Showing posts with label spf. Show all posts
Showing posts with label spf. Show all posts

Thursday, November 10, 2022

[FIXED] How to configure SPF and DKIM to prevent mail going to spam folder

      , , , ,      No comments   

Issue

x-store-info:4r51+eLowCe79NzwdU2kR0zqpsRfiBoycNOl1Rdc4Wf7430jtHWQcYIrKJBAYArutl6yTQ5VQNWAmHikfoeKC6OfxZYs5RQXt5EONp5Fb+tgLbPo7J+jhd2D/FrCdQyzXUlVTtfPnBo=
Authentication-Results: hotmail.com; spf=softfail (sender IP is 184.168.200.138) smtp.mailfrom=no-reply@.com; dkim=none header.d=.com; x-hmca=fail header.id=no-reply@.com
X-SID-PRA: no-reply@.com
X-AUTH-Result: FAIL
X-SID-Result: FAIL
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtHRD0yO1NDTD00
X-Message-Info: 3c21WZ1hAlvCXlgKMA/ssa/7uuyagef91LCbCD/6jerOOAesLoOF4khK55lv2648aOXN6IForiFWbNDXvt/F9pKgiEmQYyMILkICTpe+/i4pqZfOZymIYT4r8X/NfvkTbHXIijHuSgajahEKBV0qUiO6J/PlRheu+fHREz1zY9V0xz2tq5KTm2vBIQsSTbcG/VCzyglz1h9bRD91eSWpB+xt4cfKRwkgKlCJsJhnftc=
Received: from p3nlsmtpcp01-01.prod.phx3.secureserver.net ([184.168.200.138]) by SNT004-MC2F6.hotmail.com with Microsoft SMTPSVC(7.5.7601.22751);
     Wed, 26 Nov 2014 15:19:28 -0800
Received: from p3plcpnl0474.prod.phx3.secureserver.net ([50.62.176.1])
    by p3nlsmtpcp01-01.prod.phx3.secureserver.net with : CPANEL :
    id LPHH1p01e02B8ka01PHHME; Wed, 26 Nov 2014 16:17:17 -0700
Received: from kumani11 by p3plcpnl0474.prod.phx3.secureserver.net with local (Exim 4.84)
    (envelope-from <no-reply@.com>)
    id 1Xtlrr-0002Gt-Tx
    for *EMAIL*@live.co.uk; Wed, 26 Nov 2014 16:19:27 -0700
To: Neil <*EMAIL*@live.co.uk>
Subject: Ad Reply on
X-PHP-Script:.com//adreply.php for 5.151.130.2
Date: Wed, 26 Nov 2014 23:19:27 +0000
From: <no-reply@.com>
Reply-To: <no-reply@.com>
Message-ID: <d6832c41b94a8dcf73b6660427bfbd46@.com>
X-Priority: 1
X-Mailer: PHPMailer 5.2.4 (https://github.com/Synchro/PHPMailer/)
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="b1_d6832c41b94a8dcf73b6660427bfbd46"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - p3plcpnl0474.prod.phx3.secureserver.net
X-AntiAbuse: Original Domain - live.co.uk
X-AntiAbuse: Originator/Caller UID/GID - [940112 956] / [47 12]
X-AntiAbuse: Sender Address Domain -.com
X-Get-Message-Sender-Via: p3plcpnl0474.prod.phx3.secureserver.net: authenticated_id: kumani11/from_h
X-Source: 
X-Source-Args: /usr/sbin/proxyexec -q -d -s /var/run/proxyexec/cagefs.sock/socket /bin/cagefs.server 
X-Source-Dir:.com:/public_html/
Return-Path: no-reply@.com
X-OriginalArrivalTime: 26 Nov 2014 23:19:28.0495 (UTC) FILETIME=[6CFA07F0:01D009CF]

--b1_d6832c41b94a8dcf73b6660427bfbd46
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When creating a mail with PHPMailer my emails are getting sent to the spam folder of my recipients mailbox

I have been told I need to configure my SPF and DKIM correctly, I think I have done this already on my GoDaddy account for SPF - @ v=spf1 a mx ptr include:secureserver.net ~all

Has anyone else got any ideas why my mail might be going to spam? Have I missed out any headers that you can tell?


