SPF records
(look in DNS section of webdesign.xlsm “preventing email spoofing”)
365 – settings / domains
[in this example, "inspectionsupport.com" sends email on behalf of gfengineers.com. Add this as a txt record to the giles domain]
This allows domain owners to explain who is allowed to send email on their behalf. You can add the ISN to your SPF record for your domain by adding the following include:
include:spf.inspectionsupport.com
Thus, let’s say your SPF record is currently:
v=spf1 include:_spf.google.com ~all
After the update it would be:
v=spf1 include:_spf.google.com include:spf.inspectionsupport.com ~all
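The include update above as an added example (not part of the original notes; `add_include` and `lint` are hypothetical helper names). It inserts the new include ahead of the final `all` term and flags a `+all` or `~all` ending; the lookup count covers only the top-level record, not nested includes.

```python
SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying terms
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists")


def split_terms(record):
    """Return the SPF terms after the version tag; reject non-SPF TXT values."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    return terms[1:]


def is_all(term):
    """True for all, +all, -all, ~all and ?all."""
    return term.lower().lstrip("+-~?") == "all"


def add_include(record, sender_domain):
    """Insert include:<sender_domain> before the 'all' term (idempotent)."""
    terms = split_terms(record)
    new = "include:" + sender_domain
    if new.lower() not in [t.lower() for t in terms]:
        idx = next((i for i, t in enumerate(terms) if is_all(t)), len(terms))
        terms.insert(idx, new)
    return " ".join(["v=spf1"] + terms)


def lint(record):
    """Return findings about the record's 'all' term and its lookup count."""
    terms = split_terms(record)
    findings = []
    alls = [t.lower() for t in terms if is_all(t)]
    if not alls:
        findings.append("no 'all' term")
    elif alls[-1] in ("all", "+all"):
        findings.append("+all authorizes every server on the internet")
    elif alls[-1] == "~all":
        findings.append("~all is softfail: unlisted senders are marked, not failed")
    lookups = 0
    for t in terms:
        name = t.lower().lstrip("+-~?").split(":")[0].split("/")[0]
        if name in LOOKUP_MECHS or name.startswith("redirect="):
            lookups += 1
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append("%d DNS-querying terms (limit 10)" % lookups)
    return findings
```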
Thank you for the clarification. The Email Deliverability section in WHM relates to the hostname of the server host.digitalinfocloud.com. The respective SPF and DKIM records have been added to the DNS zone of host.digitalinfocloud.com; however, these will need to be added at your registrar for the records to be properly seen by the internet due to the server having no authority over the DNS of the domain.
—
$ dig host.digitalinfocloud.com txt @170.249.236.223 +short
"v=spf1 +mx +a +ip4:170.249.236.223 ~all"
$ dig default._domainkey.host.digitalinfocloud.com txt @170.249.236.223 +short
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoGrwDg/jJ1U6gmNSxqbElW8+KuZ8cXRSqMh60Jipcb8+YYK6aVZiQoZZ8bpAm8wcIXnRRKLhCn2ng6QSURQzzw0gRMTmh9Fp4CDO0R+OLoLh8e/PQrPArvYpVNRt+Li+n7xpll/10/qwF/Ma+X1yYYlLFeoT3eKrsrxeSlBU/GeYM3NUhVnaAQ3WPGfzvb2bD" "f32Jkrffs4MRiQkxI16VlJoPiewuh57s31ROogssruVVjmQEdKe8T6asZLwNfFXTTenl+JHRDaTAk7v53R+b++wGtUAAcfu6xrEq9UJAXrgUF4x8iiZxr+bEcxu2BbvlCS2gWla4++3knb3ATv3fwIDAQAB;"
—
Preventing email spoofing
mxtoolbox.com to validate ("email health"); mxtoolbox: analyze header (copy from gmail)
if soa
SPF (TXT record, host @; openspf.org; usually get from microsoft for 365)
all servers authorized to send mail on your behalf
v=spf1 include:spf.protection.outlook.com -all
(need -all, make sure not +all)
v=spf1 include:spf.myconnectwise.net include:spf.protection.outlook.com ~all
guarantees should only come from your email server
if you want any domain's mail servers to be able to send on your behalf
DKIM
doesn't encrypt, just validates sender to minimize email spoof
makes sure message isn't changed from source to destination. Uses keys
(set up alias "dnsdmarc@digital-info.com" as alias for me for these reports)
365 / security / policies&rules / threat policies / email authentication settings / DKIM / click on domain / create keys if not already created
enable "sign msgs with dkim"
this gives an error that gives 2 cname records that you need to add to dns
dns:
type: CNAME
name: selector1._domainkey, selector2._domainkey
value: (copy from error message in 365 when turned it on), for example selector1-stallsmedical-com._domainkey.stallsmedical.onmicrosoft.com
it usually takes several hours after adding cnames before 365 dkim enable will work
365 / turn on later when don't get error
once can enable: send to gmail and show header, dkim should be good
dkimvalidator.com: use the address to send a message to, a few minutes view results; look for dkim & spf "pass"
check dkim: https://mxtoolbox.com/dkim.aspx
https://mxtoolbox.com/dmarcrecordgenerator.aspx: then say "check DMARC" and it lets you create one
DMARC
domain-based message authentication reporting & conformance; sends you reports on who sends on your behalf
(need spf set up first)
dnschecker.org / _dmarc.stallsmedical.com
TXT
v=DMARC1;p=reject; (or p=quarantine)
this tells destination mailserver what to do with email that doesn't come from your spf server
if netsol says "already have dmarc", use classic view
netsol: this is txt record "other host", ttl 1 hr
Host: _dmarc
Value: v=DMARC1;p=quarantine;rua=mailto:dnsdmarc@anniengo.us;ruf=mailto:dnsdmarc@anniengo.us;
or: v=DMARC1;p=reject;rua=mailto:dnsdmarc@anniengo.us;ruf=mailto:dnsdmarc@anniengo.us;
(this is all you need)
sends to you when someone send email on your domain
reports are sent to anniengo
anniengo.us needed this DNS to accept reports
TXT
host: stallsmedical.com._report._dmarc.anniengo.us
value: v=DMARC1
TXT (subdomains)
host: *.stallsmedical.com._report._dmarc.anniengo.us
value: v=DMARC1
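The report-authorization records above, worked out from the DMARC policy itself, as an added example (not part of the original notes; function names are hypothetical). It parses the `rua`/`ruf` addresses and returns the TXT names the receiving domain has to publish with value `v=DMARC1`; as a simplification it compares domains by exact or subdomain match rather than by organizational domain.

```python
def parse_dmarc(record):
    """Parse 'tag=value;' pairs; the v=DMARC1 tag must come first."""
    pairs = [p.strip() for p in record.strip().strip('"').split(";") if p.strip()]
    tags = []
    for p in pairs:
        if "=" not in p:
            raise ValueError("malformed tag: %r" % p)
        key, value = p.split("=", 1)
        tags.append((key.strip().lower(), value.strip()))
    if not tags or tags[0] != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    return dict(tags)


def report_domains(tags):
    """Domains of every mailto: URI listed in rua and ruf."""
    out = set()
    for key in ("rua", "ruf"):
        for uri in tags.get(key, "").split(","):
            uri = uri.strip()
            if uri.lower().startswith("mailto:") and "@" in uri:
                addr = uri[len("mailto:"):].split("!")[0]  # drop optional size limit
                out.add(addr.rsplit("@", 1)[1].lower().rstrip("."))
    return out


def external_auth_records(policy_domain, record):
    """TXT names the report receivers must publish (RFC 7489 section 7.1)."""
    policy_domain = policy_domain.lower().rstrip(".")
    names = []
    for dom in sorted(report_domains(parse_dmarc(record))):
        # Simplification: exact or subdomain match, not organizational domain.
        if dom == policy_domain or dom.endswith("." + policy_domain):
            continue  # reports stay inside the policy domain, nothing to publish
        names.append("%s._report._dmarc.%s" % (policy_domain, dom))
    return names
```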
Any domain that would be sending from the server would have the same SPF record:
v=spf1 +mx +a +ip4:170.249.236.223 ~all
Any domains using the IP 170.249.232.173 can have this SPF record instead:
v=spf1 +mx +a +ip4:170.249.236.223 +ip4:170.249.232.173 ~all