How to deliver email

This is a mix of rant about DNS GUIs and notes on SPF, DKIM, DMARC and cPanel/WHM Email Deliverability (which didn’t make a very snappy title).

cPanel/WHM Email Deliverability

cPanel delivered a much improved Email Deliverability feature in 2019, from cPanel & WHM version 78 onwards.

This is available both at the server level and for each individual account and domain; it tests DKIM, SPF and reverse DNS records, highlights problems and recommends solutions.

Let's do a quick simplified summary of what the relevant DNS TXT records are:

SPF

A Sender Policy Framework TXT record in DNS defines which servers are permitted to send email from the domain.

Email services will examine each email, checking the sending server against the email sending domain.

If the sending server does not match the list of servers authorised by the domain’s SPF record the email may be blocked or marked as junk/spam or receive a spam scoring.

A mix of IP addresses and domains is permitted in the TXT record, in a format like:

yourdomain.com. IN TXT v=spf1 mx a ptr ip4:123.123.123.123/32 include:mailserviceprovider.net ~all

As you add systems and services to your domain you need to add them to this list (eg mailchimp, CRM provider, other email provider).
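To make the "sending server against the SPF record" check concrete, here is an added example (not code from the original post or from cPanel) of a simplified SPF evaluator in Python. It walks the mechanisms of a record like the one above, left to right, and returns the result of the first match. The DNS data is a constructed in-memory table (the domains and the 198.51.100.0/24 and 203.0.113.0/24 addresses are documentation placeholders, not real zones), so it runs offline; a real validator would issue DNS queries, apply the Public Suffix rules and handle modifiers such as redirect=, which this example does not.

```python
import ipaddress

# Constructed DNS data for this example; none of these zones or addresses are real.
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges (RFC 5737).
DNS = {
    "yourdomain.com": {
        "TXT": ["v=spf1 mx a ptr ip4:123.123.123.123/32 include:mailserviceprovider.net ~all"],
        "A": ["198.51.100.10"],
        "MX": ["mail.yourdomain.com"],
    },
    "mail.yourdomain.com": {"A": ["198.51.100.25"]},
    "mailserviceprovider.net": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed table above."""
    return DNS.get(name.lower().rstrip("."), {}).get(rtype, [])


def get_spf(domain):
    """Return the domain's SPF TXT record, or None if it has none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_spf(ip, domain, depth=0):
    """Evaluate sender `ip` against `domain`'s SPF record.

    Returns (result, mechanism): result is pass/fail/softfail/neutral/none/permerror
    and mechanism is the term that matched (None if nothing matched).
    Mechanisms are tested left to right; the first match decides the result.
    """
    if depth > 10:  # RFC 7208 caps the number of DNS-querying terms at 10
        return "permerror", None
    record = get_spf(domain)
    if record is None:
        return "none", None
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # the default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # a bare address is treated as a /32 or /128; mixed versions never match
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in lookup(arg or domain, "A")
        elif name == "mx":
            matched = any(ip in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif name == "include":
            matched = check_spf(ip, arg, depth + 1)[0] == "pass"
        elif name == "ptr":
            continue  # deprecated by RFC 7208; this simplified evaluator ignores it
        else:
            # unknown mechanism; modifiers such as redirect= are not handled here
            return "permerror", term
        if matched:
            return QUALIFIERS[qualifier], term
    return "neutral", None


if __name__ == "__main__":
    for sender in ("123.123.123.123", "203.0.113.7", "198.51.100.25", "192.0.2.1"):
        print(sender, check_spf(sender, "yourdomain.com"))
```

Running it shows why the order of mechanisms matters: a sender in the provider's range passes via the include, a server not listed anywhere falls through to ~all and gets a softfail, and a domain with no record at all gives "none", which is the state the cPanel checker flags.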

DKIM

DomainKeys Identified Mail adds a cryptographic signature to outgoing email.  This can then be verified using the public key found by querying the DNS TXT record in the format:

default._domainkey.yourdomain.com. IN TXT v=DKIM1; k=rsa; p=your-public-key-value;

Specifically the email header fields d=yourdomain.com s=selector define that the DNS TXT record selector._domainkey.yourdomain.com. should hold the public key needed to verify the signature and validate the message.

If the email signature cannot be verified, or the signed values do not match what the message actually contains, then similarly the mail will receive increased spam scores and may be blocked or marked as junk/spam.

(Multiple keys other than the default are supported to allow multiple services/servers to send mail for the domain, but cPanel is fairly fixed to the default key despite feature requests to support multiple keys.  cPanel does support using the default key across multiple cPanel servers which helps.  Config files can also be tweaked but care needs to be taken to avoid losing any such tweaks during updates.)

DMARC

The Domain-based Message Authentication, Reporting and Conformance TXT record defines how this domain wants messages that fail authentication to be handled (p=none means the policy is to allow delivery; quarantine and reject are the stricter options), where aggregate (rua) and forensic (ruf) reports should be sent, which failure-reporting options apply (fo) and the reporting interval in seconds (ri):

_dmarc.yourdomain.com. IN TXT v=DMARC1; p=none; rua=mailto:admin@yourdomain.com; ruf=mailto:admin@yourdomain.com; sp=none; fo=s; ri=86400

Where DMARC is set, domain alignment is also checked and may fail even if SPF and DKIM are set correctly.  Broadly speaking this means the domain used for the From address should match the DKIM d= domain and the SPF (envelope sender) domain.

If a valid DKIM signature is present but belongs to a different domain (the d= header field differs from the From address domain), the email validation result may be SPF=pass, DKIM=pass, DMARC=fail.  All three should be set up and pass to give good confidence that the email is genuine and maximum deliverability for the email.
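The SPF=pass, DKIM=pass, DMARC=fail case is easiest to see by running the alignment logic yourself. The following is an added example (not code from the original post), written in Python: it parses a DMARC record with the tags shown above and combines the SPF and DKIM results with the alignment rule. The organizational-domain function is a deliberate simplification (last two labels) that stands in for the Public Suffix List a real validator uses, so a yourdomain.co.uk would need adjusting; the domain names are constructed placeholders.

```python
def parse_dmarc(record):
    """Turn a DMARC TXT value such as 'v=DMARC1; p=none; ...' into a tag dict."""
    return {k.strip(): v.strip() for k, _, v in
            (part.partition("=") for part in record.split(";") if part.strip())}


def org_domain(domain):
    """Simplified organizational domain: the last two labels.

    Assumption for this example only; real validators consult the Public Suffix List
    (yourdomain.co.uk would need three labels).
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_d, policy):
    """Combine SPF and DKIM results with alignment, the way a receiving server does.

    spf_domain is the envelope sender (Return-Path) domain that SPF was checked against;
    dkim_d is the d= value of the DKIM signature that verified.
    Returns (dmarc_result, disposition, spf_aligned, dkim_aligned).
    """
    spf_aligned = spf_result == "pass" and is_aligned(from_domain, spf_domain, policy.get("aspf", "r"))
    dkim_aligned = dkim_result == "pass" and is_aligned(from_domain, dkim_d, policy.get("adkim", "r"))
    if spf_aligned or dkim_aligned:
        return "pass", "none", spf_aligned, dkim_aligned
    # neither authenticated identifier is aligned: apply the domain's published policy
    return "fail", policy.get("p", "none"), spf_aligned, dkim_aligned


if __name__ == "__main__":
    # Constructed policy: the record format from the post, with p=quarantine
    policy = parse_dmarc("v=DMARC1; p=quarantine; rua=mailto:admin@yourdomain.com; "
                         "ruf=mailto:admin@yourdomain.com; sp=none; fo=s; ri=86400")
    # Mail sent through a provider that signs with its own d= and uses its own bounce domain:
    # SPF passes, DKIM passes, but neither is aligned with the From domain.
    print(evaluate_dmarc("yourdomain.com", "pass", "bounce.mailserviceprovider.net",
                         "pass", "mailserviceprovider.net", policy))
    # Same provider, but DKIM signing with the customer's own key: now DMARC passes.
    print(evaluate_dmarc("yourdomain.com", "pass", "bounce.mailserviceprovider.net",
                         "pass", "yourdomain.com", policy))
```

The second call is the configuration the post recommends: once the provider signs with a key under your own domain (or the envelope sender is under your domain), one aligned identifier is enough for DMARC to pass, and the disposition returned for a failing message is whatever p= you published.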

DNS User Interfaces

GoDaddy

SPF record name must be entered as Name:  @
DKIM record name must be entered as Name: default._domainkey

UK2

On UK2, the domain name is included in the TXT field Name, but with no trailing “.”, e.g.:
SPF: yourdomain.com
DKIM: default._domainkey.yourdomain.com

Office 365

SPF record must be entered as Host name: @
DKIM record must be entered as Host name: default._domainkey and may be set to initial Microsoft values, though Exchange itself appears to be now moving to use round robin selector1/selector2 keys.

Office 365 domains do not appear as a DNS zone in Azure at: https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FdnsZones
Instead they can be found in a hidden corner of the Microsoft 365 admin center at:
https://admin.microsoft.com/Adminportal/Home?source=applauncher#/Domains

For Exchange settings visit Office365 Admin Center, Exchange, Admin, Protection, dkim.

AWS Redshift

Everything on AWS has its own terminology: each Domain is a Hosted Zone and each DNS entry is called a Record Set, so to add a TXT entry, Create Record Set.

AWS TXT values must be entered surrounded by quotes, e.g. “v=DKIM1; k=rsa;”

At first sight the DKIM TXT record fails with the error “CharacterStringTooLong (Value is too long)”.  This failure is actually correct according to the DNS standards (a single TXT character-string is limited to 255 bytes); the trick is to split the key into two quoted strings, i.e. the TXT value is entered as “v=DKIM1; k=rsa;firstpartofkey” “secondpartofkey”, and resolvers join the strings back together when the record is read.

The same applies on Google cloud though other interfaces are clearly managing this transparently.
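The two DKIM mechanics described above, deriving the selector._domainkey.domain name from the d= and s= header fields and splitting a long public key across 255-character TXT strings for Route 53 or Cloud DNS, fit in one small Python example. It is added here and is not code from the original post or from any of the DNS providers; the DKIM-Signature header and the 400-character key are constructed placeholders (the b=, bh= and p= values are not real hashes, signatures or keys).

```python
# Constructed sample DKIM-Signature header as a receiving server would see it.
# The bh= and b= values are placeholders, not a real body hash or signature.
SAMPLE_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com; "
    "s=default; h=from:to:subject:date; bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG="
)

# Constructed stand-in for a public key: a real p= is base64 text of a comparable length.
SAMPLE_KEY = "A" * 400


def parse_tags(value):
    """Parse a 'tag=value; tag=value' list (DKIM header value or TXT record) into a dict."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            k, _, v = part.partition("=")
            tags[k.strip()] = v.strip()
    return tags


def dkim_query_name(header):
    """Return the DNS name a receiver queries for the public key: <s>._domainkey.<d>."""
    _, _, value = header.partition(":")  # drop the 'DKIM-Signature' field name
    tags = parse_tags(value)
    return f"{tags['s']}._domainkey.{tags['d']}"


def dkim_record(key, version="DKIM1", keytype="rsa"):
    """Build the TXT value published at the selector name."""
    return f"v={version}; k={keytype}; p={key}"


def split_txt(value, limit=255):
    """Split a TXT value into character-strings of at most `limit` characters (the RFC 1035 limit)."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def zone_txt_rdata(value):
    """Format for a zone file or the Route 53 / Cloud DNS console: quoted strings separated by a space."""
    return " ".join(f'"{s}"' for s in split_txt(value))


def join_txt(strings):
    """What a validating receiver does: concatenate the character-strings back into one value."""
    return "".join(strings)


if __name__ == "__main__":
    print(dkim_query_name(SAMPLE_HEADER))
    record = dkim_record(SAMPLE_KEY)
    print(zone_txt_rdata(record))
    print(parse_tags(join_txt(split_txt(record)))["p"] == SAMPLE_KEY)
```

The round trip at the end is the check worth keeping: after splitting, the joined strings must parse back to exactly the key you published, otherwise the receiver will fail to verify the signature for no visible reason.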

Infoblox

These guys could win prizes for impenetrable user experience, but at least once you know how to get around the interface, what you see is what you get, and there's a pretty neat PowerShell interface too.

Tools

Good articles on tools for investigating delivery issues here:

ISP Information