Solution

Your SPF record is v=spf1 a mx ptr include:secureserver.net ~all

This allows sends from:

  • a → domain.com host (23.229.191.2)
  • mx ➜ mail.domain.com. (a CNAME for domain.com, so 23.229.191.2 too)
  • ptr → Any ip matching your domain when doing a reverse lookup. As 184.168.200.138 is p3nlsmtpcp01-01.prod.phx3.secureserver.net, it doesn't match your domain.
  • include:secureserver.net → include secureserver.net email policy, which is

v=spf1 ip4:207.200.21.144/28 ip4:12.151.77.31 ip4:69.64.33.132 ip4:68.233.77.16 ip4:184.168.131.0/24 ip4:173.201.192.0/24 ip4:182.50.132.0/24 ip4:170.146.0.0/16 ip4:174.128.1.0/24 ip4:173.201.193.0/24 include:spf-ss1.domaincontrol.com -all

in turn including spf-ss1.domaincontrol.com:

v=spf1 ip4:174.128.7.0/24 ip4:206.252.132.65 ip4:24.75.14.201 ip4:144.202.243.25 ip4:68.232.128.0/19 ip4:216.55.155.13 ip4:216.55.162.41 ip4:195.246.112.0/24 include:spf-ss2.domaincontrol.com include:spf.messaging.microsoft.com -all

and spf.messaging.microsoft.com

v=spf1 ptr:protection.outlook.com ptr:messaging.microsoft.com ptr:o365filtering.com -all

The sending ip 184.168.200.138 is not on any of those ranges. Thus SPF verification fails.

It's odd that 184.168.200.138 isn't listed on the secureserver.net spf. It could be a mistake, or maybe they don't intend users to include their policy on their domains, and thus only list their own email-sending ips, and not user servers.

How to make spf pass? The simplest way is to explicitely list the sending ip:

ip4:184.168.200.138

However, given that your server ip could change unexpectedly you may also want to allow all secureserver.net hosts with

ptr:secureserver.net

In summary, I would use the following p

v=spf1 a mx ip4:184.168.200.138 ptr:secureserver.net ~all

I have removed ptr (since you don't seem to have a dedicated ip whose reverse dns you could set) and the include:secureserver.net that wasn't working.



Answered By - Ángel
Answer Checked By - Terry (PHPFixing Volunteer)

Wednesday, November 9, 2022

[FIXED] How do I setup SPF to Pass for Mailchimp, SES and EC2 so that DMARC doesn't partially failing due to misalignment

      , , , ,      No comments   

Issue

One of my websites sends emails from various sources including:

  • Mailchimp
  • Mandrill
  • Mailgun
  • Amazon SES
  • From the server itself

We have correctly configured SPF & DKIM settings for all of the sources so we decided to add DMARC too and at the same time we changed ?all to -all.

All of our emails have been going through just fine but we've noticed our Mailchimp emails are "SPF Incapable" and as such don't fully pass.

Most email clients / accounts show that DMARC has passed, however DMARCian & a few email clients throw up DMARC Fail-alignment

For example:

enter image description here

DMARC.io does however say the following:

SPF: SPF is not possible as MailChimp uses their own domain in the bounce address. Their domain authentication verification tool requires including Mailchimp, though. To work-around this without having to include Mailchimp servers, try including only 'ip4:205.201.128.0/20 ip4:198.2.128.0/18 ip4:148.105.8.0/21' in your SPF record.

So, I added those to my SPF however it still shows:

enter image description here

All of the following IP's are all covered by those CIDR notations so I am unable to work out why the SPF is still misaligned for SPF, but it fixes DKIM...

