by lr » Sun Jan 07, 2024 10:49 am
So here's my summary of what I have done; I would love people to critique whether there are any misunderstandings, or critique what I did wrong.
To begin with, e-mails that are sent with a @sonic.net From address and through the outgoing mailer at mail.sonic.net are completely unaffected, and users don't need to do anything about those. Conversely, it is no longer possible to send e-mails with a @sonic.net From address through any mailer other than mail.sonic.net. I consider this to be a good thing, since it reduces the chance that a Sonic user is wrongly accused of sending spam. We've never done that and aren't planning to start, so we're good there.
We use 3 different domains, 2 of which have their DNS run by Sonic. We today send all our mail for these domains through mail.sonic.net; in the past I had also used an outside mailing service (I think it was sendgrid), but I gave up on the complexity of it. For all these domains, one needs three things now:
- Have an SPF record in the domain's DNS that says that mail for this domain is allowed to come from mail.sonic.net. Here is what mine looks like: "v=spf1 include:mail.sonic.net -all". I have also seen it with "~all" at the end (which is less strict). If you use an outside mailing service, you would have to add it in the SPF record too, or remove the "-all" at the end (which is not recommended). I don't know whether Sonic would automatically add that SPF record for domains they serve; I did it myself long ago.
- Sign all outgoing mail with DKIM. For mail that is sent through mail.sonic.net, that is automatically taken care of. The DKIM signature relies on a <selector>._domainkey.sonic.net DNS record, which needs a specific selector. Again Sonic has taken care of that already. For the domains where Sonic is our DNS provider, I see that they added a net23._domainkey.<my_domain> DNS record, which is a CNAME to net23._domainkey.sonic.net. I don't know whether that CNAME record is even necessary (since the DKIM signature in the mail header clearly points at Sonic's domainkey record), but maybe some e-mail receivers need it. For the third domain, I'll add that CNAME record myself. If one uses an outside mail service, this gets more complicated.
- Have a _dmarc record in the domain's DNS. This is the only thing that's new. And it is easy to add: Go to whatever DNS server management interface, and add a TXT record at _dmarc.<my_domain>, which says "v=DMARC1; p=none; rua=mailto:postmaster@<my_domain>;". Use whatever e-mail for the error message you want, but it has to be within the same domain.
So in summary: For every domain that you use in From e-mail addresses, you need to have an SPF TXT record and DMARC TXT record, and while you are at it, adding the DOMAINKEY CNAME record for DKIM is easy, and may do something useful. If you use Sonic's DNS, the SPF and DOMAINKEY records may be automatic, but the DMARC record requires user intervention. If you use an outside mail sender, those are more complex.
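An added illustration, not part of lr's post and not a Sonic tool: a small offline checker for the three records the post lists (SPF TXT, DKIM selector CNAME, DMARC TXT). It runs against a constructed dictionary standing in for DNS answers, so it needs no network; the domains `example-good.test` and `example-bad.test` and their records are made up for the example, while `mail.sonic.net`, the `net23` selector and `net23._domainkey.sonic.net` are the values the post mentions. The "same domain" test for the `rua` address is a deliberate simplification (a suffix match rather than true organizational-domain logic), which mirrors the post's rule of thumb that the report address has to live within the domain.

```python
"""Offline sanity checks for SPF, DKIM CNAME and DMARC records (added example)."""
import re
from typing import Dict, List

# Constructed sample "DNS": name -> record type -> answers, as a resolver would return them.
# example-good.test follows the post's recipe; example-bad.test shows two common mistakes.
SAMPLE_DNS: Dict[str, Dict[str, List[str]]] = {
    "example-good.test": {"TXT": ["v=spf1 include:mail.sonic.net -all"]},
    "_dmarc.example-good.test": {"TXT": ["v=DMARC1; p=none; rua=mailto:postmaster@example-good.test;"]},
    "net23._domainkey.example-good.test": {"CNAME": ["net23._domainkey.sonic.net."]},
    "example-bad.test": {"TXT": ["v=spf1 include:mail.sonic.net +all"]},        # +all lets anyone send
    "_dmarc.example-bad.test": {"TXT": ["v=DMARC1; p=none; rua=mailto:reports@other-domain.test"]},
    # no net23._domainkey.example-bad.test CNAME at all
}


def lookup(name: str, rtype: str, dns=SAMPLE_DNS) -> List[str]:
    """Stand-in for a DNS query; returns the answers recorded in the sample dictionary."""
    return dns.get(name, {}).get(rtype, [])


def check_spf(domain: str, expected_include: str = None, dns=SAMPLE_DNS) -> List[str]:
    """Return a list of problems with the domain's SPF record (empty list = looks fine)."""
    records = [r for r in lookup(domain, "TXT", dns) if r.lower().startswith("v=spf1")]
    if not records:
        return [f"SPF: no v=spf1 TXT record at {domain}"]
    problems = []
    if len(records) > 1:
        problems.append("SPF: more than one v=spf1 record; receivers treat this as a permanent error")
    terms = records[0].split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        problems.append("SPF: no 'all' mechanism, so unlisted senders get a neutral result")
    elif all_terms[-1] in ("all", "+all"):
        problems.append("SPF: '+all' permits any sender; use -all (strict) or ~all (soft fail)")
    elif all_terms[-1] == "?all":
        problems.append("SPF: '?all' gives no verdict for unlisted senders")
    if expected_include and f"include:{expected_include}" not in terms:
        problems.append(f"SPF: outgoing mailer {expected_include} is not included")
    return problems


def same_domain(rua_domain: str, domain: str) -> bool:
    """Simplified 'within the same domain' test: equal, or a subdomain of it."""
    rua_domain, domain = rua_domain.lower().rstrip("."), domain.lower().rstrip(".")
    return rua_domain == domain or rua_domain.endswith("." + domain)


def check_dmarc(domain: str, dns=SAMPLE_DNS) -> List[str]:
    """Return a list of problems with the _dmarc.<domain> TXT record."""
    records = [r for r in lookup(f"_dmarc.{domain}", "TXT", dns) if r.lower().startswith("v=dmarc1")]
    if not records:
        return [f"DMARC: no v=DMARC1 TXT record at _dmarc.{domain}"]
    tags = {}
    for part in records[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    problems = []
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("DMARC: missing or invalid p= policy tag")
    for uri in tags.get("rua", "").split(","):
        uri = uri.strip()
        if not uri:
            continue
        m = re.match(r"^mailto:[^@\s]+@([^\s!]+)(?:![0-9]+[kmgt]?)?$", uri, re.I)
        if not m:
            problems.append(f"DMARC: rua entry is not a mailto: address: {uri}")
        elif not same_domain(m.group(1), domain):
            problems.append("DMARC: rua address is outside the domain; receivers will not send reports "
                            "there without an authorization record at the other domain")
    return problems


def check_dkim_cname(domain: str, selector: str, provider_domain: str, dns=SAMPLE_DNS) -> List[str]:
    """Check that <selector>._domainkey.<domain> is a CNAME to the provider's selector record."""
    name = f"{selector}._domainkey.{domain}"
    targets = lookup(name, "CNAME", dns)
    if not targets:
        return [f"DKIM: no CNAME at {name}"]
    expected = f"{selector}._domainkey.{provider_domain}"
    if targets[0].rstrip(".").lower() != expected.lower():
        return [f"DKIM: CNAME at {name} points to {targets[0]}, expected {expected}"]
    return []


def audit(domain: str, mailer: str = "mail.sonic.net", selector: str = "net23",
          provider_domain: str = "sonic.net", dns=SAMPLE_DNS) -> Dict[str, List[str]]:
    """Run all three checks and return the problems found per record type."""
    return {
        "spf": check_spf(domain, mailer, dns),
        "dkim": check_dkim_cname(domain, selector, provider_domain, dns),
        "dmarc": check_dmarc(domain, dns),
    }


if __name__ == "__main__":
    for d in ("example-good.test", "example-bad.test"):
        print(d, audit(d))
```

To run this against real DNS instead of the constructed dictionary, replace `lookup()` with a resolver call (for example `dns.resolver.resolve(name, rtype)` from the `dnspython` package) and keep the check functions as they are; the checks only depend on the text of the answers.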