VladTheGreat

DMARC / DKIM / SPF - What Do You Know!?


Posted (edited)

Just noticed one problem and I'm looking to solve it. I noticed my messages going to spam folders and came across DMARC (Domain-based Message Authentication).

Has anyone set this up who could share any tips? I've watched and read for a few hours and I'm getting it more, but all I would like to achieve is for messages sent from my website to users not to land in the spam folder, which is obviously damaging to user confidence etc. and which I need to go through as normal. Any recommendations or advice would be fab. If I understand this correctly, when interacting with users on the website, a notification is sent from my site to them for something like a message reply or password reset, and the email goes in their spam folder; does DMARC solve this problem? IPS handles the incoming and outgoing emails; what would be the best way to set that up to work well with DMARC? I'm using Linux cPanel, how do you tie that into IPS?

Thanks in advance, I know it's a big ask, maybe a support question? 

ps, I'm really tired, I'm not even sure if that all makes sense 😛 

Still watching this 1H+ tutorial 

 

 

Also watched this (NOTE: THIS VIDEO IS SLIGHTLY LOUDER, IN CASE IT'S 4AM):

 

 

I think I'm near completion. How would I do a proper test to see if things are as they should be? PS: I'm rolling with it right now, updating this thread as I go.

 

In Godaddy DNS ZONES I've added this TXT RECORD

 

SPF

TXT        @        v=spf1 include:spf.em.secureserver.net ~all        1 Hour

Now changed to:

TXT        @        v=spf1 include:www.seekandsupply.co.uk ~all        1 Hour

ACTUALLY not working so back to

TXT        @        v=spf1 include:spf.em.secureserver.net ~all        1 Hour

DMARC

 

TXT       _dmarc        v=DMARC1;     p=reject       1 Hour

 

The website MXTOOLBOX says everything's fine other than some DNS error, though this seems minor.

REPORT HERE

++++++++++

UPDATE LOL....

++++++++++

 

Not sure if I've gone a little too far? I didn't even think about email servers and how they work, and what I'd need to actually send mail from a personal email server on my PC, which is what DKIM is all about? Basically not what I'm trying to do here, haha. I'm not even sure what needs to be done to straighten it out, so I'll just leave this mess here... get a few hours in and you'll see another random 5-hour messy post later 😛

 

One error I keep seeing is: SOA Expire Value out of recommended range

Seems this is the TTL on the GoDaddy email server being too low or something; apparently it can't be changed and MXToolbox throws a warning.

Edited by VladTheGreat


You shouldn't set the dmarc to reject until you have tested it. Configure it to send reports to your email first - you'll get quite a few but you need to check them to confirm whether you're passing or failing, as if your mailserver or spf is configured incorrectly, right now all your mail will be rejected. 

See here for more info on how to configure it with a policy of none, and how to add your email address:
https://www.dmarcanalyzer.com/dmarc/create-dmarc-record/

This site allows you to upload reports for free, so you can check them:
https://dmarcian.com/dmarc-inspector/

Posted (edited)

I've looked at them already (I searched for 6 hours) 🙂 

Would I, to test this, create an email and sign up for the site, see if the email goes through or just look at the report saying it's going through?

Edited by VladTheGreat

Posted (edited)

I work with SPF and DKIM and DMARC on a daily basis.

First, you should set up good working SPF records before you start anything else.

You could use the SPF Wizard to create it for you, makes life a lot easier.

This way you will see you are missing the MX record which should be included if you are sending mail from the system where your website is residing.

It should look like this:

"v=spf1 mx a ip4:144.xxx.xxx.xxx -all"

This is an example of my site which explains that the mx system where the site is residing is allowed to send mail and also a system with ip 144.xxx.xxx.xxx and nobody else.

There is also the ?all and ~all which can be used in the beginning to test things out. The SPF wizard is a good thing to create correct SPF records for you. Do not just create some self-invented SPF record that you think might be correct and test it. You could get lucky, like now, and still be using the wrong SPF.

Create one with the SPF Wizard so you will be a lot more sure that you are using the correct values.

I don't know if you're on a VPS or something. But when using panels like DirectAdmin or cPanel they will provide the SPF and DKIM records for you. Makes life a lot easier too. But if that is not the case you have to create them yourself.

Do NOT use a DMARC record without a valid DKIM record because this will cause issues. A correct DMARC record is built from a combination of a good SPF and DKIM record.

 

Edited by Black Tiger

Posted (edited)

Thanks for the reply. I'm using GoDaddy Linux Ultimate with cPanel, no options to auto-add DKIM, but I have access to DNS so adding one isn't a problem (though as I understand it, this is an encryption key which the email server uses to verify, and I could use the public key in a bulk mail server / software? Which verifies the sender by accessing and decrypting from the private DKIM in the DNS record?)

Because I use Godaddy email server, which is the only one that will ever be used, I set up the DNS like so:

I have the A record pointing mail to IP of server (A @ mail xxx.xxx.xxx.xxx 10800)

TXT record (v=spf1 include:spf.protection.secureserver.net include:secureserver.net include:smtp.secureserver.net -all

DMARC record set up (v=DMARC1; p=reject)

PS, didn't get far enough through the docs to fully understands it all yet but

I understand the +A allows any / all servers to send mail and -A tells the receiver to reject all, then the ?A is to tell the receiver that if that validation has failed, that they can do what they feel is best with email sent.

I've had to pause this study to get the site back up and operational as there's a bug haunting me right now, but I appreciate all the info you gave. I see you've placed the MX option in; I've seen this in the guides a few times, I'm not sure how to use that or if it would work with what I've got.

Edited by VladTheGreat

Posted (edited)
On 7/26/2019 at 2:57 PM, VladTheGreat said:

I've looked at them already (I searched for 6 hours) 🙂 

Would I, to test this, create an email and sign up for the site, see if the email goes through or just look at the report saying it's going through?

If you add your address to the dmarc dns entry, you'll receive reports from google (gmail), yahoo, hotmail etc every 24 hours on the email being sent from your domain through their systems. 

You should really only set DMARC to reject all mail without a valid DMARC pass after you've been receiving these reports a while. Best practice is to start with DMARC with a policy of none, then after a short while, assuming the reports are ok, start having a percentage either set to block or filter, and then slowly raise that percentage as you become more confident that all is configured correctly and no legitimate mail is going to be blocked.

Edited by Dll
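The staged rollout described in the post above (start at p=none with rua= reporting, then move to quarantine/reject by percentage) is easier to reason about once you can see exactly how a receiver turns the published record plus the SPF/DKIM results into a verdict. The script below is an added example, not code from the thread or from any DMARC vendor: it parses a DMARC TXT record with RFC 7489 tag semantics (p=, sp=, pct=, adkim=, aspf=), applies identifier alignment against the From: domain, and returns the disposition a receiver would apply. PUBLIC_SUFFIXES is a constructed stand-in for the Public Suffix List so it runs offline; the `draw` parameter stands in for the receiver's random sample used for pct=. Domains are the ones from the thread.

```python
"""Parse a DMARC record and compute the verdict for one message.

Added example, not code from the thread. The tag handling follows RFC 7489
(p=, sp=, pct=, adkim=, aspf=, rua=); PUBLIC_SUFFIXES is a tiny constructed
stand-in for the Public Suffix List so the script runs offline.
"""

# Constructed stand-in for the Public Suffix List (assumption: only these
# suffixes exist). Production code must use the real PSL.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}

DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}
# RFC 7489 6.6.4: mail outside the pct= sample gets the next less severe action
LESS_SEVERE = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=...; ...' into a tag dict, filling RFC defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, val = part.split("=", 1)
        tags[key.strip().lower()] = val.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= is required and must be none, quarantine or reject")
    for key, val in DEFAULTS.items():
        tags.setdefault(key, val)
    tags["pct"] = int(tags["pct"])
    if not 0 <= tags["pct"] <= 100:
        raise ValueError("pct= must be 0..100")
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p=
    return tags


def org_domain(name):
    """Organizational domain: one label above the longest matching public suffix."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') is an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain, draw=0):
    """Return (dmarc_pass, disposition) for one message.

    spf_domain is the MAIL FROM domain SPF was evaluated for; dkim_domain is the
    d= of a signature that verified (None if there is none). `draw` (0..99) is
    a stand-in for the receiver's random number used to apply pct=.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    policy = tags["p"] if org_domain(from_domain) == from_domain.lower() else tags["sp"]
    if draw >= tags["pct"]:
        policy = LESS_SEVERE[policy]
    return False, policy


if __name__ == "__main__":
    # The thread's situation: p=reject published, SPF failing, no DKIM signature.
    print(evaluate("v=DMARC1; p=reject", "seekandsupply.co.uk",
                   "fail", "seekandsupply.co.uk", "none", None))
    # The recommended starting point: monitor only, aggregate reports to a mailbox.
    print(evaluate("v=DMARC1; p=none; rua=mailto:dmarc@seekandsupply.co.uk",
                   "seekandsupply.co.uk", "fail", "seekandsupply.co.uk", "none", None))
```

The two calls at the bottom are the two states the thread moves between: with p=reject and a failing SPF, a receiver rejects the message outright; with p=none the same message is delivered and merely counted in the aggregate report. A single aligned pass from either SPF or DKIM is enough, which is why a DKIM signature from the web host would rescue mail that SPF cannot cover.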


You should really only set DMARC to reject all mail without a valid DMARC pass after you've been receiving these reports a while.

Again, DMARC is -only- set AFTER a correct SPF and DKIM record is set. If you don't have a DKIM record and your mails are not signed with DKIM then DMARC has totally no use.

First things first otherwise things get messed up.

 

@VladTheGreat I don't know how GoDaddy set it up, but you might find some things via Google.

I found this video on how to set up DKIM with Godaddy, I hope it will help you:

 

Posted (edited)

Just found the best topic for SPF and Godaddy: 

https://www.godaddy.com/community/Managing-Email/What-are-the-correct-GoDaddy-SPF-Settings-For-DNS-to-send-mail/td-p/5645 

Though there's some serious confusion there (or everywhere) about SPF settings. In my case all I want it to do is pass mail from my non-dedicated server, which is the standard server that comes with cPanel (secureserver.net), to users' email accounts (unlike people that use extra software like Office 365 etc.), which seems to be the correct setting:

TXT        @        v=spf1 include:spf.em.secureserver.net ~all        1 Hour

 

Also, need to work out how to use rDNS, is that a service which checks my IP?

 

When I wake up a bit I'll dig deep into it and let you know some more results (maybe this thread will help someone else who may be having issues).

Edited by VladTheGreat

Posted (edited)

OK, I will do this once, but it's in fact really easy. People should use the SPF wizard I pointed to.

 

Quote

All I want it to do is pass mail from my non-dedicated server which is the standard server that comes with cPanel (secureserver.net)

OK, that is understandable.

Quote

TXT        @        v=spf1 include:spf.em.secureserver.net ~all        1 Hour

In that case it's still in fact not correct as it should be. If you had used the SPF wizard as I suggested, you would have known.

And the reason I know this is because I'm working with it on a daily basis, as I told you.

As you could have seen then, the MX and A were even recommended.

Firstly, look at what your MX address is for the domain seekandsupply.co.uk, which is your domain.

We already get a bit of an odd naming result

seekandsupply.co.uk.    3600    IN      MX      0 mailstore1.secureserver.net.
seekandsupply.co.uk.    3600    IN      MX      10 smtp.secureserver.net.

Normally the backup MX used with 10 is not named smtp, because smtp is normally used by the SMTP server, but OK, it's not that big a deal.

So, your normal MX address is mailstore1.secureserver.net. In this case your SPF record starts with

v=spf1 MX

because the server mentioned as your MX is allowed to send on your behalf. Since smtp.secureserver.net is also mentioned as MX, it's allowed to send mail. You need the "a" in there to allow the IP of the hosting server to send mail just to be sure, it's common practice.

Then you should be ready. The only problem is that sometimes strict mail systems also want to see the IP instead of only the A record in the SPF.

So in your case either use:

 seekandsupply.co.uk.  IN TXT "v=spf1 mx a ip4:160.153.133.221/32 ~all" 

or

seekandsupply.co.uk.  IN TXT "v=spf1 mx a ip4:160.153.133.221 ~all"

both should be correct and you have caught it all. This will generate a softfail if mail is not sent via your hosting account or from this server.

If things work out well, change it to the -all setting.

This already takes care of the inclusion of both MX records, so you don't have to include them. I don't know where you got the include:spf.protection.secureserver.net setting from, but if you want to use that, you can add it. It would be like this:

seekandsupply.co.uk.  IN TXT "v=spf1 mx a ip4:160.153.133.221/32 include:spf.protection.secureserver.net ~all"

Or if you don't trust the /32 you use:

seekandsupply.co.uk.  IN TXT "v=spf1 mx a ip4:160.153.133.221 include:spf.protection.secureserver.net ~all"

And you're done. No need to include "secureserver.net" or "smtp.secureserver.net" because the MX setting takes care of it. This is the correct way to use an SPF record.

Quote

Also, need to work out how to use rDNS, is that a service which checks my IP?

You really need rDNS to prevent getting your mail flagged as spam on several systems. It's not a service that checks your IP.

rDNS stands for "reverse DNS", which means that there needs to be a record which points to your server's hostname, or rather the HELO name of the mailserver.

You don't need to worry about that if you're on a shared hosting server, the hoster should have that configured correctly. However, if you are on a VPS or your own dedicated server, you should configure this in the datacenter control panel for your dedi/VPS.

So I don't think you have to worry about this as you're on shared hosting if I understood you correctly.

 

Edited by Black Tiger
forgot an s in the domain name, fixed it.
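The post above argues from what each SPF term means: mx authorizes the addresses behind the domain's MX hosts, a the address of the domain itself, ip4 a literal address or prefix, and the qualifier on all (~ or -) decides what happens to everything else. The evaluator below is an added example, not code from the thread, the SPF wizard or GoDaddy: it implements the RFC 7208 check_host() subset those terms need, including the four qualifiers, the 10-lookup limit, and the permerror that an include: of a name with no SPF record produces. The DNS table is constructed so the script runs offline; the MX names and the 68.178.213.x / 160.153.133.221 addresses are the ones quoted in this thread, the other addresses and the spf.em.secureserver.net record contents are invented documentation values, not a description of GoDaddy's real zone.

```python
"""Minimal SPF evaluator (subset of RFC 7208) run against a constructed DNS table.

Added example, not code from the thread. Mechanisms covered: all, ip4, ip6,
a, mx, include. The DNS data is constructed for the example.
"""
import ipaddress

# Constructed DNS table (assumption). Real code resolves these names live.
DNS = {
    "seekandsupply.co.uk": {
        "TXT": ["v=spf1 mx a ip4:160.153.133.221 ~all"],
        "MX": ["mailstore1.secureserver.net", "smtp.secureserver.net"],
        "A": ["160.153.133.221"],
    },
    "mailstore1.secureserver.net": {"A": ["68.178.213.243", "68.178.213.244"]},
    "smtp.secureserver.net": {"A": ["203.0.113.25"]},
    "spf.em.secureserver.net": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    # "spf.protection.secureserver.net" is deliberately absent: the thread's
    # MXToolbox run reported no SPF record for it, and an include: of such a
    # name yields permerror, not a pass.
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 4.6.4: a, mx, include (and ptr/exists/redirect) count


class PermError(Exception):
    """The record cannot be evaluated (RFC 7208 'permerror')."""


def lookup(dns, name, rtype):
    return dns.get(name.lower().rstrip("."), {}).get(rtype, [])


def spf_record(dns, domain):
    """Exactly one TXT record starting with v=spf1 is required."""
    recs = [t for t in lookup(dns, domain, "TXT") if t.lower().split(" ", 1)[0] == "v=spf1"]
    if len(recs) != 1:
        raise PermError(f"{domain}: expected one SPF record, found {len(recs)}")
    return recs[0]


def _eval(dns, ip, domain, counter):
    for term in spf_record(dns, domain).split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("a", "mx", "include"):
            counter[0] += 1
            if counter[0] > MAX_LOOKUPS:
                raise PermError("more than 10 DNS-querying mechanisms")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":  # the a/NN prefix form is not handled here
            matched = str(ip) in lookup(dns, arg or domain, "A")
        elif mech == "mx":
            matched = any(str(ip) in lookup(dns, h, "A")
                          for h in lookup(dns, arg or domain, "MX"))
        elif mech == "include":
            # include: matches only when the included record yields "pass";
            # a missing/invalid included record propagates as PermError.
            matched = _eval(dns, ip, arg, counter) == "pass"
        else:
            raise PermError(f"unsupported mechanism {mech!r}")
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # fell off the end without an "all" term


def check_host(ip, domain, dns=DNS):
    """RFC 7208 check_host(): pass / fail / softfail / neutral / none / permerror."""
    try:
        return _eval(dns, ipaddress.ip_address(ip), domain, [0])
    except (PermError, ValueError):
        has_record = any(t.lower().startswith("v=spf1") for t in lookup(dns, domain, "TXT"))
        return "permerror" if has_record else "none"


if __name__ == "__main__":
    for sender in ("160.153.133.221", "68.178.213.244", "192.0.2.7"):
        print(sender, check_host(sender, "seekandsupply.co.uk"))
```

Run as-is it shows the hosting server passing via a, an MX address passing via mx, and an unrelated address softfailing via ~all. Pass a modified table to check_host to see the other cases the thread hits: swapping ~all for -all turns that softfail into fail, and adding include:spf.protection.secureserver.net (a name with no record) makes the whole record permerror for any sender that does not match an earlier term, which is worse than the softfail it replaced.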

Posted (edited)

I just did some tests and it's not looking good:

Quote

The SPF value does not allow mail delivery from all mailservers in the domain. This may cause problems if you use the same servers for incoming and outgoing mail. The failing mailservers are:


warn_msg = (2) Host 'spf.protection.secureserver.net' not found. | Could not find a valid SPF record | 68.178.213.243

So I would leave out that spf.protection.secureserver.net as an include, because it's not a host. It's an SPF record. So you can't include this with an include. Leave it out.

And you have an smtp banner mismatch, so MX and rDNS are incorrect.

The helo says:

p3plibsmtp03-09.prod.phx3.secureserver.net

MX address mailstore1.secureserver.net. is pointing to 3 different IP addresses. Only 1 IP is pointing back to p3plibsmtp03-09.prod.phx3.secureserver.net so only 1 rDNS is correct.

The other 2 IP addresses 68.178.213.243 and 68.178.213.244 do not have correct rDNS. So if any mail is sent via those servers (which is very well possible since they are all mailstore1 aliases) your mail can well end up in spam folders.

This is a Godaddy issue, they should fix it.

Edited by Black Tiger
Sorry, always have to fix some typos.
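The banner-mismatch finding above is a forward-confirmed reverse DNS (FCrDNS) problem: the PTR for the sending address must name a host, that host's A record must contain the same address, and the SMTP HELO name should be that host. The script below is an added example, not code from the thread or MXToolbox, that runs those three checks over every address behind an MX name using a constructed DNS table. The HELO name and the .243/.244 addresses are quoted from the post; the PTR and A data, including the single address given a valid PTR, are constructed for illustration and are not a statement about GoDaddy's actual zone.

```python
"""Forward-confirmed reverse DNS (FCrDNS) and HELO consistency check against
a constructed DNS table.

Added example, not code from the thread. PTR data is keyed by the
in-addr.arpa name a resolver would actually query.
"""
import ipaddress

HELO = "p3plibsmtp03-09.prod.phx3.secureserver.net"

# Constructed records (assumption): one of the three mailstore1 addresses has
# a PTR pointing back to the HELO name, the other two have none.
DNS = {
    "PTR": {ipaddress.ip_address("68.178.213.242").reverse_pointer: HELO},
    "A": {
        HELO: ["68.178.213.242"],
        "mailstore1.secureserver.net": ["68.178.213.242", "68.178.213.243", "68.178.213.244"],
    },
}


def check_sender(ip, helo, dns=DNS):
    """Return the FCrDNS/HELO checks for one sending address."""
    rev = ipaddress.ip_address(ip).reverse_pointer  # e.g. 243.213.178.68.in-addr.arpa
    ptr = dns["PTR"].get(rev)
    forward = dns["A"].get(ptr.lower(), []) if ptr else []
    return {
        "ip": ip,
        "ptr": ptr,
        "forward_confirmed": ip in forward,  # PTR -> name -> A contains ip again
        "helo_matches_ptr": bool(ptr) and ptr.lower() == helo.lower(),
        "helo_resolves_to_ip": ip in dns["A"].get(helo.lower(), []),
    }


def audit_mx(mx_host, helo, dns=DNS):
    """Check every address behind an MX name; a receiver may see any of them."""
    return [check_sender(ip, helo, dns) for ip in dns["A"].get(mx_host.lower(), [])]


def bad_addresses(mx_host, helo, dns=DNS):
    """Addresses that will trip reverse-DNS or HELO checks at a strict receiver."""
    return [r["ip"] for r in audit_mx(mx_host, helo, dns)
            if not (r["forward_confirmed"] and r["helo_matches_ptr"])]


if __name__ == "__main__":
    for result in audit_mx("mailstore1.secureserver.net", HELO):
        print(result)
    print("problem addresses:", bad_addresses("mailstore1.secureserver.net", HELO))
```

On real infrastructure the same logic is driven by live PTR and A lookups; the point of running it per address rather than per hostname is exactly the one made above: a name that resolves to several addresses is only as clean as its worst-configured address, and the sender does not control which one a given message leaves from.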

Posted (edited)

Hey, thanks for the reply. I was just doing some messing and though I understand what you're saying about the MX records etc., that's not what GoDaddy are saying... and I'm not saying either of you is wrong, as I know each setup has its own strings. My biggest problem right now is getting my head round how all of these tie up together (other than the DKIM I guess, which is just public / private keys).

 

PS YES SHARED HOSTING

 

Just changed the string to the one you created, I'll wait few hours and look at it again, PS more help from users than support (which is sad) but nice at the same time

Edited by VladTheGreat

19 minutes ago, VladTheGreat said:

that's not what godaddy are saying,....

You can use strings a bold way or a decent way. I prefer to use the decent way. And that's not what GoDaddy are saying?

Then check this:

https://nl.godaddy.com/help/add-an-spf-record-19218

from Godaddy themselves and the example:

For example, enter

v=spf1 mx -all to indicate that all email is sent from this server and no other mail servers are authorized.

So Godaddy -is- saying the same. 🙂
But it's no problem.

Anyway, since it's shared hosting GoDaddy is causing an rDNS issue with your mail. GoDaddy is certainly not my choice for forums in the first place anyway, neither is any other host not implementing SPF by default, but everyone must know that for themselves. The rDNS issue is a lot worse, because you can't fix that.

 

DKIM is a completely different ballgame and the mailserver has to support it and sign your emails, otherwise it's totally no use to have DKIM records. I also wonder why GoDaddy in the past has decided to remove the automatic SPF implementation.

Just changed the string to the one you created, I'll wait few hours and look at it again, PS more help from users than support (which is sad) but nice at the same time

1.) I hope you did remove the include:spf.protection.secureserver.net line as I suggested.

2.) It's quite logical that support is not answering here. This is not an Invision issue, it's a hosting issue. And it's also holiday time. So you have to have a combination of somebody present, and also knowing enough about SPF, DKIM and DMARC to be able to help.

Posted (edited)

reading many MANY threads, so much conflicting information (for something so simple 🙂 )

https://ph.godaddy.com/community/Managing-Email/What-are-the-correct-GoDaddy-SPF-Settings-For-DNS-to-send-mail/td-p/5645

 

PS, they removed this to push the Office365 perhaps? Which apparently has this all sorted automatically (PS IM A NOOB so don't take what I say as fact) (because all the threads I read, even godaddy don't know half the time)

Edited by VladTheGreat


PS: support in all of these establishments is crap 😛 ... anything standardized is a customization 😛 from what support say. Since I'm new to semi-control of the whole site's workings I'm learning slowly, but obviously can't learn a whole internet's way in a year.

Just now, VladTheGreat said:

I'm learning slowly but obviously can't learn a whole internet way in a year

Nobody expects you to. But SPF is just a few lines. The SPF wizard has been around for years and knows better than any support forum or desk, and is easy to use. One just has to know what to fill in.

It's also easy to find that DKIM does sign your message, hence the mailserver has to cooperate to do this for you.

And when looking around at what DMARC is, it's quickly found that DMARC relies on SPF and DKIM, so won't work standalone. 😉

But it's no problem, I'm glad to be a bit of help and explain about this, but don't get too confused about things (which can happen easily with this mailstuff). Patience and checking is a good thing.

Posted (edited)

After I used your line, I get 7 warnings (mxtoolbox), when I use my line I only get 4 for the SMTP banner, not sure at this point, maybe need to just back off this for a minute and clear my head, I'll leave the settings over night and see tomorrow (though I think the rDNS is my main problem in the end / I'm guessing at this point though) 

Edited by VladTheGreat


Hold on, I'll check it.

Maybe it's a cache issue on your side. The SPF check on MXToolbox gives me all green. I see you still included secureserver.net, but OK, no big deal, just take care you don't add too much.

Also the mailserver check gives me all green.

These 3 I've seen before too. They are not related to my SPF line.

 

14 hours ago, Black Tiger said:

And when looking around what Dmarc is, it's fastly found that Dmarc relies on spf and dkim, so won't work standalone. 😉

Dmarc is actually a reporting mechanism for both of those. It's also a very useful tool for finding out whether spf and dkim is setup correctly. Dmarc with a policy of none won't block any emails, so essentially allows you to test and get reports on whether your records are configured properly. It's only once it has the reject or filter options set that it informs email providers to take action on incorrectly signed / non-spf server based email. 

3 hours ago, Dll said:

Dmarc is actually a reporting mechanism for both of those.

That's why I wrote it relies on both. I did not want to write the complete technical story, it has little use when there is not even a correct SPF setup and DKIM maybe not possible when the mailserver does not support it.

But your description of it is correct.

