I've a small SaaS where each client gets a subdomain (stackexchange.my-saas.com)
I've a mailgun account where my main domain is setup and I've created a wildcard SPF record in my DNS and if I add additional domains to my mailgun account with a subdomain, they all verifies correctly.
My question is, do I need to add every new clients subdomain as a new domain in mailgun when I have the wildcard SPF record set or can i "legally" just create a from-address for each new client so the header of the emails will be from: Stack Exchange On My SaaS<noreply#stackexchange.my-saas.com>
Sending:
For sending, there is no need. As you point out, you can have the SPF records set so your email can be sent From: whatever subdomain. Note however that Mailgun will add a Sender: header with your Mailgun registered address if your specified From: address has a different domain.
From: Stack Exchange On My SaaS <noreply#stackexchange.my-saas.com>
Sender: noreply=stackexchange.my-saas.com#my-saas.com
Receiving:
For receiving emails, it's a different story. This is a Mailgun limitation and has been answered in this other question.
Basically, Mailgun uses the same MX servers for everybody, so when they get an email they need to look up to which customer the email belongs to, much like any regular multi-host mail server.
(UPDATE) They allow to register wildcard subdomains, combined with a wildcard MX, it might just work for every subdomain. Note however that because of how DNS works, there is no standard way to define BOTH a wildcard MX and a wildcard CNAME in the same domain. CloudFlare is currently supporting this but it will fail for most other DNS providers.
Alternatively, for receiving emails in your SaaS, you have to register each of your subdomains with Mailgun independently (possible through their API). Note that this also implies verifying the domains adding TXT records for each one on your DNS.
Let's start with understanding how email works. Receiver of the email checks for the dns records of sending domain for example your primary domain is yourdomain.com and email is sent from yourdomain.com will work since you have record created under this already when your email is sent from saas.yourdomain.com then DNS record for saas.yourdomain.com should exist or else it will fail to deliver to inbox. Mailgun asks to verify to make sure it is delivered to inbox and receiver makes sure by checking DNS that it is coming from authentic person by looking up at the DNS.
So the answer is as long as your sending domain is same then you will not create it but if your sending domain is different then you will have to create
Hope this answers your question.
Related
If I add a default DKIM key (default._domainkey....) for a domain, could that interfere with email sent on behalf of that domain from 3rd part mailing services such as Google and Outlook?
To give context and clarify what I'm asking, I host multiple different websites in WHM/cPanel hosting. Many of these websites have contact forms that use PHPMailer on the local web server to send emails from the websites. I was going through all the accounts adding the default DKIM records to improve email deliverabity for these emails sent from the websites. Then I noticed this message in cPanel: "If you send email from another server, you must use this server’s DKIM key on the remote server." Many of these domains use a third party service for email. So that got me wondering if adding the default domain key could cause DKIM to fail when email is sent from those 3rd party services.
I realise that a different (from the default) DKIM key can optionally be added for such services (e.g. google._domainkey....) but if these 3rd party DKIM keys are not added to the DNS records for the domain, then what I'm wondering is if the default DKIM key comes into play for emails sent from those 3rd party services. And if it does come into play, then I guess it would cause a DKIM fail?
DKIM verifies the sender and the integrity of a message. In addition, it allows an email system to prove that spammers did not alter an incoming message while in transit. DKIM also verifies that the messages your domains receive come from the specified domain.
DKIM are important for ensuring that your domain is not delivered to your recipients spam folders or even outright rejected. Mostly hosting providers enables these by default for all cPanel accounts. Third-party DNS providers may require you to add these records manually.
So, answering your question is yes having wrong DKIM record will be a problem. You should add your 3rd party DKIM record in your cpanel.
However missing/ not having DKIM is different scenario as it shouldn't be a problem. Having the DKIM key on your messages is a 'advantage' as to indicate the spam filters and other mail servers that these messages are valid messages. But, not having the DKIM key would not be considered a 'Fail'.
I'm trying to setup a SPF record on Microsoft Azure, because currently our emails are considered as spam.
This is the record I've added:
But it doesn't seem to work, since https://www.kitterman.com/spf/validate.html returns this when I test the SPF record for my domain:
SPF record lookup and validation for: check-in.green
SPF records are published in DNS as TXT records.
The TXT records found for your domain are:
fidelise-rpfc.azurewebsites.net
Checking to see if there is a valid SPF record.
No valid SPF record found of either type TXT or type SPF.
Can anyone please tell me what I'm doing wrong?
It might be marked as SPAM not just because of SPF record but because of DMARC & DKIM as well.
