shown the IMAP/POP3 protocols against the recipient’s mail server instead of our MailPlus Server where we need to implement them.  The answer is simple – for clarity in the diagram.  It would have seriously confused things if I had added them to the MailPlus boxes on either side.  This is why I described the diagram as like the London Underground map – designed to help you understand what’s happening underground, but not what it looks like above ground.

The reply process is  the same as MailPlus Server used to dispatch the original mail so there’s nothing to add. It all starts to happen when the incoming mail arrives at the MailPlus Server when it is subjected to a raft of tests

With the release of MailPlus Server 2.0.0-0522 Synology replaced SpamAssassin with Rspamd

At the time of release of MailPlus Server 2.0.0-0522 there is some uncertainty about SpamAssassin rules, because that capability is still in the product.  It’s unclear whether this is an oversight or whether SA rules work with Rspamd.  For now, I have left the instructions as they were.  I will update this article when I know the outcome.  In the meantime, you can proceed with the setup and just ignore the references to SA rules.  In all other respects, Spam filtering setup is the same.

The MailPlus Server in-app help, accessible from the spam setup screens is very good so please refer to it for more information.

Synology have done a good job of integrating the SA tool-set into MailPlus Server and have reduced what could be a very cumbersome and difficult to maintain task into a reasonable number of steps which, unless indicated to the contrary, are one-off setup tasks:

  1. Find and import additional spam filtering rules
  2. Set rules update schedule
  3. Enable Auto-learning
  4. Set spam trigger levels (tweak periodically)
  5. Enable spam reporting
  6. Set daily schedule
  7. Enable postscreen protection
  8. Enable greylist (one off, but only after auto-learning has been running for a while)

Number 1 on the list is the most time consuming but Synology have made that easier by providing a link to a website from where rules can be obtained, although they have buried it in the in-app help file rather than putting it directly on the screen where you need it.  Some of the rule-sets require a bit of detective work to find.  For example, the Malware Block List is one of the most detailed filters there is (over 330,000 lines long) but you have to dig deep to find it.  To help you, here is the sign-up link for the free home version.

Beware of On my installation this set of rules stopped ALL mail from flowing in and out of MailServer Plus. It took a painful process of turning on each MailPlus Server setting one by one to find the problem. You could try installing it to see if it works for you. It’s easy to delete it if you have the same problem. The file is 330,000 lines so debugging it was not an option for me.

These rule-sets add extra filters to complement the basic filtering performed by SpamAssassin.  They are plain text files with a .cf extension.  In many cases a filter’s site doesn’t provide a .cf file to download.  Instead you have to copy the plain text from their page and paste it into a new text file that you give a file name and .cf extension.  Then you import it into MailPlus Server.  It is also slightly strange that several of the first entries on the page are dead links.  It may be that new rule sets are added to the end of the page, and those at the top go stale without being removed. 

Some rule sets carry a warning that they should not be used because of memory overheads.  Given that these rule sets are primarily designed for commercial servers, they should definitely be avoided on a relatively low powered device like a NAS.

Custom rule sets can be defined but that should be left for another time, if at all.  SpamAssassin’s site says that this should only be necessary if the profile of your mail traffic is outside the norm.  The existing rule sets cover most eventualities.  If you need to create a custom rule there’s a link to an instruction site in the in-app help page.

As a starting point, I enabled all of the items except Greylist, which will be turned on later after auto-learn has been running for a while (as advised in the Help System.)


Screen shot of Synology MailPlus Server Spam settings tab

The Anti-Spam settings defaults were also accepted:

Screen shot of Synology MailPlus Server ant-spam settings

SpamAssassin rules were added, sourced from the website provided in the in-app help system.  As described above, I did not install

Screen shot of Synology MailPlus Server SpamAssassin rules

Auto learning was enabled using the default settings which may need to be tweaked based on live results.

Screen shot of Synology MailPlus Server Auto-learning tab

I encountered a problem with reporting (1). For some reason forwarded spam and false spam have to be reported to two different email addresses.  Because I didn’t want to dedicate a precious licence to this, I tried to use aliases but because they resolve to the same named account, the system would not accept them.  For now I have disabled that facility.

Default DNSBL settings were accepted because is widely recognised as an authoritative source:

Screen shot of Synology MailPlus Server DNSBL settings

AV doesn’t need much explanation.  I run AV at all points of entry to my DiskStation, and email is one of these.  There are two options for AV engine, ClamAV (free) and McAfee (subscription).  Though I had never heard of ClamAV before I started this project it seems to have a good reputation, it’s open source, is widely used on mail servers and was developed by Cisco.


