Opened 6 days ago

Last modified 5 days ago

#16517 assigned Bug/Something is broken

DKIM and DMARC

Reported by: Kirstin Beatty
Owned by: JaimeV
Priority: Medium
Component: Tech
Keywords:
Cc: Jamie McClelland
Sensitive: no

Description (last modified by Kirstin Beatty)

Hello, I'm working on domain name email verification since email delivery is so important for activism, and we've had lots of trouble. Also, we recently saw someone spoofing our domain name to send spam. We were hoping to set up SPF, DKIM, and DMARC.

I added an SPF record, which MX toolbox confirmed as correct. However, I don't see a way to add DKIM under the DNS section of the control panel. There is a ticket from 15 months ago which says there isn't yet a capacity to add it but there was a plan to get it done last summer. Was that plan derailed or am I looking in the wrong place?

Also, I want to point out something on your Wiki pages: the SPF record instructions are a little hard to follow here: https://support.mayfirst.org/wiki/faq/email/add-spf-record

What I initially did was copy and paste everything it said exactly, so for example: v=spf1 a:spf.mayfirst.org a:viewsic.mayfirst.org ~all -- and this didn't provide SPF for the domain. I think it could be written differently, such as perhaps just to switch out mayfirst.org with [domainname.com] and instructions to replace this with the relevant domain name, if that is what is supposed to happen.

I am not an expert, but I researched online to try to make it work since it didn't according to MX toolbox SPF check. Below is what I did, but I don't know if it is completely right. I used an ip4 address which is supposed to be faster, as I understood it, than writing words like this: v=spf1 a:spf.mayfirst.org ~all, but then I wrote words for the include section so I don't know. This is written mainly as instructions to a random person, as I keep a document to try to remember how things were done.

SPF RECORD ENTRY:

SPF RECORD TIPS HERE: https://www.dmarcanalyzer.com/spf/how-to-create-an-spf-txt-record/

  1. On control panel, select DNS, then select add new record - choose text.
  2. Enter domain name
  3. The number of 3600 is fine.
  4. Enter value, replacing brackets with ip address and minus quotations, as: "v=spf1 ip4:[enter ip address here] -all"
  5. Add another record using the same process but in the value replace as follows: v=spf1 include=domainname.com -all
  6. For number 5, I used my own domain name, but I believe you can also add others following another format (search online for how to "include" more SPF records). This is to allow commercial or other services to send email for you - I'm not there yet.

Change History (4)

comment:1 Changed 6 days ago by Kirstin Beatty

Description: modified (diff)
Sensitive: unset

comment:2 Changed 6 days ago by Kirstin Beatty

Description: modified (diff)

comment:3 Changed 6 days ago by Kirstin Beatty

Description: modified (diff)

comment:4 Changed 5 days ago by JaimeV

Cc: Jamie McClelland added
Owner: set to JaimeV
Status: new → assigned

Hi Kirstin, Unfortunately we have not yet been able to implement the planned changes in our infrastructure that would allow sending DKIM signed messages for members using our shared hosting servers.

Setting an SPF record should work though, and most of our members find that sufficient to improve delivery for now. I'm sorry if the instructions on the wiki page are unclear. We're happy to work with you to improve them; however, I think there are some initial misunderstandings we should clear up.

The reason "a:spf.mayfirst.org" is included is because the spf.mayfirst.org domain name in turn refers to a list of our outgoing e-mail ip numbers. "a:spf.mayfirst.org" instructs other servers to look up the ip numbers associated with that domain. There are several ip numbers and we may change them periodically, so using the spf.mayfirst.org domain is actually the easiest/safest solution.

The reason you shouldn't actually include your own domain name in the record is because the DNS record you are creating is already associated with your domain. The purpose of the SPF record is to tell other servers from which servers mail can be sent on behalf of your domain. So in this case you want to tell them that mail from your domain can come from any of the servers referred to by spf.mayfirst.org.

You do not need to include viewsic.mayfirst.org. That was included as an example of the following case explained in the wiki:

If you have set up any of your e-mail addresses to be automatically forwarded to a 3rd party server or if you also send email using your domain from your web site (e.g. password reminders or new account welcome messages), you should also include your primary host, e.g.:

So in this case, if you want your website to be able to send mail on behalf of your domain, you would also include claudette.mayfirst.org, which is your assigned primary host within the May First infrastructure. While technically you could use your own domain in place of claudette.mayfirst.org, as they currently refer to the same ip number, this may not be a good idea. In the future you might want to place your site behind a proxy, in which case the domain would point to a new ip that wouldn't be the same one sending e-mail; using claudette.mayfirst.org would be safer for now.

Also it is not necessary to set SPF records for subdomains like www.lasttreelaws.com unless you plan to send mail from addresses like info@…

I am not certain why MX toolbox did not initially validate your SPF record as provided by the wiki instructions but the DNS records with a TTL (Time to Live) of 3600 seconds can take up to an hour to propagate so it is possible that it was not yet reading the new record.

Writing documentation that accurately covers all use cases is sometimes very difficult, especially for a subject like SPF. We would be happy to hear any more suggestions based on the information above.
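
SPF record sets like the ones discussed in this ticket can be checked mechanically before they are published. The linter below is an added example, not part of the ticket or of May First's tooling; it applies RFC 7208's rules (one `v=spf1` record per name, mechanisms written with `:`, no record that includes its own domain, well-formed `ip4`/`ip6` values), and `lint_spf`, `example.org` and `192.0.2.10` are assumed names and constructed sample values.

```python
import ipaddress
import re

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
TERM = re.compile(r"([A-Za-z][A-Za-z0-9._-]*)([:=/]?)(.*)")

def _same(a, b):
    return a.rstrip(".").lower() == b.rstrip(".").lower()

def lint_spf(domain, txt_records):
    """Lint the TXT records published at `domain`; return (code, detail) findings."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return [("no-spf", domain)]
    findings = []
    if len(spf) > 1:
        # RFC 7208 section 4.5: more than one v=spf1 record is a permerror.
        findings.append(("multiple-records", f"{len(spf)} at {domain}"))
    for record in spf:
        for term in record.split()[1:]:
            m = TERM.fullmatch(term.lstrip("+-~?"))
            if not m:
                findings.append(("syntax", term))
                continue
            name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
            if sep == "=":
                if name in MECHANISMS:
                    # name=value is a modifier; unknown modifiers are ignored,
                    # so this term authorizes nothing.
                    findings.append(("mechanism-as-modifier", term))
                elif name == "redirect" and _same(value, domain):
                    findings.append(("self-reference", term))
            elif name not in MECHANISMS:
                findings.append(("unknown-mechanism", term))
            elif name == "include" and _same(value, domain):
                # Evaluation recurses into the same record until it ends in permerror.
                findings.append(("self-reference", term))
            elif name in ("ip4", "ip6"):
                try:
                    ok = ipaddress.ip_network(value, strict=False).version == int(name[2])
                except ValueError:
                    ok = False
                if not ok:
                    findings.append(("bad-address", term))
    return findings

# Constructed sample inputs; example.org and 192.0.2.10 are placeholders.
TWO_RECORDS = ["v=spf1 ip4:192.0.2.10 -all", "v=spf1 include=example.org -all"]
ONE_RECORD = ["v=spf1 a:spf.mayfirst.org a:claudette.mayfirst.org ~all"]
```

Calling `lint_spf("example.org", TWO_RECORDS)` reports the duplicate record and the ignored `include=` term, while `ONE_RECORD` comes back with no findings.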
