DKIM
A method of validating that the content of a message has not changed since it was sent. This is done by making a unique signature (also known as a hash) of the subject and message body and adding it to the message. When the signature is added to the message, it is added to the message headers (typically not displayed) which are used by systems for processing messages. The end result is the recipient's email system can quickly verify nothing has changed since the message was sent.
Site: http://www.dkim.org
By creating the white label records in your DNS configuration, you allow us to manage and rotate DKIM keys on your behalf so you do not have to make frequent DNS updates.
Whitelabel
DNS records which allow messages to appear as if they were sent directly from your domain. Revinate will also be using these records to provide custom SPF and DKIM records for messages we send on your behalf.
Bind9 – Create CNAME Records
https://help.ubuntu.com/community/BIND9ServerHowto#Address_Records
BlueHost – Create CNAME Records
https://my.bluehost.com/cgi/help/559#add
GoDaddy – Create CNAME Records
https://www.godaddy.com/help/add-a-cname-record-19236
Microsoft DNS – Create CNAME Records
https://technet.microsoft.com/en-us/library/ff625726(v=ws.10).aspx
RackSpace – Create CNAME Records
https://docs.rackspace.com/support/how-to/creating-dns-records-with-cloud-dns/
POTENTIAL ISSUE: DNS Provider Does Not Support Underscore Characters In DNS Records
Some DNS providers, such as Network Solutions, do not allow you to enter underscore (_) characters for DKIM keys in DNS records. This limitation is specific to the provider’s website and not to DNS itself. If you have issues entering the requested records, we recommend contacting their support. Several of our clients have quickly resolved this issue after calling their DNS provider.
If your DNS provider asks for them, you can provide the following technical references, which state that underscore characters are supported in DNS and suggested for DKIM records:
https://www.ietf.org/rfc/rfc2181.txt, section 11, page 12
https://www.ietf.org/rfc/rfc6376.txt, section 3.6.2.1
https://www.ietf.org/rfc/rfc4871.txt, section 3.6.2.1
SPF
A DNS record created to protect you from people sending unauthorized emails from your domain. An SPF record allows the recipient’s mail server to see who is authorized to send on behalf of your domain and to reject any emails from senders that you have not authorized. Without a valid SPF record that includes the NAVIS SPF, you risk becoming blocked or blacklisted by the recipient’s mail server.
Site: http://www.open-spf.org
DMARC
DMARC: Create, publish and monitor DMARC email authentication for your sending domain.
What is DMARC? DMARC (Domain-based Message Authentication, Reporting & Conformance) is a standard that builds on SPF and DKIM. DMARC communicates a policy to mailbox providers letting them know what they should do when they receive an email that fails an SPF, DKIM, or SPF and DKIM check purporting to be from your domain (possibly spoofed). Starting February 1, 2024, both Gmail and Yahoo! (includes AOL and Verizon domains) will implement new requirements for bulk email senders, including requiring SPF, DKIM and DMARC records.
“DMARC, which stands for ‘Domain-based Message Authentication, Reporting & Conformance’ is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.” (Source: https://dmarc.org/)
Each DMARC record needs to define a policy, which can be one of three options: none, quarantine, or reject. Although Gmail’s and Yahoo’s minimum requirement for DMARC is to set it at p=none, this is a minimum bar. p=none instructs the receiving mailbox provider to take no action on an email that fails an SPF/DKIM check.
The best and most secure setting is called DMARC at enforcement: p=reject or p=quarantine. However, this requires additional work to ensure that this record incorporates all of the 3rd parties sending on behalf of your domain. This is why you should always start with p=none to monitor the activity of your domain BEFORE implementing enforcement. Publishing the record incorrectly could cause your mail from these providers not to be delivered. Work with your technical personnel to ensure that your DMARC is properly formatted and affords you the greatest level of protection.
What is DMARC Monitoring
DMARC monitoring is the act of reviewing DMARC reports to check for unauthorized senders spoofing your domain.
When you first create a DMARC record, you include an email address that will receive the DMARC reports. The reports are incredibly valuable but aren’t easy to interpret. Raw DMARC reports are simply XML data dumps with lines of detail about the IP addresses.
Valimail*, a leader in zero-trust email security, offers free access to its DMARC Monitoring tool. After you create an account, you can add your sending domain(s) and update your DMARC record so that the DMARC reports are sent to Valimail. You can create your free account here.
How to Set Up DMARC Monitoring
Follow the steps below to update or create your DMARC record so that it points to the Valimail* Cloud. This allows Valimail to receive your DMARC aggregate reports. To use Valimail* for DMARC Monitoring, add this value to the end of the DNS value: ;rua=mailto:dmarc_agg@vali.email; Go to the “DMARC Monitoring” section here for more information on DMARC monitoring.
If you already have a _dmarc TXT record: just add mailto:dmarc_agg@vali.email to the "rua" parameter:
The “Value” part of your TXT record should look as follows:
v=DMARC1; p=none; rua=mailto:dmarc_agg@vali.email;
If you don't have a _dmarc TXT record: create the following TXT record in DNS:
Type | Host | Value |
TXT | _dmarc.exampledomain.com | v=DMARC1; p=none; rua=mailto:dmarc_agg@vali.email; |
Example: If your domain name was hotelrevinate.com, the host/name value to create for the TXT record would be _dmarc.hotelrevinate.com
No change to your email flow will occur.
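For the "already have a _dmarc TXT record" case above, here is an added example (not Revinate's or Valimail's code) that merges the reporting address into an existing record's rua tag instead of replacing the whole value, so an existing policy and any existing report addresses are kept. The function names and the sample records are constructed for illustration.

```python
VALIMAIL_RUA = "mailto:dmarc_agg@vali.email"  # reporting address from the steps above
POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(value):
    """Return the record's tags as an ordered list of [name, value] pairs."""
    tags = []
    for part in value.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        name, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags.append([name.strip().lower(), val.strip()])
    if not tags or tags[0] != ["v", "DMARC1"]:
        raise ValueError("record must begin with v=DMARC1")
    if dict(tags).get("p", "").lower() not in POLICIES:
        raise ValueError("p must be none, quarantine or reject")
    return tags


def add_rua(value, uri=VALIMAIL_RUA):
    """Add uri to the rua tag, leaving every other tag (including p) unchanged."""
    tags = parse_dmarc(value)
    for tag in tags:
        if tag[0] == "rua":
            uris = [u.strip() for u in tag[1].split(",") if u.strip()]
            if uri.lower() not in (u.lower() for u in uris):
                uris.append(uri)  # keep the addresses already receiving reports
            tag[1] = ",".join(uris)
            break
    else:
        tags.append(["rua", uri])  # no rua tag yet: add one at the end
    return "; ".join(f"{name}={val}" for name, val in tags) + ";"


if __name__ == "__main__":
    # Constructed sample records for a placeholder domain.
    for record in ("v=DMARC1; p=none;",
                   "v=DMARC1; p=reject; rua=mailto:reports@exampledomain.com; pct=100"):
        print(add_rua(record))
```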
When you create your DMARC record, include Valimail’s reporting inbox in the rua tag so that the DMARC reports feed directly through to Valimail. If you have additional domains, they can be added to the same account.
Authentication status of each email (example below)
Instead of running through XML data dumps, you have free access to a dashboard (example below) that provides all the necessary data you need to make informed decisions around your DMARC policy, including every third-party service that sends from your domain.
Valimail Monitor (About DMARC & delegation tutorial) - Valimail
Google Postmaster Tools (Optional)
Google Postmaster Tools is also a great resource that allows you and us to troubleshoot deliverability hiccups and monitor complaint rates at Gmail. The tools deliver essential insights into important metrics that can identify problem areas in email-sending practices.
According to Gmail, using these tools can determine the health of your email program.
Even if Gmail isn't your primary target, understanding how your mail is viewed by Gmail can give you a better understanding of how you're perceived elsewhere.
Once you get set up and running, Google gives insights into several data points organized into different dashboards.
- Spam rate
- IP reputation
- Domain reputation
- Authentication
- Encryption
- Delivery errors
Source: Microsoft (https://learn.microsoft.com/en-us/dynamics365/customer-insights/journeys/google-postmaster)
For your domain’s DNS record:
Type | Host | Value |
TXT | @ | (Contact Deliverability Support for this entry @ deliverability@revinate.com - include the domain name) |
*Your use of any Valimail or other 3rd party tools is subject to their terms and conditions and it is your responsibility to review and comply with those terms.