SPF Records, DKIM, DMARC, DNS and Whitelist for email delivery
In an ongoing effort to reduce spam and virus, malware, ransomware and similar attacks, filters and quarantines have been put in place to screen for certain file attachment types and to authenticate incoming messages. The unintended consequence of these provisions is that certain legitimate mail is failing the tests and not reaching intended recipients.
DKIM = DomainKeys Identified Mail. Used for authentication of an email that's being sent (adds a digital signature to outgoing messages).
SPF = Sender Policy Framework (allows you to specify which IP addresses / servers in your domain are authorized to send email).
DMARC = Domain-based Message Authentication, Reporting and Conformance record (spells out for a receiving email server what to do if a message fails authentication).
To make exceptions and allow messages to authenticate properly, updating SPF and DKIM records is recommended. Below are some resources about these types of records as well as details on our current configuration.
SPF Records - https://dmarcian.com/what-is-spf/
DKIM Records - https://dmarcian.com/what-is-dkim/
DMARC Records - https://support.google.com/a/answer/2466563?hl=en
DMARC works with the two email authentication methods, SPF and DKIM. The receiving server uses SPF to authenticate the sending server and DKIM to verify that the message has not been altered en route.
About DMARC - https://support.google.com/a/answer/2466580?hl=en&ref_topic=2759254
About DKIM - https://support.google.com/a/answer/174124
The settings to configure the filtering and quarantine at the administrative level are managed in G-Suite. Log into the Admin console (http://admin.google.com) > Apps > Google Apps > Gmail > Advanced Settings > Content Compliance.
One of the rules defined there looks for "X-CairnCustom: Whiltelist". This rule corresponds with code written into the Tuition Payment PHP scripts on the website because in spite of various efforts, I was unable to get them to reach our system as Authenticated.
When messages are quarantined by Google at the administrative level, the quarantine can be viewed/monitored at https://email-quarantine.google.com/adminreview#
SPF and DKIM records are TXT/CNAME records in DNS. The following records are in place for cairn.edu (on DNSmadeEasy), assuming this Wiki is kept current.
Record: cairn.edu. (TXT) returns
"v=spf1 ip4:71.185.26.135 ip4:206.107.42.254 ip4:206.107.42.25 ip4:132.174.29.20 ip4:167.89.81.202 include:usb._netblocks.mimecast.com include:relay.mailchannels.net include:spf.mymusicstaff.com include:_spf.google.com include:spf.protection.outlook.com ~" "all"
(The value is longer than 255 characters, so DNSmadeEasy stores it as two quoted strings; a resolver joins them back into a single "~all". See the note on TXT record length under IMPORTANT NOTES.)
NOTE: the Hosts/IP addresses referenced in this record are accounted for as follows:
71.185.26.135 - ex2.ad.pbu.edu / mail.cairn.edu
71.185.26.172 - esign.cairn.edu
206.107.42.254 - Online Computer Library Center in Dublin, OH (used by library - don't delete)
206.107.42.25 - Online Computer Library Center in Dublin, OH (used by library - don't delete)
132.174.29.20 - Online Computer Library Center in Dublin, OH (used by library - don't delete)
167.89.81.202 - (used by library - don't delete) (added 9/24/19 due to false positives in Admin Quarantine Summary - BB) TEMPORARILY REMOVED on 10/7/24 to troubleshoot record length - BB.
104.239.163.149 - cairn.wpengine.com / cairn.edu (main website)
23.253.183.0/24 - "mailgun" server; part of WPengine (main website); affects PHP scripts such as the Web Tuition Payment script/process.
* 24.73.102.0/24 - DataGlyphics in Clearwater, FL (???)
66.151.109.0/24 - IP range for Symplicity (Career Center web portal)
34.194.230.233 - IP range for Symplicity (Career Center web portal) as of 12/15/17 - see ticket #12259
34.230.107.215 - IP range for Symplicity (Career Center web portal) as of 12/15/17 - see ticket #12259
184.106.13.89 - IP address for EvaluationKIT (Research and Planning Course Evaluation Utility/Service) as of 2/16/19 - see ticket #16110
3.128.236.80 - IP address for EvaluationKIT (Research and Planning Course Evaluation Utility/Service) as of 3/22/21 - see ticket #24427
3.139.232.78 - IP address for EvaluationKIT (Research and Planning Course Evaluation Utility/Service) as of 3/22/21 - see ticket #24427
3.223.100.88 - IP address for EvaluationKIT (Research and Planning Course Evaluation Utility/Service) as of 3/22/21 - see ticket #24427
34.200.182.36 - IP address for EvaluationKIT (Research and Planning Course Evaluation Utility/Service) as of 3/22/21 - see ticket #24427
54.151.112.86 - IP address for EvaluationKIT (Research and Planning Course Evaluation Utility/Service) as of 3/22/21 - see ticket #24427
50.18.89.44 - IP address for EvaluationKIT (Research and Planning Course Evaluation Utility/Service) as of 3/22/21 - see ticket #24427
54.214.32.131 - IP address for EvaluationKIT (Research and Planning Course Evaluation Utility/Service) as of 3/22/21 - see ticket #24427
52.35.81.117 - IP address for EvaluationKIT (Research and Planning Course Evaluation Utility/Service) as of 3/22/21 - see ticket #24427
141.193.213.20 - Removed from SPF on 2/2/24 in an effort to clean it up. Not known what this is for. - BB.
66.150.245.180 - Removed from SPF on 2/2/24 in an effort to clean it up. Not known what this is for. - BB.
13.224.214.106 - Removed from SPF on 2/2/24 in an effort to clean it up. Not known what this is for. - BB.
104.195.80.30 - IP address for Campus Store / BigCommerce.net
sendgrid.net - Associated w/ WPengine. (See https://wpengine.com/support/dmarc-best-practices-get-email-inbox/)
mailgun.org - Associated w/ WPengine. (See https://wpengine.com/support/dmarc-best-practices-get-email-inbox/)
usb._netblocks.mimecast.com
relay.mailchannels.net - Associated w/ WPengine. (See https://wpengine.com/support/dmarc-best-practices-get-email-inbox/)
spf.mymusicstaff.com - No longer needed. Was previously used by Cairn Arts Academy, which is now defunct.
_spf.google.com
spf.protection.outlook.com
servers.mcsv.net - Related to Mailchimp (see https://blog.mailchimp.com/senderid-authentication-for-your-mailchimp-campaigns) - REMOVED 4/23/24 - see notes at bottom.
pbibu.iii.com - Library system cloud servers (transition to the cloud as of Sept. 2016)
spf.watermarkinsights.com - Address for EvaluationKIT (Research and Planning Course Evaluation Utility/Service) as of 3/22/21 - see ticket #24427 - REMOVED 4/23/24 - see notes at bottom.
_spf.formstack.com - Formstack forms creator service used on cairn.edu - REMOVED 4/23/24 - see notes at bottom.
spf.constantcontact.com - Related to Constant Contact - REMOVED 4/23/24 - see notes at bottom.
outboundmail.blackbaud.net - Blackbaud/Raiser's Edge - Added 2/6/24. See ticket #36174. REMOVED 4/23/24 - see notes at bottom.
* Not sure what this entry is. Email log searches showed that mail was sent to our users from 24.73.102.4 from noreply@yourmembership.com (subject "Association of Christian Schools International Job Alert"). There were also messages sent from 24.73.102.14, 24.73.102.15 and 24.73.102.16 that were from the same domain.
** Messages are also whitelisted by going to G-Suite > Gmail > Advanced Settings > Compliance > Content Compliance [add rule]
OR
G-Suite > Gmail > Advanced Settings > Spam, phishing and malware > Email whitelist [add IP]
(related tickets may include the following: 16951, 18152, 28231)
OR
G-Suite > Gmail > Advanced Settings > Spam, phishing and malware > Spam > Edit > Domain Bypass > Edit [add] (This is to whitelist a specific email address OR domain)
(related tickets may include the following: 18249, 18299, )
There may also be corresponding entries in Exchange under Organization Configuration > Server Configuration > Hub Transport.
For consideration when establishing mail policy...
The following sites/organizations are known to generate mail as or on behalf of cairn.edu users:
- symplicity.com (career center portal)
- bigcommerce.net (Campus Store)
- hubspot.com (blog.cairn.edu or blog@cairn.edu)
- formstack.com (form service on cairn.edu)
- standard.com ?? (cairn retirement plan provider - for sending secured portal emails)
- various listserves ?? (when our users send to a list that they are subscribed to)
DKIM/SPF-related CNAME records -
Name: ctct1._domainkey Alias to: 100._domainkey.dkim1.ccsend.com (Constant Contact - https://knowledgebase.constantcontact.com/articles/KnowledgeBase/5932-self-publishing-for-authentication)
Name: ctct2._domainkey Alias to: 200._domainkey.dkim2.ccsend.com (Constant Contact - https://knowledgebase.constantcontact.com/articles/KnowledgeBase/5932-self-publishing-for-authentication)
Name: _dmarc.sl Alias to: _dmarc.m2.sendlayer.net (SendLayer - Works with WP Mail SMTP website mailer) (Feb 2023)
Name: h2rfni5hs3fsohaktugeonxtzpeerxj2._domainkey Alias to: h2rfni5hs3fsohaktugeonxtzpeerxj2.dkim.amazonses.com (Used by Library; EBSCO Support Case #5368136 SI 2568924; 3/15/23)
Name: hs1-23289173._domainkey Alias to: cairn-edu.hs20a.dkim.hubspotemail.net. (Deprecated ???)
Name: hs2-23289173._domainkey Alias to: cairn-edu.hs20b.dkim.hubspotemail.net. (Deprecated ???)
Name: itkr4vt5rpn5xibwhdem2dtgdtaadnae._domainkey Alias to: itkr4vt5rpn5xibwhdem2dtgdtaadnae.dkim.amazonses.com (Used by Library; EBSCO Support Case #5368136 SI 2568924; 3/15/23)
Name: k2._domainkey Alias to: dkim2.mcsv.net (Mailchimp - https://mailchimp.com/help/set-up-email-domain-authentication)
Name: k3._domainkey Alias to: dkim3.mcsv.net (Mailchimp - https://mailchimp.com/help/set-up-email-domain-authentication)
Name: mms1._domainkey Alias to: dkim.mymusicstaff.com.
Name: nzzesc6dkimnaixzwhyzqqc7xnswo2br._domainkey Alias to: nzzesc6dkimnaixzwhyzqqc7xnswo2br.dkim.amazonses.com.
Name: ov3qfw7o2tykc2e54fef6eqctbhjuavn._domainkey Alias to: ov3qfw7o2tykc2e54fef6eqctbhjuavn.dkim.amazonses.com (Used by Library; EBSCO Support Case #5368136 SI 2568924; 3/15/23)
Name: pgr2._domainkey Alias to: pgr2.domainkey.u2564726.wl227.sendgrid.net. (Deprecated ???)
Name: pgr._domainkey Alias to: pgr.domainkey.u2564726.wl227.sendgrid.net. (Deprecated ???)
Name: selector1._domainkey Alias to: selector1-cairn-edu._domainkey.cairn0.onmicrosoft.com.
Name: selector2._domainkey Alias to: selector2-cairn-edu._domainkey.cairn0.onmicrosoft.com.
Name: sl Alias to: sl.m2.sendlayer.net (SendLayer - Works with WP Mail SMTP website mailer) (Feb 2023)
Name: slate-mx Alias to: sg.technolutions.net (Slate) (June 2023)
Name: sl._domainkey Alias to: sl._domainkey.m2.sendlayer.net (SendLayer - Works with WP Mail SMTP website mailer) (Feb 2023)
Name: slt2._domainkey Alias to: slt2._domainkey.technolutions.net (Slate) (June 2023)
Name: slt._domainkey Alias to: slt._domainkey.technolutions.net (Slate) (June 2023)
Name: track.sl Alias to: track.m2.sendlayer.net (SendLayer - Works with WP Mail SMTP website mailer) (Feb 2023)
Name: zybpia4gcrl7kfye5pcsmngdlbnzlr4v._domainkey Alias to: zybpia4gcrl7kfye5pcsmngdlbnzlr4v.dkim.amazonses.com.
DKIM/SPF-related TXT records -
Name: sm._domainkey Value: "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCfbbuxyyTiaNalYgUJHeBp7aSUBGIUOd5SNEm9BOJeHu396IBb94cED11We2ktUKgTEV02Fpq4jnS/Jg+sigB6d4Dko019RP9OrDvfYYmEyIx4hmcPQJsLAfYs2A24BKVCzqjJJhVrYpqIwoVSS0nmGhCVAFh02DdoyxWUOtm7VQIDAQAB" (used by Blackbaud)
Name: (.cairn.edu.) Value: "google-site-verification=2iC_RU4xzHV9-OKxWBAQ7sE4Zb6JFKcJUmA_OfJpQOM"
Name: google._domainkey Value: "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCOP0M6D1O9/gRAEPdbAS7o7sDHEp7IijrKf5hZkGOjdiNMIC7kExbhRUoN96JBDRzXS6AKn3ac42BUMDLWMWNQK+yF1suaeMiCmEMvoCsiNSjKL34+Jwg6GvgtdhSw+Va3ilyU9xmkhBUbC/x6aksNgvn6Zcu8VC1u5LmzQEBk1QIDAQAB"
Name: (.cairn.edu.) Value: "v=spf1 ..." (see details above)
Name: _dmarc Value: "v=DMARC1 ..." (see details below)
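The DKIM TXT records above carry the public key in the p= tag as base64 DER. The script below is an added example for this page, not the wiki's own tooling or a vendor script: it parses a DKIM key record, detects a revoked selector (empty p=), and measures the RSA modulus with a minimal DER walk so you can see the key size without any third-party library. It runs against the google._domainkey value documented on this page; the RFC 8301 sizing rule it applies (1024-bit RSA is the floor, 2048-bit is recommended) is the only judgement it adds.

```python
"""Parse a DKIM key record and measure its RSA public key.

Added example for this page; not the wiki's own tooling. Standard library only:
the small DER walk below handles the RSA SubjectPublicKeyInfo layout that every
k=rsa DKIM record carries. Ed25519 keys (k=ed25519) are raw 32-byte values.
"""
import base64

# The google._domainkey TXT value documented on this page (copied verbatim).
GOOGLE_DKIM_TXT = (
    '"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCOP0M6D1O9/gRAEPdbAS7o7sDHEp7IijrKf5hZkGOjdiNMIC7kExbhRUoN96JBDRzXS6AKn3ac42BUMDLWMWNQK+yF1suaeMiCmEMvoCsiNSjKL34+Jwg6GvgtdhSw+Va3ilyU9xmkhBUbC/x6aksNgvn6Zcu8VC1u5LmzQEBk1QIDAQAB"'
)


def parse_dkim(record):
    """Split 'tag=value; ...' into a dict. Whitespace inside p= is folding space; drop it."""
    tags = {}
    for part in record.strip().strip('"').split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = "".join(value.split())
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:   # v= is optional but must be DKIM1
        raise ValueError("not a DKIM key record")
    tags.setdefault("k", "rsa")
    return tags


def _der_tlv(buf, off):
    """Read one DER tag/length/value; returns (tag, value_bytes, offset_after_value)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def rsa_modulus_bits(spki_der):
    """Modulus size of an RSA SubjectPublicKeyInfo:
    SEQUENCE { SEQUENCE { rsaEncryption OID, NULL }, BIT STRING { SEQUENCE { n, e } } }."""
    tag, spki, _ = _der_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    _, _alg, off = _der_tlv(spki, 0)         # AlgorithmIdentifier, skipped
    tag, bits, _ = _der_tlv(spki, off)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_key, _ = _der_tlv(bits[1:], 0)    # bits[0] is the unused-bits count (0)
    tag, modulus, _ = _der_tlv(rsa_key, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_key(record):
    """Return {'key_type', 'bits', 'revoked', 'weak'} for one DKIM TXT record.
    Empty p= means the selector is revoked (RFC 6376). RFC 8301 keeps 1024-bit RSA as
    the minimum and recommends 2048-bit keys, so anything under 2048 is flagged weak."""
    tags = parse_dkim(record)
    if tags["p"] == "":
        return {"key_type": tags["k"], "bits": 0, "revoked": True, "weak": False}
    raw = base64.b64decode(tags["p"])
    bits = len(raw) * 8 if tags["k"] == "ed25519" else rsa_modulus_bits(raw)
    return {"key_type": tags["k"], "bits": bits, "revoked": False,
            "weak": tags["k"] == "rsa" and bits < 2048}


if __name__ == "__main__":
    print(check_dkim_key(GOOGLE_DKIM_TXT))
```

Run it as-is to see the size of the Google key published for cairn.edu; feed it any other selector's TXT value (pasted from the DNS editor or from a dig output) to compare. A revoked selector (p=) is reported separately from a missing record, because leaving an empty p= in place is the documented way to retire a key without breaking lookups.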
This info inspired changes/deletions to the SPF record on 2/20/23 (document provided by Sali)

Original DMARC record prior to changes related to MXToolbox on 2/23/24:
Name: _dmarc.cairn.edu.
Value: "v=DMARC1; p=none; rua=dmarc-reports@cairn.edu"
Live DMARC record (this was configured/managed on mxtoolbox.com; we pointed to it via a CNAME record in DNSmadeEasy):
v=DMARC1;p=reject;pct=100;fo=1;rua=mailto:ee5d900f@mxtoolbox.dmarc-report.com;ruf=mailto:ee5d900f@forensics.dmarc-report.com
The CNAME record to point to mxtoolbox is/was: _dmarc which aliased to cairn.edu.hosted.dmarc-report.com. (TTL 1800)
Updated to the following on 4/9/24 in conjunction with 14-day trial for dmarcian: (managed on mxtoolbox interface)
v=DMARC1;p=reject;pct=100;fo=1;rua=mailto:sytmwxhu@ag.us.dmarcian.com, mailto:ee5d900f@mxtoolbox.dmarc-report.com;ruf=mailto:ee5d900f@forensics.dmarc-report.com
Update on 4/23/24: Reverted DMARC back to our own internal DNS as a TXT record rather than MXToolbox due to impending cancellation of MXtoolbox service in favor of transitioning DMARC/SPF monitoring to dmarcian.
v=DMARC1;p=quarantine; rua=mailto:sytmwxhu@ag.us.dmarcian.com;ruf=mailto:ee5d900f@forensics.dmarc-report.com; fo=1;
Update on 5/7/24: Updated to reject with pct=25 as part of the plan to transition to 100% reject, as suggested by dmarcian support. See notes below.
"v=DMARC1;p=reject; pct=25; rua=mailto:sytmwxhu@ag.us.dmarcian.com;ruf=mailto:ee5d900f@forensics.dmarc-report.com; fo=1;"
Update on 8/27/24: Updated to reject with pct=75 as part of the plan to transition to 100% reject, as suggested by dmarcian support. See notes below.
"v=DMARC1;p=reject; pct=75; rua=mailto:sytmwxhu@ag.us.dmarcian.com;ruf=mailto:ee5d900f@forensics.dmarc-report.com; fo=1;"
Update on 12/9/24: Updated to reject with pct=100 as part of the plan to transition to 100% reject, as suggested by dmarcian support. See notes below.
"v=DMARC1;p=reject; pct=100; rua=mailto:sytmwxhu@ag.us.dmarcian.com;ruf=mailto:ee5d900f@forensics.dmarc-report.com; fo=1;"
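The records above, read together with the definition of DMARC at the top of this page and the "SPF incapable" explanation under IMPORTANT NOTES, describe three things a receiver does: parse the record, test whether an SPF or DKIM pass is aligned with the From: domain, and apply p= to only a pct share of failing mail. The script below is an added example that works those steps through, not the wiki's, dmarcian's or MXToolbox's code. It uses the original p=none record and the 5/7/24 pct=25 record from this page as input; the vendor bounce domain in the demo is constructed, and the organizational domain is approximated as the last two DNS labels (a real verifier consults the Public Suffix List).

```python
"""DMARC record parsing, identifier alignment and pct-sampled disposition.

Added example for this page; not the wiki's, dmarcian's or MXToolbox's code.
Assumptions: organizational domain = last two labels (a real verifier uses the
Public Suffix List); the vendor bounce domain in the demo is constructed.
"""

POLICIES = ("none", "quarantine", "reject")      # least to most severe

# Two records documented on this page: the original p=none record and the 5/7/24 step.
ORIGINAL_RECORD = "v=DMARC1; p=none; rua=dmarc-reports@cairn.edu"
PCT25_RECORD = ('"v=DMARC1;p=reject; pct=25; rua=mailto:sytmwxhu@ag.us.dmarcian.com;'
                'ruf=mailto:ee5d900f@forensics.dmarc-report.com; fo=1;"')


def parse_dmarc(record):
    """Split 'tag=value; ...' into a dict, tolerating spaces, quotes and a trailing ';'."""
    tags = {}
    for part in record.strip().strip('"').split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record")
    tags.setdefault("pct", "100")
    tags.setdefault("adkim", "r")     # relaxed alignment is the default for both
    tags.setdefault("aspf", "r")
    return tags


def lint_dmarc(tags):
    """Findings worth fixing before publishing. rua/ruf must be URIs: the original record
    on this page used a bare address, which receivers ignore, so no reports would arrive."""
    findings = []
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.lower().startswith("mailto:"):
                findings.append(f"{tag}={uri!r} is not a mailto: URI; no reports will be sent")
    if tags["p"] not in POLICIES:
        findings.append(f"unknown policy {tags['p']!r}")
    elif tags["p"] == "none":
        findings.append("p=none only monitors; failing mail is still delivered")
    if not 0 <= int(tags["pct"]) <= 100:
        findings.append("pct must be between 0 and 100")
    return findings


def org_domain(domain):
    """Assumption: last two labels. Fine for cairn.edu, wrong for e.g. example.co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same organizational domain."""
    auth_domain, from_domain = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_pass(tags, from_domain, spf_result, mail_from_domain, dkim_results):
    """DMARC passes if an SPF pass or a DKIM pass is aligned with the From: header domain.
    SPF authenticates the Return-Path (MAIL FROM) domain, so a vendor that bounces through
    its own domain can never give SPF alignment for cairn.edu ("SPF incapable" in dmarcian),
    while a DKIM signature with d=cairn.edu still aligns. dkim_results: [(d=, result), ...]."""
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, from_domain, tags["aspf"])
    dkim_ok = any(res == "pass" and aligned(d, from_domain, tags["adkim"]) for d, res in dkim_results)
    return spf_ok or dkim_ok


def disposition(tags, passed, roll):
    """Receiver's action. 'roll' (0-99) stands in for the receiver's random sample: a failing
    message inside the pct share gets p=, the rest get the next less severe policy
    (RFC 7489 s6.6.4). That is exactly what the pct=25 -> 75 -> 100 rollout above changes."""
    if passed:
        return "none"
    policy = tags["p"]
    if roll < int(tags["pct"]):
        return policy
    return POLICIES[max(POLICIES.index(policy) - 1, 0)]


if __name__ == "__main__":
    tags = parse_dmarc(PCT25_RECORD)
    # Constructed scenario: vendor relays with its own bounce domain, signs with d=cairn.edu.
    signed = dmarc_pass(tags, "cairn.edu", "pass", "bounce.vendor-example.net", [("cairn.edu", "pass")])
    unsigned = dmarc_pass(tags, "cairn.edu", "pass", "bounce.vendor-example.net", [])
    print("signed:", signed, "unsigned:", unsigned)
    print("unsigned, roll 10 ->", disposition(tags, unsigned, 10), "| roll 60 ->", disposition(tags, unsigned, 60))
    print("lint of original record:", lint_dmarc(parse_dmarc(ORIGINAL_RECORD)))
```

The demo reproduces the situation described in the notes: a source that can only align via DKIM passes as long as it signs with d=cairn.edu, and the same source without that signature is rejected for roughly a quarter of messages and quarantined for the rest at pct=25. The lint on the original record shows why a rua value without mailto: is worth catching before relying on aggregate reports.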
IMPORTANT NOTES:
- SPF record updated and cleaned up in April 2024 in conjunction with the counsel of the dmarcian customer support people and engineers. They recommended removing several entries, as documented above (see the entries marked REMOVED with comments). The recommendations were based on the fact that these entries will never use our domain in the Return-Path, which is what SPF checks. For those sources we will authenticate with DKIM instead of SPF to get alignment. Apparently this can be seen in the dmarcian interface: where the Source View page says "SPF incapable", the source will never align via SPF using our domain name because it always uses its own domain in the Return-Path. Since those sources never align via SPF, they can be removed from the SPF record and aligned via DKIM. The ones removed on 4/23/24 are mcsv.net, formstack, watermarkinsights, constantcontact, and blackbaud.net. (4/23/24)
- We had an issue with Blackbaud emails (Campus Walk) bouncing in Sept. 2024, but it was determined to be an RBL / spam issue, NOT DMARC compliance. Blackbaud kept insisting that in spite of that we should add blackbaud.net to our SPF, but never really explained why in light of the info above. Our DMARC analysis (with dmarcian) shows 100% DKIM alignment and 100% DMARC compliance. (See emails from around 9/27/24 - Blackbaud support case #019846025 - BB)
- DKIM for mail sent through O365 is configured by going to Microsoft Admin Center - https://security.microsoft.com/dkimv2
- Office 365 requires the default domain to be set to cairn.edu to sign emails correctly. This setting can be found under Domains.
- DNS TXT records can apparently be no longer than 255 characters. This was suspected as an issue when "" were being inserted into the SPF TXT record. However, according to DNSmadeEasy tech support, this should not cause problems. They said: "My name is Nathan, and I'm a Technical Support Specialist at DNS Made Easy. I'm here to assist you with your issue and provide any necessary help. I understand that you are seeing quotes being entered within your SPF record. To clarify, in order to be RFC compliant, TXT records can be in strings no longer than 255 characters. With this being said, TXT records that are longer will be automatically split into 255 character strings separated by quotes. These quotes do not affect resolution and will not affect your SPF record."
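Both the SPF record listed near the top of this page and the 255-character note above are easy to check offline. The script below is an added example for this page, not the wiki's tooling or anything from DNS Made Easy or dmarcian: it splits a long TXT value into 255-character strings the way the DNS host does and joins them back the way a verifier does, parses the record into ip4 networks and include: targets, counts the terms that cost a DNS lookup against the RFC 7208 limit of ten, and matches a client IP against the ip4 terms without any network access. It uses the cairn.edu SPF value documented on this page; include: targets are counted but not resolved, so the lookup count is a lower bound and any IP that is only permitted through an include (for example anything behind _spf.google.com) will not match here.

```python
"""Offline checks for an SPF TXT record: string splitting/joining, lookup count, ip4 matching.

Added example for this page; not the wiki's tooling or a DNS Made Easy / dmarcian script.
No network is used: include: targets are counted, not resolved, so only ip4/ip6 terms
are matched directly and the lookup count is a lower bound on the real total.
"""
import ipaddress

# The cairn.edu SPF value as documented on this page, as one logical string.
SPF_RECORD = (
    "v=spf1 ip4:71.185.26.135 ip4:206.107.42.254 ip4:206.107.42.25 ip4:132.174.29.20 "
    "ip4:167.89.81.202 include:usb._netblocks.mimecast.com include:relay.mailchannels.net "
    "include:spf.mymusicstaff.com include:_spf.google.com include:spf.protection.outlook.com ~all"
)
MAX_TXT_STRING = 255        # RFC 1035 character-string limit; the host splits longer values
MAX_LOOKUPS = 10            # RFC 7208 s4.6.4: more than this is a permerror
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def split_txt_value(value, limit=MAX_TXT_STRING):
    """What the DNS host does with a value over 255 chars: several character-strings.
    Rendered in a zone editor that is the '... ~" "all' seen on this page."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def join_txt_strings(strings):
    """A verifier concatenates the strings with nothing in between (RFC 7208 s3.3)."""
    return "".join(strings)


def parse_spf(record):
    """Parse one SPF record into networks, includes, the 'all' qualifier and the number
    of top-level terms that trigger a DNS lookup."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError(f"not an SPF record: {record!r}")
    parsed = {"ip4": [], "ip6": [], "include": [], "all": None, "redirect": None, "lookups": 0}
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term:                                  # modifier: redirect=, exp=
            name, _, value = term.partition("=")
        else:                                            # mechanism: name[:value][/cidr]
            name, _, value = term.partition(":")
        name = name.split("/")[0].lower()                # 'a/24' and 'mx/24' still count
        if name in LOOKUP_TERMS:
            parsed["lookups"] += 1
        if name in ("ip4", "ip6"):
            parsed[name].append(ipaddress.ip_network(value, strict=False))
        elif name == "include":
            parsed["include"].append(value)
        elif name == "redirect":
            parsed["redirect"] = value
        elif name == "all":
            parsed["all"] = qualifier
    return parsed


def ip_permitted(parsed, client_ip):
    """True if client_ip is covered by an ip4/ip6 term (includes are not expanded here)."""
    ip = ipaddress.ip_address(client_ip)
    nets = parsed["ip4"] if ip.version == 4 else parsed["ip6"]
    return any(ip in net for net in nets)


def lint_spf(record):
    """Findings a practitioner would want before publishing the record."""
    parsed = parse_spf(record)
    findings = []
    if len(record) > MAX_TXT_STRING:
        findings.append(f"{len(record)} chars: the host will store it as "
                        f"{len(split_txt_value(record))} strings (harmless, see note above)")
    if parsed["lookups"] > MAX_LOOKUPS:
        findings.append(f"{parsed['lookups']} lookup terms at the top level alone exceed the "
                        f"limit of {MAX_LOOKUPS}; verifiers return permerror")
    if parsed["all"] is None and parsed["redirect"] is None:
        findings.append("no 'all' term: unlisted senders evaluate to neutral")
    elif parsed["all"] == "+":
        findings.append("'+all' permits every sender on the internet")
    return findings


if __name__ == "__main__":
    parsed = parse_spf(SPF_RECORD)
    print("ip4 terms:", len(parsed["ip4"]), "| includes:", parsed["include"])
    print("top-level lookups:", parsed["lookups"], "| all qualifier:", parsed["all"])
    print("71.185.26.135 permitted directly:", ip_permitted(parsed, "71.185.26.135"))
    print("104.239.163.149 permitted directly:", ip_permitted(parsed, "104.239.163.149"))
    print("split strings:", split_txt_value(SPF_RECORD))
    print("findings:", lint_spf(SPF_RECORD))
```

Running it shows that the wiki's own host list and the live record have drifted: 71.185.26.135 matches an ip4 term, while 104.239.163.149 (listed above as the main website) does not and would have to be covered by one of the includes. The lookup count is the number to watch when adding include: entries, since each one is also charged for the lookups inside the record it points to.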
- The validity of our SPF record can be checked at https://us.dmarcian.com/spf-survey/?domain=cairn.edu
- At follow-up consult/meeting with Dmarcian on 5/6/24, a few action items were suggested: