Opened 6 months ago

Last modified 6 months ago

#16517 assigned Bug/Something is broken

DKIM and DMARC

Reported by: Kirstin Beatty Owned by: JaimeV
Priority: Medium Component: Tech
Keywords: Cc: Jamie McClelland
Sensitive: no

Description (last modified by Kirstin Beatty)

Hello, I'm working on domain name email verification since email delivery is so important for activism, and we've had lots of trouble. Also, we recently saw someone spoofing our domain name to send spam. We were hoping to set up SPF, DKIM, and DMARC.

I added an SPF record, which MX Toolbox confirmed as correct. However, I don't see a way to add DKIM under the DNS section of the control panel. There is a ticket from 15 months ago which says there isn't yet a capacity to add it but there was a plan to get it done last summer. Was that plan derailed or am I looking in the wrong place?

Also, I want to point out something on your Wiki pages: the SPF record instructions are a little hard to follow here: https://support.mayfirst.org/wiki/faq/email/add-spf-record

What I initially did was copy and paste everything it said exactly, so for example: v=spf1 a:spf.mayfirst.org a:viewsic.mayfirst.org ~all -- and this didn't provide SPF for the domain. I think it could be written differently, such as perhaps just to switch out mayfirst.org with [domainname.com] and instructions to replace this with the relevant domain name, if that is what is supposed to happen.

I am not an expert, but I researched online to try to make it work, since it didn't according to the MX Toolbox SPF check. Below is what I did, but I don't know if it is completely right. I used an ip4 address, which is supposed to be faster, as I understood it, than writing words like this: v=spf1 a:spf.mayfirst.org ~all, but then I wrote words for the include section, so I don't know. This is written mainly as instructions to a random person, as I keep a document to try to remember how things were done.

SPF RECORD ENTRY: SPF RECORD TIPS HERE: https://www.dmarcanalyzer.com/spf/how-to-create-an-spf-txt-record/

  1. On control panel, select DNS, then select add new record - choose text.
  2. Enter domain name
  3. The number of 3600 is fine.
  4. Enter value, replacing brackets with ip address and minus quotations, as: "v=spf1 ip4:[enter ip address here] -all"
  5. Add another record using the same process but in the value replace as follows: v=spf1 include=domainname.com -all
  6. For number 5, I used my own domain name, but I believe you can also add others following another format (search online for how to "include" more SPF records). This is to allow commercial or other services to send email for you - I'm not there yet.

Change History (12)

comment:1 Changed 6 months ago by Kirstin Beatty

Description: modified (diff)
Sensitive: unset

comment:2 Changed 6 months ago by Kirstin Beatty

Description: modified (diff)

comment:3 Changed 6 months ago by Kirstin Beatty

Description: modified (diff)

comment:4 Changed 6 months ago by JaimeV

Cc: Jamie McClelland added
Owner: set to JaimeV
Status: new → assigned

Hi Kirstin, unfortunately we have not yet been able to implement the planned changes in our infrastructure that would allow sending DKIM signed messages for members using our shared hosting servers.

Setting an SPF record should work though, and most of our members find that sufficient to improve delivery for now. I'm sorry if the instructions on the wiki page are unclear. We're happy to work with you to improve them; however, I think there are some initial misunderstandings we should clear up.

The reason "a:spf.mayfirst.org" is included is because the spf.mayfirst.org domain name in turn refers to a list of our outgoing e-mail ip numbers. "a:spf.mayfirst.org" instructs other servers to look up the ip numbers associated with that domain. There are several ip numbers and we may change them periodically, so using the spf.mayfirst.org domain is actually the easiest/safest solution.

The reason you shouldn't actually include your own domain name in the record is because the DNS record you are creating is already associated with your domain. The purpose of the SPF record is to tell other servers from which servers mail can be sent on behalf of your domain. So in this case you want to tell them that mail from your domain can come from any of the servers referred to by spf.mayfirst.org.

You do not need to include viewsic.mayfirst.org. That was included as an example of the following case explained in the wiki:

If you have set up any of your e-mail addresses to be automatically forwarded to a 3rd party server or if you also send email using your domain from your web site (e.g. password reminders or new account welcome messages), you should also include your primary host, e.g.:

So in this case, if you want your website to be able to send mail on behalf of your domain, you would also include claudette.mayfirst.org, which is your assigned primary host within the May First infrastructure. While technically you could use your own domain in place of claudette.mayfirst.org, as they currently refer to the same ip number, this may not be a good idea. In the future you might want to place your site behind a proxy, in which case the domain would point to a new ip that wouldn't be the same one sending e-mail; using claudette.mayfirst.org would be safer for now.

Also it is not necessary to set SPF records for subdomains like www.lasttreelaws.com unless you plan to send mail from addresses like info@…

I am not certain why MX Toolbox did not initially validate your SPF record as provided by the wiki instructions, but DNS records with a TTL (Time to Live) of 3600 seconds can take up to an hour to propagate, so it is possible that it was not yet reading the new record.

Writing documentation that accurately covers all use cases is sometimes very difficult, especially for a subject like SPF. We would be happy to hear any more suggestions based on the information above.
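As an added illustration (not code from this ticket or from May First), the following Python evaluates an SPF record the way a receiving server does, against a constructed DNS table with made-up IP addresses: the `a:` mechanism resolves the named host's A records, the policy must be published at the bare domain that appears after the @ (not at www), and a malformed term such as `include=` or several v=spf1 records at one name produces a permanent error instead of a pass.

```python
# Added example: a minimal SPF evaluator over a constructed DNS table.
# All IP addresses and the *.example names below are made up for illustration.
import ipaddress

DNS = {
    "spf.mayfirst.org":       {"A": ["203.0.113.10", "203.0.113.11"]},
    "claudette.mayfirst.org": {"A": ["203.0.113.20"]},
    "lasttreelaws.com":       {"A": ["203.0.113.20"],
                               "TXT": ["v=spf1 a:spf.mayfirst.org a:claudette.mayfirst.org ~all"]},
    "www.lasttreelaws.com":   {"A": ["203.0.113.20"]},          # no SPF here
    "badsyntax.example":      {"TXT": ["v=spf1 include=lasttreelaws.com -all"]},
    "tworecords.example":     {"TXT": ["v=spf1 a:spf.mayfirst.org ~all",
                                       "v=spf1 ip4:203.0.113.20 -all"]},
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_records(domain):
    """All v=spf1 TXT records at domain; RFC 7208 allows exactly one."""
    return [t for t in DNS.get(domain, {}).get("TXT", []) if t.startswith("v=spf1 ")]

def check_host(ip, domain, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for ip sending as domain."""
    recs = spf_records(domain)
    if not recs:
        return "none"            # no SPF policy published at this name
    if len(recs) > 1 or depth > 10:
        return "permerror"       # several records, or an include loop
    for term in recs[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        if ":" in term:
            mech, arg = term.split(":", 1)
        elif term in ("a", "all"):
            mech, arg = term, None
        else:
            return "permerror"   # e.g. "include=domain": '=' is not SPF syntax
        if mech == "a":          # A records of arg (or of the domain itself)
            matched = ip in DNS.get(arg or domain, {}).get("A", [])
        elif mech == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":  # only a "pass" of the included policy matches
            matched = check_host(ip, arg, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            return "permerror"   # mechanism not implemented in this toy
        if matched:
            return RESULT[qualifier]
    return "neutral"             # no term matched and no "all" present
```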

comment:5 Changed 6 months ago by Kirstin Beatty

Hi Jaime - I appreciate your help! I do have follow-up questions on this topic. First of all, I do have it clear from you that the ip numbers won't work. I just want to check on what should be written, though.

So here are all the fill-in sections - I believe both are needed to send email using the domain name:

  1. v=spf1 a:spf.mayfirst.org ~all
  2. v=spf1 a:spf.mayfirst.org a:viewsic.mayfirst.org ~all

When I did this before, I checked for several days to see if the SPF record worked for the domain, and it did show at MX Toolbox. I'm trying to guess if maybe I left off the www. in the domain field? Would that do it?

Or, do I need to revise the above or include this extra record?

  3. v=spf1 include=lasttreelaws.com -all

Right now I have all three of the above records and it is working - so that is good! But I'm wondering if it is correct to add number 3.

comment:6 Changed 6 months ago by JaimeV

I think there should only be one record and it should be this:

v=spf1 a:spf.mayfirst.org a:claudette.mayfirst.org ~all

Remember spf.mayfirst.org represents all of our mail servers, and viewsic is just an example in case you also want your website host to be able to send mail on behalf of the domain. Your website host is actually claudette, not viewsic.

comment:7 in reply to: 6 Changed 6 months ago by Kirstin Beatty

Hi Jaime, well, clearly I'm not getting it!

I deleted and replaced as recommended, but MX Toolbox did not show any SPF records for lasttreelaws.com, whereas before, when I had the 3 records, it was recognized by MX Toolbox as having SPF records. I looked at the wiki and it said to include the viewsic entry if you used a domain name that was not May First's.

The DNS said the entry was active, but it wasn't showing the records at MX Toolbox - unless there is a delay, it seems like 3 records works.

So, I added all 3 records back again as before, since just 2 didn't work before and it didn't seem to be working again with just 2 or 1 either - unless there is a delay!

I am guessing that even if imperfect it works at least.

Kirstin

Replying to JaimeV:

I think there should only be one record and it should be this:

v=spf1 a:spf.mayfirst.org a:claudette.mayfirst.org ~all

Remember spf.mayfirst.org represents all of our mail servers, and viewsic is just an example in case you also want your website host to be able to send mail on behalf of the domain. Your website host is actually claudette, not viewsic.

comment:8 Changed 6 months ago by Kirstin Beatty

Hi Jaime, I see it can take an hour to propagate so I'll try it again.

comment:9 Changed 6 months ago by Kirstin Beatty

Hi Jaime, it worked! Just adding the one line you suggested worked.

I realized I was searching the SPF record the wrong way. I made a change when entering into MX Toolbox, by using www rather than dropping it as usual. The SPF record doesn't show without it, and that is probably why the include: worked even if the record was incorrect.

Thank God! This was driving me crazy. Thank you! Kirstin

comment:10 Changed 6 months ago by JaimeV

Kirstin, I support this progress and your process of experimentation; however, I am concerned about your conclusion, as I am quite certain you will need an SPF record for lasttreelaws.com without the www, as you will probably be sending mail as someone@… and not someone@…

I wouldn't be too concerned about what MX Toolbox is telling you immediately. Please trust me on this.

comment:11 Changed 6 months ago by JaimeV

Actually, I am going to add the record for you so you can compare. I am quite certain this will work. Please give it an hour and then check in MX Toolbox without the www.

comment:12 Changed 6 months ago by Kirstin Beatty

Hi Jaime, you are right - I double checked and MX Toolbox came up with the SPF records for both versions. I was wondering whether the www. and the dropped www. both had SPF records, so I'm glad you mentioned this.

I think as a newbie that the Wiki page wasn't clear to me, as I included both lines including the viewsic version, and I am still not clear what the viewsic version is, when to use it, whether to replace any part of it with other words . . . but I'm just going to stick with the version you suggested. Thanks so much!
