Overview
SPF, DKIM, and DMARC are all ways to ensure that any mail servers which send out an email for your domain are truly authorized to do so. When correctly set up, all three will minimize the incidence of your email domain name being used in spam and phishing attacks, and also maximize proper email delivery to the intended recipient.
This article has been written to assist you in setting up your Jive installation to be able to utilize these email security measures.
Solution
The three frameworks that you should implement in order to increase email security and delivery are:
Setting up SPF (Sender Policy Framework)
SPF is a DNS TXT record that specifies which IP addresses and/or servers are allowed to send email “from” a particular domain. The process is different for Cloud and Hosted:
How to Configure SPF For Jive Cloud
To update an existing SPF record:
Log in to your DNS management console. If you already have an SPF record for your specific email domain name, then you will need to add the Jive Cloud email servers to it.
- For example, if your current SPF record was:
"v=spf1 include:_spf.google.com ~all"
- For US Customers, you’d then insert the following:
ip4:204.93.64.116 ip4:204.93.64.117 ip4:192.250.208.112 ip4:192.250.208.113 include:sendgrid.net
- Your final record would look like:
"v=spf1 ip4:204.93.64.116 ip4:204.93.64.117 ip4:192.250.208.112 ip4:192.250.208.113 include:sendgrid.net include:_spf.google.com ~all"
- For EU Customers, you’d insert the following instead:
ip4:204.93.80.116 ip4:204.93.80.117 ip4:204.93.95.57 include:sendgrid.net
- Your final record would look like:
"v=spf1 ip4:204.93.80.116 ip4:204.93.80.117 ip4:204.93.95.57 include:sendgrid.net include:_spf.google.com ~all"
Note: If you are a Jive Cloud customer planning to utilize DKIM, then Jive Support will need to switch your SMTP server from SMTP-Cloud to an SMTP-Hosted configuration to allow for this, and you should configure your SPF record with the entries meant for Jive Hosted customers below.
How to Configure SPF For Jive Hosted
Log in to your DNS management console. If you already have an SPF record for your specific email domain name, then you will need to include the Jive Hosted email servers in the SPF record.
- For example, if your current SPF record was:
"v=spf1 include:_spf.google.com ~all"
- For both US & EU Customers, you’d then insert the following:
include:sendgrid.net include:spf.jivesoftware.com
- Your final record would look like:
"v=spf1 include:sendgrid.net include:spf.jivesoftware.com include:_spf.google.com ~all"
Note: The entry include:sendgrid.net is not strictly needed for Jive Hosted customers, but is included here in case you are a Jive Cloud customer wanting to set up DKIM (read more about this below). Once Jive Support has set up DKIM and it is all working, you can remove the reference to sendgrid.net.
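The merge described in the Cloud and Hosted steps above, as an added example in Python (not part of the original article and not Jive tooling). The term lists are copied from this article and the function names are illustrative; it edits the existing record rather than creating a second one, because a domain with two SPF records fails evaluation under RFC 7208.

```python
# Added example: merge the Jive SPF terms into an existing SPF record.
# Term lists are copied from the article; function names are illustrative.
JIVE_CLOUD_US = ("ip4:204.93.64.116 ip4:204.93.64.117 ip4:192.250.208.112 "
                 "ip4:192.250.208.113 include:sendgrid.net")
JIVE_CLOUD_EU = ("ip4:204.93.80.116 ip4:204.93.80.117 ip4:204.93.95.57 "
                 "include:sendgrid.net")
JIVE_HOSTED = "include:sendgrid.net include:spf.jivesoftware.com"


def _is_all(term: str) -> bool:
    """True for the catch-all mechanism with any qualifier (~all, -all, ...)."""
    return term.lstrip("+-~?").lower() == "all"


def merge_spf(existing: str, additions: str) -> str:
    """Insert `additions` right after v=spf1, keeping 'all' as the last term."""
    terms = existing.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("existing value is not an SPF record (no v=spf1)")
    tail = [t for t in terms[1:] if _is_all(t)]
    if len(tail) > 1:
        raise ValueError("more than one 'all' mechanism")
    seen, merged = set(), []
    for term in additions.split() + [t for t in terms[1:] if not _is_all(t)]:
        if term.lower() not in seen:  # skip terms that are already present
            seen.add(term.lower())
            merged.append(term)
    record = " ".join(["v=spf1", *merged, *tail])
    if len(record) > 255:  # strict choice: keep the record in one TXT string
        raise ValueError("record is longer than one 255-character string")
    return record


def top_level_lookups(record: str) -> int:
    """Count terms in this record that cost the receiver a DNS lookup.

    RFC 7208 allows 10 per evaluation, and lookups inside included records
    count as well, so the number returned here is only a lower bound.
    """
    count = 0
    for term in record.strip('"').split()[1:]:
        name = term.lstrip("+-~?").lower()
        head = name.split(":")[0].split("/")[0].split("=")[0]
        if head in ("include", "a", "mx", "ptr", "exists", "redirect"):
            count += 1
    return count
```

Running `merge_spf` a second time with the same additions returns the record unchanged, so it is safe to re-apply.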
How to check your SPF configuration
You can manually check the SPF record using the nslookup command, which is built into all popular operating systems including Mac and Windows.
- On Windows 10, open a command prompt by selecting the spotlight search icon, type command, then select Run as Administrator.
- On macOS, choose the spotlight search icon, type in terminal, then select the Terminal utility.
- Type the command
nslookup -type=txt <domain name>
(replace <domain name> with your email domain name), then press Enter. If your DNS has been configured correctly, the output will include the SPF record (the line starting with "v=spf1"). In the example below, the domain name is google.com.
Setting up DKIM
DKIM is an acronym for “DomainKeys Identified Mail”, otherwise known as “email signing”. It relies on a pair of electronic keys: a private one, which resides on the sending mail server (at Jive Hosted Operations), and a public one held in a special DNS server record.
Since a DKIM record can be used for multiple external providers, each one is assigned a pre-agreed string called a "selector" (a sort of distinguished name).
Request creation of the DKIM keys
In order to configure DKIM, you first need to request a new DKIM public key. To do this, open a ticket with Jive Support with the subject "DKIM configuration required". Please also include:
- The email domain (typically this is the same email domain used for the Server Admin Email setting in Admin Console > System > Settings > Email Server).
- The "selector" - a simple identifier that can be anything, even something as simple as "jive" or "mail".
Our Jive Infrastructure Operations team will perform the implementation on the Jive side, and your assigned support agent will provide you with a string that should be added as a TXT record in your DNS configuration.
Field 1: TXT record Hostname or Name
Most DNS management consoles will require you to enter a hostname or name in the first field of the TXT record. If the selector you requested is "jive", then combine this with the suffix ._domainkey and enter it in the field like so:
jive._domainkey
Field 2: TXT record Value
In the second field of the TXT record (usually referred to as the Value field), enter the public key, which your support agent will provide to you. Below is an example:
"k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDmzRmJRQxLEuyYiyMg4suA2Sy MwR5MGHpP9diNT1hRiwUd/mZp1ro7kIDTKS8ttkI6z6eTRW9e9dDOxzSxNuXmume60Cjbu08gOyhPG3 GfWdg7QkdN6kR4V75MFlw624VY35DaXBvnlTJTgRg/EW72O1DiYVThkyCgpSYS8nmEQIDAQAB"
Problems with longer keys
The DKIM public keys issued by Jive Support are 1024-bit by default, but you can request a 2048-bit key, which will result in a much longer text string. When you try to enter the key in the value field of the TXT DNS record, you may run into this error:
Contiguous strings may not be longer than 255 characters.
To work around this, break the string up with double quotes into lengths of less than 255 characters in a text editor, like in the example below, and re-enter the value to the DNS record.
"v=DKIM1; k=rsa;""p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7jLS6S0MF4kJFyJOyE4Tm/Dv583oUGkUjbBa9CXWLrP4IYoamSrTqBiOQuXsbKw0yCObgDrJ844hH+yIFlTkw0FlKx/B706fEGPr7DL8L6mdicqZX1fbVqLs7GsX9OE0FOm1rUsr/eHQPug4""F2JQ5yNDtjK0Jt07pYEpf6wWxY0HMNtq4oKwU3MBwgfsVx9XsxdDYMvs0vtVR2WQD1LAxgL20hWOPtZZ6QwhZhBFpHOuiN4WACSnGDtZhHE6Mxwy642eImQtsFjnJrIe1t0HT/dP2r5B7ptkk8ZgLbH8eiI2VY7GIV7g58sJTL86xvkYLrMXcWjow2L2Ho+MKivmawIDAQAB"
Setting up DMARC
DMARC is an acronym for “Domain-based Message Authentication, Reporting, and Conformance”. It’s an email authentication, policy and reporting protocol that’s built around both SPF and DKIM.
Once you have configured SPF and DKIM, then setting up DMARC is relatively straightforward and does not involve any configuration on the Jive side, but it is outside the scope of the Jive Support team.
In practice, it consists of an additional DNS record that defines the rules for the processing of emails for a specific domain, including reporting on any errors encountered with either SPF or DKIM, as well as the IP addresses of servers used to send email from your domain name, and so on.
We recommend that you start from the official DMARC website and ask your IT Operations team to implement the DMARC framework.