  • 198.2.185.161
  • 198.2.185.245
  • 198.2.141.4
  • 198.2.175.233
  • 198.2.185.245
  • 198.2.142.122

I did find the following on stackoverflow: https://stackoverflow.com/a/50471866/2487602 however that seems to be slightly wrong in advice because the bounce server is nearly always different. They've got hundreds of servers.

My SPF looks like:

v=spf1 +a +mx +ip4:94.237.30.75 +ip4:94.237.30.85 +ip4:94.237.30.86 +ip4:94.237.30.87 +ip4:54.77.177.67 +ip4:34.246.233.211 +ip4:52.18.62.128 +ip4:34.241.119.225 +ip4:205.201.128.0/20 +ip4:198.2.128.0/18 +ip4:148.105.8.0/21 include:servers.mcsv.net include:spf.mandrillapp.com include:mailgun.org include:amazonses.com -all

What have I done wrong/can I improve in order to get the SPF aligned?

On a side note, I assume for the first 4 IP's I could just use: +ip4:94.237.30.75/28 which would include those 4 IP's as well as a 14 or so other IP's which isn't really that risky is it especially when they won't have DKIM and as a result DMARC passing? To make it a little more secure I could just reduce those 4 records down to +ip4:94.237.30.75 +ip4:94.237.30.85/30 which would only include 1 IP that we don't use.

I do also want to send emails via EC2, rather than SES for some emails (potentially to replace Mailgun/SES) however when we send emails from those servers they get sent to spam for not having a reverse DNS.

I assume, the fix for that would be to request a PTR record to be setup by Amazon for the 3x EC2 instances that we use?

I did request one of these before, but I wasn't sure if it is supposed to be pointing to my main website's IP or the IP of the server that it's sending the emails from...

As for SES, even after adding the SPF include and the DKIM record, our SPF record shows "Neutral" rather than "Pass" for example the following is from the "Test Email" feature for SES/EC2

  • SPF: NEUTRAL with IP 54.240.7.46

So to recap...

  1. How do we make Mailchimp fully pass on SPF so that DMARC is aligned
  2. How do we correctly setup a PTR record for a reverse dns, should the subdomain be pointing to the server it sent the email from or the server of the main domain?
  3. How do I get Amazon SES to throw a SPF Pass, rather than SPF Neutral?

Solution

  1. You can't. The answer in the thread you mentioned is correct. Mailchimp will set the bounce address to its own domain. So adding the ranges to your own SPF record will not change anything (SPF is checked on the bounce address, not the header.from address). While you're not authenticating fully redundantly, you're still passing DMARC and it should not impact reputation for your domain (or nobody would be using MailChimp).
  2. Only the owner of the IP address can set the PTR record in DNS. It should point to the name of the server sending the emails, preferably the name in the EHLO/HELO. This thread has the correct answer, I think, though I've never set it up personally.
  3. What is the bounce address domain used in your AmazonSES emails? Did you set up a Custom MAIL FROM address as explained here? A Neutral result is usually returned for an SPF record ending in ?all and not passing on anything that is on the left of it. Another thing that might be happening (if the SPF Domain is your own domain) is that you're hitting the "characters-per-string limit" for DNS TXT records. If you haven't cut the record up in at least 2 strings, the check might not get executed beyond the Mailchimp include. And with the absence of an all modifier (not evaluated), it defaults to neutral. You can see what your SPF record looks like with any lookup tool, but querying your domain with https://dns.google.com for TXT records should show you (escaped) double quote (") marks for where the string has been cut. As an example you can check this SPF record to see what it looks like: […]ip4:185.211.120.0\"\"/22 ip4:185.250.236.0/22[…]

One last thing to note is that you're close to the DNS lookup limit. It looks like you're at 8 lookups already. Beyond 10 lookups will cause the SPF check to result in a PERMERROR