If you are using 3rd party mail delivery provider - check their dash board for values. If you are sending emails yourself directly, here is a my cheat sheet:
1) DNS _dmarc record:
TXT/_dmarc/v=DMARC1; p=none; fo=1; rua=mailto:dmarc_agg#check-in.green; ruf=mailto:dmarc_afrf#check-in.green
2) DNS spf record: your is fine
TXT/#/v=spf1 a mx include:_spf.perfora.net include:_spf.kundenserver.de ~all
but usually you have to specify only one type of outbound ip address (you can check IP in actual messages that been delivered, e.g. Gmail have 'show original' option on email):
a - when you send from IP that can be resolved as A record (check-in.green web server itself)
mx - when you send from the same IP as in your MX record (if you have dedicated mail server for incoming emails and the same server sends outgoing for your project)
includes - usually for 3rd party mail delivery services, like mailgun etc. So, receiver will continue query for another record until it get a full list of IP or until 10 queries made.
ip4:xx.xx.xx.xx - when you have specific IPs for your outgoing relays (or your web servers have dedicated interface for this to avoid exposing real server address behind CDN)
3) DNS DKIM record: generate an RSA key pair (e.g. http://travistidwell.com/jsencrypt/demo/)
Set the public part to your DNS record:
TXT/rec1._domainkey/v=DKIM1; p=MIIBITANBgkqhkiG9w0BAQE....TsddAgMBAAE==
4) Make sure you message have DKIM-Signature header made with private key and marked s=rec1 (as in DNS DKIM record).
Also, do not forget to check your message in test recipient mailbox (e.g. gmail). Here you can check if all 3 validation are passed:
you are using azure, so, keep in mind they can block outgoing SMTP or redirrect via their own servers
I switched to use Mailgun from Sendgrid for email sending, we have several domains which would like to send email via Mailgun, to verify a domain, it requires for lot of DNS configuration like TXT, CNAME, MX... while with Sendgrid, it just asks me for 3 CNAME.
I'm not sure why Mailgun requires to configure much DNS information like that, does it take any advantages over SendGrid with just CNAME, if not, I think they should investigate and apply the Sendgrid way.
To clarify the use of each type of record for such mail service, For sending an email all you need to do is verify that you own the domain from which you are sending the email, they way these companies verifies the domain is by checking the DNS entry for either a CNAME or TXT record. Ideally post this verification you should be able to send email from either of the service.
The requirement of adding the additional records in the DNS zone are for use cases like -
TXT records - DKIM and SPF records, Adding these records ensures that your emails doesn't go to spam as the other email service providers verify if its a valid email from a valid sender using DKIM and SPF records. So you need to add the DKIM and SPF records.
CNAME record - Now a days everyone wants to track the email activities done by the users on the email sent to them. Activities like email opens, link clicks etc. These can be done by the email service providers but the urls of the links are converted to the email providers domain urls for tracking. If we want to have our own domain name for all links in the email including the tracking links, thats where a CNAME record for a subdomain is mapped to email providers domain and than that subdomain is used for all links.
MX record - This is required in case you want to receive emails via the email provider of your choice. If you are already using some other email provider for receiving the emails on your domain, you don't need to set up this.
I am interested in purchasing a domain, say mydomain.net
My application, whose url I want to be mydomain.net, would send transactional email for authenticating new users. For this purpose I decided to choose Sendinblue.
I want the sender of my transactional emails be noreply#mydomain.net,
thus I will add a new domain at sendinblue and call it mydomain.net. Then I will add a new sender at Sendinblue and call it noreply#mydomain.net
Am I expected to add a MX record at my hosting provider (and also name registrar) to set the mail delivery destination towards Sendinblue?
The MX records are used to receive mails only. Since you will be sending from Sendinblue and you will not receive answers to noreply#mydomain.net you do not need to create MX record for this.
I have a domain hosted at Dreamhost -- foobar.com. It has Google Apps associated with it: the 50 free email accounts which are no longer available for a new domain. I just got another domain -- foobar.edu. I want foobar.edu to become my main domain, but I still want to use the free Google Apps associated with foobar.com to handle incoming mail.
My question: Can I adjust the MX records of foobar.edu so that incoming messages to anyone#foobar.edu will be redirected to anyone#foobar.com and then be handled by my Google Apps?
I can adjust the DNS for both foobar domains, but I don't think that I can ask Google's foobar.com account to also handle foobar.edu emails directly.
if you need just catch email on domain and forward to you other mailbox, you can use http://improvmx.com/ just by adding MX records to your domain
No. You can use MX records to direct mail destined for anyone#foobar.edu to any mail server you want, but when the mail is presented to the chosen mail server, it will still be destined to anyone#foobar.edu.
In other words, email forwarding can't be controlled using MX records.
It's the receiving mail server's job to re-send an email to a "forwarding" address.
As Celada saw, with DNS you can't.
You can do that with Google Apps Default Routing: https://support.google.com/a/answer/2368153?hl=en
As suggested in this question, you'd need to point your MX records to a service that supports mail redirection
It can be only done with advanced DNS routing and it is not freely available, It would be more easier if ou have had Google Apps for business. There is only one company who can allow you to manage Email DNS routing and that is ZOHO. The implementation would be a bit complicated, but possible.
Register account for foobar.edu in Zoho, Verify domain then change MX record. Manage it's Email Routing Options and Manage redirection to different accounts.
Check some of Screenshots i have tested on and it worked. Also check zoho dns email routing guide.
https://www.zoho.com/mail/help/adminconsole/email-routing.html
I hope this will help you!