Questions about upcoming Google DMARC/DKIM requirement

by lr » Tue Jan 09, 2024 9:20 am
Correct. The IMAP side is how your Apple mail "user agent" looks at incoming mail that is already stored on Sonic's servers, and has nothing to do with SPF/DKIM/DMARC, which is about outgoing mail. If you set up your outgoing mail on a @sonic.net address to send via SMTP to mail.sonic.net (with some interesting things about ports and encryption), then everything is done for you: Sonic has configured its outgoing mail server completely.

There are two situations where extra work is required:
  • You are using an e-mail address that is not @sonic.net (for example user@example.com), but sending that mail through mail.sonic.net. In that case your domain's DNS server has to publish: SPF = it's OK if your mail comes from mail.sonic.net, DKIM = your mail will be encrypted using Sonic's encryption keys, and DMARC = you want receivers of your mail to check that SPF and DKIM were done correctly.
  • You are using an e-mail address that is not @sonic.net (for example user@example.com), and you are sending mail through other sending services (such as mailchimp, sendgrid, twilio, or god forbid you do it yourself). In that case your domain also needs to publish how the mail is sent, except now it gets more complicated.
Linda and Ralph and John; 735 Sunset Ridge Road; Los Gatos, CA 95033; 408-395-1435
by kgc » Tue Jan 09, 2024 9:57 am
danzingone wrote: Mon Jan 08, 2024 9:39 pm Does "using our servers...you should have nothing to worry about" mean that if I am using my sonic.net addresses in Apple Mail, it should be ok, as long as I originally set up Apple Mail using Sonic's instructions for IMAP and SMTP? (I'm simply an end user, not a professional, so I appreciate your taking the time to explain questions that may seem very basic.)
Yes, that's exactly what it means.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by danzingone » Tue Jan 09, 2024 11:55 am
Kelsey, that's a big relief. DMARC/DKIM were unknown terms to me, and it was concerning to think I might need to implement a different way of handling email before February. Thanks for the prompt reply!

I know many of Sonic's customers are very technically savvy, but when technical emails go out to the general customer base, it might be helpful to have a non-engineer review them before sending....
by kgc » Tue Jan 09, 2024 12:09 pm
danzingone wrote: Tue Jan 09, 2024 11:55 am I know many of Sonic's customers are very technically savvy, but when technical emails go out to the general customer base, it might be helpful to have a non-engineer review them before sending....
It's a tough position for us to be in. It's difficult to write an email that is by necessity highly technical and then tell 99.99% of recipients that they probably don't need to read it and it doesn't apply to them.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by kfrisa » Tue Jan 09, 2024 1:33 pm
lr wrote: Tue Jan 09, 2024 9:20 am You are using an e-mail address that is not @sonic.net (for example user@example.com), but sending that mail through mail.sonic.net. In that case your domain's DNS server has to publish: SPF = it's OK if your mail comes from mail.sonic.net, DKIM = your mail will be encrypted using Sonic's encryption keys, and DMARC = you want receivers of your mail to check that SPF and DKIM were done correctly.
This is my situation. I'm using Apple Mail on my laptop, sending email using Sonic's outgoing SMTP server, but my From: address is in the cal.berkeley.edu domain. I have no idea how I'm supposed to get them to do the above things so that my mail doesn't break. I don't even know how to contact them. In the past I've tried writing to "postmaster@cal.berkeley.edu" and "itcshelp@berkeley.edu" for other email issues and have never received a response. Any ideas out there?
by kgc » Tue Jan 09, 2024 2:42 pm
kfrisa wrote: Tue Jan 09, 2024 1:33 pm I'm using Apple Mail on my laptop, sending email using Sonic's outgoing SMTP server, but my From: address is in the cal.berkeley.edu domain. I have no idea how I'm supposed to get them to do the above things so that my mail doesn't break.
Unfortunately, I'm not able to help. But I think it's safe to assume that you will in part be caught up with this. My guess is that they forward your cal address to us - which is fine, but sending from it may not be viable unless they allow you to send through their servers. You will ultimately need to get a hold of someone at their help desk or find someone who knows how they are handling these requirements and its impact on users like you.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by virtualmike » Tue Jan 09, 2024 3:47 pm
kfrisa wrote: Tue Jan 09, 2024 1:33 pm ...my From: address is in the cal.berkeley.edu domain.
Is this a "bConnected" email address? If so, it appears that it is powered by Gmail. https://bconnected.berkeley.edu/home

If that's the case, I'd recommend logging in to the bMail web view with your CalNet ID and going through settings to find the correct SMTP server setup for sending email.

If not, perhaps the previous link or this one (https://bconnected.berkeley.edu/collabo ... c-berkeley) can help you find assistance with your specific email account.
by danzingone » Tue Jan 09, 2024 6:17 pm
If you get your email as a Berkeley alum, it looks like Google runs their email service, so presumably email from your @berkeley.edu address will be compliant with Google's policy changes.

The university's website says "Please contact alumniemail@berkeley.edu for questions related to alumni use of the Alumni Email Service."

A link for further information about Berkeley's email service for alumnae/i should be accessible to you through the FAQs on the following page:
https://my.berkeley.edu/get-answers/

(An earlier version of this reply included links that didn't work.)
by kfrisa » Tue Jan 09, 2024 11:12 pm
virtualmike wrote: Tue Jan 09, 2024 3:47 pm Is this a "bConnected" email address? If so, it appears that it is powered by Gmail. https://bconnected.berkeley.edu/home
Yes, it is a "bConnected" address (though I'd forgotten that terminology) and it is powered by gmail. Thanks to you and danzingone for your links; I appreciate it! They should give me a good starting point for my questions.
by dhwalker » Wed Jan 10, 2024 1:19 pm
lr wrote: Sun Jan 07, 2024 10:49 am Sign all outgoing mail with DKIM. For mail that is sent through mail.sonic.net, that is automatically taken care of. The DKIM signature relies on a <selector>._domainkey.sonic.net DNS record, which needs a specific selector. Again Sonic has taken care of that already. For the domains where Sonic is our DNS provider, I see that they added a net23._domainkey.<my_domain> DNS record, which is a CNAME to net23._domainkey.sonic.net. I don't know whether that cname record is even necessary (since the DKIM signature in the mail header clearly points at Sonic's domainkey record), but maybe some e-mail receivers need it. For the third domain, I'll add that CNAME record myself. If one uses an outside mail service, this gets more complicated.
Thanks! Your post was very helpful. I have a couple of questions, though, that may need an answer from Sonic, but I'll ask them here.

Background
My domain is walkerstreet.info; EasyDNS is the registrar, and I use their mailmap service to forward messages addressed <family member>@walkerstreet.info from EasyDNS to <userid>@sonic.net, where we retrieve it with IMAP. Outgoing mail is sent from Thunderbird and K-9 Mail (on Android) via mail.sonic.net.

I have created net23._domainkey.walkerstreet.info as a CNAME pointing to net23._domainkey.sonic.net. I've also created dmarc.walkerstreet.info as a TXT containing "v=DMARC1; p=none; rua=mailto:admin@walkerstreet.info;" I've had an SPF record in place for several years.

Questions
  • I'm not seeing DKIM signatures in my outgoing mail. Do I need to do something to request that Sonic does that? I notice that kgc said "I'd actually suggest that you have us become your MX server which would get your domain into our backend systems in a way that would allow it to be signed provided the proper DNS records were also added at your registrar" on 1/4/2024, but I'm not sure what that means in this context. I can certainly create an MX record for walkerstreet.info that points to mail.sonic.net (if that would be the correct destination), but I'm not sure how Sonic would be notified that I had done that.
  • Do we know if net23 is always the correct DKIM selector to use? It'd be good to have Sonic confirm that.
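
The DNS lookups discussed in this thread, as an added example that is not part of any post and is not Sonic's code: a receiver takes the `d=` and `s=` tags of the DKIM-Signature header to find the key at `<s>._domainkey.<d>` (RFC 6376), reads the DMARC policy at `_dmarc.<From domain>` (RFC 7489), and counts a DKIM pass for DMARC only when `d=` aligns with the From: domain. The zone data, headers, key value and `example.com` are constructed; `net23` and `sonic.net` are taken from the posts, and the signature itself is not verified cryptographically.

```python
import re

def parse_tags(value):
    """Parse the 'tag=value; tag=value' lists used by DKIM-Signature and DMARC."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = re.sub(r"\s+", "", val)
    return tags

def org_domain(domain):
    # Assumption: the last two labels; real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def resolve_txt(name, dns, max_hops=5):
    """Follow CNAMEs in the constructed zone data until a TXT record or a dead end."""
    for _ in range(max_hops):
        rtype, value = dns.get(name.lower().rstrip("."), (None, None))
        if rtype != "CNAME":
            return value if rtype == "TXT" else None
        name = value
    return None

def evaluate(from_domain, dkim_header, dns):
    """Report which names a receiver queries and whether DKIM can satisfy DMARC."""
    sig = parse_tags(dkim_header)
    key_name = f"{sig['s']}._domainkey.{sig['d']}".lower()  # RFC 6376 key lookup
    key = resolve_txt(key_name, dns)
    dmarc = resolve_txt(f"_dmarc.{from_domain}", dns)  # RFC 7489 policy lookup
    return {
        "key_name": key_name,
        "key_found": bool(key and parse_tags(key).get("p")),
        "aligned": org_domain(sig["d"]) == org_domain(from_domain),  # relaxed mode
        "dmarc_policy": parse_tags(dmarc).get("p") if dmarc else None,
    }

# Constructed zone data; the key value is a placeholder, not a real key.
DNS = {
    "net23._domainkey.sonic.net": ("TXT", "v=DKIM1; k=rsa; p=PLACEHOLDERKEY"),
    "net23._domainkey.example.com": ("CNAME", "net23._domainkey.sonic.net"),
    "_dmarc.example.com": ("TXT", "v=DMARC1; p=none; rua=mailto:admin@example.com"),
}
# Constructed headers: one signed as the provider, one signed as the customer domain.
SIG_PROVIDER = "v=1; a=rsa-sha256; d=sonic.net; s=net23; bh=PLACEHOLDER; b=PLACEHOLDER"
SIG_CUSTOMER = "v=1; a=rsa-sha256; d=example.com; s=net23; bh=PLACEHOLDER; b=PLACEHOLDER"

if __name__ == "__main__":
    for label, header in (("provider", SIG_PROVIDER), ("customer", SIG_CUSTOMER)):
        print(label, evaluate("example.com", header, DNS))
```

With `d=sonic.net` the customer-domain CNAME is never queried and the signature does not align with a From: address at `example.com`; with `d=example.com` the key lookup depends on that CNAME.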