Is Neoserra capable of sending DMARC compliant email, and how do I set up domain authentication: DKIM and SPF?
First of all, Yes, Neoserra is capable of sending DMARC compliant email, but what does that really mean? Well, in the early days of email, there were limited ways available to support sender verification. Nearly all spam, scams, and viruses that spread through email did so using falsified sender information - as some still do today. Verifying who is sending the emails actually was, and still is, a difficult process, especially when some domains are, in fact, allowed to send email using your domain, like OutreachSystems.
When you send email using the Neoserra platform, you will be sending an email originating in Neoserra, but when your client receives it you want it to look like it came from yourname@yourcenter.edu - not from yourname@outreachsystems.com!
In order to allow Neoserra to send emails that look like they came from your email servers, we recommend that you set up custom DomainKeys Identified Mail (DKIM) authentication for your domain and include Neoserra in your Sender Policy Frameworks (SPF) record. Both are necessary because SPF uses rule sets to determine authorized IP addresses from which you will be sending emails and DKIM uses public key cryptography to authenticate individual email messages.
Yes, this article may be a bit techy, and we recommend that you share it with your IT staff who can set up DKIM and include Neoserra in your SPF record. They will want to edit your domain's Zone Editor and create a CNAME record for:
- osc1._domainkey.yourcenter.edu to map to this value: osc1._domainkey.outreachsystems.com.
Where "yourcenter.edu" is truly your program's domain name. A sample zone file entry would look like:
osc1._domainkey.yourcenter.edu IN CNAME osc1._domainkey.outreachsystems.com.
If the osc1._domainkey.yourcenter.edu DKIM key is not found at the time of sending, then Neoserra will not use DKIM.
Additionally you will want to create a TXT record for yourcenter.edu with this value (adjust for your mail provider; below is for Microsoft Outlook):
- v=spf1 include:spf.protection.outlook.com include:spf.outreachsystems.com -all
If your hosting provider requires you to use IP addresses, then you can provide them with the following IP addresses:
ip4:107.20.160.162/32 ip4:35.85.179.136/32 ip4:44.203.150.85/32 ip4:50.112.114.135/32 ip4:52.5.236.246/32 ip4:54.163.226.88/32 ip4:54.185.24.42/32 ip4:54.204.25.186/32
NOTE: OutreachSystems may add or remove IP addresses over time and usage of the include:spf.outreachsystems.com is highly recommended.
Once your DMARC policy has been updated by your IT department, please contact OutreachSystems so that we can clear all email addresses that were rejected because they could not be authenticated.
What if your IT department is not willing/able to implement the full DMARC policy? The bottom line is that there are three options:
Best Option | The best option is for your IT department to implement the full DMARC policy (DKIM + SPF) as described in this FAQ. This will allow you to send email as you and it will reduce the likelihood that your messages will be classified as spam. If you choose this option then you should turn OFF the "When sending email, have Neoserra authenticate on sender's behalf?" checkbox on your Administration|Configuration|General Settings page. |
Second Best Option | The second best option is to change your sender email address to something that can be validated by the recipient mail server, and thus pass the "spam test." This means that the sender email address is changed to an @mail.outreachsystems.com email address as discussed in this FAQ. You can do this by checking the "When sending email, have Neoserra authenticate on sender's behalf?" checkbox on your Administration|Configuration|General Settings page. This setting is dynamic, thus, if you have checked the box but you have also implemented SPF+DKIM, then Neoserra will automatically know to use that instead. However, many Neoserra databases have users that are hosted on different email servers, some of these servers have set up SPF+DKIM, and others have not. By checking this box, you are ensuring a higher chance of email delivery for those users that don't implement the full DMARC policy. |
Last Option (Not recommended) | The least desirable option is to do nothing. Your email messages will likely fail to reach their intended recipients and your email address reputation will suffer. You can turn OFF the "When sending email, have Neoserra authenticate on sender's behalf?" checkbox on your Administration|Configuration|General Settings page which will mean that your sender address will not be changed but this also means that your email address cannot be validated. |
Last but not least, what can you do? We always recommend that you follow best email practices!
Want more? Browse our extensive list of Neoserra FAQs.