I wrote to GetResponse and got this.

Our Deliverability Team has had a look into this for you and according to their feedback, the message was sent within one email address [email protected] (both from and to fields were the same), but with GetResponse IP addresses in the middle. Receiving servers were expecting different sending IPs, so this led to a false positive spam/spoofing alert. We recommend whitelisting the GetResponse IP addresses in your domain’s settings or using a different from field.

I wrote to BlueHost where I have my domain and they said this.

You will need to add both of these records as TXT on the DNS manager for the domain yourthedoor.com on the end of Cloudflare

SPF record is v=spf1 a mx ptr include:websitewelcome.com ?all

DKIM record is below v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3p4cTBd+f7Zb9hsZglRTVgdfeSWfH5ZKKzmaxn/o94U0rfB9JLMYKcgw/ittlwkumYhrroYWcjqIePZsyuH+h1hhEwO90Io0vRITtoCLv6yGna1V8TNLtRctFQtCm9kuNtf8ha85uIkmmtLbMDFdaL/Hpsnw67bKAuKZTQJflcu8AV2yEkLy0Rii2qe+kCZ7LmlEKmOwee8hOPyNqCXcLd8sh86qBohr0vm8hvcQEPBod0hcdOCaoh0YxZx6GewwWLs/gGfQE+hPhi/m6L7GreRUVf4bybh3liSunU0NvBSuj9rbC97GMUI4/qWeDGjP/x7rdbuGfTmnUvsNSJg3+wIDAQAB

How do I do this?

What does it mean to whitelist the GetResponse IP addresses in your domain settings?

You add those records in the DNS dashboard; follow this tutorial (they are both TXT records, but the second one is missing the name you need to add; ask your host, who knows the answer).

In addition, the fact that they are telling you to add ptr to your SPF policy is not a good sign… Also, ?all means that it’s neutral for all other senders, which doesn’t completely solve sender spoofing.

Your current SPF policy is invalid, as it results in too many DNS lookups. It also appears that it does not include the mailing service you are using (GetResponse). As the policy is already invalid, you cannot just add the GetResponse include.

Your SPF record needs to include all the services that send mail claiming to come from your domain, and nothing else. If you only send email from GetResponse and from Google/GMail, then your record should look like this:

v=spf1 include:_spf.google.com include:_spf.getresponse.com -all

(Please do not blindly copy/paste that value, it may result in other services you are using failing! Verify that you have included ALL email services you use for sending.)

ptr should not be needed, so should be removed. Even the RFC says you should not use ptr!

Your MX records are for Google, which is covered in the include, and Google probably don’t send mail from those addresses anyway.

Your domain’s A record is :orange:, and the Cloudflare IP address will never send email from your domain, so having a in your SPF does nothing for you.

-all is a hard fail, and if you are not sure what is sending mail on your behalf ~all is a safer choice initially. Deploy a DMARC policy with a free reporting service (such as Dmarcian) to gather some telemetry before changing from ~all to -all.

For DKIM, you need to create a TXT record somevalue._domainkey. The instructions will be in your GetResponse administration panel.
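
An added example, not part of the original thread: a small offline check for the SPF problems discussed above (more than 10 DNS-querying terms once includes are followed, use of ptr, and a neutral ?all). The domains and records in ZONE are constructed sample data standing in for live TXT lookups, and the function names are hypothetical.

```python
# Offline SPF lint: counts DNS-querying terms (RFC 7208 4.6.4 allows 10)
# and flags ptr and a permissive top-level "all".
# ZONE is constructed sample data standing in for live TXT lookups.
ZONE = {
    "broken.example.test": "v=spf1 a mx ptr include:host.example.test ?all",
    "host.example.test": "v=spf1 a mx include:n1.example.test "
                         "include:n2.example.test include:n3.example.test ~all",
    "n1.example.test": "v=spf1 ip4:192.0.2.0/24 a ~all",
    "n2.example.test": "v=spf1 ip4:198.51.100.0/24 a ~all",
    "n3.example.test": "v=spf1 ip6:2001:db8::/32 a ~all",
    "fixed.example.test": "v=spf1 include:_spf.mail.example.test "
                          "include:_spf.bulk.example.test -all",
    "_spf.mail.example.test": "v=spf1 ip4:203.0.113.0/25 ~all",
    "_spf.bulk.example.test": "v=spf1 ip4:203.0.113.128/25 ~all",
}
# Terms that cost one DNS query each; ip4, ip6 and all cost nothing.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def lint(domain, zone, path=()):
    """Return (lookup_count, warnings), following include and redirect."""
    if domain in path:
        return 0, [f"{domain}: include loop"]
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0, [f"{domain}: no SPF record"]
    lookups, warnings = 0, []
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        sep = "=" if body.lower().startswith("redirect=") else ":"
        name, _, target = body.partition(sep)
        name = name.split("/")[0].lower()  # "a/24" is still the a mechanism
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            warnings.append(f"{domain}: ptr should not be used")
        # Only the top-level "all" decides what happens to unlisted senders.
        if name == "all" and not path and qualifier in "+?":
            warnings.append(f"{domain}: {qualifier}all does not fail other senders")
        if name in ("include", "redirect"):
            sub_count, sub_warnings = lint(target, zone, path + (domain,))
            lookups += sub_count
            warnings += sub_warnings
    return lookups, warnings

def check(domain, zone=ZONE):
    """Lint one domain and add a warning when the lookup limit is exceeded."""
    lookups, warnings = lint(domain, zone)
    if lookups > 10:
        warnings.append(f"{domain}: {lookups} lookups, limit is 10 (permerror)")
    return lookups, warnings
```

Calling `check("broken.example.test")` reports 12 lookups with three warnings, while `check("fixed.example.test")` reports 2 lookups and none.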


Thank You Michael for taking your time with this.
It has been very helpful : )

