If I have a domain example.com that is using gsuite (DNS settings at registrar has gmail cnames, spf & txt records etc) and I have another service sending on behalf of the domain (Klaviyo). Do the gmail DKIM and DMARC settings help to strengthen the deliverability of those emails sent by the other service (Klaviyo)?
To answer your question: A DMARC reject or quarantine policy helps improve deliverability for all parties that send on behalf of your domain AND properly authenticate by SPF or DKIM, in alignment with your domain.
DKIM consists of a cryptographic key pair. You publish the public key on the Internet and you use the private key to sign headers of your outbound emails. This signing is done on the sending server. So unless Klaviyo is using Google servers to relay your messages, those messages are not being DKIM signed by Google.
You should follow the instructions provided by Klaviyo here, so that the emails you send from their platform, using your email domain, will authenticate properly and will NOT fail DMARC.
Update:
Say you own the domain myexample.com, then you should publish a TXT record at the root of that domain that looks like "v=spf1 include:_spf.google.com ~all". Additionally you can add any other services or servers to this record as you see fit. You don't need to add Klaviyo to your SPF record as they will try to authenticate from the send.myexample.com domain used in the bounce address. That is what you created the first CNAME for. It redirects to an SPF (and MX) record hosted at Sendgrid. Additionally, Klaviyo will authenticate those emails using DKIM.
In order to make DMARC work, you need to publish another TXT record at _dmarc.myexample.com, if you haven't already, looking like: "v=DMARC1;p=none;rua=mailto:DMARC#myexample.com;". Then you'll start receiving aggregate reports at the mailbox you supplied. Once you're confident you've included all required parties in your authentication scheme, you can move to a p=reject policy in order to protect your domain.
Yes, DKIM and DMARC settings do help deliverability.
I assume that Klaviyo does what my company Autoklose is doing as well, and that's using Gmail API to send the email in your name. That means that they only indirectly affect the sending process and the email itself is sent from Google servers and not Klaviyo's servers.
Also, you have to be aware that DKIM & DMARC are only two of the factors in successfully delivering your email. For example, having DKIM & DMARC correctly set gets you positive points but if your domain is blacklisted, it still might not get delivered.
Related
I've bought a domain and I'm hosting Cloudflare as my DNS host. I mainly use this domain for sending emails.
I use Google workspace for receiving and sending emails, but I also use the Sendgrid API to send one automatic email a day from a simple python program (using Sendgrid's python library) I keep running.
I have correctly authenticated my domain in Sendgrid and added the CNAME records to Cloudflare as Sendgrid advises. I have also configured Google correctly with my domain using their info. I've tested both configurations with their tools.
I'm now in the process of adding extra security to my emails. I've configured SPF, DMARC and DKIM using the simple instructions Google provides. Added all the records once again to my DNS provider (Cloudflare) and started to observe my daily DMARC reports.
I'm using URIports (https://app.uriports.com/) to make sense of these reports :P
Apparently, everything is ok with the mails I send from Google. But not ok with the emails sent via Sengrid. The DMARC analysis is the following:
We have received the following report from google.com about 1 message that was received in the following timespan: 02-13 0:00 (24h). This email was received from IP address xxx.xxx.xxx.xxx with hostname something.outbound-mail.sendgrid.net supposedly from <user>#<mydomain>.
DKIM validation passed because at least one signature is valid
Signature 1 for domain <mydomain> passed. The message was signed, and the signature passed verification tests.
Signature 2 for domain sendgrid.info passed. The message was signed, and the signature passed verification tests but the DKIM signature domain sendgrid.info does not align with the Header-From domain <mydomain>.
SPF and DMARC validations are ok.
I confess I'm lost and I'm searching everywhere without success. Can anyone help me understading in what direction to go?
Can it be a problem with the python program?
Many thanks! Cheers!
Gil
To set your mind at ease, your setup is fine! Nothing to worry about.
DKIM is, among other things a reputation tool. SendGrid is adding two signatures to your emails, one for your domain, which will help pass DMARC authentication. And one for their domain / service. This second one is optional from the DMARC perspective, but may improve Inbox delivery.
There are many services that operate in a similar fashion, adding an additional DKIM signature to outbound emails.
I'm using PHP mail() to send an email from my server to two different accounts, one which is my Gmail account, which SPF passes with, and one to an account hosted by my domain provider, which is then forwarded to my Gmail account. That causes SPF to fail because the originating IP is different.
But, there's no way to tell if the email address you send emails to is the recipient, or forwards them elsewhere. So is there any way to allow SPF to pass through any (unknown) relay?
It's unclear exactly what you mean here. Are you using arbitrary From addresses?
