
DMARC DNS records for outgoing mail settings.

      whiskerpickles
      wrote on last edited by girish
      #1

      Currently in Cloudron, DMARC DNS records are generated when incoming e-mail is activated.

      What's missing is that DMARC policies are set by the domain owner (e-mail sender) and should be generated alongside DKIM and SPF. E-mail recipients only choose to acknowledge and honour the policy set by the domain owner. If it's not a terrible amount of work, please consider correcting the method of TXT record generation for DMARC. This will protect users that choose "outgoing only" as e-mail option for apps.

        BrutalBirdie
        Partner
        wrote on last edited by BrutalBirdie
        #2

        @whiskerpickles since I am not very familiar with E-Mail setup at all and I am glad cloudron does all the work for me so could you elaborate why this is a good thing and what will be the consequences for noobs like myself? 🙂

        Cheers!

          whiskerpickles
          wrote on last edited by
          #3

          @brutalbirdie Absolutely... and good choice with Cloudron! And I'll do my best to keep it light.

          DMARC is sort of a mashup policy that enforces DKIM and SPF records. Don't run away yet...!

          DKIM is a method where each e-mail you send is signed with a private key. When a recipient's server receives your message, it compares that key against a public key that you publish via a DNS record (that way it's available to the entire web). It's one way of verifying that an e-mail actually came from you.

          SPF is another policy published via DNS records that tells receiving servers which sender domains and IP addresses they should consider valid senders. It prevents bad actors from spoofing your domain by saying only accept mail from my Cloudron instance which is on my.brutalbirdie.com.

          With DMARC, you publish another DNS record that lets receiving servers know you are serious about your e-mail identity. If an e-mail sent by your domain doesn't match a DKIM or SPF record, then you can instruct them to reject or send that message to SPAM folders.

          In all, DMARC is another method of building trust for e-mails that are sent. Last year, the FBI reported losses in the billions from impersonated e-mail. By properly adding DMARC to outgoing DNS settings, you'll better protect your recipients and your brand.

          Let me know if I missed the mark anywhere for you.

            BrutalBirdie
            Partner
            wrote on last edited by
            #4

            @whiskerpickles
            Thanks for that! Sounds good to me 😄
            @staff check this out, might be a good idea.

              whiskerpickles
              wrote on last edited by
              #5

              @brutalbirdie Don't fret, big guy. If you're using Cloudron to manage your incoming e-mail then you are covered. DMARC is implemented in Cloudron... it's just in the wrong place. So if you're an inbound or inbound AND outbound user then you are safe. Outbound only users should create a DMARC policy manually to take advantage of this feature until it's resolved.

                girish
                Staff
                wrote on last edited by
                #6

                @whiskerpickles It's this way because we didn't want to trample on the user's existing DMARC record (or add a new record just like that) given that outgoing email is the default for all domains that are added. The user is of course free to add their own DMARC record directly in the DNS, it's just not automated when using outbound only.

                When a user chooses "incoming email" as well, we simply set everything up, since it seems like they chose Cloudron to manage all their email. So, we have a bit more "freedom" in creating new records. In fact, if there is an existing DMARC record and you enable incoming email, we don't change it.

                Is your idea that Cloudron should add a DMARC record when a domain is added (this is even at installation time)?

                  whiskerpickles
                  wrote on last edited by
                  #7

                  @girish Your logic really opens this up and I get it. You guys know your users and if "outbound-only" folks are managing their own DNS, then it definitely wouldn't make sense. I was just concerned for the less experienced.

                  I'd say we could close out this thread.

                    A Former User
                    wrote on last edited by
                    #8

                    I have an "Outbound only" (from the outset) domain at Gandi, with a DMARC record created by the Cloudron:-

                    _dmarc	TXT	300	"v=DMARC1; p=reject; pct=100"
                    

                    So, looks like DMARC records are already created for both 2-way and outbound only domains.

                    Confusion may arise because https://my.domain.tld/#/email shows the existence of a DMARC record for 2-way domains only.

                      girish
                      Staff
                      wrote on last edited by
                      #9

                      Whoops, indeed, I stand corrected. What @Hillside502 noticed is correct. It seems we set up DMARC policy for outbound mail as well (but only if there is no existing record). For some reason, I thought this wasn't the case.

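The behaviour described in posts #6, #8 and #9 (publish a default DMARC record only when none exists), sketched as an added example that is not part of the thread and is not Cloudron's code. `parse_dmarc`, `plan_dmarc` and `_unquote` are hypothetical names; the default record is the one quoted in post #8.

```python
# Added example; not Cloudron's code. Function names are hypothetical.
VALID_POLICIES = {"none", "quarantine", "reject"}
DEFAULT_RECORD = "v=DMARC1; p=reject; pct=100"  # record quoted in post #8


def _unquote(txt):
    return txt.strip().strip('"').strip()


def parse_dmarc(txt):
    """Return the policy tags of one TXT string, or None if it is not a
    usable DMARC record (RFC 7489: v=DMARC1 must be the first tag)."""
    tags = []
    for part in _unquote(txt).split(";"):
        if not part.strip():
            continue  # tolerate a trailing ";"
        name, sep, value = part.partition("=")
        if not sep:
            return None  # tag without "="
        tags.append((name.strip().lower(), value.strip()))
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    record = dict(tags)
    policy = record.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return None
    try:
        pct = int(record.get("pct", "100"))  # pct defaults to 100
    except ValueError:
        return None
    if not 0 <= pct <= 100:
        return None
    return {"p": policy, "pct": pct, "rua": record.get("rua")}


def plan_dmarc(existing_txt):
    """Decide what to do with the TXT strings found at _dmarc.<domain>.
    An existing DMARC record is never overwritten."""
    claimed = [t for t in existing_txt
               if _unquote(t).replace(" ", "").startswith("v=DMARC1")]
    if len(claimed) > 1:
        return ("conflict", None)  # receivers apply no policy in this case
    if claimed:
        status = "keep" if parse_dmarc(claimed[0]) else "invalid"
        return (status, claimed[0])
    return ("create", DEFAULT_RECORD)
```

The "conflict" and "invalid" outcomes are the cases worth surfacing to the domain owner, since a broken or duplicated record leaves the domain without an enforced policy even though a record appears to exist.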
                        girish
                        Staff
                        wrote on last edited by
                        #10

                        @pintudaso are you a real user or is this some very creative spam 😉 ? apologies if you are a real user but the amount of spam on this forum is crazy.

                          pintudason
                          wrote on last edited by
                          #11

                          Before creating DMARC records it's a good idea to test DKIM and SPF. Testing can be found here: https://emailauth.io/dkim

                            micmc
                            wrote on last edited by
                            #12

                            @pintudason said in DMARC DNS records for outgoing mail settings.:

                            Testing can be found here: https://emailauth.io/dkim

                            Hi, thanks for the share.
                            However, it seems to me that this is not working very well, unless I'm missing something. I've DKIMs for all my domains and this thingy responds with a "No DKIM record found for: xxx" message for all domains I've tried, and I know for a fact that DKIMs were implemented a long time ago. Has anyone else tried this?

                            I manage my DNS through Cloudflare, maybe it's the reason why. (?)

                              whiskerpickles
                              wrote on last edited by
                              #13

                              @micmc Can you share one of the domains so I can have a look?
