Blog | G5 Cyber Security

Email Sender Authorization

TL;DR

This guide explains how to allow a third-party service (like an envelope sender) to send emails *as if* they are coming from your domain’s usual email address. This involves setting up SPF, DKIM and DMARC records in your DNS settings.

Step 1: Understand the Problem

When a third-party service sends an email on your behalf, receiving servers need to verify it’s legitimate. Without proper configuration, these emails might be marked as spam or rejected. The key technologies involved are:

Step 2: Get Information from Your Third-Party Service

You’ll need specific details from the envelope sender you’re using. Typically, they will provide:

Contact their support team if you don’t have this information.

Step 3: Update Your SPF Record

  1. Access Your DNS Settings: Log into the control panel of your domain registrar (e.g., GoDaddy, Namecheap) or your DNS provider (e.g., Cloudflare).
  2. Find Your Existing SPF Record: Look for a TXT record with name @ or your domain name and value starting with v=spf1. If you don’t have one, create a new TXT record.
  3. Add the Third-Party Service’s Information: Modify the SPF record to include their sending servers, keeping any mechanisms already in it (a domain must publish only one v=spf1 record). For example:
    v=spf1 include:_spf.example.com ~all

    Replace _spf.example.com with the value provided by your third-party service.

  4. Save Changes: Allow time for DNS propagation (up to 48 hours, but usually much faster).

Step 4: Add a DKIM Record

  1. Create a New TXT Record: In your DNS settings, create a new TXT record.
  2. Record Name: The name will be based on the DKIM selector provided by your third-party service (e.g., selector._domainkey).
  3. Record Value: Copy and paste the public key provided by your third-party service into the value field.
    v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA...
  4. Save Changes: Allow time for DNS propagation.

Step 5: Configure DMARC Record

DMARC tells receiving servers what to do if SPF and DKIM checks fail.

  1. Create a New TXT Record: In your DNS settings, create a new TXT record with name _dmarc.
  2. Record Value: A basic DMARC record might look like this:
    v=DMARC1; p=none; rua=mailto:postmaster@yourdomain.com; ruf=mailto:forensics@yourdomain.com
    • p=none: Start in ‘none’ mode to monitor results without affecting email delivery.
    • rua=mailto:postmaster@yourdomain.com: Email address for aggregate reports (SPF/DKIM failures).
    • ruf=mailto:forensics@yourdomain.com: Email address for forensic reports (individual email failures – use with caution due to privacy concerns).
  3. Save Changes: Allow time for DNS propagation.

Step 6: Monitor DMARC Reports

Check the aggregate reports sent to your rua address. These reports will show you which servers are sending emails on behalf of your domain and whether SPF/DKIM checks are passing or failing.