Generally, SPF control over email sources is handled in a few different ways:
Authorise your domain provider's servers to send from your domain (i.e. add them to your SPF record)
Hope that your hosting provider's mail servers support SRS, the Sender Rewriting Scheme, which they should
Allow any IP to be a source of email for your domain by adding +all to your SPF record (clearly a bad idea!)
I have an email address forwarding to a gmail account. I then use SMTP to send a response from gmail via the domains SMTP server. This is all set up fine. However some recipients are not receiving the emails? Is there further configuration I need to do on the domain side?
I am told I need to configure the SPF, DKIM and DMARC records but I have no idea what the configuration/values should be?
Having SPF, DKIM and DMARC set up is seldom a prerequisite for having your email delivered. If your email domain and servers have a decent reputation, you won't, generally, run into to much trouble.
However, it is best practice to set up all three, to start authenticating your emails and making it harder for others to impersonate your email domain without authorization. I'll outline the basics for you:
Why Authenticate
Phishing: Email Authentication will make it harder to impersonate your email
domain, without authorization. It (somewhat) protects your colleagues, partners and customers against phishing.
Brand Reputation Protection: Phishing from your domain can harm the reputation of your brand.
Deliverability: Authentication improves deliverability because it's weighed heavily in determining whether or not the email is legit.
DMARC
DMARC will try to find successful authentication for servers sending on your behalf. Specifically, it will look for a Pass on SPF or DKIM, in alignment with the email address (domain) that is being showed to the recipient in his email client. This is known as the Header.From field. (Not to be mistaken with the Sender field, the Reply-To field or Return-Path).
SPF
SPF is basically a list of IP addresses, published as a TXT DNS resource record, listing all servers that are authorized to send email for the domain the record lives in. This does not include subdomains, those require additional SPF records. One of the (many) problems with SPF: Receiving servers need to check the Return-Path email address to lookup the SPF record, instead of the Header.From domain. There is no need for the Header.From email address and the Return-Path address to share any of the domain part, according to the SMTP RFC. Thus where DMARC comes in.
DKIM
Signing an email message with a DKIM private key, requires you to publish a matching public key in the subdomain _domainkey for the domain your signing for. The receiving server will look for d= value and the s= value in the DKIM signature to construct the correct DNS TXT resource record to query, holding the public key. Example d=stackexchange.email s=s1 will result in a DNS query for the TXT record s1._domainkey.stackexchange.email. The same applies here as with SPF: The d= value does not have to match with the domain portion of the Header.From email address.
Unfortunately the configuration and values are very specific, depending on which parties are allowed to send on behalf of your domains, the subdomains you use and how you use them, etc. Especially SPF has a few limits that will make the setup harder.
We have bought the google apps account for the domain www.amarramesh.com hosted by bluehost.com
As per the google apps suggestion, we altered the CNAME records in bluehost for the domain www.amarramesh.com to sync with google apps.
There is an issue when I send the mail through a PHP file stored in my Bluehost server. I tested the email quality through mail-tester.com and it says the DKIM signature is not valid because in the DKIM signature selector = "default" and suggests I should change to "google.domainkey". Due to this, many of the emails sent from the server are going into people's spam boxes. How do I make this change? This problem doesn't happen when email is sent from Gmail.
I have tried Php-mailer and it worked for some time but Bluehost has now blocked it.
Why do you want to send mail from another host if you're using GoogleApps?
DKIM's purpose is to allow remote hosts to authenticate that your mail was really sent by the server(s) you permit to send them. This prevents a spammer from forging your domain name on spam he is sending out. If it wasn't bounced off of servers you authorized in your DKIM DNS record, remote mail servers won't deliver it -- or maybe send it to the spam folder (provided they look at the DKIM header and DNS record).
It does this by putting a private key encrypted header on the mail, and the public key to decrypt it on the DNS record. If it can be decrypted successfully, then it is assumed to be legit (because the sender knew the private key).
This might help if you want to enable mail being sent from both hosts.
https://blogs.msdn.microsoft.com/tzink/2013/04/26/how-to-set-up-your-dkim-records-if-you-are-outsourcing-some-or-all-of-your-email/
From the definition of SPF, SPF only authorizes IP address. For one of our domain name, we have created an SPF record to allow only A and MX IPs as genuine sender. This domain is hosted in a shared-hosting environment along with many other customers.
In such setup, owners of other domains on same host can spoof my emails easily. Is there any way SPF still work?
(correct me if my understanding abt SPF is wrong)
Yes they can spoof them but it would be very very unlikly.
If you are concerned about your personal mails that you send out or automatic mails from any system you provide on said host, you might consider signing them cryptographicaly to enable recipients to check if they are genuine.
I think there techniquies implemented in some mailservers to sign mails automaticly AND there is of course DNS signatures but what the status there is is bejond my knowledge.