DKIM, SPF, and Dmarc HELP needed!

[rfwilliams777]

Ok, over the past year or so I keep discovering new surprises of DNS entries that I need to have. It started with an SPF record. After finally coming across a website that helped me build the proper SPF record, I tested it. It had said I was fine. But now I am failing.
After doing a mountain of research on how to create a DKIM, I finally had someone literally give me the steps on how to do it. I thought I was a DKIM expert...Now I am failing.
All of which means that now I just discovered today a new thing "dmarc" and because DKIM and SPF are failing, now I cannot get that to work. I am using the newest version of ME Enterprise and Windows DNS. As a side note, my mail server hosts a number of domains which means hundreds of email accounts. Additionally, I run DNS for not only for my domain, but all the domains I host. So not only will I have to know (or better someone fix) how to fix these issues, but know how I should properly have things for the other domains so they resolve correctly as well. Please Help.
Please do not refer me to blogs, laborious text pages that only a C programmer can understand, or whatever. I need step by step of exactly how to do it right with the necessary options, switches, whatevers added to make it right. You are welcome to test "mail.williamswebsolutions.net" and "mail.boller.com" as the two domains for testing purposes.

[Garre]

Robert,

I know how you feel. I spent quite a bit of time figuring out how to set up all these new email links. The big thing is that you will have to set them up in the 'Host Records" file for each domain at your registrar. Each of the three files are added as a txt file under each domain. The spf file is just a txt file entry, but the DKIM and Dmarc txt files require a host header name identifying that they are either a DKIM txt file or Dmarc file.

--------
SPF
example of a spf txt file for a given domain: v=spf1 ip4:thedomainIP1 ip4:thedomainIP2 ip4:thedomainIP3 ~all

You need to add all the IP addresses that the domain will be sending from, thus the 3 different IP's . Use as many as you need.
----------
DKIM
example of DKIM txt file: v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCcTyUxQRQKKhSCCaBvXo+JQvLkOcXqPC/HW1zpRK6CxXGjSEQ1xHk1K0O7m8RdDmS5n15d7vJAGaL/OKsriND1jLfFOhjiCfZkjU0JpB8q/zJMOkCeQHUKDUnWJyu1b1sF0hY5T5tYPfKyxbYlwoMTPxFrg3UznZ9/y3dYq6JoBwIDAQAB;

You will need to add a host header to the txt file that looks like this: yourdomainwithoutextension._domainkey

Also don't forget to turn on the DKIM function inside MailEnable.
---------
Dmarc
example of dmarc txt file: v=DMARC1; p=none; rua=mailto:youremail@yourdomain

You will need to add a host header to the txt file that looks like this: _dmarc

Each major domain will then send you a Dmarc report of your email traffic telling you how your system is working. There are website that will tell you how to interpret the file, but the file is relatively simple to understand.
----------------------------
You do not need a program to generate the SPF or Dmarc files, just add the information as outlined.
However you will need a external program to generate the DKIM txt file. Try this utility:

https://www.socketlabs.com/domainkey-dk ... on-wizard/

Enter the full domain name with extension in the "Domain" field.
Enter the domain name without the extension in the "Selector" field.

Then add the results to the txt file in the host records.
--------------
Your can then test your system with the test found at this URL:
https://www.had-pilot.com/py/had.html

Good luck,

Garre

[Garre]

Robert,

You will also have to setup the out going DKIM file for each domain inside MailEnable to match the "Selector" and txt file information you put in and received from the DKIM utility. Set the information into the outgoing DKIM file as outlined in the MailEnable documentation below.

http://www.mailenable.com/documentation ... ys%29.html

Garre

[Garre]

Robert,

After I gave you the information on how to setup SPF, DKIM, and Dmarc, I thought I would help you by giving my interpretation of how these items actually work. As an engineer, I wanted to try and understand how these items work. This is my best interpretation from what I could gather from my internet research and trial and error working with them.

SPF:
The SPF file is a text file that is added to the domain host file. It identifies which IP addresses that your domain will use to send and receive email. This file is only setup inside the domain host file. You do not have to do anything inside of Mailenable except to identify if you want to use it as a check for incoming valid SPF email. This check doesn't use your outgoing domain host file text file in any way.

My experience with SPF by itself is not very effective. Since spammers have access to the domain host file they can easily setup a list of IP addresses being used by the email server. I use Spamassassin as my SPAM checker. Spamassassin normally gives negative points to domains passing a SPF test. My experience is that many spammer pass the SPF check, so I actually give a positive value to my SPF check in Spamassassin.

DKIM:
DKIM is a more sophisticated in that you have an identical text file inside your domain host file and also inside of your domain postoffice in Mailenable. This check then verifies that the email you are sending contains the same information inside the email and within the domain host file. Since most Spammers don't have access to their email server it is a better check to verify that the email is coming from a valid email server and it is not SPAM.

The DKIM text file is generated by an on-line utility that uses two keys. These keys are your "domain name" and a "selector" name. These two keys generate the DKIM text file. Inside the domain host file you add a "host header" identifying the "selector code and that the associated text file is a DKIM file. This "selector" name and the DKIM text file must also be placed inside the Mailenable domain postoffice.

Dmarc:
The Dmarc text file contains your your maintenance email account. Th text file goes only within the domain host file. The text file needs to have a host header that identifies the text file as a Dmarc email address.

The major email providers then send the Dmarc email account a report when your email server sends them email. This Dmarc report tells you if the SPF and DKIM conditions were met from the email they received from your domain. A "pass" means that everything was OK. If however someone is trying to spoof your domain (or your setup files are incorrect) you will get an "fail" report that says that they received and email from your domain and the IP address of the spoofed email. This gives you information to help you fight the illegal email or to correct a bad setup.

I hope that this will help you setup these items.

Again - Good Luck,

Garre

[SamiSam]

Hey guys,

I have a question.. We can't figure out how to configure spf and dkim properly for the life of us.. We have a client that is hurting real bad from having to use an online booking tool (that's very important to their business) coupled with their mailservers and Infusionsoft servers.

Is there anyone that provides this type of assistance even if it's paid? We really need the assistance if possible.

Thank you

[hifall]

For those who stumble upon this old thread because they are having issues implementing SPF/DKIM/DMARC, there is a nice self-contained article on this very topic from DMARCLY: How to Implement DMARC/DKIM/SPF to Stop Email Spoofing/Phishing: The Definitive Guide.

It covers the basics of SPF/DKIM/DMARC, and offers actionable steps for a full implementation.

Check it out: https://dmarcly.com/blog/how-to-impleme ... tive-guide.

If anyone is interested in paid service, we can offer that too. Simply reach out to us at: https://dmarcly.com/services.