I'm sending e-mails using the API provided by Mandrill/Mailchimp and trying to authenticate e-mails by adding the SPF and DKIM records for sending domains.
I have done everything according to the Mandrill documentation.
For the SPF record everything is going smoothly, but for DKIM record authentication Mandrill is having some difficulties:
http://grab.by/JkQs
And consequently Mandrill overwrites the 'from' headers of e-mails:
http://grab.by/JkQC
Has anyone faced a similar problem, and could someone please help me work around the issue?
P.S. After testing with a third-party DKIM validator (http://dkimcore.org/tools/keycheck.html) I got a message: 'This is a valid DKIM key record'.
Related
I've bought a domain and I'm using Cloudflare as my DNS host. I mainly use this domain for sending emails.
I use Google workspace for receiving and sending emails, but I also use the Sendgrid API to send one automatic email a day from a simple python program (using Sendgrid's python library) I keep running.
I have correctly authenticated my domain in Sendgrid and added the CNAME records to Cloudflare as Sendgrid advises. I have also configured Google correctly with my domain using their info. I've tested both configurations with their tools.
I'm now in the process of adding extra security to my emails. I've configured SPF, DMARC and DKIM using the simple instructions Google provides. Added all the records once again to my DNS provider (Cloudflare) and started to observe my daily DMARC reports.
I'm using URIports (https://app.uriports.com/) to make sense of these reports :P
Apparently, everything is ok with the mails I send from Google. But not ok with the emails sent via Sendgrid. The DMARC analysis is the following:
We have received the following report from google.com about 1 message that was received in the following timespan: 02-13 0:00 (24h). This email was received from IP address xxx.xxx.xxx.xxx with hostname something.outbound-mail.sendgrid.net supposedly from <user>@<mydomain>.
DKIM validation passed because at least one signature is valid
Signature 1 for domain <mydomain> passed. The message was signed, and the signature passed verification tests.
Signature 2 for domain sendgrid.info passed. The message was signed, and the signature passed verification tests but the DKIM signature domain sendgrid.info does not align with the Header-From domain <mydomain>.
SPF and DMARC validations are ok.
I confess I'm lost and I'm searching everywhere without success. Can anyone help me understand in what direction to go?
Can it be a problem with the python program?
Many thanks! Cheers!
Gil
To set your mind at ease, your setup is fine! Nothing to worry about.
DKIM is, among other things, a reputation tool. SendGrid is adding two signatures to your emails, one for your domain, which will help pass DMARC authentication. And one for their domain / service. This second one is optional from the DMARC perspective, but may improve Inbox delivery.
There are many services that operate in a similar fashion, adding an additional DKIM signature to outbound emails.
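The alignment rule the report applies, as an added example (not part of the original answer and not SendGrid's or Google's code): DMARC passes when SPF or at least one DKIM signature both passes and aligns with the Header-From domain. Here example.com stands in for <mydomain>, the bounce subdomain is hypothetical, and the organizational domain is approximated by the last two labels instead of the Public Suffix List.

```python
# Added example: DMARC identifier alignment (RFC 7489, section 3.1).
# Assumption: the organizational domain is approximated as the last two
# labels; a real evaluator uses the Public Suffix List.

def org_domain(domain):
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)

def dmarc_evaluate(from_domain, spf, dkim, adkim="r", aspf="r"):
    """spf: (result, mail_from_domain); dkim: list of (result, d_domain)."""
    spf_result, mail_from = spf
    spf_ok = spf_result == "pass" and aligned(mail_from, from_domain, aspf)
    dkim_report = [
        {"d": d, "result": r, "aligned": aligned(d, from_domain, adkim)}
        for r, d in dkim
    ]
    dkim_ok = any(s["result"] == "pass" and s["aligned"] for s in dkim_report)
    return {"spf_aligned_pass": spf_ok, "dkim_aligned_pass": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
            "signatures": dkim_report}

# Constructed sample modelled on the report above; example.com stands in
# for <mydomain>, em1234.example.com is a hypothetical bounce subdomain.
SENDGRID_MSG = dict(
    from_domain="example.com",
    spf=("pass", "em1234.example.com"),
    dkim=[("pass", "example.com"), ("pass", "sendgrid.info")],
)
# Constructed contrast: only the provider's own identifiers authenticate.
PROVIDER_ONLY_MSG = dict(
    from_domain="example.com",
    spf=("pass", "sendgrid.net"),
    dkim=[("pass", "sendgrid.info")],
)

if __name__ == "__main__":
    for name, msg in (("two signatures", SENDGRID_MSG),
                      ("provider only", PROVIDER_ONLY_MSG)):
        verdict = dmarc_evaluate(**msg)
        print(name, "->", verdict["dmarc"], verdict["signatures"])
```

The second sample shows why the unaligned sendgrid.info signature is harmless but not sufficient on its own: every check passes, yet nothing aligns with the Header-From domain.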
We've used Mailgun for 8+ years for inbound email routing, and always noticed lots of emails ended up in our spam folder(s).
After speaking to the Google team, it turns out that Mailgun is simply not compatible with Gmail when using inbound routes as it doesn't "relay" emails, but rather re-sends them modifying the headers.
This causes all emails to fail SPF! This means a certain (often large) % of your emails will end up in the spam folder for no good reason.
From Google:
"We've identified that Mailgun is re-sending those emails, while Google is expecting for those emails to be relayed. Re-sending emails causes the SMTP sender to change to [redacted]. What happens then is SPF is checked for [redacted]. Inbound gateway is telling to ignore Mailgun's IP address, so the previous one is being used instead. This would cause all emails to fail SPF.
In this scenario, it's recommended to contact Mailgun and ask them if there's a way to relay those emails, so that SMTP sender would not change."
Mailgun Response:
"Unfortunately, there isn't much that can be done to prevent this as this is how our Routes work"
Any solutions?
Has anyone managed to work around this issue?
Or does anyone have a fully-featured recommended alternative to Mailgun Routes?
If I have a domain example.com that is using gsuite (DNS settings at registrar has gmail cnames, spf & txt records etc) and I have another service sending on behalf of the domain (Klaviyo). Do the gmail DKIM and DMARC settings help to strengthen the deliverability of those emails sent by the other service (Klaviyo)?
To answer your question: A DMARC reject or quarantine policy helps improve deliverability for all parties that send on behalf of your domain AND properly authenticate by SPF or DKIM, in alignment with your domain.
DKIM consists of a cryptographic key pair. You publish the public key on the Internet and you use the private key to sign headers of your outbound emails. This signing is done on the sending server. So unless Klaviyo is using Google servers to relay your messages, those messages are not being DKIM signed by Google.
You should follow the instructions provided by Klaviyo here, so that the emails you send from their platform, using your email domain, will authenticate properly and will NOT fail DMARC.
Update:
Say you own the domain myexample.com, then you should publish a TXT record at the root of that domain that looks like "v=spf1 include:_spf.google.com ~all". Additionally you can add any other services or servers to this record as you see fit. You don't need to add Klaviyo to your SPF record as they will try to authenticate from the send.myexample.com domain used in the bounce address. That is what you created the first CNAME for. It redirects to an SPF (and MX) record hosted at Sendgrid. Additionally, Klaviyo will authenticate those emails using DKIM.
In order to make DMARC work, you need to publish another TXT record at _dmarc.myexample.com, if you haven't already, looking like: "v=DMARC1;p=none;rua=mailto:DMARC@myexample.com;". Then you'll start receiving aggregate reports at the mailbox you supplied. Once you're confident you've included all required parties in your authentication scheme, you can move to a p=reject policy in order to protect your domain.
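A lint for the two TXT records described in this answer, as an added example that is not part of the original answer. The function names are hypothetical, and the SPF lookup count covers only top-level terms, not lookups nested inside an include.

```python
import re

def parse_dmarc(txt):
    """Parse a DMARC TXT record into (tags, problems)."""
    pairs = [p.strip() for p in txt.strip().strip('"').split(";") if p.strip()]
    tags, problems = {}, []
    for i, pair in enumerate(pairs):
        key, sep, value = pair.partition("=")
        key, value = key.strip().lower(), value.strip()
        if not sep:
            problems.append(f"malformed tag: {pair!r}")
            continue
        if i == 0 and (key, value) != ("v", "DMARC1"):
            problems.append("record must start with v=DMARC1")
        tags[key] = value
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    for uri in filter(None, tags.get("rua", "").split(",")):
        uri = uri.strip()
        if not re.fullmatch(r"mailto:[^@\s,!]+@[^@\s,!]+(![0-9]+[kmgt]?)?", uri):
            problems.append(f"rua is not a mailto: address: {uri}")
    return tags, problems

# Terms that cost a DNS lookup during SPF evaluation (limit is 10 in total).
LOOKUP_TERM = re.compile(r"[+?~-]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)")

def lint_spf(txt):
    """Return problems for an SPF record: version, lookup budget, final 'all'."""
    terms = txt.strip().strip('"').lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["record must start with v=spf1"]
    problems = []
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t))
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    last = terms[-1]
    if last in ("+all", "all"):
        problems.append("'+all' authorises every sender")
    elif not last.endswith("all") and not any(t.startswith("redirect=") for t in terms):
        problems.append("no terminal 'all' mechanism or redirect")
    return problems

# The two records from the answer above (myexample.com is its placeholder).
SPF_RECORD = '"v=spf1 include:_spf.google.com ~all"'
DMARC_RECORD = '"v=DMARC1;p=none;rua=mailto:DMARC@myexample.com;"'

if __name__ == "__main__":
    print(lint_spf(SPF_RECORD))
    print(parse_dmarc(DMARC_RECORD))
```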
Yes, DKIM and DMARC settings do help deliverability.
I assume that Klaviyo does what my company Autoklose is doing as well, and that's using Gmail API to send the email in your name. That means that they only indirectly affect the sending process and the email itself is sent from Google servers and not Klaviyo's servers.
Also, you have to be aware that DKIM & DMARC are only two of the factors in successfully delivering your email. For example, having DKIM & DMARC correctly set gets you positive points but if your domain is blacklisted, it still might not get delivered.
I'm sending very simple transactional emails from SES. They always end up in my Outlook's spam folder. I've enabled DKIM signing.
The email body at the moment is very simplistic, and contains a header, two dates, and a link to sign into the app.
I've attached pics of my SES email and domain settings.
SPF should provide additional verification for emails, if I understand it correctly. SES has its own SPF records in place but I have the same problem with Outlook and spam.
I also tried setting up the 'Mail From Domain' section on Amazon SES, but again, SES emails go to spam in Outlook. https://docs.aws.amazon.com/ses/latest/DeveloperGuide/mail-from.html
It seems the SES server that my emails originate from is on a few blacklists (5 out of 160). Perhaps that has something to do with it.
I can't think of anything else we can do at the moment....
DKIM signing does not guarantee your email won't be flagged as spam. I recommend reading this AWS blog post on the subject.
I made an app using parse, and am using email verification in it. I have a bug where it is not sending email verifications to @yahoo.com & @optonline.net emails. Those are the two I found to not be working. It is working for all other emails.
It says to do the following stuff below, but I am very new to web coding, and so I have no idea how to complete the following tasks. Could someone walk me through them? And if that is not even how I should fix the error, what would be the fix?
To ensure that mail providers don't incorrectly mark emails sent on behalf of your app as spam, we recommend you add DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) records to your DNS records.
Run the following in your terminal: dig +short k1._domainkey.parse.com txt for the most up-to-date DKIM value.
Add the following to your SPF or TXT record: v=spf1 include:parseapps.com ~all