docs(kittle): comprehensive DKIM/DMARC setup guide for kittlearizona.com

Created detailed implementation guide for email authentication: - Step-by-step DKIM enablement in M365 - DKIM CNAME DNS record creation (NSOne/Squarespace) - DMARC policy configuration and testing - Verification procedures and troubleshooting - Post-implementation monitoring guide Current status documented: - SPF: PASS (configured correctly) - DKIM: MISSING (not configured) - DMARC: MISSING (not configured) - MX: PASS (points to M365) Impact: Missing DKIM/DMARC affects deliverability and domain security Priority: HIGH Estimated time: 30-45 min + 24-48h DNS propagation Updated: - clients/kittle/docs/email/dkim-dmarc-setup.md (NEW - full guide) - clients/kittle/docs/network/dns.md (external DNS section, TODO items) Machine: Mikes-MacBook-Air.local Timestamp: 2026-04-24 09:28:23 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-04-24 09:28:23 -07:00
parent ffe29b286f
commit 8419cf2738
2 changed files with 411 additions and 2 deletions
--- a/clients/kittle/docs/email/dkim-dmarc-setup.md
+++ b/clients/kittle/docs/email/dkim-dmarc-setup.md
@@ -0,0 +1,390 @@
+# DKIM & DMARC Setup for kittlearizona.com
+
+**Client:** Kittle Design & Construction LLC
+**Domain:** kittlearizona.com
+**Mail Provider:** Microsoft 365
+**Status:** DKIM & DMARC not configured (as of 2026-04-23)
+**Priority:** HIGH - Impacts email deliverability and security
+
+---
+
+## Current Status (2026-04-23)
+
+**DNS Records Audit:**
+
+| Record Type | Status | Details |
+|------------|--------|---------|
+| SPF | [OK] PASS | `v=spf1 include:spf.protection.outlook.com -all` |
+| DKIM | [ERROR] MISSING | No DKIM selectors configured |
+| DMARC | [ERROR] MISSING | No DMARC policy published |
+| MX | [OK] PASS | Points to M365: `kittlearizona-com.mail.protection.outlook.com` |
+
+**Impact of Missing DKIM/DMARC:**
+- Emails more likely to land in recipient spam folders
+- Domain can be easily spoofed by attackers
+- No visibility into unauthorized use of domain
+- Fails modern email authentication standards (Gmail/Yahoo requirements)
+- May fail deliverability to strict recipients (especially Google Workspace)
+
+---
+
+## Part 1: Enable DKIM in Microsoft 365
+
+### Prerequisites
+- Global Admin or Exchange Admin access to M365 tenant
+- Domain: kittlearizona.com verified in M365
+- DNS management access (NSOne or Squarespace)
+
+### Step 1: Access DKIM Settings
+
+1. **Sign in to Microsoft 365 Defender Portal:**
+   - URL: <https://security.microsoft.com/dkimv2>
+   - Use admin credentials
+
+2. **Navigate to DKIM:**
+   - Already at correct page if using direct link above
+   - OR: Email & collaboration → Policies & rules → Threat policies → DKIM
+
+### Step 2: Enable DKIM for Domain
+
+1. **Select Domain:**
+   - Find `kittlearizona.com` in the list
+   - Click on the domain name
+
+2. **View CNAME Records:**
+   - Click "Create DKIM keys" (if not already created)
+   - Two CNAME records will be displayed:
+
+   **Example format (actual values will differ):**
+   ```
+   Host name: selector1._domainkey.kittlearizona.com
+   Points to: selector1-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com
+
+   Host name: selector2._domainkey.kittlearizona.com
+   Points to: selector2-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com
+   ```
+
+3. **Copy Both CNAME Records:**
+   - Copy the exact values shown
+   - Keep this window open while adding DNS records
+
+---
+
+## Part 2: Add DKIM CNAMEs to DNS
+
+**DNS Provider:** NSOne / Squarespace (hybrid setup)
+
+**[IMPORTANT]** Determine which DNS provider is authoritative for `kittlearizona.com`:
+```bash
+dig +short NS kittlearizona.com
+```
+
+Current nameservers (as of 2026-04-23):
+- dns1.p02.nsone.net
+- dns2.p02.nsone.net
+- dns3.p02.nsone.net
+- dns4.p02.nsone.net
+- ns01.squarespacedns.com
+- ns02.squarespacedns.com
+- ns03.squarespacedns.com
+- ns04.squarespacedns.com
+
+**Likely scenario:** NSOne is primary (listed first). Add records there.
