I absolutely agree with so many of the other comments here. After watching 4 or 5 other videos on setting up DKIM and DMARC I found yours. It is to the point and easy to follow. Thank you, and keep up the good work. Cheers!
I've been in IT for 35 years and this has to be one of the top five instructional videos I have ever seen! Easy to follow, very informative, and I am thankful that it's out there! THANK YOU!
Just like everyone else…such a helpful and easy to understand presentation. The ease with which you worked through what has otherwise been such a pain in the rear made that 20 minutes very well spent. Thank you!
VERY well done video! I'm a messaging admin (as are most of your viewers I suspect) and this is the best tutorial I've found on the subject. Thorough information without being bloated. You've made a subscriber out of me. Thank you for the great content!
Wow ! I must say I am deeply impressed. Not only does the video give a clear answer to the problem, but it also taught me a lot. I love it! Thank you very much mate !
As many others already said, it is very easy to perform thanks to your guidance. Thank you so much! I have subscribed to your channel. Keep up with your marvelous job!
@thecloudgeezer I would appreciate it if you could prepare another tutorial that explains how to analyze the reports and how to determine when it's time to change the policy from none to quarantine and reject. Thanks 🙏🏻
Hey, I am circling back to drop a thanks/like. I followed this guide, leveraged MXToolbox and Proofpoint's generator, and got it rolling. I appreciate you, The Cloud Geezer.
Wow, this has been a great video. I needed to add these records for a client. I followed your video and it worked perfectly. Thanks for the great content. I'm a subscriber for life.... I'll be looking for more videos.
Such great content here! Thank you for this very helpful video 🙏 I've been fighting with those records (especially DMARC and DKIM in the Office 365 admin centre...) for a while now. Thank you again and please keep it up! 👍
That's good to hear. I do try and make them as easy as possible. Only showing what you really need to know without going off on too many tangents. Thanks for your comment.
Wow, that was very well done. I do have a question as I am getting an error, but I don't think it is a big deal. When I do the checks I get this in several locations: "DMARC Policy Not Enable" and "DMARC Quarantine/Reject policy not enabled". Any thoughts?
Thank you. You may have set the DMARC policy to do nothing rather than reject/quarantine. Some tests will fail if there is no call to action in the DMARC like that, even though the DMARC record is in place. Definitely good to set it to reject.
Great video, I have been setting up so many MS365 Exchange online and according to the admin portal everything was fine. Just learned something new, even though I have been a sysadmin for over 10 years. :D
Hi, thanks for this. Slightly confused, as you set the DMARC policy to none; I did the same and get the message that the quarantine/reject policy is not enabled. Your report showed that the policy was enabled at the end. Did you change the setting from none at some point?
Hi Stephen. Yes I did. The ‘none’ would normally be used for the initial testing as obviously it doesn’t do much except for having reports confirm that a DMARC policy exists. Setting it to ‘reject’ is generally accepted as the best practice. Thanks for picking that up and I appreciate the comment.
Short and crisp. Easy to follow, and I implemented it after watching your video. The last part, DKIM Authenticated, still shows in red. How do I enable it?
@thecloudgeezer it was very. I just finished implementing everything just now for my dissertation. About to implement CA and screenshot. Merry Christmas! 🥳
Great video. A couple of questions. Firstly, if I’m using Microsoft 365 for email, but Hostgator for DNS hosting, where would I configure DKIM? Also, once configured, what do I do with the existing DKIM in Hostgator (there is a DKIM entry there)? Do I delete it?
Hi. Using Hostgator for DNS hosting is all good; there will be some settings in your account to change the DNS entries for your domain. They will be in the Hostgator control panel. Look for an item talking about DNS Zones. When you are in there, you are correct, the Hostgator DKIM entries can be removed. Drop me a note to mark@thecloudgeezer.com if you want to chat more privately and I can certainly help you out with this. Mark.
Thanks for the excellent video! I've now added DKIM to my domain and will add DMARC later. One quick question if I may, relating to the MXToolbox AnalyseHeaders check I've just carried out: my DKIM DNS changes appear to have replicated, but AnalyseHeaders currently shows DKIM Alignment with a green tick and DKIM Authenticated with a red cross. I believe I have completed the DMARC setup correctly, so I'm wondering if there is a delay and it will turn green later? Incidentally, I actually noticed this exact state in your video at 13:42! I thought you might do a further AnalyseHeaders later in the video and we would see DKIM Authenticated had changed to a green tick, but you didn't do a further AnalyseHeaders. Thanks for any light you might be able to shed on this.
The DKIM authenticated in MXToolbox can be a little misleading as sometimes it will fail that test, then pass it an hour or so later. The way to confirm is to send to a different email address, like a gmail.com or outlook.com, and rerun the test. There are other tools available which can check it too, which I have started to favour to be honest. I put one on my blog page to make it easier too. Check this one out. thecloudgeezer.com/dkim-dmarc-spf-scanner/
@thecloudgeezer Thanks for responding, I really appreciate that. In case it's of any use to anyone, I did uncover the reason I appeared to be having trouble. It turned out that the issue is with the way I was copying the message when I emailed my own personal Gmail account prior to pasting into the MXToolbox AnalyseHeaders screen. I did what seemed correct in Gmail webmail by using 'Show original' then 'Copy to clipboard'. I was thinking it might be a propagation delay, but the next day I still had a red cross for 'DKIM Authenticated'. It turns out to be nothing to do with DNS propagation delay. I then tried a different tack: instead of using 'Copy to clipboard' in the Gmail 'Show original' screen I thought I'd hit the 'Download original' alternative over on the LHS, which saved the EML file on my desktop. I then used Notepad++ to open the EML file, then Select All, then copy, and finally paste that into the MXToolbox AnalyseHeaders screen. Then clicking 'AnalyseHeaders' shows 'DKIM Authenticated' with a nice green tick! Hope this background saves people some time when they hit the same issue.
Yes, and I have seen it stay red on certain headers too. This does depend on how the inbound service is reading the DKIM cert. The DKIM record in all the validator checks, in Google Mail, in M365 and other third party tools reports as being 100% compliant. From those checks I was happy that the records were all correct. However, in some cases MXToolbox reports that issue. As a test for this I set up my mailout through HubSpot and added the SPF entries to allow them to act on my behalf. When I checked the header coming through, it actually passed the DKIM Authenticated check in MXToolbox, which I thought was extremely interesting. Anyway, what I am saying is that your DKIM record should be checked by other third party tools as well, like dkimvalidator.org, or www.dmarcanalyzer.com/dkim/dkim-checker/ for more results. Hope this helps.
Great vid. But I'm thinking you'll still get a warning for no DMARC policy set if you're passing p=none. And the only step you seem to have skipped over is setting a DMARC policy. Something you seem to have done retrospectively? v=DMARC1; p=reject; pct=100
Yes, you are right. Setting DMARC policy to 'none' isn't really much good, however it is a good start and things really should be either quarantine or reject.
Hi. Thanks for that. You don't need to have an 'A' record in your DNS that is correct, but the NS records (Name Servers) would automatically be there and are important for Public DNS Health overall. They point to the servers that are providing the lookups for DNS queries so those ones are required for any DNS operations. Hope that helps. Mark.
It is down to how the MXToolbox toolset looks at the different records. They are correct, but have a look at the article on thecloudgeezer.com as I have placed a newer checker tool in the SPF DKIM DMARC article. Feel free to email me at mark@thecloudgeezer.com if you need to. Mark.
Hi. Yes, I respond to all comments. :-) And you are right, it doesn't address it specifically, as I have found that the DKIM and DMARC checks for the domain itself all pass. Sometimes I see the alignment in the tool possibly fail for an M365-sent email due to the selector1/2 entries. On the delivery side it always goes through fine. Performing the DKIM and DMARC checks against the domain with MXToolbox has shown more accurate results.
Thank you very much. I have implemented all SPF, DKIM, and DMARC. Our cloud service desk sends emails as from our domain and they are now sitting in the junk folder. Is there a way of allowing these emails? Thank you. Wessam
Hi. Quick question: is the third party's outbound server added to your SPF record? What you can do is look at the header of the email that appears in junk and check which part is triggering the spam designation. Email me at mark@thecloudgeezer.com and we can chat more.
Yes, that is certainly OK. The DKIM validation and selectors validate differently from provider to provider but as long as you get the Green tick on DKIM then you are good to go. I have put a checker tool on the website now. Here is the link - thecloudgeezer.com/dkim-dmarc-spf-scanner/ It will show how things are looking for any domain. Mark
I found we already had DKIM in place, but not DMARC. The DKIM keys were 2 years old ("Last Checked March 2021") so I rotated them. Any idea how long it will take to actually rotate before I can proceed? Will the CNAMEs be updated automatically by Microsoft?
If you rotate the keys it bounces between selector1 and selector2. You should have both CNAMEs already in your DNS, so there is nothing to do on your part. It is good management to periodically rotate the keys, but there is no strict guideline on how often, to be honest. The checking in the backend of Microsoft can take a couple of hours. Go back to the DKIM page in M365 after that and it should have updated for you. Mark.
You can only have one entry point for your domain. However, there are many, many ways to route email once it hits a particular mail server. To recommend the best way for you, drop me a note to mark@thecloudgeezer.com and we can discuss your situation. Always happy to help out. Mark.
Looking for a little guidance here. I set everything up, checked the configuration with EOMS, and it passes with flying colors. Checking things in MxToolbox and using the headers in GMail shows that there's no DMARC record found. I'm kind of stumped. The only variable I can think of is that we use a third-party to generate automatic signatures for outgoing email. Would that mess with the DMARC configuration somehow?
It can do if the email signature provider is intercepting the email and rewriting it as it passes through. No problem though as that can all be mitigated depending on who it is. Maybe drop me a note to mark@thecloudgeezer.com and we can go into it a bit deeper. Mark.
Hi, could you please help me. I tried to set it up and all looks similar, but my SPF (when I look at the original email) looks like SPF: PASS with IP 2a01:111:f400:fe1f:0:0:0:725. Is something wrong, or how do I fix it? Thank you
Hi, that all looks fine. The IP address you have displayed is an IPv6 address, not IPv4, but it is working well because of the 'SPF: PASS' reference. Mark.
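The advice in the thread (download the original .eml rather than copying from the web view, check the header of a message that landed in junk, and read the SPF: PASS line with its client IP) all comes down to reading the Authentication-Results header that the receiving server stamped on the message. The parser below is an added example, not code from the video or from The Cloud Geezer; it uses only the Python standard library. The sample message is constructed, its Gmail-style header layout is an assumption about the receiver, and the alignment check is a simplified relaxed match (same domain or a subdomain, with no public-suffix handling). It separates "DKIM authenticated" (the signature verified) from "DKIM aligned" (the signing domain matches the From domain), which is the distinction behind the green-tick/red-cross confusion above.

```python
"""Summarise SPF / DKIM / DMARC results from a raw message (.eml text)."""
import email
import email.utils
import re

# Constructed sample message (not a real capture). The Authentication-Results
# layout mimics what a large receiver such as Gmail writes; the IPv6 address
# is the one quoted in the thread above.
SAMPLE_EML = """\
From: Mark <mark@example.com>
To: test@receiver.example
Subject: DKIM test
Authentication-Results: mx.receiver.example;
       dkim=pass header.i=@example.com header.s=selector1 header.b=AbCd1234;
       spf=pass (domain of mark@example.com designates 2a01:111:f400:fe1f:0:0:0:725 as permitted sender) smtp.mailfrom=mark@example.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com
Message-ID: <constructed@example.com>

Hello
"""

METHOD_RE = re.compile(r"^\s*(?P<method>[a-z]+)=(?P<result>[a-z]+)", re.I)
PROP_RE = re.compile(r"\b(?P<ptype>[a-z]+)\.(?P<prop>[a-z]+)=(?P<value>[^\s;]+)", re.I)
COMMENT_RE = re.compile(r"\([^)]*\)")


def parse_auth_results(header: str) -> dict:
    """Split one Authentication-Results value into {method: {result, props...}}.
    Simplification: a ';' inside a parenthesised comment would confuse the split."""
    text = " ".join(header.split())  # unfold the folded header lines
    parts = [p.strip() for p in text.split(";") if p.strip()]
    results = {"authserv_id": parts[0]}
    for part in parts[1:]:
        m = METHOD_RE.match(part)
        if not m:
            continue
        info = {"result": m["result"].lower()}
        comment = COMMENT_RE.search(part)
        if comment:
            info["comment"] = comment.group(0)[1:-1]
        # Strip comments before reading ptype.property=value pairs so that
        # addresses quoted inside a comment are not mistaken for properties.
        for pm in PROP_RE.finditer(COMMENT_RE.sub("", part)):
            info[f"{pm['ptype']}.{pm['prop']}".lower()] = pm["value"]
        results[m["method"].lower()] = info
    return results


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip("<>").lower()


def aligned(d: str, from_domain: str) -> bool:
    """Relaxed alignment, simplified: identical or one is a subdomain of the other."""
    return bool(d) and (d == from_domain or d.endswith("." + from_domain)
                        or from_domain.endswith("." + d))


def summarise(raw_eml: str) -> dict:
    msg = email.message_from_string(raw_eml)
    headers = msg.get_all("Authentication-Results") or []
    if not headers:
        return {"error": "No Authentication-Results header: paste the full original "
                         "message (e.g. the downloaded .eml), not just the body"}
    ar = parse_auth_results(headers[0])  # first = added by the final receiver
    from_domain = domain_of(email.utils.parseaddr(msg.get("From", ""))[1])
    dkim, spf, dmarc = ar.get("dkim", {}), ar.get("spf", {}), ar.get("dmarc", {})
    dkim_domain = dkim.get("header.d") or domain_of(dkim.get("header.i", ""))
    ip_match = re.search(r"designates (\S+) as permitted sender", spf.get("comment", ""))
    pol_match = re.search(r"\bp=(\w+)", dmarc.get("comment", ""))
    return {
        "from_domain": from_domain,
        "dkim_authenticated": dkim.get("result") == "pass",   # signature verified
        "dkim_aligned": aligned(dkim_domain, from_domain),    # d= matches From
        "dkim_selector": dkim.get("header.s"),
        "spf_pass": spf.get("result") == "pass",
        "spf_aligned": aligned(domain_of(spf.get("smtp.mailfrom", "")), from_domain),
        "spf_client_ip": ip_match.group(1) if ip_match else None,
        "dmarc_pass": dmarc.get("result") == "pass",
        "dmarc_policy": pol_match.group(1).lower() if pol_match else None,
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_EML).items():
        print(f"{key:20} {value}")
```

Run it against the text of a downloaded .eml (for example the file saved from Gmail's 'Download original') and the output shows which of SPF, DKIM and DMARC the receiver actually passed, the client IP it evaluated SPF against, and the DMARC policy it found; a message with no Authentication-Results header at all is reported as such, which is the usual sign that only the body was pasted.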
IM SO CONFUSED please help. I've found we don't have an SPF set up, where am I supposed to add the text? Like simplest answer ever please step by step 😭😭😭😭
Do I just log in to the Microsoft Office account and click a button somewhere there to add an SPF TXT? It's literally just a work email address that has been in use for 5 years with no issues, but now suddenly it's saying I can't send emails due to SPF, and we don't have an IT team, it's JUST ME. I don't know what a domain is, but I need to fix this so we can send emails again 😭😭
Hi. Sure thing, to add an SPF record, these are done in your Public DNS. They are not settings that you add to the M365 tenant, but your external DNS provider, like GoDaddy or equivalent. Happy to help out on this, drop me an email to mark@thecloudgeezer.com and we can go through your particular scenario and get this done for you. Mark.
Hi The Cloud Geezer. I added the DMARC TXT in the DNS records with the action "None". I am getting the following issue: "External Domains in your DMARC are not giving permission for your reports to be sent to them". How do I fix this?
Did you add an email address to send to inside the DMARC record? If you just set to P=100, with an action of None, then although the DMARC record exists, it doesn't actually perform any tasks. The better option is to set a REJECT option and then you should add the email address for the DMARC reports to go to. It is interesting what comes through those. Email me at mark@thecloudgeezer.com if you need any help.
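Several of the checker results discussed in this thread (the "policy not enabled" warnings for p=none, the missing report address, and the "external domains ... not giving permission" message just above) can be reproduced from the DMARC TXT record itself. The audit below is an added example, not code from the video or from The Cloud Geezer; it parses a record such as the v=DMARC1; p=reject; pct=100 quoted earlier and reports the same findings. DNS is replaced by a constructed in-memory table (an assumption, so it runs offline; swap in a real TXT lookup to use it live). The external-report check follows RFC 7489 section 7.1: when rua= points at another domain, that domain must publish a TXT record at <sender-domain>._report._dmarc.<report-domain> containing v=DMARC1, which is what the quoted error is complaining about. The example goes slightly beyond the thread by also validating the pct= range.

```python
"""Audit a DMARC TXT record the way the checkers discussed above do."""

# Constructed stand-in for DNS: owner name -> TXT value. Not real domains.
FAKE_DNS = {
    # policy none, no reporting address: the situation several commenters hit
    "_dmarc.example.com": "v=DMARC1; p=none; pct=100",
    # reject, reports go to another domain that has authorised them
    "_dmarc.example.org": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@reports.example.net",
    "example.org._report._dmarc.reports.example.net": "v=DMARC1",
    # quarantine, reports go to another domain that has NOT authorised them
    "_dmarc.example.edu": "v=DMARC1; p=quarantine; rua=mailto:dmarc@other.example.com",
}


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; pct=100' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def report_domain_authorised(sender: str, report_domain: str, dns: dict) -> bool:
    """RFC 7489 s7.1: external report receivers opt in with a v=DMARC1 TXT record."""
    owner = f"{sender}._report._dmarc.{report_domain}"
    return dns.get(owner, "").strip().lower().startswith("v=dmarc1")


def audit_dmarc(domain: str, dns: dict = FAKE_DNS) -> list:
    """Return a list of findings for the DMARC record of `domain` (empty = clean)."""
    findings = []
    record = dns.get(f"_dmarc.{domain}")
    if record is None:
        return ["No DMARC record found"]
    tags = parse_dmarc(record)

    if tags.get("v") != "DMARC1":
        findings.append("Record must begin with v=DMARC1")

    policy = tags.get("p")
    if policy is None:
        findings.append("Missing required p= tag")
    elif policy == "none":
        findings.append("Policy is none: receivers take no action on failing mail "
                        "(only useful while monitoring reports)")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"Unknown policy value {policy!r}")

    # pct= is the percentage of failing messages the policy applies to (default 100)
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append(f"pct must be an integer 0-100, got {pct!r}")

    if "rua" not in tags:
        findings.append("No rua= address: aggregate reports will not be sent anywhere")
    else:
        for uri in tags["rua"].split(","):
            uri = uri.strip()
            if not uri.startswith("mailto:"):
                findings.append(f"Unsupported rua URI {uri!r}")
                continue
            report_domain = uri[len("mailto:"):].rsplit("@", 1)[-1].lower()
            # Simplification: treats only the domain itself and its subdomains as
            # internal; RFC 7489 compares organisational domains.
            internal = report_domain == domain or report_domain.endswith("." + domain)
            if not internal and not report_domain_authorised(domain, report_domain, dns):
                findings.append(
                    f"External report domain {report_domain} has not authorised "
                    f"reports for {domain}: needs TXT at "
                    f"{domain}._report._dmarc.{report_domain} containing v=DMARC1")
    return findings


if __name__ == "__main__":
    for name in ("example.com", "example.org", "example.edu", "missing.example"):
        print(name, "->", audit_dmarc(name) or ["OK"])
```

The two fixes the thread recommends map directly onto the findings: change p=none to p=quarantine or p=reject once the reports look clean, and add a rua= mailbox so the reports arrive; if that mailbox is on a different domain (a reporting service, for example), that domain's operator publishes the _report._dmarc authorisation record, or the checker keeps raising the external-domain warning.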