DNS Records - SPF update

We are running WordPress through WP Engine via Cloudflare. We have a rather big list as our CMS, Gmail and Constant Contact are all in there. For the most part we don’t see a lot of bounces, everything seems to be working, but I’m not sure who to ask for confirmation that my 18 entries are correct. . . .

we are a small site with low funding, as I work my way through this the SPF record is suspect.

You would normally ask:

  • The person (or people) taking care of your tech stuff.

  • The individual providers that have provided you these records, should be able to verify if your set up is correct.

That said:

Your two first CNAME records, the ctctX._domainkey ones appears to the DKIM set up for Constant Contact.

The fourth CNAME record, the neonone._domainkey appears be the DKIM set up for Neon CRM, however, you do not appear to have any SPF inclusion for them.

The second TXT record, the google._domainkey one, appears to be the DKIM set up for Google / Gmail.

So that sounds to me like the DKIM should be playing well for you, under the condition that all of these record(s) are an exact match, to the ones the individual provider have told you to add.

I would personally suggest looking look in to all of this:

  1. Change your SPF (TXT) record, the third from the bottom to:

v=spf1 include:_spf.google.com include:_spf.neonemails.com include:spf.constantcontact.com -all

  1. Send several test messages, both from Google, from Neon One, and from Constant Contact.
    Using multiple providers as the destinations for these tests would be good, too.

  2. Verify on the destinations for these test messages, that they all have a DKIM-Signature header at the destination, and that the DKIM signature passes perfectly fine, and that the header From: domain is a 100% match to the domain from the “d=” parameter of the DKIM-Signature header.

  3. Once #3 has been tested, and verified to be successful, change the “p=none;” of the “_dmarcTXT record (fifth from the bottom), to “p=reject;”.

You can also use the DMARC reports you may be receiving, to verify #3, however, the DMARC reports may not appear to be so human-readable.

If you see that all of your legitimate messages, for example through the DMARC reports, appears to be passing DKIM, as well as having proper alignment to your own domain, you should be good to move on with #4.


Thank you for the second set of eyes. I am the the “Tech Stuff” person and did my best to learn/ follow my directions, thank you for pushing that further.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.