How do I set up my domain to send out mails that can be validated by SPF and DKIM
Projects on Dropsolid Experience Cloud use a shared SendGrid account as the mail service for outgoing email. If you use a service that verifies whether emails sent in the name of your domain or organisation are legitimate, you must ensure that the mail service actually used is allowed to send them.
Depending on the level of security you want to achieve for your project, you can either list SendGrid as one of the allowed sender services, or use a separate mail service for enhanced security.
SPF and sender authentication
Sender Policy Framework (SPF) is an email authentication standard developed by AOL that compares the email sender’s actual IP address to a list of IP addresses authorized to send mail from that domain. The IP list is published in the domain’s DNS record.
Most of the information below is borrowed from the SendGrid documentation. The original document can be found here: https://sendgrid.com/docs/glossary/spf/
If you have an SPF record set for your root domain (i.e. yourdomain.com), you must add include:sendgrid.net before the all mechanism of this record. If you do not have an SPF record for your domain, you must create a TXT record with the value:
v=spf1 include:sendgrid.net ~all
Do not create more than one SPF record for a given domain. If you need more than one SPF record, merge the additional SPF records into a single SPF record.
Already have an SPF record for your domain?
No problem. You simply need to add the SendGrid include mechanism lookup into your existing record.
For example, if your record looks like this:
v=spf1 a mx include:_spf.google.com include:spf.protection.outlook.com ~all
You would just need to add our lookup at the end of the string, before the ~all mechanism, like so:
v=spf1 a mx include:_spf.google.com include:spf.protection.outlook.com include:sendgrid.net ~all
Don't want to include another hostname lookup? (not recommended)
If you would rather not include SendGrid's SPF hostname lookup in your record, or perhaps you just have too many already, you can also choose to give permission to a specific IP address to send mail for your domain. This is accomplished using the ip4 mechanism.
You can instead list our dedicated IP address, meaning that only mail coming from that particular IP address, owned by Dropsolid, will be considered a permitted sender via SendGrid for that domain. An example of such a record looks like this:
v=spf1 a mx include:_spf.google.com include:spf.protection.outlook.com ip4:18.104.22.168 ~all
For more information on SPF best practices and syntax, check out www.openspf.org
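As an added example (not part of this documentation or of SendGrid's code), the Python helper below applies the rules above offline: it picks the single v=spf1 record out of a domain's TXT records, inserts include:sendgrid.net before the all mechanism only if it is not already present, and counts the DNS-querying terms against the limit of 10 lookups per evaluation that RFC 7208 imposes (the reason a record may already have "too many" includes). The TXT records are constructed sample data.

```python
import re

# Terms that cost a DNS lookup when a receiver evaluates the record. RFC 7208
# allows at most 10 per evaluation; beyond that the result is a permerror.
DNS_COSTING_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_DNS_LOOKUPS = 10

# Constructed sample: the TXT records a zone might publish, SPF among them.
SAMPLE_TXT = [
    "google-site-verification=example-token",
    "v=spf1 a mx include:_spf.google.com include:spf.protection.outlook.com ~all",
]


def parse_spf(record: str) -> list[str]:
    """Split an SPF TXT value into its terms, checking the v=spf1 version tag."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: it must start with v=spf1")
    return terms[1:]


def term_name(term: str) -> str:
    """Mechanism/modifier name: strip the qualifier (+ - ~ ?) and any argument."""
    body = term.lstrip("+-~?")
    return re.split(r"[:/=]", body, maxsplit=1)[0].lower()


def count_dns_lookups(record: str) -> int:
    """Number of DNS-querying terms; ip4, ip6 and all are free."""
    return sum(1 for t in parse_spf(record) if term_name(t) in DNS_COSTING_TERMS)


def add_include(record: str, host: str = "sendgrid.net") -> str:
    """Insert include:<host> before the all mechanism, once; unchanged if present."""
    terms = parse_spf(record)
    new_term = f"include:{host}"
    if any(t.lower() == new_term for t in terms):
        return record
    # 'all' matches everything, so any term placed after it is never evaluated.
    all_pos = next((i for i, t in enumerate(terms) if term_name(t) == "all"), len(terms))
    terms.insert(all_pos, new_term)
    return " ".join(["v=spf1", *terms])


def single_spf_record(txt_records: list[str]) -> str:
    """Pick the one SPF record from a domain's TXT records; any other count is an error."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        raise ValueError(f"expected exactly one v=spf1 record, found {len(spf)}")
    return spf[0]
```

Run add_include on single_spf_record(SAMPLE_TXT) and compare count_dns_lookups against MAX_DNS_LOOKUPS before publishing the new TXT value.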
3rd Party Tools
These are some tools that might be useful to you. We do not own or support these tools, so use them at your own risk. However, we hope that they are helpful.
The dmarcian SPF Record Flattener is an experimental tool. From their site: "[this tool] rewrites this record by removing duplicate netblocks, collapsing any overlapping netblocks, and using 0 DNS-querying mechanisms/modifiers."
If you choose to use this functionality, we suggest that you test it extensively to make sure that your customers will receive your emails and their servers can look up your records properly.
The SPF Wizard is a browser based SPF record generation tool. Fill out the form and the site generates an SPF record for you.
Dropsolid uses a global SendGrid account for all projects on the Experience Platform. In this configuration it is not possible to have a setup that enables DKIM for one specified domain only, as that would circumvent the security you want to achieve by adding DKIM checks.
It is, however, possible to configure your application to send email via a separate mail service, where the DKIM configuration can be done.
For the configuration of the mail service, there are several options:
- use a mail service you provide yourself and configure the application to send mail through it.
- use a separate SendGrid account set up by Dropsolid and configure the application to send mail through it.
For the configuration in the application, you need to ensure mail is sent through that mail service. In a Drupal site, this can be done with the swiftmailer module, or with other modules that implement outgoing mail via Drupal's mail system.
Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email authentication, policy, and reporting protocol. It builds on the SPF and DKIM protocols.
A DMARC policy allows a domain to indicate that its emails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes (e.g. reject the message). These policies are published as TXT records.
For more information on DMARC, check out dmarc.org