+
+### Option A: Add to NSOne
+
+1. **Sign in to NSOne:**
+   - URL: <https://my.nsone.net/>
+   - Use Kittle's NSOne credentials (or ACG MSP account if managing)
+
+2. **Navigate to Zone:**
+   - Zones → `kittlearizona.com`
+
+3. **Add DKIM CNAME Records:**
+
+   **Record 1:**
+   - Type: CNAME
+   - Name: `selector1._domainkey`
+   - Value: `selector1-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com`
+   - TTL: 3600 (1 hour)
+
+   **Record 2:**
+   - Type: CNAME
+   - Name: `selector2._domainkey`
+   - Value: `selector2-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com`
+   - TTL: 3600 (1 hour)
+
+4. **Save Changes**
+
+### Option B: Add to Squarespace
+
+If Squarespace is the active DNS provider:
+
+1. **Sign in to Squarespace:**
+   - URL: <https://account.squarespace.com/>
+   - Use Kittle's Squarespace credentials
+
+2. **Navigate to DNS Settings:**
+   - Domains → kittlearizona.com → DNS Settings
+
+3. **Add Custom Records:**
+   - Click "Add Custom Record"
+   - Follow same CNAME format as NSOne above
+
+---
+
+## Part 3: Verify DKIM CNAMEs
+
+**Wait 30-60 minutes** for DNS propagation, then verify:
+
+```bash
+# Check selector1
+dig +short CNAME selector1._domainkey.kittlearizona.com
+
+# Check selector2
+dig +short CNAME selector2._domainkey.kittlearizona.com
+```
+
+**Expected output:**
+```
+selector1-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com.
+selector2-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com.
+```
+
+---
+
+## Part 4: Enable DKIM Signing in M365
+
+1. **Return to M365 Defender Portal:**
+   - <https://security.microsoft.com/dkimv2>
+
+2. **Enable DKIM:**
+   - Select `kittlearizona.com`
+   - Toggle "Sign messages for this domain with DKIM signatures" to **Enabled**
+   - Status should change to "Enabled" (may take a few minutes)
+
+3. **Verify Signing:**
+   - Send test email from ken@kittlearizona.com to external address
+   - Check email headers for `DKIM-Signature:` header
+   - Use online tool: <https://www.mail-tester.com/>
+
+---
+
+## Part 5: Add DMARC Policy
+
+**What is DMARC:**
+- Domain-based Message Authentication, Reporting & Conformance
+- Tells receiving servers what to do with emails that fail SPF/DKIM
+- Provides reports on email authentication failures
+
+### Recommended DMARC Policy (Quarantine Mode)
+
+**Add TXT record to DNS:**
+
+**Record:**
+- Type: TXT
+- Name: `_dmarc`
+- Value: `v=DMARC1; p=quarantine; rua=mailto:ken@kittlearizona.com; pct=100; adkim=r; aspf=r`
+- TTL: 3600
+
+**Policy Breakdown:**
+- `v=DMARC1` - Version
+- `p=quarantine` - Quarantine (spam folder) emails that fail authentication
+- `rua=mailto:ken@kittlearizona.com` - Send aggregate reports to Ken
+- `pct=100` - Apply policy to 100% of emails
+- `adkim=r` - Relaxed DKIM alignment
+- `aspf=r` - Relaxed SPF alignment
+
+**Alternative: Monitor-Only Mode (Recommended for First Week):**
+
+Start with monitoring to ensure no legitimate mail breaks:
+
+```
+v=DMARC1; p=none; rua=mailto:ken@kittlearizona.com; pct=100; adkim=r; aspf=r
+```
+
+- `p=none` - Monitor only, don't take action (collect data first)
+- After 1 week of clean reports, change to `p=quarantine`
+- After 2 weeks with no issues, optionally change to `p=reject`
+
+### Add DMARC Record
+
+**NSOne:**
+1. Zones → kittlearizona.com → Add Record
+2. Type: TXT
+3. Name: `_dmarc`
+4. Value: (paste DMARC policy above)
+5. TTL: 3600
