Great Vid. But I'm thinking you'll still get a warning for no DMARC policy set if you're passing p=none. And the only step you seem to have skipped over is setting a DMARC policy. Something you seem to have done retrospectively? v=DMARC1; p=reject; pct=100
Yes, you are right. Setting DMARC policy to 'none' isn't really much good, however it is a good start and things really should be either quarantine or reject.
I found we already had DKIM in place, but not DMARC. The DKIM keys were 2 years old ("Last Checked March 2021") so I rotated them. Any idea how long it will take to actually rotate before I can proceed? Will the CNAMEs be updated automatically by Microsoft?
If you rotate the keys it bounces between selector1 and selector2. You should have both CNAMEs already in your DNS so there is nothing to do on your part. It is good management to periodically rotate the keys but there is no strict guideline on how often to be honest. The checking in the backend of Microsoft can take a couple of hours. Go back to the DKIMV2 page in M365 after then and it should have updated for you. Mark.
IM SO CONFUSED please help. I've found we don't have an SPF set up, where am I supposed to add the text? Like simplest answer ever please step by step 😭😭😭😭
Do I just log in to the Microsoft office account and click a button somewhere there to add an SPF TXT? It's literally just a work email address that has been in use for 5 years with no issues but now suddenly saying I can't send emails due to SPF and we don't have an IT team it's JUST ME , I don't know what a domain is but I need to fix this so we can send emails again 😭😭
Hi. Sure thing, to add an SPF record, these are done in your Public DNS. They are not settings that you add to the M365 tenant, but your external DNS provider, like GoDaddy or equivalent. Happy to help out on this, drop me an email to mark@thecloudgeezer.com and we can go through your particular scenario and get this done for you. Mark.
Looking for a little guidance here. I set everything up, checked the configuration with EOMS, and it passes with flying colors. Checking things in MxToolbox and using the headers in GMail shows that there's no DMARC record found. I'm kind of stumped. The only variable I can think of is that we use a third-party to generate automatic signatures for outgoing email. Would that mess with the DMARC configuration somehow?
It can do if the email signature provider is intercepting the email and rewriting it as it passes through. No problem though as that can all be mitigated depending on who it is. Maybe drop me a note to mark@thecloudgeezer.com and we can go into it a bit deeper. Mark.
You can only have one entry point for your domain. However, there are many many ways to route email once it hits a particular mail server. To recommend the best way for you, drop me a note to mark@thecloudgeezer.com and we can discuss your situation. Always happy to help out. Mark.
Hi. Yes I respond to all comments. :-) And you are right, it doesn't address it specifically as I have found that the DKIM and DMARC checks for the domain itself all pass. Sometimes I see the alignment in the tool possibly fail from an M365 sent email due to the selector1/2 entries. Always on the delivery side it goes through fine. Performing the DKIM and DMARC checks against the domain with mxtoolbox has shown more accurate results.
Hi. In the DMARC entry you will need to edit the existing DNS as you can only have one for each domain. However are you asking if you can have reject AND quarantine set? If so, then that isn't possible. You can only have 'none', 'reject' OR 'quarantine'. Hope that helps. Mark.
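An added example (not from the video or from any commenter): an offline check of the DMARC rules discussed in this thread, namely one record per domain, p limited to none, quarantine or reject, and p=none flagged as monitoring only. The function names and the sample TXT strings are constructed for illustration.

```python
# Added illustration: audit the TXT strings published at _dmarc.<domain>.
# Runs offline; pass in whatever your DNS lookup returned for that name.

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_tags(record):
    """Split 'v=DMARC1; p=reject; pct=100' into a dict keyed by tag name."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    return tags


def audit_dmarc(txt_records):
    """Return (policy, findings); policy is None when no usable record exists."""
    # Simplification: a DMARC record is any TXT string starting with v=DMARC1.
    dmarc = [r for r in txt_records if r.strip().startswith("v=DMARC1")]
    if not dmarc:
        return None, ["no DMARC record found"]
    if len(dmarc) > 1:
        # Only one record is allowed per domain; edit the existing one instead.
        return None, ["multiple DMARC records published; merge them into one"]

    try:
        tags = parse_tags(dmarc[0])
    except ValueError as exc:
        return None, [str(exc)]

    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return None, [f"p= must be none, quarantine or reject (got {policy!r})"]

    findings = []
    if policy == "none":
        findings.append("quarantine/reject policy not enabled (p=none only monitors)")

    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        findings.append(f"pct must be a number from 0 to 100 (got {pct!r})")
    elif int(pct) < 100 and policy != "none":
        findings.append(f"policy is applied to only {pct}% of failing mail")

    if policy == "none" and "rua" not in tags:
        findings.append("p=none without rua= sends no aggregate reports to review")
    return policy, findings


if __name__ == "__main__":
    # Constructed sample records, not taken from any real domain.
    samples = {
        "monitor only": ["v=DMARC1; p=none"],
        "enforcing": ["v=DMARC1; p=reject; pct=100"],
        "two records": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],
        "combined policy": ["v=DMARC1; p=reject,quarantine"],
        "spf only": ["v=spf1 include:spf.protection.outlook.com -all"],
    }
    for label, records in samples.items():
        policy, findings = audit_dmarc(records)
        print(f"{label}: policy={policy} findings={findings}")
```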
Hi, Could you please help me. I try to setup and all looks similar but my SPF (When I look at the original email) looks like SPF: PASS with IP 2a01:111:f400:fe1f:0:0:0:725. Is it something wrong or how to fix it? thank you
Hi, that all looks fine. The IP address you have displayed is an IPv6 address, not IPv4, but it is working well because of the 'SPF: PASS' reference. Mark.
I absolutely agree with so many of the other comments here. After watching 4 or 5 other videos on setting up DKIM and DMARC I found yours. It is to the point and easy to follow. Thank you! and keep up the good work. Cheers!
Thank you Sir, for taking the time to write this. Appreciate your comments.
I've been in IT for 35 years and this has to be one of the top five instructional videos I have ever seen! Easy to follow, very informative, and I am thankful that it's out there! THANK YOU!
Thank you. That is very much appreciated. Mark.
I totally agree!!! Thank you so very much!!!
Just like everyone else…such a helpful and easy to understand presentation. The ease with which you worked through what has otherwise been such a pain in the rear made that 20 minutes very well spent. Thank you!
Thank you. Very nice to see your comment. I always have fun making these videos and to know they are helpful is very pleasing.
After an exhaustive search, I found this video and it was exactly what I needed. Exactly. Thank you
You're so welcome! Glad it helped you out.
I let the ads run all the way as appreciation for your work here.
You’re a legend. Thank you.
VERY well done video! I'm a messaging admin (as are most of your viewers I suspect) and this is the best tutorial I've found on the subject. Thorough information without being bloated. You've made a subscriber out of me. Thank you for the great content!
Cheers Steve, I really appreciate that. Glad it was useful and yes I hate bloated YT videos. Haha. Mark.
This might be the best tutorial video ever made. Excellent job.
Wow, thanks!
Wow ! I must say I am deeply impressed. Not only does the video give a clear answer to the problem, but it also taught me a lot. I love it!
Thank you very much mate !
You are most welcome. Glad you found it useful. Mark.
Absolutely EXCELLENT instructions! Beats everything else I've seen. Thank you!!!
No worries at all. Thanks for the comment. :-)
I was running here and there to setup DKIM/DMARC. Finally I found your detailed tutorial. Very very big thanks!! My problem is solved. ❤❤❤❤
Thank you. Very glad that helped you out. Always trying to provide content that is straight to the point and quick to digest. Mark.
I wish I could have found your video earlier. I have spent a lot of time on this. Great job! I appreciate it.
Glad it was helpful!
As many others already said, it is very easy to perform thanks to your guidance. Thank you so much! I have subscribed to your channel. Keep up with your marvelous job!
Thank you. Always very nice to hear. :-)
@thecloudgeezer I would appreciate if you can prepare another tutorial that explains how to analyze the reports and how to determine when it's the time to change the policy from none to quarantine and reject.
Thanks 🙏🏻
Wow! You took a subject that was over my head and made it completely understandable. Thank you so much for putting this video together!
Hi Larry. No worries at all. I enjoy making these videos and I am glad it helped you out. Have a good day. Mark.
Thank youuuu! I have been struggling with my DKIM and your video was very clear and concise. It now works, thanks for sharing!
No worries at all. Glad you got good value out of it. Have an awesome week. Mark.
You are a GOD SEND!!! Thanks a million!!
You're welcome! :-)
Hey I am circling back to drop a thanks/like. I followed this guide, leveraged MXToolbox, and Proofpoints generator and got it rolling. I appreciate you The Cloud Geezer.
Thank you for your kind comments. So glad that it was helpful for you.
Thanks so much for creating this video. Very easy to follow and precise. You now have a new follower.
Awesome. Thank you. Have a good weekend.
Great video, easy to follow and I have successfully configured my domain with DKIM and DMARC by following your tutorial.
Thank you. Glad that it helped you and worked out well.
This tutorial is the easiest to follow. Thank you very much!
That's good to hear. I do try and make them as easy as possible. Only showing what you really need to know without going off on too many tangents. Thanks for your comment.
I have bookmarked this video and intend to use it... Great video, many thanks!
Awesome, thanks for the feedback. Mark.
Wow, this has been a great video. I needed to add these records for a client. I followed your video and it worked perfectly. Thanks for the great content. I'm a subscriber for life....
I'll be looking for more videos.
Thank you very much. :-)
absolutely awesome. Please keep these types of tutorials and implementation coming.....
Thanks, will certainly do that.
Wow, that was very well done. I do have a question as I am getting an error but I don't think it is a big deal. When I do the checks I get this in several locations DMARC Policy Not Enable DMARC Quarantine/Reject policy not enabled. Any thoughts?
Thank you. You may have set the DMARC policy to do nothing rather than reject/quarantine. Some tests will fail if there is no call to action on the DMARC like that, even though the DMARC record is in place. Definitely good to set to reject.
This video is absolutely valuable. Thank you for sharing your knowledge with us.
My pleasure! Very happy that you liked it and took the time to comment. :-)
This helped so much. Thanks for such a great video that was easy to follow.
Hey no worries, my pleasure. Glad it all worked for you.
Exactly what I needed, thank you for taking the time to make this video!
You are most welcome. Thanks for watching and taking the time to comment.
Great video. Straight to the point and saves MONEY!!!
Cheers Sam. :-)
So Great content here! Thank you for this very helpful video 🙏 I'm fighting with those records (especially DMARC and DKIM in Office 365 admin centre...) for a while now. Thank you again and please keep on! 👍
You. Are. Amazing. This was so easy to follow. Thank you SO much!
You are very welcome. I enjoy putting these videos together, thanks for the kind words.
Great video, I have been setting up so many MS365 Exchange online and according to the admin portal everything was fine. Just learned something new, even though I have been a sysadmin for over 10 years. :D
Thanks for that. Glad it was helpful. :-)
Thanks for the excellent video! I've now added DKIM to my domain and will add DMARC later. One quick question if I may relating to the mxtoolbox AnalyseHeaders check I've just carried out: my DKIM DNS changes appear to have replicated, but AnalyseHeaders currently shows DKIMAlignment with a green tick and DKIMAuthenticated with a red cross. I believe I have completed DMARC setup correctly so I'm wondering if there is a delay and it will turn green later? Incidentally, I actually noticed this exact state in your video at 13:42! I thought you might do a further AnalyseHeaders later in the video and we would see DKIMAuthenticated had changed to a green tick, but you didn't do a further AnalyseHeaders. Thanks for any light you might be able to shed on this.
The DKIM authenticated in MXToolbox can be a little misleading as sometimes it will fail that test, then pass it an hour or so later. The way to confirm is to send to a different email address, like a gmail.com or outlook.com, and rerun the test. There are other tools available which can check it too, which I have started to favour to be honest. I put one on my blog page to make it easier too. Check this one out. thecloudgeezer.com/dkim-dmarc-spf-scanner/
@thecloudgeezer Thanks for responding, I really appreciate that. In case it's of any use to anyone, I did uncover the reason I appeared to be having trouble. It turned out that the issue is with the way I was copying the message when I emailed my own personal gmail account prior to pasting into the mxtoolbox/AnalyseHeaders screen. I did what seemed correct in gmail webmail by using 'Show original' then 'Copy to clipboard'. I was thinking it might be a propagation delay, but the next day I still had a red cross for 'DKIM Authenticated'. It turns out to be nothing to do with DNS propagation delay. I then tried a different tack: instead of using 'Copy to clipboard' in the gmail 'Show original' screen I thought I'd hit the 'download original' alternative over on the LHS which saved the EML file on my desktop. I then used Notepad++ to open the EML file then SelectAll then copy and finally paste that into the mxtoolbox/AnalyseHeaders screen. Then clicking 'AnalyseHeaders' shows 'DKIM Authenticated' with a nice green tick! Hope this background saves people some time when they hit the same issue.
@ianbennett7311 That is a perfect insight, thank you. I definitely appreciate this comment.
Wow, what a detailed and calm tutorial. Huge thumbs up 👍
Thank you. :-) Always nice to get positive feedback like this.
Thank you. This was really helpful and to the point.
Glad it was helpful!
great video - made the final bits of setup easy
Thank you. :-)
Great video - saved me hours of trying to figure this out. Keep up the good work!
Cheers. Thanks for taking the time to comment. :-)
Great work. This cleared up an issue I was having.
Thanks. Glad it helped you out.
Hi, thanks for this, slightly confused as you set the dmarc policy to none, I did the same and get the message that quarantine/reject policy is not enabled. Your report showed that the policy was enabled at the end. Did you change the setting from none at some point?
Hi Stephen. Yes I did. The ‘none’ would normally be used for the initial testing as obviously it doesn’t do much except for having reports confirm that a DMARC policy exists. Setting it to ‘reject’ is generally accepted as the best practice. Thanks for picking that up and I appreciate the comment.
Fantastic bro! your video is a life saver! Cheers from Chile
Glad it helped! Thanks for commenting and have a great week.
Thanks for the great explanation. Why is there still an issue with DKIM Authentication at 17:05?
It is down to how the MXToolbox toolset looks at the different records. They are correct, but have a look at the article on thecloudgeezer.com as I have placed a newer checker tool in the SPF DKIM DMARC article. Feel free to email me at mark@thecloudgeezer.com if you need to. Mark.
@thecloudgeezer Thanks for answering :) I'll have a look
You are a beautiful human. Thank you for this
Thank you. I appreciate that. :-)
Hi, is it considered good to go if the DKIM authentication is still red? But all the rest is green, 13:43 in the vid
Yes, that is certainly OK. The DKIM validation and selectors validate differently from provider to provider but as long as you get the Green tick on DKIM then you are good to go.
I have put a checker tool on the website now. Here is the link - thecloudgeezer.com/dkim-dmarc-spf-scanner/
It will show how things are looking for any domain.
Mark
thank you 😍
You have saved me, you are the Best Man. Thanks
No problem 👍:-)
You explained this better than microsoft 😄.
Thank you. I appreciate that. :-)
😀 Great video to follow - step by step. And It works perfect.
Perfect! Glad you liked it. Mark.
Great tutorial man. Helped a family member with this. I'd never really bothered with this stuff lol
Great to hear! Thanks for commenting, I appreciate that.
Well I nearly stopped watching, when I first saw the Avatar, however persevered and found it very useful and informative. Thank You...
Well I am definitely glad you did. Thanks for commenting. Mark.
Thanks for the help and the tips! Got everything done!
Excellent. Very glad it helped you out.
Great guide ! thanks
Glad you liked it!
Brilliant video. Thank you so much for making this so easy to follow. 10/10
You're very welcome!
Thank you for posting this - life saver!
Cheers
No worries at all. Thanks for the comment. I appreciate all of them and I am very glad that this video is helping so many people.
Thank you, very helpful and well explained..... Keep on
Thanks Paul. I appreciate that.
Thanks for your video, great 👏👏👏👏👏👏
next level! you made our lives easy bru.. Excellent.. great job.! looking for more stuff from you. subscribed the channel.
Cheers for that. I am always looking for new content to create, any ideas are always welcome.
love your practical video.
Awesome. Thank you. Glad you enjoyed it.
this video is a life saver - thank you!
Thanks Zorba, nice of you to take the time to comment. I definitely appreciate that.
10/10 Great Video, now I'm going to binge watch your channel 😂
I can probably think of better things on Netflix to binge watch to be fair! But thank you anyway. :-)
Great video. A couple of questions. Firstly, if I’m using Microsoft 365 for email, but Hostgator for DNS hosting, where would I configure DKIM? Also, once configured, what do I do with the existing DKIM in Hostgator (there is a DKIM entry there)? Do I delete it?
Hi. Using Hostgator for DNS hosting is all good, there will be some settings in your account to change the DNS entries for your domain. They will be in the Hostgator control panel. Look for an item talking about DNS Zones. When you are in there, you are correct, the Hostgator DKIM entries can be removed. Drop me a note to mark@thecloudgeezer.com if you want to chat more privately and I can certainly help you out with this. Mark.
Fantastic video!
Thank you very much!
Thank you very much for sharing your knowledge with us❤❤
My pleasure 😊 I always enjoy making these videos, glad everybody likes them.
Short and crisp. Easy to follow and implemented it after watching your video. and the last part DKIM Authenticated still show in red. how to enable it.
That was the plan, just the details on how to get it implemented without tons of fluff around it. Thanks for the comment, I appreciate that.
Solid explanation. thanks!
Glad it was helpful!
@thecloudgeezer it was very. I just finished implementing everything just now for my dissertation. About to implement CA and screenshot. Merry Christmas! 🥳
@adventuresofa9jaguy322 Merry Christmas to you too. :-)
I hope you know that you're a legend. 🙂
Haha, thank you very much. :-)
From an admin on office 365 thank you 🙏🏻
No problem, you are most welcome.
Thank You for the great work! Very helpful -- You saved my day
Excellent. Thank you for adding the comment and letting me know. Glad it helped you out. Mark.
Thank you!!!! This was very helpful in setting up my email.
You are most welcome. :-)
Super useful. Many, many thanks. Cheers
Thank you Sir. Always nice to get this type of feedback. Thanks for taking the time to comment. Mark.
Thank you very much, this was very well explained and accurate, also about the wait times to expect before it becomes active :)
Always makes me smile when I get comments like this. Thank you so much for making this channel a success with all the positivity. You are awesome. :-)
Thanks a lot
You are most welcome. :-)
Great video, well explained and really useful! Many thanks.
Thanks John. Glad it helped you.
Question: I followed these steps and I am getting better results however I still get X on the DKIM Authenticated from the MX toolbox analyzer. Did I miss a step or is that important?
It does depend on how the email headers are copy/pasted. This came up a few months back and I got this comment left on the video. This may help.......
@ianbennett7311
7 months ago (edited)
@thecloudgeezer Thanks for responding, I really appreciate that. In case it's of any use to anyone, I did uncover the reason I appeared to be having trouble. It turned out that the issue is with the way I was copying the message when I emailed my own personal gmail account prior to pasting into the mxtoolbox/AnalyseHeaders screen. I did what seemed correct in gmail webmail by using 'Show original' then 'Copy to clipboard'. I was thinking it might be a propagation delay, but the next day I still had a red cross for 'DKIM Authenticated'. It turns out to be nothing to do with DNS propagation delay. I then tried a different tack: instead of using 'Copy to clipboard' in the gmail 'Show original' screen I thought I'd hit the 'download original' alternative over on the LHS which saved the EML file on my desktop. I then used Notepad++ to open the EML file then SelectAll then copy and finally paste that into the mxtoolbox/AnalyseHeaders screen. Then clicking 'AnalyseHeaders' shows 'DKIM Authenticated' with a nice green tick! Hope this background saves people some time when they hit the same issue.
Very well explained!!! thanks
Always nice to get feedback like this, thank you.
Brilliant video, thank you
Glad you enjoyed it
SOOOOO useful ! Very well explained ! All is setup now for me :) Thanks so much !!!
Pleased I could help out and thank you for taking the time to comment.
Thank you. Everything is explained. 😀
Glad it was helpful!
Many thanks, set up mine also with DKIM.
One question: What is the red 'DKIM Authenticated'? Must that one be green too?
Yes, and I have seen it stay red on certain headers too. This does depend on how the inbound service is reading the DKIM cert. The DKIM record in all the validator checks, in Google Mail, in M365 and other third party tools reports as being 100% compliant. From those checks I was happy that the records were all correct. However in some cases the MXToolbox reports that issue. As a test for this I setup my mailout through HubSpot and added the SPF entries to allow them to act on my behalf. When I checked the header coming through, it actually passed the DKIM authenticated check in MXToolbox which I thought was extremely interesting. Anyway, what I am saying is that your DKIM record should be checked by other third party tools as well, like dkimvalidator.org, or www.dmarcanalyzer.com/dkim/dkim-checker/ for more results. Hope this helps.
Very nice video! Can I have dkim and spf registers configured even if I don't have a A or NS register, right or? Thanks
Hi. Thanks for that. You don't need to have an 'A' record in your DNS that is correct, but the NS records (Name Servers) would automatically be there and are important for Public DNS Health overall. They point to the servers that are providing the lookups for DNS queries so those ones are required for any DNS operations. Hope that helps. Mark.
You saved me. Thank you.
No worries at all. Glad it was helpful. :-)
Very very helpful, thank you so much kind sir!
Glad it was helpful!
Thank you so much for this!
You are most welcome. Thank you for watching.
Brilliant vid. Thank you so much
Thank you. Very happy that you liked it.
Excellent walkthrough - helped me enormously! :-)
Thanks Tim. I appreciate that.
best video on youtube
Thanks Ronald. Also nice to get positive feedback. Have an awesome week my friend.
Very helpful tutorial Mark. Thank you
Thank you Feras. I appreciate your comment.
Thank you very much, this helped me get squared away.
Excellent. Glad it helped you out.
outstanding thanks from ireland
You are welcome! Thanks for the comment. Have an awesome week there in Ireland. :-) Mark.
very helpful video for me thank you sir.
Glad to hear that. Have an awesome week.
Thank you very much. I have implemented all SPF, DKIM, and DMARC. Our cloud service desk sends emails as from our domain and they are now sitting in the junk folder. Is there a way of allowing these emails?
Thank you. Wessam
Hi. Quick question, is the third party's outbound server added to your SPF record? What you can do is look at the header of the email that appears in junk and check what part is triggering the spam designation. Email me at mark@thecloudgeezer.com and we can chat more.
Great Vid. But I'm thinking you'll still get a warning for no DMARC policy set if you're passing p=none. And the only step you seem to have skipped over is setting a DMARC policy. Something you seem to have done retrospectively?
v=DMARC1; p=reject; pct=100
Yes, you are right. Setting DMARC policy to 'none' isn't really much good, however it is a good start and things really should be either quarantine or reject.
THX mate this video was VERY helpful
Cheers Michael. Always nice to get positive feedback. Mark.
I found we already had DKIM in place, but not DMARC. The DKIM keys were 2 years old ("Last Checked March 2021") so I rotated them. Any idea how long it will take to actually rotate before I can proceed? Will the CNAMEs be updated automatically by Microsoft?
If you rotate the keys it bounces between selector1 and selector2. You should have both CNAMEs already in your DNS so there is nothing to do on your part. It is good management to periodically rotate the keys but there is no strict guideline on how often to be honest. The checking in the backend of Microsoft can take a couple of hours. Go back to the DKIMV2 page in M365 after then and it should have updated for you. Mark.
Every 6 months is advised.
When setting this up does it matter what order you setup the three?
No, not really. They are all technically separate things, but it is good to do them all.
IM SO CONFUSED please help. I've found we don't have an SPF set up, where am I supposed to add the text? Like simplest answer ever please step by step 😭😭😭😭
Do I just log in to the Microsoft office account and click a button somewhere there to add an SPF TXT? It's literally just a work email address that has been in use for 5 years with no issues but now suddenly saying I can't send emails due to SPF and we don't have an IT team it's JUST ME , I don't know what a domain is but I need to fix this so we can send emails again 😭😭
Hi. Sure thing, to add an SPF record, these are done in your Public DNS. They are not settings that you add to the M365 tenant, but your external DNS provider, like GoDaddy or equivalent. Happy to help out on this, drop me an email to mark@thecloudgeezer.com and we can go through your particular scenario and get this done for you. Mark.
Looking for a little guidance here. I set everything up, checked the configuration with EOMS, and it passes with flying colors. Checking things in MxToolbox and using the headers in GMail shows that there's no DMARC record found. I'm kind of stumped. The only variable I can think of is that we use a third-party to generate automatic signatures for outgoing email. Would that mess with the DMARC configuration somehow?
It can do if the email signature provider is intercepting the email and rewriting it as it passes through. No problem though as that can all be mitigated depending on who it is. Maybe drop me a note to mark@thecloudgeezer.com and we can go into it a bit deeper. Mark.
@thecloudgeezer Awesome, I'll shoot you an email tomorrow. Thanks!
Is it possible to configure 2 mail servers on the same domain? use 01 email hosting and another email with exchange but are they the same domain?
You can only have one entry point for your domain. However, there are many many ways to route email once it hits a particular mail server. To recommend the best way for you, drop me a note to mark@thecloudgeezer.com and we can discuss your situation. Always happy to help out. Mark.
I am not sure if you will read this comment but I noticed DKIM Authenticated was red but I didn't see you address it.
Hi. Yes I respond to all comments. :-) And you are right, I don't address it specifically as I have found that the DKIM and DMARC checks for the domain itself all pass. Sometimes I see the alignment in the tool possibly fail from an M365 sent email due to the selector1/2 entries. Always on the delivery side it goes through fine. Performing the DKIM and DMARC checks against the domain with mxtoolbox has shown more accurate results.
Great Video, Really helped
Glad it helped out. Thanks for watching.
Great vid!
Thank you. :-)
Hi, Sir, If I add DMARC reject and quarantine. Should I just press add record? Or edit the existing record?
Hi. In the DMARC entry you will need to edit the existing DNS as you can only have one for each domain. However are you asking if you can have reject AND quarantine set? If so, then that isn't possible. You can only have 'none', 'reject' OR 'quarantine'. Hope that helps. Mark.
@thecloudgeezer thank you so much, sir! You're doing a great job of teaching us! Thanks again!
Hi,
Could you please help me. I tried to set it up and all looks similar but my SPF (when I look at the original email) looks like SPF: PASS with IP 2a01:111:f400:fe1f:0:0:0:725. Is something wrong or how to fix it? Thank you
Hi, that all looks fine. The IP address you have displayed is an IPv6 address, not IPv4, but it is working well because of the 'SPF: PASS' reference. Mark.
accurate information
Thank you.