Overview
This article provides information on configuring your domain’s SPF, DKIM and DMARC DNS records to authenticate the emails sent by CIMcloud’s servers on behalf of your custom domain(s).
CIMcloud does not have access to configure your domain’s DNS records. DNS management is typically handled by your IT Department or your IT Service Provider. The information in this article can assist them with the DNS configuration.
SPF (Sender Policy Framework)
An SPF record identifies which email servers are allowed to send email on behalf of your domain. Receiving email servers check your SPF record to verify the email is actually coming from you (to protect against spoofing and phishing). Configuring an SPF record for your domain can help prevent CIMcloud system emails from getting marked as spam.
There are several helpful online tools that provide more information on SPF records, including tools you can use to look up your current SPF record. For example, https://mxtoolbox.com/spf.aspx.
Configure Your SPF Record
Your SPF record is typically hosted with your domain name provider, where you set up your DNS settings. To allow CIMcloud email servers to send email on behalf of your domain, add the following value to your SPF record:
include:_spf.mycimcloud.com
Here is an example SPF record that only allows email to be sent by CIMcloud:
- Type: TXT
- Host: @
- Value: v=spf1 include:_spf.mycimcloud.com ~all
Your SPF record should also identify ALL other email services that send email for your domain, including your primary corporate email and any other 3rd party services.
Here are some common services provided for convenience:
- Google Business: include:_spf.google.com (Google’s documentation)
- Office 365: include:spf.protection.outlook.com (Microsoft’s documentation)
Here is an example of a complete SPF record of a CIMcloud customer that uses Google for corporate email, and no other 3rd party email services:
- Type: TXT
- Host: @
- Value: v=spf1 include:_spf.mycimcloud.com include:_spf.google.com ~all
Note: It can take up to 48 hours after updating/adding your SPF record for authentication to start working.
SPF Troubleshooting Tips
The following tips can help if you are experiencing issues with emails getting delivered to you or your customers.
- Use an online tool like https://mxtoolbox.com/spf.aspx to confirm there are no errors in your SPF record
- Verify your SPF record is for the domain you are using as the “from email address” on your CIMcloud system emails.
  - In the Worker Portal Settings Workspace, navigate to Customer Site Settings, edit your customer site, and then click Emails.
  - The “From Address” domain should have an SPF record configured.
  - Note: older versions of the platform may have Email Settings under System-Wide Settings.
- Make sure your domain has only one SPF record
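The checks from these tips can be run against a domain's TXT records before you publish a change. The following is an added example, not CIMcloud code: it assumes the TXT strings have already been fetched from DNS, and the sample records are constructed.

```python
import re

REQUIRED_INCLUDE = "include:_spf.mycimcloud.com"  # value given in this article
# Terms that each cost one DNS lookup during SPF evaluation (RFC 7208, limit of 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def audit_spf(txt_records):
    """Return a list of problems in a domain's TXT records; an empty list means none found."""
    spf = [r.strip() for r in txt_records if r.strip().lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        # Receivers return a permanent error when a domain publishes more than one SPF record.
        return [f"{len(spf)} SPF records found; merge them into one"]
    terms = [t.lower() for t in spf[0].split()[1:]]
    problems = []
    if REQUIRED_INCLUDE not in [t.lstrip("+") for t in terms]:
        problems.append(f"missing {REQUIRED_INCLUDE}")
    # Top-level count only: lookups inside included records also count toward the limit.
    lookups = sum(1 for t in terms
                  if re.split(r"[:/=]", t.lstrip("+-~?"))[0] in LOOKUP_TERMS)
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms and not any(t.startswith("redirect=") for t in terms):
        problems.append("no 'all' mechanism; unlisted senders get a neutral result")
    elif all_terms and all_terms[0][0] not in "-~?":
        problems.append("'all' without a -, ~ or ? qualifier authorizes every sender")
    return problems

# Constructed sample: TXT records of a hypothetical domain with a duplicate SPF record.
SAMPLE_TXT = [
    "google-site-verification=constructed-placeholder",
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 include:_spf.mycimcloud.com ~all",
]

if __name__ == "__main__":
    for problem in audit_spf(SAMPLE_TXT) or ["no problems found"]:
        print(problem)
```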
DKIM (DomainKeys Identified Mail)
DKIM is an email security feature that helps prevent email spoofing, where someone sends emails pretending to be someone else. It works by letting an organization add a digital signature to its outgoing emails. This signature is then verified by the recipient’s email server to ensure the email is genuinely from the stated source, improving the trustworthiness and security of the email communication. Cloudflare has a good, general overview of DKIM.
Configure your DKIM Record
Follow these steps to configure your DKIM DNS record(s):
- In order to complete the setup you will need to be able to manage the DNS records for each of your custom domains. Note: CIMcloud staff are unable to manage your domains’ DNS records.
- CIMcloud will provision DKIM for the domains used by your website and share your domain-specific configuration information with you.
  - Submit a support task to request that DKIM be provisioned for your website.
  - Include your domain names. These should be based on the From addresses on all emails sent by CIMcloud on behalf of your custom domains.
- After you receive your domain-specific configuration information, go into each domain’s DNS management and add a new TXT record:
  - DNS Record Type: TXT
  - DNS Record Name: (provided by CIMcloud to you)
    - EXAMPLE: cimcloud-a94fdfc80c2c46c782969bfb0fc4084e._domainkey
  - DNS Record Content: (provided by CIMcloud to you)
    - EXAMPLE: v=DKIM1; p=76E629F05F709EF….
  - Tips:
    - You will need to add one DNS record to each domain using its unique configuration information.
    - The exact process for this varies somewhat depending on your DNS provider. Here are some popular providers’ instructions for adding DNS records:
- Verify the DKIM DNS settings were entered correctly using the Verification Links provided to you by CIMcloud. The verification links are to a 3rd party service (mxtoolbox.com) that will verify the existence and syntax of the DNS records you added. If problems are identified, adjust your DNS settings and re-verify.
- Notify CIMcloud that you have configured and verified your DNS settings. CIMcloud will then activate DKIM, and the digital signatures will be added to emails.
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a security protocol for emails that helps prevent email phishing and spoofing. It allows an email sender’s domain to indicate that their emails are protected by SPF and/or DKIM, and tells the recipient’s server what to do if neither of those authentication methods passes – like reject the email or send it to spam.
Configure your DMARC Record
DMARC affects all email sent by all parties, including by CIMcloud, on behalf of your domain. Because of this, your DMARC policies must take into account all email services you use to prevent delivery problems. It is recommended you work with your IT Department or IT Service Provider to determine the suitable DMARC configuration.
Important: A DMARC policy that rejects or quarantines emails based on DKIM alignment will cause delivery issues for emails sent from CIMcloud on behalf of your domain unless you have configured and activated DKIM with CIMcloud (see the DKIM section in this article for more information).
MTA-STS (Mail Transfer Agent-Strict Transport Security)
MTA-STS (Mail Transfer Agent-Strict Transport Security) is a security standard aimed at preventing interception and tampering of emails. It does this through a policy, published by the domain owner, that provides options to enforce TLS encryption and what versions to allow on inbound mail connections. An MTA-STS policy is defined in a text file called “mta-sts.txt” hosted on a secure web server under a well-defined URL structure: https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. This URL is referenced by a DNS record on your corporate DNS zone, along with an email address at which to receive error reports.
An MTA-STS policy affects all emails sent to your corporate email domain from any source. The policy is not specific to the emails your CIMcloud website sends to your users and has no impact on emails your CIMcloud website sends to other domains. CIMcloud mail relay servers that send website emails support the latest TLS protocols and certificate authentication on all outbound connections and will honor any MTA-STS policy options on destination email servers.
Publishing your MTA-STS policy on your CIMcloud website is neither supported nor recommended. Instead, we recommend using a 3rd party MTA-STS service designed specifically for that purpose. Some examples are: https://powerdmarc.com/what-is-mta-sts/, https://www.mailhardener.com/, and https://www.uriports.com/ (Note: CIMcloud does not endorse these service providers; they are provided only as examples).
Still experiencing issues with emails sent from your CIMcloud application?
Our Support Team is happy to help, just submit a ticket in Extranet.