Email Checker – part 1 – public notes

Update: Dancing in the streets. The email authentication for SwimISCA.org has passed with 3 green checks!

Whew.

This is sending via Constant Contact from the email address, ISCAVideos@.

Passing with 3 green dots!

auth-61138@auth.emailsmart.com


DNS Steps taken by MR

  1. Put in a _dmarc record for SwimISCA.org.
  2. Did the following:

Host name: 2020313035._domainkey.swimisca.org

TXT record:

k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCreVmEOSd1/6f+bXUe0d84Y/k2UX4Yi9x8cwp5mEHZjjbEvqkf/lGJbKkbZ3x7qqmzEsUfSbbmCiW4h1lOZoam6dNHF+mD5RxGBYmjpeOmgblBCX1uzH4dgoELvjgGzbdK4icbMu0RrFHpvzdbHf4oTsQRlyj4B+szB8AVrTuYywIDAQAB

TXT record suggested by Constant Contact for SwimISCA.org

Then there is this from Pair.com, our server host.

DKIM from Pair
  • All domains have the SPF setting turned on.

Working notes / to do yet:

All the other domains.


Help info from Constant Contact on DMARC

What is a DMARC policy and why do I need one?

Domain-based Message Authentication, Reporting & Conformance (DMARC) is a policy that a domain (or website) publishes in their public Domain Name System (DNS) to let a receiving mailbox provider know how email sent from that domain should be authenticated and whether it should be delivered to the spam folder or rejected if it fails that authentication. DMARC was first introduced to protect domains from being the victims of spoofing and phishing.

Why do I need a DMARC policy record?

Recently, Yahoo! and Google announced that starting in February of 2024, they will tighten requirements on inbound email to their users. One of these requirements is that all email sent to their users must come from a domain that is authenticated and has a published DMARC policy.

Note: If you haven't authenticated your domain yet, be sure to set up self-authentication within your Constant Contact account, in addition to publishing a DMARC policy, to comply with the latest authentication requirements.

A DMARC policy is also good for your brand, as a strong policy will protect your brand from phishing attacks. If you want to do a quick check to see if your domain already has a DMARC policy in place, you can do a lookup here.

How do I create a DMARC record?

What you should include in your DMARC record depends on a lot of factors. If you’re just looking to get something published to comply with the new requirements, Constant Contact recommends that the following TXT record be added to your DNS settings:

Hostname: _dmarc.yourdomain.com
Value: v=DMARC1; p=none;

For a DMARC record, the hostname will always start with “_dmarc.” followed by your domain. This is standardized so that the receiving mailbox providers can easily look up if you have a record.

The “p=” tag within the Value is what tells the receiving server what to do if the message fails a DMARC alignment check. There are three possible values:

none - Does not specify what to do with failures.

quarantine - Tells the receiving server to put unsigned or failed email into the junk folder.

reject - Tells the receiving server to bounce unsigned or failed email back to the sender.

Note: This is just a “bare necessities” type of record. If you have other email streams that are not yet authenticated, using this example record with a p=none value should not cause them any harm.

Important: For additional information about drafting a DMARC policy, please see dmarc.org. If you need help publishing your DMARC policy, your IT department or webmaster can assist you.

If you want to take more control over your DMARC policy, you can choose to create the record with additional optional tags. For example, there are two types of reporting tags which allow the receiving domains to send reports back to an address you select regarding any alignment failures. You would use that, combined with p=none, to track down all the systems that are sending email on your behalf. Once you know that all legitimate email sent using your domain will pass a DMARC alignment check, you can upgrade the policy to p=reject.

If you want to start getting DMARC reports to determine all the systems sending email from your domain so that you can lock them down and upgrade to a strict (p=reject) policy to prevent phishing and spoofing of your domain, then you should consult with an IT professional or your hosting provider.
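To check where a record sits on the path from the bare p=none record to p=reject, a small audit script helps. This is an added example, not from Constant Contact's help text; the stage names and the reports@yourdomain.com address are made up for illustration, while rua= and pct= are standard DMARC tags.

```python
# Added example: audit a DMARC TXT record value.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(value):
    """Split 'v=DMARC1; p=none;' into a tag dict; raise ValueError if malformed."""
    tags, order = {}, []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ';' is allowed
        if "=" not in part:
            raise ValueError(f"tag without '=': {part!r}")
        name, val = part.split("=", 1)
        name = name.strip().lower()
        tags[name] = val.strip()
        order.append(name)
    if not order or order[0] != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError("missing or invalid p= tag")
    return tags

def audit_dmarc(value):
    """Return (stage, findings); stage names are this example's own labels."""
    tags = parse_dmarc(value)
    policy = tags["p"].lower()
    findings = []
    if "rua" not in tags:
        findings.append("no rua= tag: no aggregate reports will be sent")
    if policy == "none":
        stage = "monitoring" if "rua" in tags else "compliance-only"
        findings.append("p=none: receivers are not asked to act on failures")
    else:
        stage = "enforcing"
        if tags.get("pct", "100") != "100":
            findings.append(f"pct={tags['pct']}: policy applies to a sample only")
    return stage, findings

# Constructed sample records (the rua address is a placeholder).
BARE = "v=DMARC1; p=none;"
MONITOR = "v=DMARC1; p=none; rua=mailto:reports@yourdomain.com"
STRICT = "v=DMARC1; p=reject; rua=mailto:reports@yourdomain.com"

if __name__ == "__main__":
    for rec in (BARE, MONITOR, STRICT):
        print(rec, "->", audit_dmarc(rec))
```
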

For more detailed information on the various tags and how you may utilize your record, please check out these additional resources:

https://dmarc.org/

https://mxtoolbox.com/dmarc/details/what-is-a-dmarc-record

How do I publish my DMARC record?

Once you have your DMARC record, you need to enter it into your DNS settings at your hosting provider. If you’re not sure where that is, try this handy tool at MXtoolbox to look up your domain and find out who hosts your DNS settings. You should have a login for that provider, but if not, reach out to your IT department or person who helped you set up your website.

Every provider has a slightly different interface, so you’ll need to log in and follow the support prompts there. Our article for updating your DNS records may help you locate the support pages for how to enter records with the top providers.

Once you find where you need to enter the information, there are three things you need to select or enter:

Record type: TXT (some interfaces may call it DMARC)

Hostname: _dmarc.yourdomain.com (don’t forget the underscore)
Value: v=DMARC1; p=none;

Note: Some hosting providers automatically add your domain to the record, in which case you’ll only need to enter “_dmarc” for the hostname.

How is DMARC alignment checked by receiving mailbox providers?

When a mailbox provider receives a message, they’ll first look at the domain found in the visible “friendly From” email address of a message. This domain is the foundation of DMARC.

[Image: Email in Gmail with From address domain]

There are two ways to pass a DMARC check. Messages can be DMARC aligned either by DKIM or SPF:

DKIM alignment - The “From” domain must match the domain found in the DKIM signature, and the DKIM signature must pass. Within Constant Contact, this can be accomplished using self-authentication via TXT record or CNAME.

SPF alignment - SPF alignment for DMARC requires that the message header domain matches the “From” domain. SPF alignment isn't possible when sending through Constant Contact (though all of our email does pass an SPF check, it just is not aligned with the “From” domain).
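The alignment rule above, worked through in code for mail sent via a third-party provider. This is an added example, not from Constant Contact's help text. It assumes relaxed alignment can be approximated by comparing the last two labels of each domain (real receivers use the Public Suffix List), and esp-bounce.example is a placeholder for the provider's bounce domain.

```python
# Added example: DMARC passes only if SPF or DKIM both passes AND aligns.
def org_domain(domain):
    """Naive organizational domain: the last two labels.
    Assumption: real receivers consult the Public Suffix List instead."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain, auth_domain, strict=False):
    """Strict needs an exact match; relaxed compares organizational domains."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if strict else org_domain(a) == org_domain(b)

def dmarc_result(from_domain, spf, dkim_sigs, strict=False):
    """spf: (result, envelope_domain); dkim_sigs: list of (result, d_domain).
    Returns (verdict, mechanisms that passed and aligned)."""
    via = []
    spf_result, envelope_domain = spf
    if spf_result == "pass" and aligned(from_domain, envelope_domain, strict):
        via.append("spf")
    if any(r == "pass" and aligned(from_domain, d, strict) for r, d in dkim_sigs):
        via.append("dkim")
    return ("pass" if via else "fail"), via

# Constructed messages. SPF passes for the provider's own bounce domain,
# which never matches the visible From domain.
ESP_SPF = ("pass", "esp-bounce.example")

CASES = {
    # Provider signs with its own domain only: both checks pass, neither aligns.
    "no self-authentication": ("swimisca.org", ESP_SPF, [("pass", "esp-bounce.example")]),
    # Self-authentication published: DKIM d= is the From domain.
    "self-authenticated": ("swimisca.org", ESP_SPF, [("pass", "swimisca.org")]),
    # Signature for the right domain, but it did not verify.
    "dkim broken": ("swimisca.org", ESP_SPF, [("fail", "swimisca.org")]),
}

if __name__ == "__main__":
    for name, (frm, spf, sigs) in CASES.items():
        print(name, "->", dmarc_result(frm, spf, sigs))
```
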

How do I resolve bounces caused by DMARC?

Bounces caused by DMARC mean that the domain you’re sending from has implemented a stronger DMARC policy (p=quarantine or p=reject) and email must be DKIM signed with that domain. If you own the domain you’re sending from and you have the ability to update your DNS records, then you’ll need to set up self-authentication within Constant Contact.

If you do NOT own the domain you’re sending from (free webmail or ISP domain), then you have some choices to make. If you own a custom domain for your business, but haven’t set up email with it yet, then it might be time to do that! If you’re not able to send from a domain you can authenticate (i.e. update the DNS records), then be on the lookout for updates coming in early 2024 within your Constant Contact account. We’ll be notifying customers who are not able to self-authenticate with some alternatives.

Be a better marketer: Using a custom domain email address is a best practice and makes you look more professional. The address can be created after you purchase your own domain.


Help comments from Constant Contact on SPF

Include Constant Contact IP addresses in your SPF or Sender ID record

Important: To pass a DMARC check, messages can be DMARC aligned either by SPF or DKIM. When sending an email through Constant Contact with your own custom domain email address, the email is only able to be DKIM aligned. In order to be SPF aligned for DMARC purposes, the visible "From" address and the "Header" or "Bounce" address must match. When sending through Constant Contact, or any other email marketing provider, the "Header" or "Bounce" address is that of our email server and will never match your visible "From" address.

Sender Policy Framework (SPF) and SenderID are authentication mechanisms that allow a domain to publicly state which IP addresses (email servers) are allowed to send email on its behalf.

If you don't have an SPF or SPF2 record, there is no requirement to create one. If your domain publishes an SPF or SPF2 record, you can choose to include Constant Contact's servers in your record. This is easily done by adding the following to your existing SPF record within your DNS settings:

include:spf.constantcontact.com

Reply from Pair.com

If you are using a third party mailing service you would need to not use our default SPF and instead create a custom SPF record via custom DNS records.

First you can disable the default SPF with the following steps.

1. Log into the Account Control Center (https://my.pair.com/)
2. Click "Domains"
3. Click "Manage Your Domain Names"
4. Click the name of the domain name
5. Click "Change SPF Settings"
6. Click "Deactivate SPF"

Once disabled you can create the custom SPF record with the following steps.

1. Log into the Account Control Center (https://my.pair.com/)
2. Click "Domains"
3. Click "Manage Your Domain Names"
4. Click the name of the domain name
5. Click on "Manage Custom DNS Records"
6. Click "Add DNS Record"
7. Select TXT from the drop down menu
8. Enter the following record information

Record Type: TXT
Hostname: @
Record Text: v=spf1 include:webmail.pair.com include:relay.pair.com include:pairlist.com a:qs4062.pair.com include:spf.constantcontact.com ~all

9. Click "Create TXT Record"


Please note in the "Record Text" field above this should all be on one line. However, due to formatting of this E-Mail it may wrap to multiple lines.

Also note our DNS has a TTL of 1 hour. It can take up to this time for the new TXT record to be recognized.
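Before pasting the custom SPF value into the DNS form, it can be linted offline. This is an added example, not code from Pair or Constant Contact. It joins a wrapped value back onto one line, counts the terms that cost a DNS lookup (SPF allows 10 in total, nested includes included), and flags a domain that ends up with two SPF records, which is why the default record is deactivated first. The "leftover default" value is a constructed placeholder.

```python
# Added example: lint an SPF TXT value and check the domain has only one.
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS query
TERM = re.compile(r"^([+\-~?]?)([a-z][a-z0-9]*)(?:[:=/].*)?$", re.I)

def lint_spf(text):
    """Return (record, top_level_lookups, problems) for one SPF TXT value."""
    record = " ".join(text.split())  # undo wrapping from e-mail or copy/paste
    terms = record.split(" ")
    problems, names = [], []
    if terms[0].lower() != "v=spf1":
        problems.append("must start with v=spf1")
    lookups, all_at = 0, None
    for pos, term in enumerate(terms[1:], start=1):
        m = TERM.match(term)
        if not m:
            problems.append(f"unparseable term {term!r}")
            continue
        qualifier, name = m.group(1), m.group(2).lower()
        names.append(name)
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_at = pos
            if qualifier in ("", "+"):
                problems.append("+all authorizes every sender")
    if all_at is None and "redirect" not in names:
        problems.append("no 'all' term: unlisted senders get a neutral result")
    elif all_at is not None and all_at != len(terms) - 1:
        problems.append("terms after 'all' are ignored")
    if lookups > 10:  # nested includes also count; only live DNS shows those
        problems.append(f"{lookups} lookups exceeds the limit of 10")
    return record, lookups, problems

def spf_records(txt_values):
    """Return (SPF records among a domain's TXT values, True if exactly one)."""
    found = [v for v in txt_values if v.split()[:1] and v.split()[0].lower() == "v=spf1"]
    return found, len(found) == 1

# The custom record from the reply above, wrapped as an e-mail client might.
WRAPPED = """v=spf1 include:webmail.pair.com include:relay.pair.com
 include:pairlist.com a:qs4062.pair.com
 include:spf.constantcontact.com ~all"""
# Constructed: a leftover default record (placeholder) beside the custom one.
BOTH = ["v=spf1 a mx ~all", WRAPPED, "unrelated-txt=1"]
```
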

Score from Constant Contact for SwimISCA.org - needing to turn last DMARC from yellow to green yet.

About the author 

Mark Rauterkus

Mark Rauterkus is the webmaster for ISCA. Also a swim, SKWIM and water polo coach in Pittsburgh, PA, USA.
Cell: 412-298-3432

  • With p=none you actually give instructions to the receiving server that they can do with failing email whatever they want.
    And this is NOT what you want.
    The ultimate goal is to reject (or quarantine) every message failing tests.
    Why? If you implemented SPF, DKIM, and DMARC properly, that would mean you didn’t send the email and it should be rejected.
    So yes, you want to have as strict a policy as possible. As soon as possible. Yesterday.
