
SPF DKIM DMARC Authentication - DNS

Chris Mathis - 07:12am, Jun 16 2020

My MDaemon Pro 16.04 Setup Windows 2012 R2 (domains and IPs changed)

mail.PrimaryDomain.com IP: 208.56.125.25

I have a number of other domains on the same server, each domain pointing to/using the same SMTP host name and IP under Setup > Domain Manager.

domain2.com > mail.PrimaryDomain.com IP: 208.56.125.25

domain3.com > mail.PrimaryDomain.com IP: 208.56.125.25

So all mail domains are using the primary domain's SMTP settings: mail.PrimaryDomain.com IP: 208.56.125.25

Is this ok?

-----

Next under Security Settings > Sender Authentication

I would like ALL mail to go through SPF verification, so SPF is enabled. The Do not verify authenticated sessions/IP's options are unchecked.

Same for DKIM: enabled, but Do not verify authenticated sessions/IP's are unchecked.

ADSP Message Disposition is all unchecked, as it is deprecated ( ? ), so not used and not in DNS.

DKIM is selected/checked - each mail domain on the server has its own selector and public and private keys.

I have defined all messages to be signed, and set up content filters to sign all mail from domains:

From *@domain2.com s=domain2 d=domain2.com
From *@PrimaryDomain.com s=PrimaryDomain d=PrimaryDomain.com
From *@domain3.com s=domain3 d=domain3.com
To *@domain2.com s=domain2 d=domain2.com
To *@PrimaryDomain.com s=PrimaryDomain d=PrimaryDomain.com
To *@domain3.com s=domain3 d=domain3.com

DMARC is enabled - All boxes are checked except Refuse to accept messages from incompatible DMARC
-----

DNS - Problem?

How should DNS be set up if you have the primarydomain.com on IP address: 208.56.125.25

But you have the other domains using the same IP address. This is what I have:

SPF Record for primarydomain.com will return: "v=spf1 mx a ip4:208.56.125.25/32 -all"

Domain Key DKIM:

primarydomain._domainkey.primarydomain.com.

"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAFDKFYSDUSYGWHDTXDFTHISKEYHASBEENCHANGEDztdoPVpGl8DIDYOUSPOTTHIS?9xXdH8XddtqaAmGo9U+BanVjjDLfPT8wgLoAzHa0lk7X99lyC2lKr4N1V/DLSKJDSJGDSKDHLSJDKSJIDWIJDPEJCLMM71b/91WwIDAQAB"

DMARC

"v=DMARC1;p=reject;pct=100;rua=mailto:easy3434049@easydmarc.com,mailto:admin@primarydomain.com;ruf=mailto:ruf@rep.easydmarc.com,mailto:admin@primarydomain.com;fo=1"

Is the above all set up correctly?

Big question: is the SPF record above set up correctly? How do I set up the other domains' SPF records to be able to authenticate through the primarydomain.com's DNS?

I currently have for domain2.com > v=spf1 mx a ip4:208.56.125.25/32 -all

and the 3rd domain: I currently have for domain3.com > v=spf1 mx a ip4:208.56.125.25/32 -all

Mail does not seem to authenticate through SPF. How do you set up SPF for the add-on (2nd and 3rd) domains in MDaemon if you are all using the same SMTP mail host?

If the SMTP mail host is mail.primarydomain.com, should that address be entered into the SPF DNS record?

Is this correct:

primarydomain.com. IN TXT "v=spf1 ip4:208.56.125.25/32 a:mail.primarydomain.com a:mail.domain2.com a:mail.domain3.com -all"

Can you "please" let me know if anything is incorrect or looks off?

I just can’t seem to get all domains to authenticate via SPF and be signed via DKIM.

Thank you.


Arron Caruth - Jun 17, 2020 7:50 am (#1 Total: 1)  


> So all mail domains are using the primary domain's SMTP settings: mail.PrimaryDomain.com IP: 208.56.125.25
> Is this ok?

 

Yes.

 

> I would like ALL mail to go through SPF verification, so SPF is enabled. The
> Do not verify authenticated sessions/IP's options are unchecked.

 

This may cause you issues.  Generally you do not want to require messages being received from local IP addresses to pass SPF because then you would have to add private IP addresses to your SPF record in order to allow them to send mail using your domain name.  The same applies to Authenticated sessions.  Generally authenticated sessions are local users that are sending mail, and in many cases may be sending mail from IP addresses that are not allowed in your SPF record. 

 

> Same for DKIM: enabled, but Do not verify authenticated sessions/IP's are unchecked.

 

Again, this might cause issues as email clients do not DKIM sign messages.

 


> How should DNS be set up if you have the primarydomain.com on IP address: 208.56.125.25
> But you have the other domains using the same IP address. This is what I have:
> SPF Record for primarydomain.com will return: "v=spf1 mx a ip4:208.56.125.25/32 -all"

You will need to set up an A, MX, and SPF record for each domain.  For example:

 

A - Mail.domain1.com -> 208.56.128.25

MX – domain1.com -> mail.domain1.com

SPF – domain1.com -> v=spf1 a mx -all

 

A - Mail.domain2.com -> 208.56.128.25

MX – domain2.com -> mail.domain2.com

SPF – domain2.com -> v=spf1 a mx -all

 

I removed the ip4:208.56.125.25/32 from the SPF record because based on the info I have it is not required.  It may very well be required and I just don’t know it, you’ll have to make that call. 

 

> primarydomain._domainkey.primarydomain.com.

 

If you are ok with your selector being “primarydomain” then this should be fine as long as you have also created selector records for the other domains.

 

>"v=DMARC1;p=reject;pct=100;rua=mailto:easy3434049@easydmarc.com,mailto:admin@primarydomain.com;ruf=mailto:ruf@rep.easydmarc.com,mailto:admin@primarydomain.com;fo=1"

I’d suggest changing it to p=none until you get everything tested and it's working.  And then I would suggest p=quarantine instead of reject.

 

> Big question: is the SPF record above set up correctly? How do I set up the other domains' SPF records to be able to authenticate through the primarydomain.com's DNS?

 

You need an SPF record for every domain.  If you don’t want to be able to make changes without having to edit the SPF record for every domain you could do something like this for the other domains:

 

"v=spf1 include:domain1.com -all"

 

> Mail does not seem to authenticate through SPF. How do you set up SPF for the add-on (2nd and 3rd) domains in MDaemon if you are all using the same SMTP mail host?

 

I’m not following the question.  There are some really helpful tools at www.mxtoolbox.com that might help though.  An example along with a snippet of the inbound SMTP log that shows what is happening would be helpful.

 

> If the SMTP mail host is mail.primarydomain.com, should that address be entered into the SPF DNS record?

 

SPF records allow an administrator to tell other servers what IP addresses are allowed to send email for a domain.  If you are sending mail from an IP address to the public, the IP needs to be included in your SPF record somehow.  That does not mean that you have to specifically list the IP address or the host name; you can use mechanisms such as "a" and "mx" to allow all IPs to send email that have an A record or an MX record for the domain pointing at them.

 

I hope that helps.

--
Arron Caruth
Vice President of Product Development
o: 817-601-3222    e: Arron.Caruth@mdaemon.com

MDaemon Technologies
Simple Secure Email
Visit us on www.mdaemon.com | Facebook | LinkedIn | YouTube
Sent using the MDaemon Email Server


 
 
--MD-Configuration---------------------------------------------------
This list is for questions about the configuration of MDAEMON. To 
unsubscribe from this mailing list send an email to 
md-configuration-unsubscribe@mdaemon.com .
--POWERED BY MDAEMON!------------------------------------------------
 
---------------------------------------------------------------------
These forums are provided by MDaemon Technologies for user-to-user 
support and discussion.  MDaemon staff members may participate in the 
forums periodically but please recognize that this is not the official
method of receiving technical support. To receive personal technical 
support please use the form here:
http://www.mdaemon.com/Support/RequestSupport/
---------------------------------------------------------------------
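
The per-domain SPF evaluation discussed in this thread, as an added example (not part of either post and not MDaemon code): a receiver looks up the SPF record of the envelope sender's own domain, so every hosted domain needs a record that resolves to the shared IP. The zone contents and the name nospf.example are constructed for illustration from the thread's placeholder names, and only the a, mx, ip4, include and all mechanisms are handled.

```python
import ipaddress

# Constructed zone data (not real DNS), built from the thread's placeholder names.
ZONE = {
    ("primarydomain.com", "TXT"): ["v=spf1 a mx -all"],
    ("primarydomain.com", "MX"): ["mail.primarydomain.com"],
    ("mail.primarydomain.com", "A"): ["208.56.125.25"],
    ("domain2.com", "TXT"): ["v=spf1 a mx -all"],
    ("domain2.com", "MX"): ["mail.domain2.com"],
    ("mail.domain2.com", "A"): ["208.56.125.25"],
    ("domain3.com", "TXT"): ["v=spf1 include:primarydomain.com -all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return ZONE.get((name.lower().rstrip("."), rtype), [])

def check_spf(domain, ip, depth=0):
    """Evaluate a, mx, ip4, include and all (a subset of RFC 7208) for one IP."""
    if depth > 10:                      # guard against include loops
        return "permerror"
    records = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
    if len(records) != 1:               # no record: none; several: permerror
        return "none" if not records else "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":               # A record of the domain itself (or arg)
            matched = ip in lookup(arg or domain, "A")
        elif mech == "mx":              # A records of the domain's MX hosts
            matched = any(ip in lookup(h, "A") for h in lookup(arg or domain, "MX"))
        elif mech == "include":         # matches only if the inner check passes
            inner = check_spf(arg, ip, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        else:                           # anything outside the subset
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # no mechanism matched

if __name__ == "__main__":
    # nospf.example is a constructed domain with no SPF record at all.
    for d in ("primarydomain.com", "domain2.com", "domain3.com", "nospf.example"):
        print(d, check_spf(d, "208.56.125.25"))
```

In this constructed zone the bare domains have no A record, so the "a" mechanism never matches and it is "mx" that authorizes the shared IP; a domain with no record of its own returns "none" even though it sends through the same host.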