Screen shot of Synology MailPlus Server Anti-Virus settings tab

A Sender Policy Framework record is used to indicate to mail exchanges which hosts are authorized to send mail for a domain.  A record is created on your domain host by adding a TXT record type.  Some sources maintain that an SPF record is not strictly necessary and that some large email services such as Gmail will work without one.  However, most validation tools, such as ValiMail will return an error if one is not present and, as takes only a few minutes to create, it’s easier to provide one than not.


Formatting the SPF record

SPF records can be complex, with many switches to perform different functions.  Fortunately for us, our SPF record can be much simpler:

v=spf1 a mx ~all

For an explanation of these parameters click here.

Next you must enter the value in a TXT record on your domain’s DNS settings1.  In your domain host’s control panel, look for the ability to add CNAME/TXT/SRV records and choose a TXT record type.

Screen shot of creating a TXT record for SPF

1 Some registrars (including Fasthost) still support the now obsolete “SPF” record as well as the recommended “TXT” record.

 Domain Key Identified eMail is a method for validating that the sending system is authorised to do so.  DKIM enhances the reputation of your mail server for mail that you send, and for the sender of incoming mail.


Screenshot of set up screens for DKIM filters in Synology MailPlus Server


1. Turn DKIM on for incoming mail to validate the sender.  The lack of a DKIM signature lowers the reputation of the sender, possibly resulting in dropped mail.

2. Enable it for your outgoing messages.  That makes the next field mandatory.

3. DKIM selector prefix is  a free text field where the user labels the public key by which their service is validated.  I have used a naming convention of <DiskStation name>-<domain name> but you can use whatever label you want.  At this stage you only enter the prefix.   When you deploy it later, the label will be followed by “._domainkey” so in this case the complete selector is nas3-rrett._domainkey but for now just enter prefix that you want. NOTE:  There are limitations on the characters in your label.  For example, the . and _ characters are not allowed. If your chosen prefix contains invalid characters your domain host will probably not let you save the record.

Enter your chosen prefix.  “default” will be sufficient.

4. DKIM uses RSA validation where there are private and public keys that are matched and validated.  The public key will be required in later steps.  Press Generate Public Key button and accept the warning that the private key will be updated; it needs to be to match the public key.  (If you ever have a need to regenerate the key, the warning is a reminder to update the TXT record in your host’s DNS settings.)  Apply the settings.

5. Next you must enter the public key details to a TXT record on your domain’s DNS settings.  In your domain host’s control panel, look for the ability to add CNAME/TXT/SRV records and choose a TXT record type

Screen shot of how to enter a DKIM TXT record on your domain

At 1, enter the prefix you defined in step 4 above, followed by ._domainkey

At 2, enter the highlighted values manually and then paste the public key. You can copy the values from here:


Note 1: In the image shown above, my ISP’s control panel has wrapped the text, which makes it appear to have a line break.  In reality, you must enter the DKIM values and key as one continuous string without line breaks. 

Note 2: The value should be DKIM1 not DKIM.

Save the settings. They should take effect almost immediately. Validate them using MX Toolbox

 Domain-based Message Authentication, Reporting & Conformance is another authentication method which builds on SPF and DKIM.  An unusually plain English (relatively) description of DMARC can be found here.  There’s also a good guide to DMARC value settings here (you need to scroll down, and then some.)


v=DMARC1; p=none; pct=100  The prefix to be used in the TXT record on the domain’s DNS Settings, followed by the domain name

 Defines the TXT record as a DMARC item


Defines the policy to apply when a message fails the DMARC checks

none = delivered as normal. quarantine and reject are self explanatory


The percentage of mails to which DMARC rules will be applied.  With Policy set to none and percentage to 100, all mails will flow.  If we apply a policy such as quarantine, leave the pct at 100 and make a mistake in the overall rule set, 100% of our mail could go to quarantine.  Worse, if we set the policy to reject and pct to 100, all our mail incoming mail could be dropped.  It’s therefore important to reduce the pct value to a really low figure as soon as a policy is introduced.  Better to let some suspicious stuff past the filters at first to make sure mail is flowing.  The quarantine policy can then be introduced with a pct value setting of 5 to 10.  Monitoring of quarantined content will show you whether you need to be more or less aggressive with the pct level.


