Setting up SPF and DKIM records

[magicalwonders]

I'm trying to improve the deliverability of my email from a domain on my server to Hotmail and MSN addresses.

So far I have assigned the domain a dedicated IP address, and have requested the host to apply reverse DNS.

My autoresponder vendor has advised that I should also enable SPF and DKIM records. I understand that I do this through the Advanced DNS Zone Editor in cPanel. However, I don't know what to put in the various boxes! Can anyone advise me where I get this info from?

Hope someone can help.

Myles

 

[kdean]

Actually you do it through the Email Authentication option under the Mail section.

 

[magicalwonders]

Actually you do it through the Email Authentication option under the Mail section.

It seems to be a bit more complicated than that. The Email Authentication option under the Mail section applies to incoming mail.
I'm trying to set up DKIM for out going mail.

I've found one reference which says it is done through the Advance DNS Zone Editor, but doesn't really explain much more. Then there are these instructions /http://www.digitalsanctuary.com/tech-blog/debian/setting-up-spf-senderid-domain-keys-and-dkim.html which seem to apply to smpt mail whereas I'm using Exim.

It might be time to find an expert and pay someone!

 

[Infopro]

Open your cPanel, find Mail section, find Email Authentication icon and click. On this page click the enable buttons.

 

[magicalwonders]

Open your cPanel, find Mail section, find Email Authentication icon and click. On this page click the enable buttons.

See my post No.3

The Email Authentication icon only applies to incoming email. I need to setup DKIM for outgoing email.

 

[Infopro]

See my post No.3

The Email Authentication icon only applies to incoming email. I need to setup DKIM for outgoing email.

Enable those. Send an email from the account to this address: [email protected] wait a few moment for a result email back to you.

What does that email tell you?

 

[magicalwonders]

I got the following report -

==========================================================
Summary of Results
==========================================================
SPF check:          neutral
DomainKeys check:   neutral
DKIM check:         neutral
Sender-ID check:    neutral
SpamAssassin check: ham

==========================================================
Details:
==========================================================

HELO hostname:  avasout02.plus.net
Source IP:      212.159.14.17
mail-from:      myles@domain removed

----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result:         neutral (SPF-Result: Neutral)
ID(s) verified: [email protected]
DNS record(s):
    magicalwonders.com. SPF (no records)
    magicalwonders.com. 12796 IN TXT "v=spf1 mx ip4:198.23.157.249 mx:magicalwonders.com ?all"
    magicalwonders.com. 12797 IN MX 0 magicalwonders.com.
    magicalwonders.com. 12796 IN A 198.23.157.249
    magicalwonders.com. 12797 IN MX 0 magicalwonders.com.
    magicalwonders.com. 12796 IN A 198.23.157.249

----------------------------------------------------------
DomainKeys check details:
----------------------------------------------------------
Result:         neutral (message not signed)
ID(s) verified: [email protected]
DNS record(s):

----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result:         neutral (message not signed)
ID(s) verified: 

NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions.  If you are using Port25's PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.

----------------------------------------------------------
Sender-ID check details:
----------------------------------------------------------
Result:         neutral (SPF-Result: Neutral)
ID(s) verified: [email protected]
DNS record(s):
    magicalwonders.com. SPF (no records)
    magicalwonders.com. 12796 IN TXT "v=spf1 mx ip4:198.23.157.249 mx:magicalwonders.com ?all"
    magicalwonders.com. 12797 IN MX 0 magicalwonders.com.
    magicalwonders.com. 12796 IN A 198.23.157.249
    magicalwonders.com. 12797 IN MX 0 magicalwonders.com.
    magicalwonders.com. 12796 IN A 198.23.157.249

----------------------------------------------------------
SpamAssassin check details:
----------------------------------------------------------
SpamAssassin v3.3.1 (2010-03-16)

Result:         ham  (0.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.7 RCVD_IN_DNSWL_LOW      RBL: Sender listed at [url=http://www.dnswl.org/]dnswl.org - Protect against false positives[/url], low
                            trust
                            [212.159.14.17 listed in list.dnswl.org]
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.4570]

==========================================================
Explanation of the possible results (from RFC 5451)
==========================================================

SPF and Sender-ID Results
=========================

"none"
      No policy records were published at the sender's DNS domain.

"neutral"
      The sender's ADMD has asserted that it cannot or does not
      want to assert whether or not the sending IP address is authorized
      to send mail using the sender's DNS domain.

"pass"
      The client is authorized by the sender's ADMD to inject or
      relay mail on behalf of the sender's DNS domain.

"policy"
     The client is authorized to inject or relay mail on behalf
      of the sender's DNS domain according to the authentication
      method's algorithm, but local policy dictates that the result is
      unacceptable.

"fail"
      This client is explicitly not authorized to inject or
      relay mail using the sender's DNS domain.

"softfail"
      The sender's ADMD believes the client was not authorized
      to inject or relay mail using the sender's DNS domain, but is
      unwilling to make a strong assertion to that effect.

"temperror"
      The message could not be verified due to some error that
      is likely transient in nature, such as a temporary inability to
      retrieve a policy record from DNS.  A later attempt may produce a
      final result.

"permerror"
      The message could not be verified due to some error that
      is unrecoverable, such as a required header field being absent or
      a syntax error in a retrieved DNS TXT record.  A later attempt is
      unlikely to produce a final result.


DKIM and DomainKeys Results
===========================

"none"
      The message was not signed.