Answered By - Reinto
Answer Checked By - Willingham (PHPFixing Volunteer)

[FIXED] How can I fix the problem with Gmail? Gmail marked email with passed SPF, DKIM and DMARC as spam

      , , , ,      No comments   

Issue

Gmail moves messages to spam folder. PTR records for ipv4 and ipv6 are available. I have the headers: SPF: PASS с IP-адресом 2a05:480:0:992f:0:0:0:2. DKIM: 'PASS', domain drom.com.ua DMARC: 'PASS'

Delivered-To: vostoknefteproduct@gmail.com
Received: by 2002:a9d:522:0:0:0:0:0 with SMTP id 31csp351612otw;
        Fri, 5 Apr 2019 05:26:18 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzWa1UxYEepV1tor3akYHi1DLXojOZnr61fkANdKlbOkDM880aGrAB9RzQdjipusdfEcAVt
X-Received: by 2002:a2e:87d2:: with SMTP id v18mr7262855ljj.4.1554467178382;
        Fri, 05 Apr 2019 05:26:18 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1554467178; cv=none;
        d=google.com; s=arc-20160816;
        b=TTDI9m3Rt73dRkcImzRRAM5n98TJgwNxCnrbvKNVMAIOdrWk/iG+NU2OrR3/vDr7Gp
         fQmPmqt5QyEdZpO1G+He8uYckwETdCQFhVACDVcC5FJ8GWnWsys5p9vbFYzlYh89OZR+
         gFfJkt+lb5z607n03Sr9zMW9HiJVBGKLr+SFCsG8u/AOmZCF9wZtGwaP69E+7b916njn
         WZ+Pz9Q/+DyDKaCOQWrdUlTS5GvrfK/c86/5lA0AjoZN90/Rj+uGlbIROqKUXoLbA/z3
         G9LM9df3a6/kfAZBkzHB3PqCaiUhEKbSrcpLj1gT1fKHZKWOnkqb9hlcYwMX2OcHbpA8
         zTtg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-language:thread-index:mime-version:message-id:date:subject
         :to:from:dkim-signature;
        bh=qI0pd1OCLQLqqFvztD8zxwZ0XJBtraToDzc2t4i88s0=;
        b=uLJIPEtdroC8P6tqoyfOikNhNzEmtmNRGpgoOefyyN/0wdAqExsSoUxZ9UKLL31lST
         AT7J8/ZOEMuGa/wn1dSUHfwRqiZl7d/rxM+AtT2a1PaSSLulOgz9HQDGw1r81QXKnZMI
         XzsGpuPmz9e3apEtczYBM0E3zYjm5Z2ITmpnrk9MluAnEuqE370R/24ixS1W2+EEG4mY
         FXZ6AsImGfZGFr75zc9kLTPgBxa1hxghD0mu6RIACf45b5ljQZQuspj8kRyhw5NX30SA
         FRwg1TwRjm3N+kmaUiDv4M64Y7s1d/PU7Gr4rb33v8Ia/aEOpeFfKLs2NfKmiiuvqBh7
         94vg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@drom.com.ua header.s=dkim header.b=G8nYIwzB;
       spf=pass (google.com: domain of shop@drom.com.ua designates 2a05:480:0:992f::2 as permitted sender) smtp.mailfrom=shop@drom.com.ua;
       dmarc=pass (p=NONE sp=REJECT dis=NONE) header.from=drom.com.ua
Return-Path: <shop@drom.com.ua>
Received: from drom.com.ua (drom.com.ua. [2a05:480:0:992f::2])
        by mx.google.com with ESMTPS id z24si17168655ljj.124.2019.04.05.05.26.18
        for <vostoknefteproduct@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 05 Apr 2019 05:26:18 -0700 (PDT)
Received-SPF: pass (google.com: domain of shop@drom.com.ua designates 2a05:480:0:992f::2 as permitted sender) client-ip=2a05:480:0:992f::2;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@drom.com.ua header.s=dkim header.b=G8nYIwzB;
       spf=pass (google.com: domain of shop@drom.com.ua designates 2a05:480:0:992f::2 as permitted sender) smtp.mailfrom=shop@drom.com.ua;
       dmarc=pass (p=NONE sp=REJECT dis=NONE) header.from=drom.com.ua
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=drom.com.ua ; s=dkim; h=Content-Type:MIME-Version:Message-ID:Date:Subject:To:From:Sender: Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=qI0pd1OCLQLqqFvztD8zxwZ0XJBtraToDzc2t4i88s0=; b=G8nYIwzBB+jpn8qK83ZCo7vu+m AM/RFrxq/PP8dITX1PNXqINAjHPSu2rBVsdE5QTMPDoaHYPbOeC9wFHFMfYspdy/JyQAh4A8hmSNz HgtnwRBVR14Nht8DAqeql7CCrOom0KNS0SQ95dTnOy42/5bFommziwUghHGgzyzjUav4=;
Received: from [176.98.31.190] (helo=DESKTOPV2831BB) by drom.com.ua with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from <shop@drom.com.ua>) id 1hCNvF-0000Rn-J9 for vostoknefteproduct@gmail.com; Fri, 05 Apr 2019 15:26:17 +0300
From: "DROM - служба обработки заказов" <shop@drom.com.ua>
To: <vostoknefteproduct@gmail.com>
Subject: Test title
Date: Fri, 5 Apr 2019 15:26:17 +0300
Message-ID: <005901d4ebaa$c4b3ea80$4e1bbf80$@drom.com.ua>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_005A_01D4EBC3.EA0197B0"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AdTrqr/vXGG/i/4HRdu0LENUGEwBuw==
Content-Language: ru
X-Scanned-By: ClamAV 0.101.1; Fri, 05 Apr 2019 15:26:17 +0300