It should come as no surprise that the DMARC record is added to your domain’s DNS settings in Control panel as a TXT record, just as we did earlier for SPF and DKIM records.

The label for the TXT record takes the format:


Note: there is an exception to the rule for 1&1 hosted domains.  See image below.  1&1 will take the .dmarc prefix and append your domain name automatically. 

Screenshote showing the exception that is applied to entering DMARC records on 1&1 hosting

The value is:

v=DMARC1; p=none; pct=100

Save the record and check it is working correctly, as we did for SPF & DKIM records.

DMARC has many additional attributes than can increase its capabilities, including two that combine DMARC with elements of SPF and DKIM respectively, for increased authenticity.

This is one of the simplest of all the security filters to apply. 


There are few mysteries here and for once everything is well defined in the Help System.  These are the settings that seem most sensible to me:

 Screen shot of Synology MailPlus Server Content Scan settings tab

I chose to not convert html into plain text.  This may be effective on a simple message with an html tag or two within it but many genuine emails contain so many that they are  impossible to read in plain text format.  I prefer to use the specific tag options to “Make tags ineffective” so that the end user can still read the mail but potentially dangerous tags are deactivated.

The Attachment Filter section contains a list of prohibited file attachment types, that could potentially carry a payload.  For some reason the .exe file type is missing from the list.

Rectifying this omission can be completed in three steps by clicking the Attachment Filter button:


Screen shot of Synology MailPlus Server Content Scan settings tab, showing how to add exe files to the attachment filters list

I have not implemented Message Content Protection because:
  1.  Defining rules looks like a tedious and error prone process with some complex masking requirements in some cases. 
  2. Some example rules are given but I could not discover what all of them mean.  For example ex_tw_identify_number has a complex mask that doesn’t match either of the first two candidates that I found from a web search, “Twitter ID” and “Taiwanese ID Number.”  But while researching those, I found a source that states that as of 2016, Spam Assassin is the better way to handle content protection.  I have already activated Spam Assassin so it’s just a case of ensuring the correct filter files are loaded.

Greylisting is a process applied to incoming mail to reduce spam.


Incoming mail that is not from a trusted source is held for delivery and a “received” message is not sent to the originating server.  Reputable originator servers will resend the message if receipt has not been acknowledged by the receiving mail server within a set period governed by the originating server.  Spam servers generally do not perform resends – they are too busy sending spam mail to be bothered about resending, and recipients without grey-listing are probably a better target.

As soon as the second send is received the receiving mail server releases the incoming mail.

The reason it is recommended to wait for 10,000 emails to be received is that MailPlus Server needs to learn what constitutes normal traffic for you.

Tip: Greylist delays

I have noticed that even after the 10K learning period there are some types of incoming email that are routinely greylisted:

  1. New Account verification emails – the ones where you have to click a link to verify your email address for the new account
  2. Password Reset Requests – the ones where you have to wait for an email with a link to a password reset form.

These delays are frustrating if you’re in a hurry to complete a transaction and may tempt you to turn off Greylisting.  Given the sensitive nature of those email types a little delay seems reasonable to me.  This is one area where using resources such as Gmail or a 3rd party relay service is beneficial, because their servers are learning about email activities from millions of people.


I hope you found this guide useful. I try to update it when I discover more about the products involved. If you have any comments or better solutions, I’d love to hear from you. You can use the Comments area below or the Contact link in the menu.



Scott Parcher, John Greenwood, Ray Jacott, Matt Beardon, André Berends, Dolf Weiner, Christopher A Wichura, James Richards, Marco Panetto, Thorsten Stoeteram, Matt Hall, Kris Kristofferson, Peter Holland, John Henderson, Will Ku, Frans Vindum Tjagvad, Thomas Torpare, Daniel Ellenwood

  1. Paul Barrett says:

    On my server I have temporarily disabled DKIM authentication because reports the signature is incorrect. I am waiting for Synology Support to respond because I have followed the instructions to the letter and it still does not work. gives a better overall score with DKIM turned off than it does with an incorrect DKIM signature.

    I will update the guide in due course

  2. Paul Barrett says:

    The DKIM issue has been resolved and the guide updated. It was a simple fix. the DKIM value in the TXT record needed to be DKIM1 not DKIM.

  3. Thanks for putting this blog together. I am still having the same issue with DKIM failing. The header of the gives me a DKIM temperror.

