Questions about upcoming Google DMARC/DKIM requirement

Internet access discussion, including Fusion, IP Broadband, and Gigabit Fiber!
52 posts Page 4 of 6
by kgc » Wed Jan 10, 2024 4:12 pm
dhwalker wrote: Wed Jan 10, 2024 1:19 pm I have created net23._domainkey.walkerstreet.info as a CNAME pointing to net23._domainkey.sonic.net. I've also created dmarc.walkerstreet.info as a TXT containing "v=DMARC1; p=none; rua=mailto:admin@walkerstreet.info;" I've had an SPF record in place for several years.

Questions
  • I'm not seeing DKIM signatures in my outgoing mail. Do I need to do something to request that Sonic does that? I notice that kgc said "I'd actually suggest that you have us become your MX server which would get your domain into our backend systems in a way that would allow it to be signed provided the proper DNS records were also added at your registrar" on 1/4/2024, but I'm not sure what that means in this context. I can certainly create an MX record for walkerstreet.info that points to mail.sonic.net (if that would be the correct destination), but I'm not sure how Sonic would be notified that I had done that.
  • Do we know if net23 is always the correct DKIM selector to use? It'd be good to have Sonic confirm that.
Since we don't seem to handle your inbound mail flow for that domain, I actually think you may want to just send mail out using easydns' outbound systems. Presumably that's all well integrated on their end and you won't have to deal with adding any records and so on. If for some reason that isn't possible we can probably make something work for you but I'll be honest that I'd recommend against it. You're better off not relying on that kind of one-off config provided by us in the long term - the mechanisms to support it are in place, however. ;)

That said, in cases where we don't control DNS, yes, you will need to inform us that the records are in place. We don't have an official procedure in place yet and I'm working on some config management tools now that will generally add and remove the configs for domains we handle inbound flow for from the DKIM signing based on the presence of the correct DNS records. In the meantime, an email to support stating that you've added the CNAME records and would like us to start signing your domain should be sufficient to kick it off.

Regarding the selector, net23 is correct now. We have not determined a policy or procedure for migrating to a new selector yet but it would clearly involve notice to customers responsible for maintaining their own DNS records.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by dhwalker » Thu Jan 11, 2024 4:58 pm
kgc wrote: Wed Jan 10, 2024 4:12 pm
dhwalker wrote: Wed Jan 10, 2024 1:19 pm I have created net23._domainkey.walkerstreet.info as a CNAME pointing to net23._domainkey.sonic.net. I've also created dmarc.walkerstreet.info as a TXT containing "v=DMARC1; p=none; rua=mailto:admin@walkerstreet.info;" I've had an SPF record in place for several years.

Questions
  • I'm not seeing DKIM signatures in my outgoing mail. Do I need to do something to request that Sonic does that? I notice that kgc said "I'd actually suggest that you have us become your MX server which would get your domain into our backend systems in a way that would allow it to be signed provided the proper DNS records were also added at your registrar" on 1/4/2024, but I'm not sure what that means in this context. I can certainly create an MX record for walkerstreet.info that points to mail.sonic.net (if that would be the correct destination), but I'm not sure how Sonic would be notified that I had done that.
  • Do we know if net23 is always the correct DKIM selector to use? It'd be good to have Sonic confirm that.
Thanks for such a complete answer, Kelsey! Comments below...
Since we don't seem to handle your inbound mail flow for that domain, I actually think you may want to just send mail out using easydns' outbound systems. Presumably that's all well integrated on their end and you won't have to deal with adding any records and so on. If for some reason that isn't possible we can probably make something work for you but I'll be honest that I'd recommend against it. You're better off not relying on that kind of one-off config provided by us in the long term - the mechanisms to support it are in place, however. ;)
Sonic does handle my inbound mail, after it is forwarded from EasyDNS. (When I set this up, EasyDNS did not have an IMAP/POP (or outbound) service, only a forwarding service. It's made migration to new IMAP services easy (AT&T -> GMail -> Zoho -> Sonic), so I like it.) I understand your hesitation, but I'd rather leave those things as they are.
That said, in cases where we don't control DNS, yes, you will need to inform us that the records are in place. We don't have an official procedure in place yet and I'm working on some config management tools now that will generally add and remove the configs for domains we handle inbound flow for from the DKIM signing based on the presence of the correct DNS records. In the meantime, an email to support stating that you've added the CNAME records and would like us to start signing your domain should be sufficient to kick it off.
The tools you're working on sound great, but for now I'll send mail to support. If it helps, or if you'd like a tester, I can resubmit the request using the tools you're working on when they're ready.
Regarding the selector, net23 is correct now. We have not determined a policy or procedure for migrating to a new selector yet but it would clearly involve notice to customers responsible for maintaining their own DNS records.
Thanks.
by kgc » Thu Jan 11, 2024 5:35 pm
dhwalker wrote: Thu Jan 11, 2024 4:58 pm Sonic does handle my inbound mail, after it is forwarded from EasyDNS. (When I set this up, EasyDNS did not have an IMAP/POP (or outbound) service, only a forwarding service. It's made migration to new IMAP services easy (AT&T -> GMail -> Zoho -> Sonic), so I like it.) I understand your hesitation, but I'd rather leave those things as they are.
If they're just forwarding to us, I'd strongly recommend that you just swing the MX over to us. Forwarding mail is, more or less, inimical to all of the mail authentication tech. I'm curious if the forwarded mail contains ARC headers? We're not processing them on our MX servers yet and probably would have to do it before enforcing DKIM/SPF/DMARC policies but I've generally taken the position that forwarding mail should just be avoided.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by dhwalker » Thu Jan 11, 2024 6:37 pm
kgc wrote: Thu Jan 11, 2024 5:35 pm
dhwalker wrote: Thu Jan 11, 2024 4:58 pm Sonic does handle my inbound mail, after it is forwarded from EasyDNS. (When I set this up, EasyDNS did not have an IMAP/POP (or outbound) service, only a forwarding service. It's made migration to new IMAP services easy (AT&T -> GMail -> Zoho -> Sonic), so I like it.) I understand your hesitation, but I'd rather leave those things as they are.
If they're just forwarding to us, I'd strongly recommend that you just swing the MX over to us. Forwarding mail is, more or less, inimical to all of the mail authentication tech. I'm curious if the forwarded mail contains ARC headers? We're not processing them on our MX servers yet and probably would have to do it before enforcing DKIM/SPF/DMARC policies but I've generally taken the position that forwarding mail should just be avoided.
I think moving the MX wouldn't work, as the forwarding is on a per-address basis, not per-domain. (For example, David@WalkerStreet.info forwards to dhwalker@sonic.net.) I'm not sure exactly what they do, but it looks (from the Received: headers) like normal SMTP relaying, except that the "for <email address>" clause changes while relaying through EasyDNS. (See below.)

I think I'm seeing your point about being inimical, though. I've been assuming that DKIM verifies the addresses on the To: and other headers, but if it's actually the recipients in the SMTP envelope that are verified, then the mapped address (dhwalker@sonic.net in my case) is not the one that was signed (David@WalkerStreet.info). In that latter case, I'd hate to lose the per-address flexibility I have, but I think you're right that I should probably restructure how I handle my mail. I don't send anywhere near 5000 messages/day, but it should be right anyway.

Regarding ARC headers, I get them when I send from an outlook.com account I have, but not when I send via mail.sonic.net. Not sure what that means.

Here's an example of the Received: headers. Note how the mail is received for David@WalkerStreet.info when it first arrives at EasyDNS, but after that it's received for dhwalker@sonic.net.

Code:
Return-Path: <SRS0=drdZ=IW=WalkerStreet.info=David@srszone.org>
Received: from d.mx.sonic.net (b.spam-proxy.sonic.net [157.131.224.146])
	by d.local-delivery.sonic.net (8.16.1/8.16.1) with ESMTP id 40C1wver2755207
	for <dhwalker@lds.sonic.net>; Thu, 11 Jan 2024 17:58:57 -0800
Received: from mx-caprica.easydns.com (mx-caprica.easydns.com [64.68.200.41])
	by d.mx.sonic.net (8.14.7/8.14.7) with ESMTP id 40C1wtkh075586
	(version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT)
	for <dhwalker@sonic.net>; Thu, 11 Jan 2024 17:58:56 -0800
Received: from localhost (localhost [127.0.0.1])
	by mx-caprica.easydns.com (Postfix) with ESMTP id E400BA8715
	for <dhwalker@sonic.net>; Fri, 12 Jan 2024 01:58:54 +0000 (UTC)
Received: from mx-caprica.easydns.com ([127.0.0.1])
	by localhost (mxc06-pco.easydns.vpn [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id hUoMPSY13_Ln for <dhwalker@sonic.net>;
	Fri, 12 Jan 2024 01:58:54 +0000 (UTC)
Received-SPF: Pass (spfquery: domain of WalkerStreet.info designates 64.142.111.80 as permitted sender) client-ip=64.142.111.80; envelope-from="David@WalkerStreet.info"; helo=c.mail.sonic.net; receiver=spfquery; mechanism="include:mail.sonic.net"; identity=mailfrom
Received: from c.mail.sonic.net (c.mail.sonic.net [64.142.111.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by mx-caprica.easydns.com (Postfix) with ESMTPS id A9C64A869B
	for <David@WalkerStreet.info>; Fri, 12 Jan 2024 01:58:54 +0000 (UTC)
Received: from [192.168.1.101] (142-254-41-52.dsl.dynamic.fusionbroadband.com [142.254.41.52])
	(authenticated bits=0)
	by c.mail.sonic.net (8.16.1/8.16.1) with ESMTPSA id 40C1wqm2028767
	(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT)
	for <David@WalkerStreet.info>; Thu, 11 Jan 2024 17:58:52 -0800
Message-ID: <44d7464c-b50e-4b2c-89e7-943b65b29242@WalkerStreet.info>
by dhwalker » Thu Jan 11, 2024 7:21 pm
I think I'm seeing your point about being inimical, though. I've been assuming that DKIM verifies the addresses on the To: and other headers, but if it's actually the recipients in the SMTP envelope that are verified, then the mapped address (dhwalker@sonic.net in my case) is not the one that was signed (David@WalkerStreet.info). In that latter case, I'd hate to lose the per-address flexibility I have, but I think you're right that I should probably restructure how I handle my mail. I don't send anywhere near 5000 messages/day, but it should be right anyway.
After reading https://en.wikipedia.org/wiki/DomainKey ... ified_Mail, it looks like I was right that DKIM verifies the addresses in the headers, not the envelope, so it seems to me that, unless EasyDNS modifies the message body/headers in some way I'm not seeing, DKIM should work OK with EasyDNS's "mailmap" forwarding. I'm willing to do the experiment if you are.
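The question raised in the last two posts (whether DKIM covers the message headers or the SMTP envelope, and what a forwarder's rewrite does to DMARC) can be checked mechanically. The following script is an added example, not code from the thread or from Sonic or EasyDNS. It walks a constructed message modelled on the Received: chain posted above (placeholder hostnames and queue ids, a placeholder DKIM signature with d=walkerstreet.info and s=net23, and an SRS-rewritten Return-Path), lists the envelope recipient at each hop, lists which headers the DKIM signature covers, and then runs the DMARC identifier-alignment step. The SPF and DKIM verdicts are passed in as parameters because the receiver's verifier produces them; the script only does alignment. The organizational-domain function is a two-label simplification of the public-suffix rule, which is an assumption good enough for the domains discussed here.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample modelled on the Received: chain posted in this thread:
# an authenticated submission at the origin, a forwarding hop that rewrites
# the envelope recipient and (via SRS) the return path, then final delivery.
# Hostnames, queue ids and the DKIM bh=/b= values are placeholders.
SAMPLE_MESSAGE = """\
Return-Path: <SRS0=abcd=AB=walkerstreet.info=david@forwarder.example>
Received: from mx.forwarder.example (mx.forwarder.example [192.0.2.10])
\tby mx.destination.example (Postfix) with ESMTP id CONSTRUCTED1
\tfor <user@destination.example>; Thu, 11 Jan 2024 17:58:56 -0800
Received: from mail.origin.example (mail.origin.example [198.51.100.5])
\tby mx.forwarder.example (Postfix) with ESMTPS id CONSTRUCTED2
\tfor <david@walkerstreet.info>; Thu, 11 Jan 2024 17:58:54 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=walkerstreet.info;
\ts=net23; h=from:to:subject:date:message-id; bh=PLACEHOLDER; b=PLACEHOLDER
From: David <david@walkerstreet.info>
To: friend@example.net
Subject: forwarding test
Date: Thu, 11 Jan 2024 17:58:52 -0800
Message-ID: <constructed-id@walkerstreet.info>

test body
"""


def parse_message(raw):
    return email.message_from_string(raw)


def org_domain(domain):
    # Simplification: DMARC derives the organizational domain from the public
    # suffix list; the last two labels suffice for the domains in this thread.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def header_from_domain(msg):
    """Domain of the RFC5322.From address: what DMARC aligns against."""
    return parseaddr(msg["From"])[1].rsplit("@", 1)[1].lower()


def envelope_from_domain(msg):
    """Domain of the RFC5321.MailFrom as recorded in Return-Path (SPF's identifier)."""
    addr = re.search(r"<([^>]+)>", msg["Return-Path"]).group(1)
    return addr.rsplit("@", 1)[1].lower()


def tag_list(value):
    """Split a 'k=v; k=v' header value (DKIM-Signature) into a dict."""
    return {k.strip(): v.strip() for k, v in
            (part.split("=", 1) for part in value.split(";") if "=" in part)}


def dkim_signature_tags(msg):
    return tag_list(msg["DKIM-Signature"])


def recipient_chain(msg):
    """Envelope recipient ("for <addr>") at each hop, oldest hop first.

    A forwarder's rewrite shows up as a change between consecutive entries;
    none of these addresses is covered by the DKIM signature.
    """
    chain = []
    for hop in reversed(msg.get_all("Received", [])):
        m = re.search(r"for\s+<([^>]+)>", hop)
        if m:
            chain.append(m.group(1).lower())
    return chain


def dmarc_evaluate(msg, spf_result, dkim_result, mode="relaxed"):
    """DMARC alignment step. spf_result/dkim_result are the verifier verdicts
    ("pass"/"fail") the receiving MX obtained for this message."""
    from_dom = header_from_domain(msg)

    def aligned(other):
        if mode == "strict":
            return other == from_dom
        return org_domain(other) == org_domain(from_dom)

    spf_aligned = spf_result == "pass" and aligned(envelope_from_domain(msg))
    dkim_aligned = dkim_result == "pass" and aligned(dkim_signature_tags(msg)["d"].lower())
    return {"from_domain": from_dom, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "dmarc_pass": spf_aligned or dkim_aligned}


if __name__ == "__main__":
    msg = parse_message(SAMPLE_MESSAGE)
    print("envelope recipient per hop:", recipient_chain(msg))
    print("headers covered by DKIM:", dkim_signature_tags(msg)["h"].split(":"))
    # SPF may pass for the forwarder's own IP, but the SRS return path no longer
    # aligns with the From: domain; DKIM still aligns if headers and body were
    # left untouched in transit.
    print(dmarc_evaluate(msg, spf_result="pass", dkim_result="pass"))
```

Running it shows the envelope recipient changing from david@walkerstreet.info to user@destination.example across the forwarding hop while the DKIM signature (d=walkerstreet.info, covering From, To, Subject, Date and Message-ID) is unaffected, so DMARC passes on the DKIM leg alone as long as the forwarder does not modify the signed content.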
by virtualmike » Thu Jan 11, 2024 7:42 pm
dhwalker wrote: Thu Jan 11, 2024 6:37 pm I think moving the MX wouldn't work, as the forwarding is on a per-address basis...
If you move the MX, that means Sonic would manage your mail completely for you because incoming email will be delivered to Sonic's servers directly, not through a third party. Since you already have the Sonic mailboxes, you'd use Sonic tools to manage the @WalkerStreet.addresses.

As an added benefit, you can create as many addresses on your domain as you'd like, so you could have david@, dh@, dave@, theboss@, and others all point to dhwalker@sonic.net. You can do the same for the rest of the family. You can also create a catch-all (wildcard), so that mail sent to an undefined address will get delivered to the mailbox you designate.

I moved my domain to Sonic years ago, including MX, and I couldn't be happier with the configurability and flexibility that it gives me. That also means that DMARC/DKIM/SPF has been handled for me, and all outbound email from my domain is signed appropriately.
by lr » Thu Jan 11, 2024 8:08 pm
I typed a long reply, and then discovered that kgc and virtualmike already answered the questions better. Thank you kgc for confirming net23. Except for one observation:
I've also created dmarc.walkerstreet.info as a TXT containing ...
There is an "_" missing in front of dmarc. Probably just a transcription error on the forum (hopefully).
Linda and Ralph and John; 735 Sunset Ridge Road; Los Gatos, CA 95033; 408-395-1435
by dhwalker » Thu Jan 11, 2024 9:44 pm
There is an "_" missing in front of dmarc. Probably just a transcription error on the forum (hopefully).
Nope, I missed the "_" in my reading of your post. I've fixed my DNS record for that. Thanks, lr!
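The DNS side of this thread (kgc's note that the DKIM selector record is a CNAME to the provider's key, and lr's catch that the DMARC record must live at _dmarc, not dmarc) is the kind of thing worth checking before asking a provider to start signing. The script below is an added example, not a tool from the thread, Sonic or EasyDNS. It works offline against a constructed zone snapshot (a dict of name to records) instead of live DNS: the CNAME target net23._domainkey.provider.example, its DKIM key TXT, and the SPF record text are placeholders, and the two zones differ only in whether the DMARC record was published at dmarc.<domain> (as first posted) or _dmarc.<domain> (as corrected). It follows CNAMEs the way a resolver would, validates the DMARC tag syntax, and reports findings as a list, with an empty list meaning every check passed.

```python
DMARC_POLICIES = {"none", "quarantine", "reject"}


def parse_tags(record):
    """Split a 'k=v; k=v' style TXT record (DMARC, DKIM key) into (k, v) pairs in order."""
    tags = []
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags.append((k.strip(), v.strip()))
    return tags


def dmarc_problems(record):
    """Return a list of syntax problems in a DMARC TXT record (empty if none)."""
    tags = parse_tags(record)
    problems = []
    if not tags or tags[0] != ("v", "DMARC1"):
        problems.append("first tag must be v=DMARC1")
    d = dict(tags)
    if d.get("p") not in DMARC_POLICIES:
        problems.append("p= must be none, quarantine or reject")
    for uri in d.get("rua", "").split(","):
        if uri and not uri.startswith("mailto:"):
            problems.append(f"rua target is not a mailto: URI: {uri}")
    return problems


def lookup(zone, name, rtype, depth=0):
    """Return rdata strings for (name, rtype) from the zone dict, following CNAMEs."""
    if depth > 8:                     # guard against CNAME loops
        return []
    records = zone.get(name.lower(), [])
    direct = [v for t, v in records if t == rtype]
    if direct:
        return direct
    for t, target in records:
        if t == "CNAME":
            return lookup(zone, target, rtype, depth + 1)
    return []


def check_domain(zone, domain, selector):
    """Check SPF, DMARC placement/syntax and DKIM key resolution for one domain."""
    findings = []
    if not any(r.startswith("v=spf1") for r in lookup(zone, domain, "TXT")):
        findings.append("no SPF record")
    dmarc = [r for r in lookup(zone, f"_dmarc.{domain}", "TXT") if r.startswith("v=DMARC1")]
    if not dmarc:
        if lookup(zone, f"dmarc.{domain}", "TXT"):
            findings.append("DMARC record published at dmarc.<domain>; it must be at _dmarc.<domain>")
        else:
            findings.append("no DMARC record")
    else:
        findings.extend("DMARC: " + p for p in dmarc_problems(dmarc[0]))
    key = lookup(zone, f"{selector}._domainkey.{domain}", "TXT")
    if not key:
        findings.append(f"no DKIM key resolvable for selector {selector}")
    elif "p" not in dict(parse_tags(key[0])):
        findings.append(f"DKIM record for selector {selector} has no p= tag")
    return findings


def build_zone(dmarc_name):
    # Constructed zone snapshot; the CNAME target, DKIM key and SPF text are placeholders.
    return {
        "walkerstreet.info": [("TXT", "v=spf1 include:mail.sonic.net -all")],
        dmarc_name: [("TXT", "v=DMARC1; p=none; rua=mailto:admin@walkerstreet.info;")],
        "net23._domainkey.walkerstreet.info": [("CNAME", "net23._domainkey.provider.example")],
        "net23._domainkey.provider.example": [("TXT", "v=DKIM1; k=rsa; p=PLACEHOLDERKEY")],
    }


ZONE_AS_POSTED = build_zone("dmarc.walkerstreet.info")    # missing underscore
ZONE_CORRECTED = build_zone("_dmarc.walkerstreet.info")

if __name__ == "__main__":
    for label, zone in (("as posted", ZONE_AS_POSTED), ("corrected", ZONE_CORRECTED)):
        print(label, check_domain(zone, "walkerstreet.info", "net23") or ["all checks passed"])
```

Against a live zone the same logic applies with the dict replaced by real TXT and CNAME queries; the point of the CNAME-following lookup is that the selector name at the customer's domain does not itself hold the key, so a check that only looks at the customer's own records would miss a broken or missing CNAME target.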
by kgc » Fri Jan 12, 2024 10:45 am
Regarding forwarding, I view it as a more reliable solution to use multiple pop/imap accounts and/or profiles in your mail client of choice. Or, if you have a place to run it, use something like fetchmail or getmail to move mail directly between imap accounts. (Which is what I do in several places to combine email accounts.)
Kelsey Cummings
System Architect, Sonic.net, Inc.
by dhwalker » Fri Jan 12, 2024 4:43 pm
Regarding forwarding, I view it as a more reliable solution to use multiple pop/imap accounts and/or profiles in your mail client of choice. Or, if you have a place to run it, use something like fetchmail or getmail to move mail directly between imap accounts. (Which is what I do in several places to combine email accounts.)
I agree. As I've said, though, I'm not using any pop/imap service at EasyDNS, only at Sonic, so another Thunderbird profile isn't applicable. I do have a second profile in Thunderbird for a client's mail system, but that's separate from this discussion.

Nevertheless, I think it's clear that you, representing Sonic, don't want to deal with how I've had mail delivery for the past several years (most of which with Sonic), so I'll read up on EasyDNS's POP/IMAP service and Sonic's support for non-Sonic DNS domains and decide which way to move. Luckily, my mail volume is small, so I've got time.

Thanks for all the time you've spent on this.