DNSSEC DS record is incorrect


I just started a mailinthebox server on a vps. I have an cloudflare domain with ddnsec enabled and I get the error message from mail in the box:

“This domain’s DNSSEC DS record is incorrect. The chain of trust is broken between the public DNS system and this machine’s DNS server. It may take several hours for public DNS to update after a change. If you did not recently make a change, you must resolve this immediately”

Can I do something about it or can I ignore this?



If you are not using the MiaB DNS server, you will get this and probably other messages on the status checks page.

Ok thanks so I can ignore those messages…? Email is working btw.

I think more correct is the message is communicating an expected condition. The messages really should never be ignored.

Because I am using nameservers from the cloudflare domain, I’ll get those messages. Everything else is in the green accept the dns… So this is normal behaviour from Mailinthebox because I don’t use the box nameservers…

1 Like

I am still missing the records from MTA-STS policy how can I make those? And I can I put them in the cloudflare dns?

I forget the order of getting this configured, but it’s something like create a DNS a record for mta-sts.example.net, then create a TLS certificate for mta-sts.example.net, then the status checks page will tell you to create a DNS txt record for _mta-sts.example.net.

Ok so I need to make this for my root domain.com? or the box.domain.com?

For whatever domains status checks is telling you the the policy is missing on.

Roger that, lot of work then haha for a own mailserver! But I love it!

It is a fraction of the work compared to configuring everything yourself.

Your right about that. I love your project, better than the competition!

1 Like

Well, it isn’t “mine”, but for the use-case of a server capable of supporting <150 active users and not requiring user roles, it’s the easiest and cheapest project to use. Some people do point to something like Mailcow because it runs in a container, but the resource requirements make the server a lot more expensive per month, at least from a percentage perspective. There are people running MiaB on 512MB servers!

1 Like

Well I am running Miab on a 2 gb 2 core vps on an older processor intel xeon 5, even Yunohost didn’t like this server cause of not streaming capable… But I am happy Miab is running wel. Now I am still trying to fix the mta error… haha Miab already has a txt file for it only need to make a working dns record.

I have the same scenario, as I also have external DNS.
I’d love to be able to “mark” which domains are Miab-dns managed and which ones are externaly managed so this errors/warnings do not produce “noise” y the status check.
I think it could be my second contribution to miab, but unsure if it will get accepted (my previous contribution wvs a bug-fix).

Does any one knows where I can discuss about this before working on it?

You might try posting what you want to do to the GitHub issues and see what kind of response is generated.

1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.