Where can be the problem? Thanks


Solution

Unfortunately this seems to be business as usual with gmail. Their spam filter seems entirely arbitrary and uncontrollable by recipients - for example adding addresses to your address book, marking messages as "not spam", or repeatedly moving messages from spam to your inbox does not help, and nor does following their guidelines, which include implementing measures such as SPF, DKIM and DMARC, just as you've done. On my own gmail account, I often find messages sent to myself end up in spam!

Their postmaster tools are also broken - this is supposed to provide a feedback mechanism that allows server admins to see why IPs or domains are being blocked or spam filtered, however, it doesn't work properly, and it's very common to see domains & IPs marked as "bad" despite having zero spam reports. There is also no support available for postmaster tools, so you can't even report such problems. It might be worth trying anyway just see what they think of you.

In short, you are entirely at google's mercy - even if you're doing everything that they ask, your messages may still get spam filtered, and you have no recourse.



Answered By - Synchro
Answer Checked By - Dawn Plyler (PHPFixing Volunteer)

[FIXED] How can you verify that an email was sent from the proper domain and that the contents of the email haven't been modified?

      , , , ,      No comments   

Issue

I'm examining my email headers (sent from Gmail) and am wondering which ones are best to verify that an email was sent from the proper domain and that the contents of the email haven't been modified?


Solution

I'll use an example message I received from Stack Overflow to illustrate what you can do to verify a message manually.

SPF isn't a great deal of use after delivery as it's a relatively minor (but important) step of verifying the origin of messages, but it's good to know that it was good at the time, and the headers tell you that. The parts of message content related to delivery are the Return-path header added by the receiver, along with the last Received header that shows where it was received from:

Return-Path: <bounces+3553988-07ba-marcus=example.com@em.stackoverflow.email>
Received: from o1.em.stackoverflow.email (o1.em.stackoverflow.email [167.89.81.234])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)

Looking up this em.stackoverflow.email domain as a TXT record in DNS gives us:

# dig txt +short em.stackoverflow.email
u3553988.wl239.sendgrid.net.
"v=spf1 ip4:167.89.81.234 ip4:167.89.85.72 ip4:168.245.32.199 -all"

and we can see that the 167.89.81.234 IP that appears in the Received header is explicitly listed in the record, so SPF checks out. Other domains might have more complex needs to verify the SPF, e.g. requiring additional DNS lookups for include mechanisms. Significantly, SPF does not even look at the address used in the From header; it can be entirely unrelated to the return path domain.

