DKIM and DMARC set up on dedicated 1and1 server - email

I am having a little trouble figuring out this process. I can manage to get the DNS records set up for the DMARC, DKIM and SPF. I get lost with what I am trying to do with the private key for the DKIM. Currently I am using a dedicated server offered by 1and1.com. If someone can give me a quick walk-through I would really appreciate it.
The website I am currently making sends out scheduled emails plus emails on behalf of users. Some of them are being blocked by Hotmail and other email providers. I understand that adding these protocols will increase the likelihood that the emails reach their intended targets. If there are any other mechanisms that can accomplish this as well, I would greatly appreciate a heads up.
I use the built-in PHP mail method to send emails (I do not want to incorporate a third-party plugin to do something that PHP already does and works pretty well).
Thanks

Yes, you can set DMARC on 1and1. Set:
Type: txt
Prefix: _dmarc
Value: v=DMARC1; p=none; sp=none; rua=mailto:yourmail@hotmail.com; ruf=mailto:yourmail@hotmail.com; rf=afrf; pct=100; ri=86400;
Change the 2 emails
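A record like the one above can be checked before it is published. The following is an added example, not part of the original answer: a small linter for a DMARC TXT value, following RFC 7489. The domains and addresses in SAMPLE are constructed placeholders, and the external-report check is simplified to a suffix comparison.

```python
# Added example (not from the original answer): lint a DMARC TXT value.
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(value):
    """Split 'tag=value; ...' into an ordered dict of lower-cased tag names."""
    tags = {}
    for part in value.split(";"):
        if part.strip():
            name, sep, val = part.partition("=")
            if not sep:
                raise ValueError(f"malformed tag: {part.strip()!r}")
            tags[name.strip().lower()] = val.strip()
    return tags

def lint_dmarc(policy_domain, value):
    """Return findings for the record published at _dmarc.<policy_domain>."""
    tags = parse_dmarc(value)
    names = list(tags)
    findings = []
    if names[:1] != ["v"] or tags["v"] != "DMARC1":
        findings.append("v=DMARC1 must be the first tag")
    if names[1:2] != ["p"] or tags["p"] not in POLICIES:
        findings.append("p= must be the second tag: none, quarantine or reject")
    elif tags["p"] == "none":
        findings.append("p=none is monitoring only: no action is requested on failing mail")
    if "sp" in tags and tags["sp"] not in POLICIES:
        findings.append("sp= must be none, quarantine or reject")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        findings.append("pct= must be an integer from 0 to 100")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            scheme, _, addr = uri.partition(":")
            host = addr.split("!")[0].rpartition("@")[2].lower()
            if scheme.lower() != "mailto" or "@" not in addr:
                findings.append(f"{tag}= {uri!r} is not a mailto: address")
            elif host != policy_domain and not host.endswith("." + policy_domain):
                # Simplification: RFC 7489 compares Organizational Domains.
                findings.append(f"{tag}= host {host} is external; it must publish "
                                f"{policy_domain}._report._dmarc.{host}")
    return findings

# Constructed sample: the answer's tags with placeholder domains and addresses.
SAMPLE = ("v=DMARC1; p=none; sp=none; rua=mailto:reports@example.org; "
          "ruf=mailto:reports@mailbox.example; rf=afrf; pct=100; ri=86400;")

if __name__ == "__main__":
    for finding in lint_dmarc("example.org", SAMPLE):
        print("-", finding)
```

The external-host finding matters when reports are sent to a mailbox at another domain: receivers look for that authorization record before sending reports there.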

You can't set up DMARC or DKIM on 1&1 DNS, they don't allow underscores (_) in sub-domains in their DNS records.
Sorry for the bad news. They are the only hosting provider I know about that doesn't allow underscores (unless something changed recently).
DMARC is easy to set up; just use this DMARC Wizard.
DKIM is something that you need to set up with the email software program you're using to send mail (which you didn't tell us what you're using) - I'm guessing postfix or exim?

Related

DKIM validation warning when sending e-mail from Sendgrid API

I've bought a domain and I'm hosting Cloudflare as my DNS host. I mainly use this domain for sending emails.
I use Google workspace for receiving and sending emails, but I also use the Sendgrid API to send one automatic email a day from a simple python program (using Sendgrid's python library) I keep running.
I have correctly authenticated my domain in Sendgrid and added the CNAME records to Cloudflare as Sendgrid advises. I have also configured Google correctly with my domain using their info. I've tested both configurations with their tools.
I'm now in the process of adding extra security to my emails. I've configured SPF, DMARC and DKIM using the simple instructions Google provides. Added all the records once again to my DNS provider (Cloudflare) and started to observe my daily DMARC reports.
I'm using URIports (https://app.uriports.com/) to make sense of these reports :P
Apparently, everything is ok with the mails I send from Google. But not ok with the emails sent via Sendgrid. The DMARC analysis is the following:
We have received the following report from google.com about 1 message that was received in the following timespan: 02-13 0:00 (24h). This email was received from IP address xxx.xxx.xxx.xxx with hostname something.outbound-mail.sendgrid.net supposedly from <user>@<mydomain>.
DKIM validation passed because at least one signature is valid
Signature 1 for domain <mydomain> passed. The message was signed, and the signature passed verification tests.
Signature 2 for domain sendgrid.info passed. The message was signed, and the signature passed verification tests but the DKIM signature domain sendgrid.info does not align with the Header-From domain <mydomain>.
SPF and DMARC validations are ok.
I confess I'm lost and I'm searching everywhere without success. Can anyone help me understand in what direction to go?
Can it be a problem with the python program?
Many thanks! Cheers!
Gil
To set your mind at ease, your setup is fine! Nothing to worry about.
DKIM is, among other things, a reputation tool. SendGrid is adding two signatures to your emails: one for your domain, which will help pass DMARC authentication, and one for their domain / service. This second one is optional from the DMARC perspective, but may improve Inbox delivery.
There are many services that operate in a similar fashion, adding an additional DKIM signature to outbound emails.
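The report quoted in the question can be reproduced with a short DMARC alignment check. This is an added example, not code from the original posts: it shows that one aligned, verified DKIM signature is enough, and that the unaligned second signature is simply ignored. The names mydomain.example and bounce.mydomain.example are placeholders, and the small PUBLIC_SUFFIXES set is an assumption standing in for the real Public Suffix List.

```python
# Added example: DMARC identifier alignment over several DKIM signatures.
# Assumption: a tiny constructed suffix set replaces the Public Suffix List
# that receivers use to find the organizational domain.
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "example", "co.uk"}

def org_domain(domain):
    """Return the public suffix plus one label (the organizational domain)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """Mode 'r' (relaxed) compares organizational domains; 's' needs an exact match."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_result(from_domain, dkim_sigs, spf, adkim="r", aspf="r"):
    """dkim_sigs: list of (d= domain, verified); spf: (MAIL FROM domain, passed)."""
    notes = []
    dkim_ok = False
    for d, verified in dkim_sigs:
        if not verified:
            notes.append(f"dkim d={d}: signature failed")
        elif aligned(d, from_domain, adkim):
            notes.append(f"dkim d={d}: pass, aligned")
            dkim_ok = True
        else:
            notes.append(f"dkim d={d}: pass, not aligned (ignored by DMARC)")
    spf_domain, spf_passed = spf
    spf_ok = spf_passed and aligned(spf_domain, from_domain, aspf)
    notes.append(f"spf {spf_domain}: {'pass, aligned' if spf_ok else 'no aligned pass'}")
    return ("pass" if dkim_ok or spf_ok else "fail"), notes

# Constructed inputs modelled on the report in the question.
REPORTED = [("mydomain.example", True), ("sendgrid.info", True)]
UNAUTHENTICATED = [("sendgrid.info", True)]  # what it would look like without domain authentication

if __name__ == "__main__":
    print(dmarc_result("mydomain.example", REPORTED, ("bounce.mydomain.example", True)))
    print(dmarc_result("mydomain.example", UNAUTHENTICATED, ("sendgrid.net", True)))
```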

What is the best method for avoiding email blacklists in a VPS that has several websites?

We have a powerful VPS currently hosting various websites. These websites, although they do not spam, have had their IP emails blacklisted in the past. We keep fighting to get the IP delisted because it otherwise affects all websites' email deliverability. It seems too vulnerable that if the IP gets blacklisted then everybody loses business, not being able to contact their clients. I know large websites have strategies to avoid this, not sure how they do it. I would like to know an expert's advice on how to deal with this problem. In summary, what are recommended best practices for business email deliverability when depending on one IP? Or is there such a thing as dynamic IPs? Open to any options to solve this critical problem for us.
There are many steps you can take to ensure that your IP does not get blacklisted in RBLs.
You can assign a unique IP for each website and you can assign the same unique IP for outgoing mails so all the domains will not be affected if the IP gets blacklisted.
Make sure you have enabled SMTP authentication for all the domains.
You can set SPF records for all the websites. You can create an SPF record from the URL below.
http://www.spfwizard.net/
Create Domainkey (DKIM)
Use strong passwords for email accounts, as weak passwords are more prone to getting compromised.
Hope this helps.

How to send email ( in this case external smtp server 'turbo smtp') that doesn't end up in spam on hotmail

We are involved in a project which is designed to gather UK hotel details that our client needs to create a paper guide with the most popular and top rated places in the country.
At the beginning of each year we automatically send emails out to hotel owners in order to ask them to update their hotel details.
Unfortunately, the client reported that some of the hotels never received any of the emails, or that the email ended up in spam, especially in Hotmail mailboxes.
Is there any known approach which could help us to overcome that situation?
One of the solutions we tried was to resign from the local SMTP server and purchase an external SMTP server on turboSMTP, but without effect.
How would you advise us to deal with that problem, or what have you advised to other companies in the past? Surely there must be a way to resolve that problem completely and we would appreciate your prompt help with that.
Sending an email to multiple recipients within the same company may sometimes have that effect. That company’s email firewall often assumes it’s a spam attack.
There's a lot of factors that come into this. Thankfully, by going for an external SMTP relay, you can offload most of the issues to them.
What you can do, is make sure your domain and emails are configured to increase their validity. Two really key things for this:
SPF records
DKIM signing
SPF
SPF is basically a whitelist of IPs that can send email for your domain. SPF records are added to your DNS server. There are plenty of SPF generators online that can help (like this one). Your SMTP provider will also need to be included in your SPF record.
DKIM
DKIM digitally signs your email to verify that it's been sent by an authorised sender. Your SMTP provider will have info on how to set that up (turboSMTP docs).
If you want to explore more, I recommend Jeff Atwood's (co-founder of SO) article on how horrible email is: http://blog.codinghorror.com/so-youd-like-to-send-some-email-through-code/
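How a receiver evaluates the SPF whitelist described above, and why the relay has to be included in it, can be shown offline. This is an added example, not from the original answer: a reduced SPF check_host that handles only the ip4, include and all mechanisms. The domains, the relay's SPF name and the IP addresses are constructed placeholders.

```python
import ipaddress

# Constructed zone data standing in for DNS TXT lookups. Assumptions: the relay
# publishes its SPF at spf.relay.example; all IPs are documentation ranges.
TXT = {
    "hotelguide.example": "v=spf1 ip4:192.0.2.10 include:spf.relay.example ~all",
    "spf.relay.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "norelay.example": "v=spf1 ip4:192.0.2.10 -all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """Evaluate only the ip4, include and all mechanisms of domain's SPF record."""
    record = TXT.get(domain, "")
    if record.split()[:1] != ["v=spf1"]:
        return "none"
    if depth > 10:  # recursion guard; RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            inner = check_host(ip, arg, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"  # an include target must have a usable record
            # Only a nested "pass" matches; the nested -all does not leak out.
            matched = inner == "pass"
        else:
            return "permerror"  # mechanism outside the scope of this example
        if matched:
            return RESULTS[qualifier]
    return "neutral"

if __name__ == "__main__":
    relay_ip = "198.51.100.25"  # constructed address inside the relay's range
    print("relay listed:    ", check_host(relay_ip, "hotelguide.example"))
    print("relay not listed:", check_host(relay_ip, "norelay.example"))
    print("unknown sender:  ", check_host("203.0.113.7", "hotelguide.example"))
```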

Emails not going through properly to a single domain

I've searched all around, made several changes over the past two weeks, and still no luck so here I am.
We just put up a new site, and there are 3 different forms. Each form sends to a different email of theirs, a forwarder that sends to the same email of theirs (I had to make this after I figured out there was a problem with them not receiving emails from the website), and one of our emails.
Currently, they use office 365 for their email. A few days ago I figured out to change the SPF record, so I added the IP of their current website.
Here is the current SPF record:
v=spf1 include:spf.protection.outlook.com ip4:23.229.157.193 a ~all
I'm stumped. I've sent test submissions, and they receive the forward, and I receive it from my email, but the email that it's supposed to be sent to doesn't receive it.
I don't have access to their office 365 account. I tried a different option of sending the emails through swiftmailer, but GoDaddy doesn't allow me to connect to their smtp details, so that's a bust.
Has anyone encountered this problem before and know of a solution? All help is greatly appreciated.
THE SOLUTION:
After hours of calling, I was able to get the problem solved. I should have edited this earlier, but better late than never. In cPanel, there is an area for routing mail. It was set to local, rather than remote. Every email that came through went to the local emails, and since there were none, they were discarded. After changing the option to remote, the emails started flowing through. After the 3rd or 4th call, I reached someone who's actually dealt with this problem because he explained what was happening and the fix in under two minutes, unlike the others. I hope this helps anyone in the future with the same problems I encountered.
If you've configured SPF on your sending smtp server, you can configure a _dmarc DNS record with an email address for the receiving server to send mail reports to...
Better yet, if this 'new' server is not required to be fully operational while you set up everything - you can set the _dmarc record to tell the receiving server to reject anything that doesn't pass the SPF test.
In any case, if you are setting up an email server that will send messages to any outside Internet address, and you have the ability to install software on the server - you should install and configure:
SPF, DKIM, and have a dmarc DNS record.
If you don't have these items, it's very likely much of your site's notification email will end up in the subscribers' spam box, or worse rejected by the receiving server.
Several good websites that have helped me:
unlocktheinbox.com
dmarcian.com
emailsecuritygrader
protodave.com dkim key checker
appmaildev.com domainkeys test
gettingemaildelivered.com

Gmail thinks our email is NOT from the FROM domain and puts it in Spam Folder, how to solve this?

We have a website where we allow you to reset your password (say if you forget your password). This is standard on many websites. Basically you enter your email address which you've used to register on our website, then we send you an email containing an email reset link.
This is all standard stuff. However, the problem is: Gmail somehow thinks this email we send to the user is spam, and puts it in the Spam folder.
The specific message Gmail shows is:
Be careful with this message. Our systems couldn't verify that this message
was really sent by xyz.com. You might want to avoid clicking links or replying
with personal information.
Let me explain how we send the email. We use the company sendgrid.com to deliver the emails. xyz.com is a domain we control. (xyz is a pseudo-name here.)
The email's from address is: do-not-reply@xyz.com
We have changed xyz.com's SPF record to include "sendgrid.com" (and "sendgrid.net" "sendgrid.me").
There's no website associated with xyz.com, however.
My question is: what else can we do to make Gmail believe the email is from the domain xyz.com? So it doesn't put the email in the spam folder?
Thank you.
Did you end up publishing DKIM with Sendgrid? Also, I have a feeling your SPF record isn't quite right as generally there's one official entry per email provider. You mention adding several. I'd recommend looking at their docs for exactly what they recommend publishing in your SPF. Do this for any provider you use for any kind of email.
Since you mentioned Sendgrid as your ESP, here are Sendgrid's instructions. Once you've done the DNS you have to ask Sendgrid to "sign" it. Since DKIM uses cryptography you'll need them to do their side.
DKIM's less complicated than it sounds. The DNS records you have to add will take a few minutes then presumably open a ticket to Sendgrid to have them do their side.
Also, as an aside, could you post what you have for your SPF record here? I don't mean your domain but what the value is? It's not directly causing the problem but it's a key component of email authentication.
Once you've completed SPF and DKIM, it is critical you validate them both. Do a search for SPF validator and DKIM validator to find online tools.