"pass"
      The message was signed, the signature or signatures were
      acceptable to the verifier, and the signature(s) passed
      verification tests.

"fail"
      The message was signed and the signature or signatures were
      acceptable to the verifier, but they failed the verification
      test(s).

"policy"
      The message was signed but the signature or signatures were
      not acceptable to the verifier.

"neutral"
      The message was signed but the signature or signatures
      contained syntax errors or were not otherwise able to be
      processed.  This result SHOULD also be used for other
      failures not covered elsewhere in this list.

"temperror"
      The message could not be verified due to some error that
      is likely transient in nature, such as a temporary inability
      to retrieve a public key.  A later attempt may produce a
      final result.

"permerror"
      The message could not be verified due to some error that
      is unrecoverable, such as a required header field being
      absent. A later attempt is unlikely to produce a final result.

It looks like it's saying I have no SPF record - I entered "v=spf1 mx ip4:198.23.157.249 mx:magicalwonders.com ?all" So not sure what's gone wrong?

 

[Infopro]

So far I have assigned the domain a dedicated IP address, and have requested the host to apply reverse DNS.

Have you done this as well?
Changing the Sending IP for Outbound Email in Exim - cPanel Documentation

I entered "v=spf1 mx ip4:198.23.157.249 mx:magicalwonders.com ?all"

Why? You might try removing all changes you've made, disable both SPF and DKIM and then enable once again.

 

[magicalwonders]

Have you done this as well?
Changing the Sending IP for Outbound Email in Exim - cPanel Documentation

No I haven't done that yet



Why? You might try removing all changes you've made, disable both SPF and DKIM and then enable once again.

Well that was the output when I used the microsoft wizard for creating a SPF record.

I think I'm using cPanel 11 - So I'll see about upgrading to latest version and start again.

 

[Infopro]

I used the microsoft wizard for creating a SPF record.

cPanel takes care of this for you, with a few buttons.

 

[magicalwonders]

cPanel takes care of this for you, with a few buttons.

O.K. thanks. Maybe this will be easier than it first looked!

I removed the changes, then re-enabled them. This time I got this result -

DKIM
Status: Enabled & Active (DNS Check Passed)

It still seems to be referring to just incoming mail though -

This feature works to prevent incoming spam messages.

I checked my version of cPanel and I'm running 11.34.1

The SPF record is now showing as follows -

Status: Enabled & Active (DNS Check Passed)
Your current raw SPF record is : v=spf1 +a +mx +ip4:198.23.157.248 ?all

The IP address it is showing though is the main server address and not the dedicated IP address for the domain. Is that how it's supposed to be?

 

[Infopro]

Did you check out that other link I posted about changing the IP?

 

[Infopro]

More Info here that you might find useful as well:
Authentication - Documentation - cPanel Documentation

 

[magicalwonders]

Did you check out that other link I posted about changing the IP?

Yes, I've looked at the page, but I haven't implemented the changes yet. Should that really be done before creating the SPF and DKIM records?

The first part of the instructions are fine, but I've not created files from the command line yet, so I'll need to read up on that.

....I've just had a look using Bitvese SSH Client. As well as a command line it displays all the files on the server, very much like FileZilla. I can see under /etc that the two files mailhelo and mailips already exist, and were created on 7th Feb. They are showing file size 0. Is my next step to download them, edit them with nano, vi, or vim, and upload back to the directory?

I don't suppose a regular text editor like Notepad will work?

 

[Infopro]

Should that really be done before creating the SPF and DKIM records?

In doing so it will add the account's IP to the record.

Your suggested steps are outlined in the docs.

You probably should not edit anything like this in notepad, or MS wizard or anything else other than from the command line, logged in as root. There are plenty of threads on this forum, and docs and how-tos via Google to get you going in the right direction. You should read up a bit before making any changes to be safe.

 

[magicalwonders]

O.K. Thanks for all the help. It's much appreciated!

I'll have a good study over the next few days before doing anything!

 

[Infopro]

Good luck! It's not so bad.

 

[SrVeteranAdm]

I'm curious why the person with the original question needed to ask the same question over and over again.
Why couldn't the Product Evangelist have given all the instructions in one entry?
It seems to have been unnecessarily drawn out.

 

[Infopro]

I'm curious why the person with the original question needed to ask the same question over and over again.
Why couldn't the Product Evangelist have given all the instructions in one entry?
It seems to have been unnecessarily drawn out.

The original question was actually answered twice.

Question:

...
So far I have assigned the domain a dedicated IP address, and have requested the host to apply reverse DNS.

My autoresponder vendor has advised that I should also enable SPF and DKIM records.

...

Answer:

Actually you do it through the Email Authentication option under the Mail section.

Answer:

Open your cPanel, find Mail section, find Email Authentication icon and click. On this page click the enable buttons.

The Email Authentication page is where this is enabled.

Is there something you're stuck on here or was this thread useful to you?

 

[magicalwonders]

I'm curious why the person with the original question needed to ask the same question over and over again.
Why couldn't the Product Evangelist have given all the instructions in one entry?
It seems to have been unnecessarily drawn out.

Well, I am the OP and I don't believe I asked the same question over and over again. Lol. I was stuck with a problem that has conflicting advice from around the internet. So I posted on this forum. Was it wrong to engage in a dialogue and seek clarification on a subject I was confused about?

Whilst on the subject of curiosity however, I'm now curious as to why someones first post resurrects a thread that has been dormant for three months! Lol