DKIM is where the real action is. You can use the information in a DKIM-signature header to verify that a message has not been tampered with. For example:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
    d=stackoverflow.email; 
    h=from:subject:to:reply-to:mime-version:content-type; s=s1; 
    bh=IgKJJZNcUhfjH6LDr4XaWr3pBwq6wwxwyrGmf+k3DVo=; b=rR4J7VyvF3i0N
    20IX9bx0LGTKpSKj7XoHJurhBjcZLLTn/hXuZ8OMehfgMNFeXaMljlOz4tfoFwit
    aJ8UtK1oMVCPiv9200hpQViCh/5VsyYbs6k3YN6R3cFxMbrb7nflodXX+4Rp4xBu
    T+CloNFEDICtWJT4bVSrs/NRAUlJWY=

Look at the From header and check that it matches the domain shown in the d field of the DKIM signature, which it does:

From: Stack Exchange <do-not-reply@stackoverflow.email>

The DKIM signature has 2 signature parts: b is a signature for the message body, and bh is a signature for the message headers. The interaction of these is quite tricky. To generate a signature, first of all you calculate the body signature, then you calculate the header signature which includes the body signature, along with the canonicalised message headers listed in the h element except for the actual value of the bh element, because that would present a chicken & egg problem. The bh signature only includes the headers listed because mail servers may add other headers that should not be included, or that are not known at the time of sending, such as Return-path and Received. Stack overflow's signature is unusual in that it does not include the Date header, so the date on a message can be altered without breaking the DKIM signature.

To verify a signature you need the public key it was signed with, which you can get from DNS using the s field, which provides the selector, in this case s1:

# dig txt +short s1._domainkey.stackoverflow.email
s1.domainkey.u3553988.wl239.sendgrid.net.
"k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCyJRzkL/aRo1F1+ChY+Crt2TARqqo7tGATw3fMfzW8MXFWaoW1rSvZsq4k1EIf2iW7gO/QZjU1Td7h1aZpS63/CmpKymmqNbHnnbTxZGvZziKPcL/R2PVL0g88MFcpAuSjIsGysYTeow0mnXQ5W03z5mtWqm5nxNM40A/TIlOegwIDAQAB"

One issue with this signature is that it only uses a 1024-bit key; gmail ignores DKIM signatures with less than 2048 bits, so I would not be surprised if SO has deliverability issues with gmail.

Actually verifying a DKIM signature is a complicated process, especially if it uses the relaxed canonicalisation algorithms (which make the signatures more likely to survive the email journey). I wrote a PHP DKIM validator that you could use to verify your own messages.

The final layer is DMARC which ties SPF, DKIM, and the From address header together. Looking back at the Return-path, we can see that the return path domain is a subdomain of the domain used in the From header. This means that it qualifies for "relaxed" rather than "strict" alignment. We can see SO's DMARC record:

# dig txt +short _dmarc.stackoverflow.email
"v=DMARC1;p=reject;sp=reject;pct=100;rua=mailto:dmarc-aggregates@stackoverflow.com;ruf=mailto:dmarc-forensics@stackoverflow.com;fo=1"

This tells us that SO wants receivers to enforce SPF and DKIM checks strictly, and to reject any messages that do not check out, and they have set up addresses to receive summary and forensic reports of any messages that fail.

There's lots more detail but this isn't really the place for it. There's a good article on it all here.



