DMARC, DKIM, SPF

Hello,

Thanks in advance. I am pretty much ready to give up. In WAY over my head.

When I go to mail-tester.com, everything looks great. I go to MXTOOLBOX or EasyDMARC or name your service... I have all sorts of problems. Looks like I have an alignment problem with DKIM/SPF (this is all Spanish to me, but I know for deliverability this is important).

Super happy to sign up for a paid Cloudflare account if that is the best thing to do or if there is another company people would suggest. If this is 'easy' happy to keep bashing away.

Thanks in advance, I know this topic is covered constantly.

Jude

This has been fun. I can’t even figure out how to post. Apparently something I am doing looks like a link to the BB? Anyway, here is a screen. If I could find the delete button I would have started again, but alas no.

Can you show us the result of mail-tester?

Edit: I’m stupid, your domain is obviously there. I should go to bed.
The result of mail-tester would still be nice.

Edit2: And do you have any actual problems? Are your emails classified as spam when you try sending to another gmail account?

1 Like

According to this everything is fine. We send out about 70 to 100 emails/week (between two people). IE - low volume. What we are finding however is we are ending up in SPAM quite frequently for known senders. This is scaring us! We absolutely need the best deliverability possible.

Okay - DKIM fixed. Was easy (of course). Just had to authenticate in google and correct syntax in DNS. Now I have SPF to deal with.

1 Like

The email message according to the last screenshot is actually DKIM signed, but with a generic DKIM signature on the gappssmtp.com domain.

Since the domain isn’t equal (strict mode) or equal or below same domain (relaxed mode), you are missing the alignment to your own domain, making the DKIM requirement FAIL for DMARC.

This could indicate that you have started to enable DKIM signing, copied the DKIM key, but not actually checked / confirmed that you wanted to enable it.

Go to this link:

→ https://admin.google.com/ac/apps/gmail/authenticateemail

  1. Verify that DKIM signing is actually enabled there.

  2. Verify that the DKIM record shown there is exactly the same as the one you have added in the DNS.

3 Likes
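The alignment rule in the reply above, as an added example that is not part of the thread: it pulls the `d=` tag out of a DKIM-Signature header and checks strict versus relaxed DMARC alignment against the From: domain. The two header values are constructed, `example.com` stands in for the poster's domain, and the organizational-domain helper is a last-two-labels simplification (a real check consults the Public Suffix List).

```python
import re

# Constructed DKIM-Signature headers (not from the poster's mail). The first is the generic
# gappssmtp.com signature the reply describes; the second is what Google signs with once DKIM
# is enabled and confirmed for the domain itself. "example.com" stands in for the real domain.
GENERIC_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example-com.20230601.gappssmtp.com; "
               "s=20230601; h=from:to:subject; bh=...; b=...")
OWN_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=google; "
           "h=from:to:subject; bh=...; b=...")

def org_domain(domain):
    """Organizational domain, simplified to the last two labels. Assumption: a real
    implementation consults the Public Suffix List (co.uk needs three labels)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain, auth_domain, mode="r"):
    """DMARC identifier alignment: strict ('s') needs an exact match; relaxed ('r', the
    default) accepts any domain under the same organizational domain."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)

def dkim_signing_domain(header):
    """Extract the d= tag (signing domain) from a DKIM-Signature header value."""
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", header)
    return m.group(1) if m else None

def dmarc_result(from_domain, dkim_header, dkim_pass, spf_domain, spf_pass,
                 adkim="r", aspf="r"):
    """DMARC passes when at least one of DKIM or SPF both passes AND aligns with From:.
    A valid signature on gappssmtp.com is a DKIM pass but not an aligned pass."""
    d = dkim_signing_domain(dkim_header) if dkim_header else None
    dkim_ok = bool(dkim_pass and d and aligned(from_domain, d, adkim))
    spf_ok = bool(spf_pass and aligned(from_domain, spf_domain, aspf))
    return {"dkim_domain": d, "dkim_aligned": dkim_ok,
            "spf_aligned": spf_ok, "dmarc_pass": dkim_ok or spf_ok}
```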

Thank you!

I think I’m good now?

I did check my DNS and it does actually match exactly what my Google Admin panel provides.

1 Like

I’m good other than SPF records.

DKIM seems good now, yeah.

This one is (primarily) because of all your “include:_spfcf” stuff.

64.233.160.0/19 (a subnet broadcasted to the Internet by Google) is only being duplicated 6 times in your SPF, due to these records.

“+a”: Remove this one from your SPF, Cloudflare’s HTTP reverse proxies do NEVER send messages from your domain.

“+mx”: Remove this one from your SPF, Google’s INBOUND mail servers are separate from the OUTBOUND mail servers, and Google’s INBOUND mail servers will NEVER send OUTBOUND messages from your domain.

“include:lagrowthmachine.com”: Remove this one from your SPF, it is literally just including _spf.google.com, which you already have in your SPF yourself.

All the strange “include:_spfcf” ones you have, pointing to another record within your own domain, seem like you may have attempted to do some SPF flattening at some point, that definitely failed.

It would be a good time now to do some SPF cleaning and remove all irrelevant stuff from the SPF record.

Are you sending any email messages from this domain, through any other providers than Google?

3 Likes
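The duplication and lookup-count problem described in the reply above, as an added example that is not part of the thread: an offline SPF walker over a constructed DNS snapshot (not the poster's real zone, and Google's real netblocks are larger) that counts the DNS-lookup mechanisms against the RFC 7208 limit of 10 and shows which records declared the same network more than once, for the bloated record and for the cleaned one.

```python
import ipaddress

# Constructed DNS snapshot (assumption, not the poster's real records). "example.com" carries
# the redundant +a, +mx and lagrowthmachine.com mechanisms plus two "_spfcf" records left over
# from flattening; CLEAN_ZONE swaps in the trimmed record with a hard fail ("-all").
ZONE = {
    "example.com": "v=spf1 +a +mx include:_spf.google.com include:lagrowthmachine.com "
                   "include:_spfcf1.example.com include:_spfcf2.example.com ~all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ~all",
    "lagrowthmachine.com": "v=spf1 include:_spf.google.com ~all",
    "_spfcf1.example.com": "v=spf1 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ~all",
    "_spfcf2.example.com": "v=spf1 ip4:64.233.160.0/19 ~all",
}
CLEAN_ZONE = dict(ZONE, **{"example.com": "v=spf1 include:_spf.google.com -all"})
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def audit_spf(domain, zone, lookups=None, networks=None):
    """Walk an SPF record and everything it includes. Returns the DNS-lookup mechanisms
    hit (RFC 7208 allows at most 10 per evaluation, more is a permerror) and a map of
    each ip4/ip6 network to the records that declared it, so duplicates are visible."""
    lookups = [] if lookups is None else lookups
    networks = {} if networks is None else networks
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        raise ValueError(f"permerror: no SPF record for {domain}")
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                 # qualifier; "+" is the default
        mech, _, arg = term.partition(":")
        if "=" in mech:                            # redirect=domain is a modifier
            mech, _, arg = term.partition("=")
        mech = mech.split("/")[0]                  # a/24, mx/24 carry a CIDR suffix
        if mech in LOOKUP_MECHS:
            lookups.append(f"{domain}: {term}")
            if len(lookups) > 10:                  # also stops include loops
                raise ValueError("permerror: more than 10 DNS lookups")
        if mech in ("ip4", "ip6"):
            networks.setdefault(ipaddress.ip_network(arg, strict=False), []).append(domain)
        elif mech in ("include", "redirect"):
            audit_spf(arg, zone, lookups, networks)
    return lookups, networks

def duplicates(networks):
    """Networks declared more than once, keyed by CIDR string, with how often."""
    return {str(n): len(src) for n, src in networks.items() if len(src) > 1}
```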

“seems like you may have attempted to do some SPF flattening at some point, that definitely failed.” LOL’d at this for real. You are correct!

We use Hubspot and LaGrowthMachine but they are hooked up to Google and everything goes out through Gmail.

I think I am using the Cloudflare Beta DMARC management, can this have any effect on my SPF records? I only ask because I just purged everything except SPF1…and then they all came back. When I originally started with this mess I only had 22 records, now 31. Oosh. Can I just delete them all?

For the flattening it looks like there are options but in fact there are none at all and I don’t know how to turn it off!

Yes, the flattening is done by DMARC management. You should just adjust your main SPF record in the way that @DarkDeviL recommended and Cloudflare should adjust the flattened records.

2 Likes

Okay, so I made the changes to the main SPF record. Then I went and deleted everything else. Go big, or go home. I believe I have broken things :slight_smile:

So I will now search on creating SPF records.

Sweet Mother Of God.

I must admit that I wasn’t aware the newer DMARC stuff would be flattening SPF records like this.

Looking more around, and considering Cloudflare splitting / flattening SPF records to _spfcf1 etc?, it doesn’t look like you’re the first to experience this.

SPF flattening can be nice in certain scenarios, if it’s actually done correctly.

The Cloudflare way does however seem to deserve a :facepalm:.

Next steps I would be looking in to, if I were you:

  1. Change SPF to end with “-all” (DASH all).

  2. Change DMARC from p=none, to p=reject.

Note: Blindly changing the DMARC could cause delivery issues.

So, based on the DMARC reports that you receive (apparently both to Cloudflare, and EASYDMARC), you should be able to see some information about the authentication status of messages pretending to be from your domain.

If you’re only seeing unknown sources (e.g. if you see Microsoft, but you know for sure that you are not legitimately sending email messages via Microsoft), then you should be ready to make the changes.

On the other hand, if you see one or more providers that you recognize, for example HubSpot, as an example based on your mention above, and that messages from them appear to be failing (DKIM and/or SPF), you’ve got work to do before changing DMARC to p=reject.

Always aim for the strictest possible policy.

1 Like
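The readiness check in the reply above, as an added example that is not part of the thread: it parses a constructed DMARC aggregate (RUA) report in the standard XML layout, totals passing and failing messages per source, and says whether moving to p=reject is safe, i.e. whether every failing source is one you do not recognise. The IPs, the `provider.example` domain and the KNOWN_SOURCES labels are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report (not a real one): one source that passes both aligned checks
# and one recognised provider whose mail passes raw DKIM/SPF but on its own domains, so the
# policy_evaluated (aligned) results are "fail". Addresses are documentation ranges.
REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>203.0.113.10</source_ip><count>40</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>12</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>provider.example</domain><result>pass</result></dkim>
   <spf><domain>bounce.provider.example</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

# Assumption: the senders you know you use, keyed by the IP ranges they send from.
KNOWN_SOURCES = {"203.0.113.10": "Google Workspace", "198.51.100.7": "HubSpot"}

def summarize(xml_text, known):
    """Per source IP: messages that passed DMARC (an aligned DKIM or SPF pass, which is
    what policy_evaluated reports) versus those that failed, plus who the source is."""
    root = ET.fromstring(xml_text)
    summary = defaultdict(lambda: {"pass": 0, "fail": 0, "label": "unknown"})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        n = int(rec.findtext("row/count"))
        ev = rec.find("row/policy_evaluated")
        ok = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        summary[ip]["pass" if ok else "fail"] += n
        summary[ip]["label"] = known.get(ip, "unknown")
    return dict(summary)

def ready_for_reject(summary):
    """Safe to move to p=reject only when every failing source is unknown to you;
    a recognised provider that fails still needs its DKIM/SPF fixed first."""
    return all(s["fail"] == 0 or s["label"] == "unknown" for s in summary.values())
```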

Thank you so much for this. Everything does appear to be working at the moment, reports look good etc etc. We thought we would give it a week to see how email goes then turn on reject. Thank you so much for all the guidance and above all else PATIENCE. We are a small business with 5 employees, you and the rest of the helpful people made a difference for us.

Have a fantastic day!

3 Likes