    “ARC-Authentication-Results: i=1;;
    dkim=temperror (no key for signature)”

    I have gone over the steps a thousand times and still can’t work out why. I am also running a later version of MailPlus Server which doesn’t allow me to select DKIM for incoming mail. Not that I think that’s the problem as it is outgoing mail that is affecting my reputation score.

    Any advice would be appreciated.

    • I had a lot of trouble with DKIM too.

      1. Check that your key definition in MailPlus Server is DKIM1 not just DKIM
      2. Are you sure that all elements of the key are entered as a continuous string with no hard line breaks

  4. Hi Paul,

    I am trying to config mail plus on my Synology Nas. I found your guide and I really apreciate the work you did. However I cannot make my mail station work:

    Domain register -> Ok with google domains with dynamic Ip. Getting a static one is not possible
    Reverse DNS -> No done. Really needed?
    Email Relay -> Registered with comodo. How to make it work?
    In MailPlus Server -> Mail Delivery -> Delivery. Which option should be checked?

    Comodo AntiSpam configuration:
    Domain registered and active -> OK
    The mail-delivery IP addresses to allow though your firewall and add to your Recipient Filtering or Transport Rules are (Europe). The Delivery Queue alerts FQDN/IP address to allow through the firewall is [] -> For this step I do not know where I should do it

    DNS MX records for your domain to point to the relevant servers. If you ordered license for Europe (EU):, -> OK email MX 1h

    For outbound filtering you will need to designate our servers as authorized relays by editing your SPF records with “” before enabling any smarthost or send-connector changes on your mail server. -> OK TXT 1h “v=spf1 a mx ~all”

    DMARC record -> OK TXT 1h “v=DMARC1; p=none”
    A Record -> OK A 1h
    DKIM record -> OK but Mail-Tester shows me that it is invalid. selector1._domainkey TXT 1h “v=DKIM1; g=*; k=rsa; p= xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    I tested with ant I get 5.5/10 with these problems:

    Your DKIM signature is not valid
    RDNS_DYNAMIC Delivered to internal network by host with dynamic-looking rDNS

    I tested with MX tool and I get these errors

    SOA Serial Number Format is Invalid
    smtp Reverse DNS does not match SMTP Banner
    smtp Reverse DNS does not match SMTP Banner
    smtp Reverse DNS does not match SMTP Banner
    smtp Reverse DNS does not match SMTP Banner
    smtp 6.510 seconds – Warning on Transaction Time
    smtp Reverse DNS does not match SMTP Banner

    I don’t know if you can give me a hand on this with the experience you have about this issues.

    Nontheles thanks in advance,

    • I will take a look tomorrow

    • If you are using a relay agent like Comodo a lot of the configuration becomes unnecessary because the Comodo relay server handles it. I used Comodo briefly and as i recall, getting the port number right was crucial. Here are my old settings:

      Link to Comodo Settings

      So, check your settings are similar (suitable for your region) and then disable things like DKIM, DMARC, SPF and see if that works.

  5. Fantastic guide Paul! 🙂

  6. It’s worth noting in the “Is your DiskStation Able to Run MailPlus Server” section that the MailPlus server is only available for x86 based models.

    • That’s true, but that requires you to know what architecture your NAS’s chip uses. It’s a lot easier to let Package Centre do the work for you. if MailPlus Server isn’t available for your model it isn’t available for your model. Simple as that.

  7. Thanks for your guide Paul, very helpful as a guideline when setting up MailPlus server for the first time.
    Regarding the default DNSBL’s: It might be interesting to know that apart from the two default DNSBLs ( and, Synology also seems to use URIBLs which you cannot seem to change yourself. I’m running a local DNS server and I see requests from my Synology going to several URIBLs, such as,, and However, I’m not sure if it’s only used to generate the green checkmark in the MailPlus Server Dashboard next to DNSBL or that it actually consults these lists periodically for known spammer IPs.

    • That’s interesting to hear. Those lists may be implicated in an ongoing ticket I have open with Synology about false positive phishing scam notices that are being placed into incoming emails, from reputable sources. There is a fix promised for that. It’ll be interesting to see if that has any effect on the traffic your refer to.

  8. Thanks a great deal for your guide, Paul. It has made a painful exercise of migrating away from macOS Server Mail (which has been primarily the mail server serving our needs for almost a decade) much easier and smooth sailing. Our MailPlus Server is fully functional and received a score of 10/10 from Guess the little tweaking to improve anti-spam is an ongoing effort as spam evolves every now and then.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>