ProtonMail has rolled out support for receiving mail from custom domains, and I'm adding the necessary records to my project's Cloud DNS settings from within Google Cloud Platform. I added the MX and SPF records, and they checked out, but when I try to add the DKIM records I get a "Not Properly Set" error from ProtonMail's end. I followed the same format, putting protonmail._domainkey in the hostname, adding it as a TXT record, and including v=DKIM1; k=rsa; p=... in the record value.
ProtonMail technical support wasn't very helpful, replying with a "we don't see your TXT DKIM records, please ensure they are being properly propagated" response.
I can provide the other records I've set if anyone thinks it would be helpful.
Your DKIM record may need to be wrapped in quotes.
Try:
"v=DKIM1; k=rsa; p=..."
I had the exact same issue with DKIM on ProtonMail. ProtonMail support suggested verifying the records via mxtoolbox.com. Since I could see that my TXT record wasn't showing up as I had written it, I emailed my domain provider for help. They added quotes to the TXT record, and then I could see the record properly on mxtoolbox.com.
Are you able to retrieve your DKIM record with this tool:
http://mxtoolbox.com/dkim.aspx
Enclosing your DKIM TXT entry in quotes may solve the issue. Many DKIM libraries have issues with spaces after the semicolons.
Did you attempt to use a key larger than 1024 bits?
If you provide the domain name that you are having an issue with, I will look at the DKIM information in the zone.
Microsoft and GOV.UK recommend creating a record like the following on any domain that doesn’t send email.
TXT *._domainkey v=DKIM1;p=
As I understand it, the purpose is to explicitly fail DKIM, rather than leaving open the possibility that real emails from this domain don’t use DKIM.
But I don’t see how it accomplishes that. If the spammer includes an invalid DKIM header, then it’s invalid, not just missing, whether the DNS lookup result is no match or a conflicting match. And if the spammer omits the DKIM header, then a wildcard DNS record doesn’t tell you that there isn’t a valid DKIM record somewhere. It doesn’t communicate that the email should have used DKIM, while the following does:
TXT _domainkey o=!
So what is the wildcard invalid DKIM record accomplishing?
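The two DKIM threads above turn on how a verifier reads the published TXT record: the quoted strings of one record are joined before the tag list is parsed, whitespace after semicolons is tolerated, a key longer than 255 characters (any 2048-bit RSA key) must be split into several strings, an empty p= means a revoked key, and o=! is a DomainKeys policy tag rather than a DKIM key tag. The parser below is an added example written for this page, not code from ProtonMail or any library; the two public keys it embeds are constructed placeholders of realistic length, not real RSA keys.

```python
import base64
import re

# RFC 1035 caps one character-string inside a TXT record at 255 bytes; a longer value
# (a 2048-bit RSA key easily is) has to be published as several quoted strings that the
# verifier joins back together before parsing the tag list (RFC 6376 section 3.6.2.2).
TXT_STRING_MAX = 255

# Constructed placeholder public keys, NOT real RSA keys: the base64 lengths roughly match
# DER-encoded 1024-bit (162 bytes) and 2048-bit (294 bytes) RSA SubjectPublicKeyInfo.
FAKE_KEY_1024 = base64.b64encode(b"\x30" * 162).decode()  # 216 chars, fits one string
FAKE_KEY_2048 = base64.b64encode(b"\x30" * 294).decode()  # 392 chars, must be split

def split_for_txt(value, limit=TXT_STRING_MAX):
    """Chop a long record value into the quoted character-strings a zone file needs."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]

def parse_dkim_key(strings):
    """Parse a DKIM key record given as its TXT character-strings.
    Returns (tags, key_bytes, problems); the record is usable only if problems is empty."""
    problems = [f"string of {len(s)} bytes exceeds {TXT_STRING_MAX}" for s in strings
                if len(s.encode()) > TXT_STRING_MAX]
    tags = {}
    # tag-list = tag-spec *( ";" tag-spec ) [ ";" ]; whitespace around '=' and ';' is allowed
    for spec in "".join(strings).split(";"):
        if not spec.strip():
            continue
        if "=" not in spec:
            problems.append(f"malformed tag {spec.strip()!r}")
            continue
        name, value = (part.strip() for part in spec.split("=", 1))
        if name in tags:
            problems.append(f"duplicate tag {name!r}")
        tags[name] = re.sub(r"\s+", "", value)  # folding whitespace inside values is ignored
    if tags.get("v", "DKIM1") != "DKIM1":  # v is optional but must be DKIM1 when present
        problems.append("v tag must be DKIM1")
    key_bytes = 0
    if "p" not in tags:
        problems.append("no p tag: not a DKIM key record (o=! is a DomainKeys policy tag)")
    elif tags["p"] == "":
        problems.append("empty p: key revoked, any signature using this selector fails")
    else:
        try:
            key_bytes = len(base64.b64decode(tags["p"], validate=True))
        except ValueError:
            problems.append("p is not valid base64")
    return tags, key_bytes, problems
```

Running parse_dkim_key on the single 410-character string for the 2048-bit placeholder reports the over-length string, while the same value passed through split_for_txt parses cleanly, which is the failure the "Not Properly Set" reports above point at.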
I am in the process of migrating our staff's email client from Windows Live Mail to Gmail. I have gone through the process of connecting each staff's email from our domain to their respective Gmail accounts (so each staff has two valid email addresses, e.g. bob.our_domain@gmail.com and bob@our_domain.com). I am able to receive and send mail from the linked account, but emails sent from bob@our_domain.com are tagged with an alarming red question mark and read "Gmail could not verify that our_domain.com actually sent this message (and not a spammer)". I understand that this is an error with SPF configuration but for the life of me cannot figure out what the correct configuration looks like.
The domain in question is evergreensupplyonline.com.
Step 1 - Ensure SPF is enabled.
Our server is managed through cPanel, so I navigate to the authentication tab and enable both DKIM and SPF. The default SPF record is
v=spf1 +a +mx +ip4:166.62.38.87 ~all
Sending email with this configuration generates the error: SOFTFAIL with IP 208.109.80.60. Seems reasonable enough, the IP isn't listed and the ~all specifies a soft fail for unknown IPs (as far as I am aware)
Step 2 - Add the sender's IP to the SPF record
I add 208.109.80.60 to the record and my SPF record becomes
v=spf1 +a +mx +ip4:166.62.38.87 +ip4:208.109.80.60 ~all
Sending email with this configuration still generates a SOFTFAIL error but with a different IP (208.109.80.60). Based on this change I assume I won't be able to add a static IP for all of google's mail servers - not too much of a surprise.
Step 3 - Add Google's _spf domain
Following the instructions from https://support.google.com/a/answer/33786?hl=en
I removed 208.109.80.60 and instead include _spf.google.com domain. My SPF record now looks like
v=spf1 +a +mx +ip4:166.62.38.87 +include:_spf.google.com ~all
If I run my domain through https://toolbox.googleapps.com/apps/checkmx/ I get some non-critical errors but everything relating to the _spf.google.com domain seems to check out. If I send an email with this configuration I still get a SOFTFAIL error.
I'm not sure where to go from here - I've tried all that my preliminary understanding of SPF will permit. Any suggestions, observations, or tricks are greatly welcomed. Cheers,
This does all look correct, apart from one thing. I looked up both the IPs you mentioned (using whois) and they belong to... GoDaddy, not Google, which entirely explains your problem. It's quite likely that GoDaddy is redirecting your outbound email traffic since they don't allow direct SMTP sending, so you may need to add GoDaddy's SPF as well, or move to a more enlightened hosting provider.
A minor thing: put the ip4 mechanism first as it's fastest to match for receivers (it requires no extra lookups), and you don't need the + qualifiers because that's the default action.
I'm trying to add SPF records on my DNS zone. The SPF records are from Mailjet (spf.mailjet.com), the domain is Brazilian (.com.br hosted on uolhost) and my server is on DigitalOcean. When I try to add the TXT record, Mailjet says "Your SPF record is missing".
I added this TXT record (suggested by Mailjet) on my DNS zone (at uolhost):
v=spf1 include:spf.mailjet.com ?all
But I have some questions about it (I'm really a beginner on these subjects).
Should the TXT record be on DigitalOcean, uolhost or both?
Do I really have to wait 48h?
Is the TXT record above correct?
Sorry for my bad English. I really appreciate any help.
First you should make it -all instead of ~all, the whole reason to set up authentication is to prevent people from spoofing your domain.
v=spf1 include:spf.mailjet.com -all
Where your SPF record goes depends on where the email is being sent from, i.e. the 5321.From, which is the "Return-Path", etc. Not the "From" line.
So view the headers of your email and look for the return path email address.
Whichever domain that is, is the place in DNS where you will add the TXT record above. If you don't know how to see the headers of your email, just send an email to mailtest@unlocktheinbox.com; it will send you your header information on top of the report, just look for "Return-Path". There is also an SPF section; when you have it set up right it will show "PASSED".
BTW, if you have multiple SPF records (one from an email service provider and the other from Mailjet), then instead of adding 2 TXT records, please use a single TXT record with a combination like below:
v=spf1 include:spf.mailjet.com include:spf.protection.outlook.com ~all
(since we use the Outlook email service, hence Outlook in our case).
I have been experiencing some trouble when using cPanel and DKIM keys at my DNS provider.
The problem (in their opinion) was that my DKIM key inside the TXT record made all other DNS records stop working when the DKIM key expired (after 7 days).
My question is:
Is this true? Will an expired TXT DKIM record make my A, CNAME and MX records stop working?
No. That makes absolutely no sense at all. The content in a TXT record cannot possibly affect any other resource record. At least not in DNS, I cannot say anything about whatever strangeness the provider may have implemented in their own system.
I am having issues with my SPF records and I am not very familiar with them. I need to add 2 additional SPF records to my current SPF record. At first, I just created 2 other TXT records but it seems that's not correct. I can only have 1 SPF record.
So, I need your help: I need to merge these 3 SPF records together:
v=spf1 +a +mx +ip4:184.170.132.66 +ip4:184.107.73.236 ~all
MS=ms46042964
v=spf1 a mx include:freshbooks.com -all
The first one is from my hosting provider, the second one is for my Office 365 (my emails are managed with Exchange Online) and the third one is to prevent the invoices sent by FreshBooks from going into my clients' junk folders.
Any help is appreciated, thank you very much!
Jean-Philippe
First, you probably want to look at a resource like this one: SPF Introduction. Once you've got an understanding of what SPF does and what a valid record looks like, try deleting the other 2 existing records and updating 1, for example:
v=spf1 +a +mx +ip4:184.170.132.66 +ip4:184.107.73.236 MS=ms46042964 include:freshbooks.com ~all
Then use an SPF validation tool to check the record. You're likely going to run into a "Too many DNS lookups" error though, which means you'll need to pare down the record to include only the information you absolutely need. See this post for more insight. And this is a good tool to see exactly where the record is exploding.
A few years late...
But MS=ms46042964 is not part of an SPF record; it is an Office 365 validation token and should not be included in an SPF record. This will cause an error, both for MS doing the validation and when performing an SPF test.
Also since you are switching to Office 365, you can remove the SPF from your hosting provider as you will not be using their email hosting. So the only SPF you would need is Office 365's.
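The Mailjet/Outlook answer and the FreshBooks/Office 365 thread above both come down to the same two rules: a domain may publish only one SPF record, so several must be merged into one, and that record may contain at most 10 DNS-lookup terms (a, mx, ptr, exists, include, redirect), which is where the "Too many DNS lookups" error comes from. The linter and merge routine below are an added example written for this page, not code from any of the posters or from Office 365; they check syntax and count lookups offline without resolving the included domains (nested includes add to the count at evaluation time), so a clean result here is necessary but not sufficient.

```python
import re

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 allows at most 10 terms that trigger DNS lookups
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MECHANISMS = LOOKUP_MECHANISMS | {"ip4", "ip6", "all"}
MODIFIERS = {"redirect", "exp"}  # redirect also costs a lookup
# qualifier, name, then ':' or '/' (mechanism argument) or '=' (modifier value)
TERM_RE = re.compile(r"^([+\-~?]?)([A-Za-z][A-Za-z0-9_.-]*)(?:([:=/])(.*))?$")

def parse_term(term):
    """Return (qualifier, name, separator, argument); '+' is the default qualifier."""
    m = TERM_RE.match(term)
    if not m:
        raise ValueError(f"unparsable term {term!r}")
    qual, name, sep, arg = m.groups()
    return qual or "+", name.lower(), sep or "", arg or ""

def lint_spf(record):
    """Return the problems found in one SPF record; an empty list means it looks valid."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must begin with v=spf1"]
    problems, lookups = [], 0
    for term in terms[1:]:
        qual, name, sep, arg = parse_term(term)
        if sep == "=" and name not in MODIFIERS:  # modifier syntax with an unknown name
            problems.append(f"{term!r} is not an SPF term (e.g. MS=... is a domain "
                            "verification token; publish it as its own TXT record)")
        elif sep == "=":
            lookups += name == "redirect"
        elif name not in MECHANISMS:
            problems.append(f"unknown mechanism {name!r} causes a permerror")
        else:
            lookups += name in LOOKUP_MECHANISMS
    if lookups > MAX_DNS_LOOKUPS:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of {MAX_DNS_LOOKUPS}")
    return problems

def merge_spf(records, all_qualifier="-"):
    """Merge several SPF records into the single one a domain may publish: mechanisms kept in
    order without duplicates, the default '+' dropped, non-SPF tokens returned separately."""
    kept, dropped = [], []
    for term in " ".join(records).split():
        qual, name, sep, arg = parse_term(term)
        if name in ("v", "all"):
            continue  # version tags and per-record 'all' are replaced by one trailing 'all'
        if sep == "=" or name not in MECHANISMS:
            dropped.append(term)
            continue
        rebuilt = ("" if qual == "+" else qual) + name + sep + arg
        if rebuilt not in kept:
            kept.append(rebuilt)
    return "v=spf1 " + " ".join(kept + [all_qualifier + "all"]), dropped
```

Fed the three records from the FreshBooks thread, merge_spf returns one record with the MS= token set aside for its own TXT record, and lint_spf on the record proposed in the first answer flags exactly that token.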