The purpose of this document is to advise and enable Abacus clients to send mail correctly from our SaaS platforms. This covers the DKIM, DMARC and SPF DNS settings. 

    Introduction 

    Abacus utilises a professional mail sending service provided by SendGrid, a trusted service widely used by large enterprise organisations to ensure delivery of critical mail from their SaaS platforms. 

    When administration or notification emails are sent via AD and WV, clients have a MAIL FROM email address field; this will usually be noreply@example.com. If this configuration is set up, there are prerequisites that need to be completed to guarantee mail is not marked as spam or quarantined by recipient mail servers. 

    With the wide adoption of DMARC, DKIM and SPF by public email providers, most notably Gmail, mail from senders who masquerade as a domain but are not actually sending from the domain’s real mail servers will be marked as spam or bounced altogether. 

    In order to achieve the smooth delivery of email, the client must implement some key components outlined below which need to be added and/or created on the client’s DNS Resource Records. 

    Note: It is important to understand that detailed discussions around DNS mail settings with the client will be required to understand their mail policies. For example, all three records may already exist on the client’s domain. 

    Abacus will need to understand the client’s current configuration of their DNS Resource Records that match the DKIM, SPF or DMARC criteria. This is to ensure that DNS mail work carried out does not disrupt the client’s pre-configured DNS mail settings. 

    The client should provide any information they deem important to the setup of mail – for example, email forwarding, email providers, or other mail platforms that may use SPF, DMARC or DKIM values outside of the Abacus SaaS platform. If in doubt, a technical meeting should be set up with the relevant staff on both sides (Sysman from Abacus and the relevant technical contact on the client’s side). 

    Setup and implementation

    Please refer to the Glossary of Terms for detailed explanations of each DNS term used below. 

    Setup of DKIM, SPF and DMARC can be broken down into the following three DNS Resource Records: 

    1. SPF in the form of a TXT DNS Resource Record 

    v=spf1 include:sendgrid.net include:mail.webvisioncloud.com ~all 

    In the above example, we are telling recipient mail servers that the SendGrid and WV Cloud mail servers are allowed to send on behalf of the domain. 

    2. DKIM in the form of CNAME DNS Resource Records 

    In order to authenticate your domain and rewrite all tracking links for your custom domain, Abacus will require your domain name. This is required to authenticate Abacus as the authorised mail sender on your domain’s behalf. 

    Raise a Jira ticket

    Please raise a Jira ticket titled 'System Email Setup' with the email domain you wish to use. We will provide you with the CNAME records that you will need to set up with your DNS provider.

    Once you have provided your domain, we will give you the CNAME records that you need to set up with your DNS provider. We will then verify this and confirm that the records have been set up correctly.

    3. DMARC Policy in the form of a TXT DNS Resource Record 

    When implementing DMARC, the best practice to ensure that mail services do not incorrectly stop mail from being delivered is to set the policy value, p, to “none”: 

    _dmarc.example.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com" 

    The above DMARC setting will not impact mail sending; it tells mail servers the DMARC version and asks that all reports be sent to the email address dmarc@example.com. 

    The example below is not configured correctly: the RUA and RUF values are default values and are not sending the DMARC reports anywhere.

    v=DMARC1; p=reject; pct=100; fo=1; rua=mailto:custom-email-domain-dmarc-reports@stripe.com; ruf=mailto:custom-email-domain-dmarc-forensics@stripe.com 

    This is remedied by using valid email addresses that parse DMARC email reports. However, the key value here is p=reject. With this set, the sender must have DKIM and SPF configured to get a “pass” in the email header. This is essential for services such as Google, which utilise DMARC to allow mail through only with two passes, SPF and DKIM. 

    Once all three Resource Record sets are configured, the mail flow setup on SendGrid will be complete.  
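A pre-change check for steps 1 and 3, added here as an example (not Abacus or SendGrid code): `merge_spf` folds the page's two includes into whatever SPF record the client already publishes instead of creating a second one, and `lint_dmarc` flags the report-address problem described above. The function names and the `mailhost.example` record are constructed; DKIM is left out because its CNAME values are issued per domain by Abacus.

```python
import re

REQUIRED = ["include:sendgrid.net", "include:mail.webvisioncloud.com"]  # from the page's SPF example

def merge_spf(apex_txt):
    """Return the one SPF record to publish, given the TXT strings already at the domain."""
    spf = [r for r in apex_txt if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) > 1:
        # RFC 7208: more than one v=spf1 record yields permerror, so never add a second.
        raise ValueError("multiple SPF records; consolidate before adding includes")
    terms = spf[0].split() if spf else ["v=spf1", "~all"]
    present = {t.lower() for t in terms}
    missing = [m for m in REQUIRED if m not in present]
    # New mechanisms go before the terminal "all"; mechanisms after it are never tested.
    is_all = lambda t: re.fullmatch(r"[-+~?]?all", t, re.I)
    pos = next((i for i, t in enumerate(terms) if is_all(t)), len(terms))
    return " ".join(terms[:pos] + missing + terms[pos:])

def lint_dmarc(domain, record):
    """Return findings for the TXT record published at _dmarc.<domain>."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    if not re.match(r"\s*v\s*=\s*DMARC1\s*(;|$)", record):
        findings.append("v=DMARC1 must be the first tag")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        findings.append("p must be none, quarantine or reject")
    if "rua" not in tags:
        findings.append("no rua address, aggregate reports are not collected")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            m = re.fullmatch(r"mailto:[^@\s]+@([^!\s]+)(![0-9]+[kmgt]?)?", uri, re.I)
            if not m:
                findings.append(f"{tag}: {uri} is not a mailto: URI")
                continue
            host = m.group(1).lower()
            # A mailbox outside the domain only gets reports if that domain authorises it.
            if host != domain and not host.endswith("." + domain):
                findings.append(f"{tag}: reports leave {domain} for {host}")
    return findings

if __name__ == "__main__":
    # Constructed sample: a client that already sends through another provider.
    print(merge_spf(["v=spf1 include:_spf.mailhost.example -all", "site-verification=abc"]))
    print(lint_dmarc("example.com", "v=DMARC1; p=reject; rua=mailto:reports@stripe.com"))
```
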

    An Excel template accompanies this document with the DNS values that need to be configured. Liaison with the client’s DNS administrators should be straightforward: the values highlighted above are generated by Abacus Sysman staff and passed on to the DNS administrators to implement. 

    Glossary of terms 

    SPF – Sender Policy Framework RFC 7208
    Sender Policy Framework (SPF) is an email authentication method designed to detect forged sender addresses during the delivery of the email. SPF alone, though, is limited to detecting a forged sender claimed in the envelope of the email, which is used when the mail gets bounced. Only in combination with DMARC can it be used to detect the forging of the visible sender in emails (email spoofing), a technique often used in phishing and email spam. 

    DMARC – Domain-based Message Authentication, Reporting and Conformance RFC 7489
    DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise attacks, phishing emails, email scams and other cyber threat activities. 

    DKIM – DomainKeys Identified Mail RFC 6376
    DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect forged sender addresses in emails (email spoofing), a technique often used in phishing and email spam. 

    DNS – Domain Name Service
    The Domain Name System (DNS) is a hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most prominently, it translates more readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols. By providing a worldwide, distributed directory service, the Domain Name System has been an essential component of the functionality of the Internet since 1985. 

    CNAME – Canonical Name Record
    A Canonical Name record (abbreviated as CNAME record) is a type of resource record in the Domain Name System (DNS) which maps one domain name (an alias) to another (the canonical name). 

    TXT – A TXT record
    A TXT record (short for text record) is a type of resource record in the Domain Name System (DNS) used to provide the ability to associate arbitrary text with a host or other name, such as human-readable information about a server, network, data center, or other accounting information. It is also often used in a more structured fashion to record small amounts of machine-readable data into the DNS. 

    Note: If you find that some emails are not being delivered to the end-users, then you might have to whitelist SendGrid’s IP addresses. They are as follows:

    168.245.70.157

    168.245.29.129
