From c17a9bad04137ac8da173dc20bacc1aae08e6eb9 Mon Sep 17 00:00:00 2001 From: BjarneVO Date: Fri, 24 Jan 2025 10:46:34 +0100 Subject: [PATCH 1/6] Converted all DNS elements to proper tags and added example of DKIM. --- turbostack_configuration/Mail/Deliverability.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/turbostack_configuration/Mail/Deliverability.md b/turbostack_configuration/Mail/Deliverability.md index e346079e..fb49eb0b 100644 --- a/turbostack_configuration/Mail/Deliverability.md +++ b/turbostack_configuration/Mail/Deliverability.md @@ -19,7 +19,7 @@ SPF is an email authentication protocol designed to prevent spoofing by specifyi 1. **Define Your Sending Sources:** Identify all the mail servers and third-party services you use to send emails, such as your website hosting, CRM, or marketing platforms. 2. **Create an SPF Record:** Use your DNS manager to add a TXT record for your domain. An example SPF record might look like this: -v=spf1 include:mail.example.com ip4:64.186.18.168 -all +`v=spf1 include:mail.example.com ip4:64.186.18.168 -all` - `v=spf1` indicates the version. - `include:` lists authorized servers. 
@@ -30,7 +30,9 @@ v=spf1 include:mail.example.com ip4:64.186.18.168 -all ### 2. DKIM (DomainKeys Identified Mail) DKIM adds a digital signature to your emails, allowing the recipient’s server to verify that the message hasn’t been altered in transit and that it genuinely came from your domain. -- **How it works:** The sending server attaches an encrypted signature to the email’s header. The recipient’s server retrieves the public key from your DNS records to verify the signature’s authenticity. +- **How it works:** The sending server attaches an encrypted signature to the email’s header. The recipient’s server retrieves the public key from your DNS records to verify the signature’s authenticity. Example: + +`cloud._domainkey.example.com IN TXT "k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDmzRmJRQxLEuyYiyMg4suA2SyMwR5MGHpP9diNT1hRiwUd/mZp1ro7kIDTKS8ttkI6z6eTRW9e9dDOxzSxNuXmume60Cjbu08gOyhPG3GfWdg7QkdN6kR4V75MFlw624VY35DaXBvnlTJTgRg/EW72O1DiYVThkyCgpSYS8nmEQIDAQAB"` !!! Info Activating DKIM on Turbostack is easily done via the [TurboStack App](https://my.turbostack.app "TurboStack App")! Simply navigate to your host and go to the 'Advanced' tab. Follow the instructions under 'Mail Settings' to set up DKIM. 
@@ -61,7 +63,7 @@ Enforce SPF compliance with the `aspf` tag: (*) In relaxed SPF Alignment, the MailFROM domain and the Header From domain must be an exact match or a parent/child match (i.e. example.com and child.example.com). The parent/child match type allows any subdomain and parent domain pair to generate a PASS result. Also worth noting, in the parent/child match scenario either the MailFROM domain or the Header From domain can be the parent or the child domain. 2. **Create a DMARC Record:** Add a TXT record to your DNS. Example: -_dmarc.example.com IN TXT "v=DMARC1; p=reject; aspf=s; rua=mailto:dmarc-reports@example.com;" +`_dmarc.example.com IN TXT "v=DMARC1; p=reject; aspf=s; rua=mailto:dmarc-reports@example.com;` This record will strictly reject mails that do NOT originate from an SMTP server included in the origin domain's SPF record, and send a report to dmarc-reports@example.com. From f85dbe45859b367c75e4740d5214606518fe1e24 Mon Sep 17 00:00:00 2001 From: BjarneVO Date: Fri, 24 Jan 2025 10:54:09 +0100 Subject: [PATCH 2/6] Added section on lookup limits for SPF + added a and mx tags for SPF. --- turbostack_configuration/Mail/Deliverability.md | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/turbostack_configuration/Mail/Deliverability.md b/turbostack_configuration/Mail/Deliverability.md index fb49eb0b..89d8377f 100644 --- a/turbostack_configuration/Mail/Deliverability.md +++ b/turbostack_configuration/Mail/Deliverability.md 
@@ -19,14 +19,28 @@ SPF is an email authentication protocol designed to prevent spoofing by specifyi 1. **Define Your Sending Sources:** Identify all the mail servers and third-party services you use to send emails, such as your website hosting, CRM, or marketing platforms. 2. **Create an SPF Record:** Use your DNS manager to add a TXT record for your domain. An example SPF record might look like this: -`v=spf1 include:mail.example.com ip4:64.186.18.168 -all` +`v=spf1 a mx include:mail.example.com ip4:64.186.18.168 -all` - `v=spf1` indicates the version. - `include:` lists authorized servers. - `ip4:` lists authorized servers, but based on IPv4 address. - `-all` specifies that any non-listed server should fail the SPF check. +- `a` includes the hostname's A record(s) in the SPF lookup. +- `mx` includes the hostname's MX record(s) in the SPF lookup. + 3. **Test Your SPF Setup:** Tools like MXToolbox can validate your SPF record and ensure it’s correctly configured. +!!! Important +SPF records are limited to 10 DNS lookups per authentication check! Exceeding the 10-lookup limit results in a permanent error, causing SPF verification to fail. + +To stay within this limit, we advise the following: + +- Minimize include mechanisms by consolidating authorized senders. +- Avoid unnecessary use of a and mx lookups. +- Replace mechanisms with static IP ranges when feasible. +- Use SPF record flattening tools to generate a single, simplified record. +!!! + ### 2. DKIM (DomainKeys Identified Mail) DKIM adds a digital signature to your emails, allowing the recipient’s server to verify that the message hasn’t been altered in transit and that it genuinely came from your domain. From c2c5e1f781c4173fdf3025964f67913228b24819 Mon Sep 17 00:00:00 2001 
From: BjarneVO Date: Fri, 24 Jan 2025 10:56:39 +0100 Subject: [PATCH 3/6] Added section on lookup limits for SPF + added a and mx tags for SPF. --- turbostack_configuration/Mail/Deliverability.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/turbostack_configuration/Mail/Deliverability.md b/turbostack_configuration/Mail/Deliverability.md index 89d8377f..9637272f 100644 --- a/turbostack_configuration/Mail/Deliverability.md +++ b/turbostack_configuration/Mail/Deliverability.md @@ -28,8 +28,6 @@ SPF is an email authentication protocol designed to prevent spoofing by specifyi - `a` includes the hostname's A record(s) in the SPF lookup. - `mx` includes the hostname's MX record(s) in the SPF lookup. -3. **Test Your SPF Setup:** Tools like MXToolbox can validate your SPF record and ensure it’s correctly configured. - !!! Important SPF records are limited to 10 DNS lookups per authentication check! Exceeding the 10-lookup limit results in a permanent error, causing SPF verification to fail. @@ -41,6 +39,8 @@ To stay within this limit, we advise the following: - Use SPF record flattening tools to generate a single, simplified record. !!! +3. **Test Your SPF Setup:** Tools like MXToolbox can validate your SPF record and ensure it’s correctly configured. + ### 2. DKIM (DomainKeys Identified Mail) DKIM adds a digital signature to your emails, allowing the recipient’s server to verify that the message hasn’t been altered in transit and that it genuinely came from your domain. From 2bc9fba78866cdb7bbe61d50cb8e2825b1057cbd Mon Sep 17 00:00:00 2001 From: BjarneVO Date: Fri, 24 Jan 2025 13:57:04 +0100 Subject: [PATCH 4/6] Added more SPF tags. --- turbostack_configuration/Mail/Deliverability.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/turbostack_configuration/Mail/Deliverability.md b/turbostack_configuration/Mail/Deliverability.md index 9637272f..b4998608 100644 --- a/turbostack_configuration/Mail/Deliverability.md 
+++ b/turbostack_configuration/Mail/Deliverability.md @@ -24,9 +24,10 @@ SPF is an email authentication protocol designed to prevent spoofing by specifyi - `v=spf1` indicates the version. - `include:` lists authorized servers. - `ip4:` lists authorized servers, but based on IPv4 address. -- `-all` specifies that any non-listed server should fail the SPF check. +- `ip6:` lists authorized servers, but based on IPv6 address. - `a` includes the hostname's A record(s) in the SPF lookup. - `mx` includes the hostname's MX record(s) in the SPF lookup. +- `-all` specifies that any non-listed server should fail the SPF check. !!! Important SPF records are limited to 10 DNS lookups per authentication check! Exceeding the 10-lookup limit results in a permanent error, causing SPF verification to fail. From 8f7dbf33010930fc22e2fdc9f8259dcb06274ea1 Mon Sep 17 00:00:00 2001 From: BjarneVO Date: Fri, 24 Jan 2025 13:58:13 +0100 Subject: [PATCH 5/6] Added more SPF tags. --- turbostack_configuration/Mail/Deliverability.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/turbostack_configuration/Mail/Deliverability.md b/turbostack_configuration/Mail/Deliverability.md index b4998608..0ab3e992 100644 --- a/turbostack_configuration/Mail/Deliverability.md +++ b/turbostack_configuration/Mail/Deliverability.md @@ -25,8 +25,8 @@ SPF is an email authentication protocol designed to prevent spoofing by specifyi - `include:` lists authorized servers. - `ip4:` lists authorized servers, but based on IPv4 address. - `ip6:` lists authorized servers, but based on IPv6 address. -- `a` includes the hostname's A record(s) in the SPF lookup. -- `mx` includes the hostname's MX record(s) in the SPF lookup. +- `a:` includes the hostname's A record(s) in the SPF lookup. +- `mx:` includes the hostname's MX record(s) in the SPF lookup. - `-all` specifies that any non-listed server should fail the SPF check. !!! Important From 8ccde77d63498147d0379ee4051b4b8c68d3e99e Mon Sep 17 00:00:00 2001 
From: BjarneVO Date: Fri, 24 Jan 2025 13:58:59 +0100 Subject: [PATCH 6/6] Added more SPF tags. --- turbostack_configuration/Mail/Deliverability.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/turbostack_configuration/Mail/Deliverability.md b/turbostack_configuration/Mail/Deliverability.md index 0ab3e992..f091513a 100644 --- a/turbostack_configuration/Mail/Deliverability.md +++ b/turbostack_configuration/Mail/Deliverability.md @@ -22,11 +22,11 @@ SPF is an email authentication protocol designed to prevent spoofing by specifyi `v=spf1 a mx include:mail.example.com ip4:64.186.18.168 -all` - `v=spf1` indicates the version. +- `a` includes the hostname's A record(s) in the SPF lookup. +- `mx` includes the hostname's MX record(s) in the SPF lookup. - `include:` lists authorized servers. - `ip4:` lists authorized servers, but based on IPv4 address. - `ip6:` lists authorized servers, but based on IPv6 address. -- `a:` includes the hostname's A record(s) in the SPF lookup. -- `mx:` includes the hostname's MX record(s) in the SPF lookup. - `-all` specifies that any non-listed server should fail the SPF check. !!! Important
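Review bot: the replacement DMARC line in PATCH 1/6 (hunk `@@ -61,7 +63,7 @@`) loses the closing double quote that the removed line had: the new line ends `rua=mailto:dmarc-reports@example.com;` followed directly by the backtick, so the quoted TXT value is unterminated. Restore it as `_dmarc.example.com IN TXT "v=DMARC1; p=reject; aspf=s; rua=mailto:dmarc-reports@example.com;"`. The unchanged sentence below it says the record rejects mail that is not covered by the SPF record, but `p=reject` only applies when neither aligned SPF nor aligned DKIM passes, so that sentence would be more accurate if it mentioned DKIM as well.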
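Review bot: the DKIM record added in PATCH 1/6 (hunk `@@ -30,7 +30,9 @@`) omits the `v=DKIM1;` tag that RFC 6376 recommends putting first, and the `p=` value begins with `MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ`, which is the DER header of a 1024-bit RSA public key; RFC 8301 says signers should use at least 2048-bit keys, so a 2048-bit key (whose TXT value exceeds 255 characters and must be split into several quoted strings) is the better example for a setup guide. The modified bullet also keeps the phrase "encrypted signature": DKIM signs the message, it does not encrypt it, so "cryptographic signature" describes it correctly. It would also help to name the selector (`cloud`) explicitly, since `cloud._domainkey.example.com` is where the `s=` tag of the DKIM-Signature header points.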
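Review bot: the new `a` and `mx` bullets in PATCH 2/6 are appended after the `-all` bullet, so the list no longer follows the order of the example record and `-all`, which has to be the last mechanism in an SPF record, reads as a middle entry; place them between `v=spf1` and `include:`. The Important block would be more useful if it said which mechanisms count toward the 10-lookup limit (`a`, `mx`, `include`, `redirect`, `exists`, `ptr`; `ip4` and `ip6` do not) and that the example record as written already spends three lookups (`a`, `mx`, `include:mail.example.com`) before anything inside the included record is counted. Minor style point: `a` and `mx` in the advice bullets are not in backticks, unlike the mechanism list above.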
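Review bot: the subject of PATCH 3/6 repeats the subject of PATCH 2/6 ("Added section on lookup limits for SPF + added a and mx tags for SPF."), but the diff only moves step 3 (Test Your SPF Setup) from above the Important block to below it; a subject such as "Move SPF test step after the lookup-limit note" would describe the change. The move itself is sensible, since the note then precedes the test step that would surface the permanent error it warns about.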
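Review bot: PATCH 5/6 renames the bullets to `a:` and `mx:` while the example record a few lines above still reads `v=spf1 a mx include:...`; in SPF these are different spellings with different meaning: `a:` and `mx:` take a domain argument (for example `a:mail.example.com`), whereas bare `a` and `mx` check the A/MX records of the domain the SPF record belongs to. Either keep the bare form so the bullets match the example, or change the example as well, not only the bullets.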
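Review bot: with PATCH 6/6 the bullet order finally matches the example record (`a`, `mx` before `include:`), but the wording "the hostname's A record(s)" is imprecise for the bare mechanism: `a` without an argument checks the A record (or AAAA record, for IPv6 connections) of the domain being evaluated, that is the domain the SPF record is published under, and `mx` does the same for the hosts named in that domain's MX records. Suggest "the domain's own A/AAAA record(s)" and "the hosts in the domain's MX record(s)".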