Answered By - Synchro
Answer Checked By - David Goodson (PHPFixing Volunteer)

[FIXED] How does Sendgrid's automated security works?

      , ,      No comments   

Issue

SendGrid's automated security automate SPF and DKIM by a CNAME record. It even allows to have our own SPF and DKIM records in place directly using Domain Registrar.

How do they do it without collusion with existing SPF and DKIM records in place of domain?


Solution

Why use Automated Security

By using CNAME records provided by Sendgrid, you delegate the ownership of Sendgrid-specific SPF and DKIM records. Whenever they need to make a change (update SPF whitelisted hostname or rotate DKIM keys), they can do it without you having to touch DNS on your end.

It's convenient.

Below is my understanding of how it works for both types of records.

DKIM

You can have multiple DKIM records (public keys) as long as they use different selectors (host names).

Ex. you may already have a DKIM record for Google Workspace (G Suite):

TXT google._domainkey.yourdomain.com "v=DKIM1; k=rsa; t=s; p=MIGM..."

When setting Sendgrid Automated Security, they will provide you with 2 CNAMEs for DKIM managed by them. E.g.

CNAME s1._domainkey.yourdomain.com s1.domainkey.uXXX.wlXXX.sendgrid.net.
CNAME s2._domainkey.yourdomain.com s2.domainkey.uXXX.wlXXX.sendgrid.net.

Selectors do not conflict with Google's and can co-exist.

If you make a DNS lookup of the CNAME you will see a proper DKIM public key:

TXT s1._domainkey.yourdomain.com "v=DKIM1; k=rsa; t=s; p=MIGM..."

SPF

You can have only one SPF TXT record per (sub)domain. Note such record can list multiple IPs/hostnames that are authenticated. With Sendgrid Automated Security, you create a CNAME for a subdomain that points to SG servers. SPF record is hosted under that subdomain.

Ex. you may already have a SPF record for Google Workspace:

TXT yourdomain.com "v=spf1 include:_spf.google.com ~all"

Sendgrid will provide you with a CNAME similar to this:

CNAME em0000.yourdomain.com u0000000.wX0X0.sendgrid.net.

It does not conflict with your existing SPF record.

If you make a DNS lookup on that CNAME you will find a SPF record:

TXT em0000.yourdomain.com "v=spf1 include:sendgrid.net ~all"


Answered By - Max Ivanov
Answer Checked By - Dawn Plyler (PHPFixing Volunteer)

[FIXED] How would SendGrid Automated Security handle SPF record?

      , , ,      No comments   

Issue

I use SendGrid and I have 2 dedicated IPs... My website sends its emails using SendGrid.

At the same time I use G Suite and I personally send my emails using G Suite (Google Workspace)

I want to setup DKIM and SPF records. SendGrid documentation has an option called Automated Security:

Automated security allows SendGrid to handle the signing of your DKIM and authentication of your SPF for your outbound email with CNAME records. This allows you to add a dedicated IP address or update your account without having to update your SPF record.

and later on...

When Automated Security is On, SendGrid generates 3 different CNAME records. In a later step of setting up domain authentication, you give these records to your DNS provider, and then you verify that they upload correctly.

If you select Off, we generate 1 MX record and 2 TXT records. In a later step of setting up domain authentication, you give these records to your DNS provider, and then you verify that they upload correctly.

So When Automated Security is ON I won't need to add any SPF and DKIM record, instead I have added the 3 CNAME records that is required for Automated Security...

On the other hand I am also using G Suite and G Suite wants me to add DKIM and the following SPF record:

v=spf1 include:_spf.google.com ~all

From what I understand, the above SPF record means that _spf.google.com is the only server that should be sending my emails...

So my question is: Is adding G Suite SPF record conflicting with SendGrid Automated Security? My SPF record is saying the My SendGrid's dedicated IPs are not allowed to send email?

