开云体育

When I send an email to groups.io, I get a DKIM fail and SPF fail. I would like to work on SPF for now as I am just learning about this.

The error report says:

David,

Do I have to add "ip4:66.175.222.108"?
Someone mentioned that I need to add ip4:66.175.222.12 too. Is that
correct?

Yes, those two are Groups.io's outbound mail servers, hosted at Linode.

When I send an email to groups.io, I get a DKIM fail and SPF fail. I
would like to work on SPF for now as I am just learning about this.

I don't really know anything about configuring one's own mail server properly, but including Groups.io's outbound mail servers as allowed senders in your SPF policy is likely to be effective, if a bit crude. Assuming that what you're aiming for is a DMARC pass from the receiving email service.

"Crude" in the sense that *any* message coming from those two servers can be authenticated as coming from you - not that I'd expect any fellow group members to spoof your From domain, except perhaps as a stunt.

Your DKIM signature of course is hopeless, as Groups.io modifies both the message Subject field and body (appended footer) on the way through. But at least Groups.io strips yours and applies its own DKIM signature, for whatever that's worth to the receiver. For DMARC purposes it is a fail because groups.io doesn't align with your domain in the header From field.

Groups.io also provides an Authentication-Results header to report on its own evaluation of your incoming DKIM and SPF results, and backs that up with an ARC signature so that any receiving email service can take Groups.io's word for your authentication, if they choose to trust Groups.io as an ARC sealer.

Shal


--
Help: /helpcenter
More Help: /g/GroupManagersForum/wiki
Even More Help: Search button at the top of Messages list

David,

I would not recommend including IP addresses of third-party email servers when they maintain an SPF record. You would?not be informed?if or when they change.

We use the following for our SPF record:
"v=spf1 mx a ip4:[redacted] ip6:[redacted] include:spf.protection.outlook.com include:groups.io -all"

Incidentally, our DMARC record is configured as follows:
"v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=r; rua=mailto:[redacted]"

We learned it is important to have "aspf" set to relaxed for acceptance of "send on behalf" messages. Note that issues can still occur but this is the best compromise we could effect.

--
Jim

Thank you Shal for your response and explanation.

I am now considering taking out the inclusion of groups.io from my SPF record. I added it only about 3 days ago, but now from the DMARC reports I am seeing some emails being sent out in the name of groups.io but not with the right IPs (not the two we mentioned).

I guess I was trying to be completely error free. But if I include groups.io and the two IP addresses, I am still going to get DKIM failure. And the inclusion doesn't seem to fix anything but could possibly cause more spamming.

And on a higher level, I send emails to groups.io. Groups.io send them to the my group members. However the receiving mail servers want to treat the emails is really between them and groups.io. As long as they don't outright reject the emails and my group members can see read my emails, I should be all good.

Does that sound reasonable?

Jim,

Thanks! I will try the "aspf=r".

Since you have "p=reject" in your DMARC, wouldn't your emails (rerouted) from groups.io be rejected?


David

Not with "aspf" set to relaxed, which was determined after testing. The only other choices for "p" are "quarantine" and "none", neither of which were acceptable to us.
--
Jim