diff --git a/howto/submission.md b/howto/submission.md index ebd8c4986fa81668aefb93837eea2596b593236f..bf854475fe7748d43fa578420d6bd047340de1be 100644 --- a/howto/submission.md +++ b/howto/submission.md 
@@ -62,16 +62,33 @@ the email providers they were using before this service was deployed. ## Installation -TODO: how to setup the service from scratch. puppet role and DNS? - - _submission._tcp.example.com. SRV 0 1 587 mail.example.com. +To setup a new mail server, create a machine with the +`email::submission` role in Puppet. Ideally, it should be on a network +with a good IP reputation. In `letsencrypt.git`, add an entry for that host's specific TLS -certificate. For example, the `submit-01.torproject.org` has a line -like this: +certificate. For example, the `submit-01.torproject.org` server has a +line like this: submit-01.torproject.org submit.torproject.org +Those domains are glued together in DNS with: + + submission IN CNAME submit-01 + _submission._tcp IN SRV 0 1 587 submission + +This implies there is only *one* `submission.torproject.org`, because +one cannot have multiple `CNAME` records, of course. But it should +make replacing the server transparent for end-users. + +The latter SRV record is actually specified in [RFC6186](https://datatracker.ietf.org/doc/html/rfc6186), but may +not be sufficient for all automatic configuration. We do *not* go +deeper into auto-discovery, because that typically implies IMAP +servers and so on. But if we would, we could consider using [this +software which tries to support all of them](https://github.com/Monogramm/autodiscover-email-settings) (e.g. [Microsoft](https://docs.microsoft.com/en-us/exchange/architecture/client-access/autodiscover?view=exchserver-2019), +[Mozilla](https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration/FileFormat/HowTo), [Apple](https://developer.apple.com/library/archive/featuredarticles/iPhoneConfigurationProfileRef/index.html)). For now, we'll only stick with the SRV +record. + ## SLA <!-- this describes an acceptable level of service for this service -->
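Review bot: In the added DNS block, the SRV record targets `submission`, which the record just above it defines as a CNAME to `submit-01`; RFC 2782 says an SRV target must be a name with address records and must not be an alias, so clients are not required to follow it. Consider pointing the SRV record directly at `submit-01` (replacing the server then means changing the SRV target) or giving `submission` its own address records. Separately, the `letsencrypt.git` example line reads `submit-01.torproject.org submit.torproject.org`, while the DNS records and the paragraph after them use `submission.torproject.org`; as written, the name that clients reach through the SRV record does not appear on the certificate line shown, so either the certificate entry or the DNS label should be changed so the two match.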