Imagine Yahoo mail server receives an email from one of my dedicated IPs (SendGrid)... how would Yahoo know that I am using Automated Security and the SPF record is handled by SendGrid? Because If Yahoo checked the SPF record, the SPF record is telling it that only _spf.google.com is allowed to send my emails?


Solution

Just a note: Your question would probably do better at the Server Fault forum.

To answer you questions: No the SPF record where you list G Suite is not conflicting with your SendGrid setup.

What is important to understand is: SPF says absolutely nothing about who is allowed to send emails FROM your domain. SPF authenticates the Return-Path address instead, and you're creating a subdomain for the bounce messages (what the Return-Path header is used for) with the CNAME delegation records in "Automated Security".

So, basically, Sendgrid is asking you to create a sub domain for them, e.g. em123.yourdomain.com by means of CNAME record. You delegate that subdomain over to them, targeting your personal Sendgrid tenant zone in DNS, where they create an SPF record and MX record at the root of that zone. A typical email from Sendgrid will then look like this:

from: you@yourdomain.com, Return-Path: bounces@em123.yourdomain.com

Thus, the receiving server will check the SPF record at em123.yourdomain.com to see if your IPs are allowed.

The other two CNAMEs are for the DKIM selector records. They point to TXT records that Sendgrid manages and rotates periodically.

So why not have Sendgrid use their domain in the Return-Path and not bother with the CNAME setup at all? DMARC demands that your Return-Path domain aligns with your FROM domain, OR that the domain used in your DKIM signatures aligns with your FROM domain. Preferably both.



Answered By - Reinto
Answer Checked By - Robin (PHPFixing Admin)

Wednesday, February 2, 2022

[FIXED] Sending SMTP emails reliably from Wordpress

      , ,      No comments   

Issue

I have a Wordpress site hosted at Cloudways. I have installed their Elastic Email SMTP add on. In theory I only need to activate the add on, and then the server will take care of STMP relay and authentication. Which means I don't need a SMTP plugin for Wordpress.

I have added a SPF value of v=spf1 a mx include:_spf.elasticemail.com ~all and a DKIM value of k=rsa;t=s;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbmGbQMzYeMvxwtNQoXN0waGYaciuKx8mtMh5czguT4EZlJXuCt6V+l56mmt3t68FEX5JJ0q4ijG71BGoFRkl87uJi7LrQt1ZZmZCvrEII0YO4mp8sDLXC8g1aUAoi8TJgxq2MJqCaMyj5kAm3Fdy2tzftPCV/lbdiJqmBnWKjtwIDAQAB to my DNS settings, acording to Elastic emails own guidelines.

If send some test email trough a small PHP scrip on my server:

$to = "web-XXXXXX@mail-tester.com";
$subject = "Testing";
$txt = "Hello world!";

mail($to,$subject,$txt,'From: noreply@mydomain.se ','-f noreply@mydomain.se ');

I get excellent score at www.mail-tester.com, and the email also arrive without problems at two different inboxes of mine.

But when I try to send email from wordpress, trough the plugin "check email" I get crappy score at www.mail-tester.com... It's says I'm not fully authenticated and I get -3 minus score for this line in particular: We didn't find a mail server (MX Record) behind your domain name xxxxxx.cloudwaysapps.com.

How comes I get so bad score when sending test email trough Wordpress compared to a simple php test script, and what should I do to get reliable score on outgoing mail from Wordpress?


Solution

The problem is that Wordpress has a default behavior of setting Return-Path to the server address, in my case: xxxxxx.cloudwaysapps.com instead of xxxx@mydomain.com. The solution and what also makes the email much more likely to reach an inbox is to modify the default behavior of Wordpress with this tiny plugin. It sets the Return-Path header of outgoing emails to equal the from email address.



Answered By - Anders Östman

Total Pageviews

Featured Post

Why Learn PHP Programming

Why Learn PHP Programming A widely-used open source scripting language PHP is one of the most popular programming languages in the world. It...