Help! Emails I send from our email blast system are showing up as Unverified
How to verify your emails
I’ve been seeing a common issue faced by many companies. They send emails through a bulk email provider like Mailchimp, Ticketmaster, Brevo, Hubspot, etc. and their emails are getting flagged as possible spam or as unverified.
So let’s break this down to show what’s happening. DeployDepot is sending email using their Mailchimp Account. That should be legit right?
Let’s check the mail header (warning we’re about to get technical)
Authentication-Results: spf=pass (sender IP is 198.2.144.59) smtp.mailfrom=mail59.atl301.rsgsv.net; dkim=pass (signature was verified) header.d=mailchimpapp.net;dmarc=fail action=none header.from=deploydepot.ca;compauth=fail reason=001
Pulling out the important info, and noting which domain each result applies to:
SPF passed, but for smtp.mailfrom=mail59.atl301.rsgsv.net (Mailchimp's own bounce domain)
DKIM passed, but for header.d=mailchimpapp.net (Mailchimp's own signing domain)
DMARC failed for header.from=deploydepot.ca (the domain the recipient actually sees), with action=none
compauth=fail reason=001 (Microsoft's composite authentication; the 001 code means the message failed while the From domain publishes no policy that would have it rejected, which is why it is marked unverified rather than bounced)
So why did DMARC fail when SPF and DKIM both passed? Because DMARC does not just ask whether SPF or DKIM passed; it asks whether at least one of them passed for a domain that aligns with the From address. Here SPF passed for rsgsv.net and DKIM for mailchimpapp.net, both Mailchimp domains, and neither is deploydepot.ca, so neither result counts toward DMARC. Unfortunately they missed a simple configuration step: they forgot to perform Domain Authentication, which is what makes Mailchimp sign your mail with your own domain (d=deploydepot.ca) so that the DKIM result aligns:
Set Up Email Domain Authentication | Mailchimp
The above lists some simple steps to take for Mailchimp. Still need help? Read below or contact us.
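As an added worked example (not part of the original post, and not Mailchimp's or Microsoft's code), the script below re-derives the DMARC verdict from the header quoted above. It parses the SPF and DKIM identifiers the receiver reported and checks whether either aligns with header.from, in relaxed or strict mode. The organizational domain is approximated as the last two labels (real DMARC consults the Public Suffix List), and the second header, showing the same message after domain authentication with d=deploydepot.ca, is constructed for illustration.

```python
"""Re-derive a DMARC verdict from an Authentication-Results header.

Added example for this post; not Mailchimp's or Microsoft's code. DMARC does
not care that SPF and DKIM passed, it cares which domain they passed FOR and
whether that domain aligns with the visible From domain.
"""
import re

# Constructed: the header quoted in the post, as one line.
FAILING_HEADER = (
    "Authentication-Results: spf=pass (sender IP is 198.2.144.59) "
    "smtp.mailfrom=mail59.atl301.rsgsv.net; dkim=pass (signature was verified) "
    "header.d=mailchimpapp.net;dmarc=fail action=none header.from=deploydepot.ca;"
    "compauth=fail reason=001"
)

# Constructed: the same message after Mailchimp domain authentication, when the
# DKIM signature is made under the customer's own domain (d=deploydepot.ca).
FIXED_HEADER = (
    "Authentication-Results: spf=pass (sender IP is 198.2.144.59) "
    "smtp.mailfrom=mail59.atl301.rsgsv.net; dkim=pass (signature was verified) "
    "header.d=deploydepot.ca;dmarc=pass action=none header.from=deploydepot.ca;"
    "compauth=pass reason=100"
)


def parse_auth_results(header: str) -> dict:
    """Split the header into {method: (result, {property: value})}."""
    body = header.split(":", 1)[1]
    body = re.sub(r"\([^)]*\)", " ", body)  # drop comments such as "(sender IP is ...)"
    parsed = {}
    for clause in body.split(";"):
        tokens = clause.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        parsed[method] = (result, props)
    return parsed


def org_domain(name: str) -> str:
    """Organizational domain, approximated as the last two labels.

    Assumption: real DMARC consults the Public Suffix List (example.co.uk
    would break this); the approximation is fine for the .ca/.net names here.
    """
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_verdict(header: str, adkim: str = "r", aspf: str = "r") -> tuple:
    """Return ('pass' | 'fail', [reasons]) from the identifiers the receiver reported."""
    results = parse_auth_results(header)
    from_domain = results["dmarc"][1]["header.from"]
    reasons = []

    spf_result, spf_props = results.get("spf", ("none", {}))
    spf_domain = spf_props.get("smtp.mailfrom", "")
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, aspf)
    if not spf_ok:
        reasons.append(f"spf={spf_result} for {spf_domain or '(none)'} is not a passing, "
                       f"aligned identifier for {from_domain}")

    dkim_result, dkim_props = results.get("dkim", ("none", {}))
    dkim_domain = dkim_props.get("header.d", "")
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, adkim)
    if not dkim_ok:
        reasons.append(f"dkim={dkim_result} with d={dkim_domain or '(none)'} is not a passing, "
                       f"aligned identifier for {from_domain}")

    # DMARC passes when at least ONE of SPF or DKIM both passed and aligned.
    return ("pass" if (spf_ok or dkim_ok) else "fail", reasons)


if __name__ == "__main__":
    for label, hdr in (("as sent", FAILING_HEADER), ("after domain authentication", FIXED_HEADER)):
        verdict, why = dmarc_verdict(hdr)
        print(f"{label}: dmarc={verdict}")
        for reason in why:
            print("   ", reason)
```

Run as-is, the first header fails with two reasons (neither identifier aligns with deploydepot.ca) and the second passes on DKIM alone; SPF still points at Mailchimp's bounce domain, which is fine, since DMARC only needs one aligned pass.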
What if I don’t use Mailchimp and my provider doesn’t have easy instructions? I’ll break down a method for trying to figure out what the appropriate DNS records should be. Keep in mind this is assuming that the bulk email provider did things properly, and not everyone does.
First a bit of background. What is DMARC, DKIM, SPF?
DMARC definition & how it works
DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds upon SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). Its goal is to increase email security. Here’s how DMARC works:
Authentication Standards:
SPF: SPF checks whether the sending server's IP address is authorized to send mail for the domain in the envelope sender (MAIL FROM). That domain publishes a TXT record listing which servers may send for it.
DKIM: DKIM adds a digital signature to outgoing emails, made with a private key held by the sending server. The signature names the signing domain (d=) and a selector (s=); the recipient's server fetches the matching public key from DNS and verifies the signature, which proves the message hasn't been tampered with and that the d= domain vouches for it.
DMARC Implementation:
DMARC lets the owner of the From domain publish a policy telling receivers how to handle mail that fails authentication.
A DMARC pass requires that SPF or DKIM passes AND that the domain it passed for aligns with the From address (exactly, or within the same organizational domain, depending on the record). A passing SPF or DKIM result for somebody else's domain, as in the header above, does not count.
DMARC also creates a feedback loop: receivers send aggregate reports to the address the domain owner lists in the record, showing which senders passed, which failed, and why.
Actions Based on DMARC Results:
If an email fails DMARC, the receiver applies the policy the domain owner published:
p=reject: the receiver refuses the message outright.
p=quarantine: the receiver accepts it but treats it as suspicious, typically delivering it to the junk folder.
p=none: the receiver delivers it normally and only reports on it.
Legitimate emails still get through, but fraudulent or spoofed messages are more likely to be blocked.
In summary, DMARC enhances email security by ensuring that mail claiming to come from your domain is actually authenticated by your domain, reducing the risk of spoofing and phishing. Both senders and receivers benefit from its implementation.
In the Mailchimp example, the CNAME record you create at [selector]._domainkey.yourdomain.ca points at a TXT record Mailchimp hosts, which holds the public key for the DKIM signature Mailchimp applies. Once it is in place Mailchimp signs your mail with d=yourdomain.ca instead of d=mailchimpapp.net, which is exactly the alignment DMARC needs. Using a CNAME rather than copying the key also lets Mailchimp rotate the key without you touching DNS.
If you publish the key yourself instead of using a CNAME, the TXT record is named like this:
[selector]._domainkey.[domain]
With a value of:
v=DKIM1; p=[insert public key here]
To find the appropriate values, you need to jump through some hoops.
Step 1. Find the Selector
Look at the DKIM-Signature header of a message the provider sent: d= is the signing domain and s= is the selector. Head over to www.mxtoolbox.com and fire up their Super Tool. Select DKIM Lookup from the drop down and pop in the d value and s value separated by a colon (:)
ex. mailchimpapp.net:k3
(The same lookup from a terminal is a TXT query for k3._domainkey.mailchimpapp.net.)
Take note of the value, as you'll want to create a TXT record in your own domain's DNS that matches it, under the same selector name. Depending on your DNS provider the next instructions may vary a bit, but I'll show what it looks like in GoDaddy because of how prolific it is.
Is it fixed? … maybe
This should resolve it for any mail delivered from their mail server that signs with the k3 selector, but what if they have multiple servers? Mailchimp, Amazon SES and others have requirements for high availability and reliability; they can't just have a single sending mail server. For that reason you'll often see them hand out multiple DNS records. Each one corresponds to a different DKIM key that needs to have its public key referenced by your domain.
Two caveats. First, publishing the provider's key under your domain only helps if the provider actually signs your mail with d=yourdomain.ca and that selector; receivers look the key up at s._domainkey.d, so a signature that still says d=mailchimpapp.net never consults your record. Most providers only switch the signing domain once you complete their domain-authentication step in their console. Second, providers rotate keys, which is why they prefer to hand you a CNAME; a copied TXT key goes stale when they do.
If you use a 3rd party tool, you will likely need to contact them to confirm what DKIM records they have so you can create ALL of the records in your DNS zone; otherwise you might intermittently be flagged as unverified while using their platform.
What about DMARC records?
The last piece of the puzzle, and really the whole point of this thing. You've got all the DKIM public key records in your DNS, signatures are validating and aligning, but now what?
You should create a mailbox or distribution list to collect DMARC reports and publish a DMARC record for your domain that tells receivers to quarantine or reject mail that fails DMARC.
I will preface this by saying you should be 100 percent sure you've got all the DKIM records in place before moving past p=none, or legitimate mail will be quarantined or rejected (and make sure DKIM signing is turned on for your domain at your regular mail provider too, not just the bulk sender!). The usual path is to publish p=none first, watch the reports until every legitimate source passes, then move to quarantine and finally to reject.
You would do that with a DMARC DNS record, published as a TXT record named _dmarc.yourdomain.ca. I'm going to quote the wonderful people at Cloudflare for their wonderful explanation:
example DMARC TXT DNS record:
v=DMARC1; p=quarantine; adkim=s; aspf=s; rua=mailto:dmarcfailure@yourdomain.ca
What does this mean?
v=DMARC1 indicates that this TXT record contains a DMARC policy and should be interpreted as such by email servers.
p=quarantine indicates that email servers should "quarantine" emails that fail DKIM and SPF — considering them to be potentially spam. Other possible settings for this include p=none, which allows emails that fail to still go through, and p=reject, which instructs email servers to block emails that fail.
adkim=s means that DKIM checks are "strict." This can also be set to "relaxed" by changing the s to an r, like adkim=r.
aspf=s is the same as adkim=s, but for SPF.
Note that aspf and adkim are optional settings. The p= attribute is what indicates what email servers should do with emails that fail SPF and DKIM.
Relaxed vs strict is the difference between accepting the domain and its subdomains (relaxed) or only the exact domain (strict). Alignment compares the domain SPF or DKIM passed for against the From domain.
ex. From: cool.domain.com with a DKIM signature of d=domain.com passes with relaxed alignment, because both share the organizational domain domain.com, but fails with strict alignment, because strict requires d= to equal the From domain exactly. To pass with a strict policy you would need the mail signed with d=cool.domain.com and the corresponding key record at [selector]._domainkey.cool.domain.com.
rua=mailto:xxxx sends aggregate DMARC reports (XML summaries from each receiving mail system, usually daily) to this address. They help you monitor for legitimate traffic that fails DMARC before you tighten the policy, and they also give you a sense of how many emails are trying to impersonate your domain.
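To sanity-check the DKIM and DMARC records before publishing them, here is an added example (not Mailchimp's, GoDaddy's or Cloudflare's code). Both record types use the same tag=value; syntax, so one parser handles both, and the checks flag the mistakes this post warns about: a missing or revoked (empty) DKIM p= key, a record not starting with v=DMARC1, an invalid p= or alignment mode, p=none left in place, and a missing rua=. The sample records are constructed; the DKIM p= value is only the DER header of an RSA-2048 public key, not a usable key.

```python
"""Check DKIM and DMARC records before publishing them.

Added example for this post; not Mailchimp's, GoDaddy's or Cloudflare's code.
Both record types are 'tag=value; tag=value' lists (RFC 6376 and RFC 7489), so
one parser serves both. The sample records are constructed; the DKIM p= value
is only the DER header of an RSA-2048 SubjectPublicKeyInfo, not a usable key.
"""
import base64

# Constructed samples.
DKIM_SAMPLE = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"
DMARC_SAMPLE = "v=DMARC1; p=quarantine; adkim=s; aspf=s; rua=mailto:dmarcfailure@yourdomain.ca"
DMARC_MONITOR_ONLY = "v=DMARC1; p=none"


def dkim_record_name(selector: str, domain: str) -> str:
    """DNS name a verifier queries for the public key: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"


def dmarc_record_name(domain: str) -> str:
    """DNS name a receiver queries for the policy: _dmarc.<domain>."""
    return f"_dmarc.{domain}"


def parse_tags(record: str) -> dict:
    """Parse a 'tag=value; tag=value' list into a dict (insertion order kept)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        key = key.strip()
        if key in tags:
            raise ValueError(f"duplicate tag: {key}")
        tags[key] = value.strip()
    return tags


def check_dkim(record: str) -> list:
    """Problems with a DKIM TXT value; an empty list means it looks publishable."""
    problems = []
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional, but must be DKIM1 if present
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unknown key type k={tags['k']}")
    p = tags.get("p")
    if p is None:
        problems.append("missing p= (public key)")
    elif p == "":
        problems.append("p= is empty: this selector is REVOKED, signatures will not verify")
    else:
        try:
            der = base64.b64decode("".join(p.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            problems.append("p= is not valid base64")
        else:
            if not der or der[0] != 0x30:  # SubjectPublicKeyInfo is a DER SEQUENCE
                problems.append("p= does not decode to a DER SEQUENCE")
    return problems


def check_dmarc(record: str) -> list:
    """Problems with a DMARC TXT value; an empty list means it looks publishable."""
    problems = []
    tags = parse_tags(record)
    if not record.lstrip().startswith("v=DMARC1"):
        problems.append("record must start with v=DMARC1")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        problems.append(f"p= must be none, quarantine or reject (got {policy!r})")
    elif policy == "none":
        problems.append("p=none only monitors: spoofed mail is still delivered")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") not in ("r", "s"):
            problems.append(f"{tag}= must be r (relaxed) or s (strict)")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.startswith("mailto:"):
                problems.append(f"{tag}= URIs must be mailto: (got {uri!r})")
    if "rua" not in tags:
        problems.append("no rua=: you will receive no aggregate reports")
    return problems


if __name__ == "__main__":
    print(dkim_record_name("k3", "deploydepot.ca"), "->", check_dkim(DKIM_SAMPLE) or "ok")
    print(dmarc_record_name("deploydepot.ca"), "->", check_dmarc(DMARC_SAMPLE) or "ok")
    print(dmarc_record_name("deploydepot.ca"), "->", check_dmarc(DMARC_MONITOR_ONLY))
```

The p=none warning is deliberate: a monitor-only record is the right first step while you collect reports, but it is also the state this whole post is about, since an unaligned message under p=none is delivered and merely marked unverified.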
Hunter Tech is here to help. Call us today at 825 415 6990 or email info@huntertech.ca.