+6. Save
+
+**Squarespace:**
+1. Domains → kittlearizona.com → DNS Settings
+2. Add Custom Record → TXT
+3. Host: `_dmarc`
+4. Data: (paste DMARC policy above)
+5. Save
+
+### Verify DMARC
+
+```bash
+dig +short TXT _dmarc.kittlearizona.com
+```
+
+**Expected output:**
+```
+"v=DMARC1; p=quarantine; rua=mailto:ken@kittlearizona.com; pct=100; adkim=r; aspf=r"
+```
+
+---
+
+## Part 6: Verification & Testing
+
+### Full Email Authentication Check
+
+**Online Tools:**
+1. **Mail-Tester:** <https://www.mail-tester.com/>
+   - Send test email to provided address
+   - Get deliverability score (should be 10/10 after DKIM/DMARC)
+
+2. **MXToolbox:** <https://mxtoolbox.com/SuperTool.aspx>
+   - Check SPF: `spf:kittlearizona.com`
+   - Check DMARC: `dmarc:kittlearizona.com`
+   - Check DKIM: Send test email, view headers
+
+3. **DMARC Analyzer:** <https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/>
+   - Verify DMARC record syntax
+
+### Manual Header Inspection
+
+Send test email from `ken@kittlearizona.com`, check headers for:
+
+```
+Authentication-Results: dkim=pass header.d=kittlearizona.com
+DKIM-Signature: v=1; a=rsa-sha256; d=kittlearizona.com; s=selector1;
+```
+
+---
+
+## Post-Implementation
+
+### Monitor DMARC Reports
+
+**Reports will be sent to:** ken@kittlearizona.com (as configured in `rua=` parameter)
+
+**Report Format:**
+- XML attachments (daily)
+- Contains details on:
+  - Sending IPs using your domain
+  - SPF/DKIM pass/fail rates
+  - Potential spoofing attempts
+
+**DMARC Report Analyzers (optional):**
+- Postmark: <https://dmarc.postmarkapp.com/>
+- DMARC Analyzer: <https://www.dmarcanalyzer.com/>
+- These parse XML reports into readable format
+
+### Escalation Path
+
+If DMARC reports show legitimate mail failing:
+1. Review failing IPs/sources
+2. Check if authorized sender not in SPF (e.g., third-party service)
+3. Add authorized senders to SPF or set up DKIM for them
+4. Adjust DMARC policy alignment if needed
+
+### Timeline for Full Protection
+
+**Week 1:**
+- DKIM enabled, DMARC at `p=none` (monitoring)
+- Review reports daily
+
+**Week 2:**
+- If no issues, change DMARC to `p=quarantine`
+- Continue monitoring
+
+**Week 3+:**
+- Optionally escalate to `p=reject` (hard fail)
+- Ongoing: Review monthly DMARC reports
+
+---
+
+## Troubleshooting
+
+### DKIM Not Signing After 24 Hours
+
+**Check:**
+1. CNAMEs propagated globally: <https://www.whatsmydns.net/>
+2. DKIM toggle is ON in M365 admin center
+3. No typos in CNAME records
+4. DNS provider is correct (NSOne vs Squarespace)
+
+**Fix:**
+- Wait 48 hours for full propagation
+- Verify CNAME records exactly match M365 values
+- Contact M365 support if still failing after 48h
+
+### DMARC Reports Not Arriving
+
+**Check:**
+1. `rua=` email address is correct
+2. Email inbox not filtering as spam
+3. Wait 24-48 hours (reports are daily)
+
+**Note:** Not all receiving servers send DMARC reports. Gmail and Outlook.com do.
+
+### Emails Going to Spam After DMARC
+
+**Likely causes:**
+1. DMARC too strict (`p=reject`) before DKIM stabilized
+2. Legitimate sender failing SPF/DKIM
+3. Reputation issue unrelated to authentication
+
+**Fix:**
+- Revert DMARC to `p=none` temporarily
+- Review DMARC reports for failing sources
+- Resolve SPF/DKIM issues before re-enabling strict policy
+
+---
+
+## Quick Reference Commands
+
+**Check all email authentication:**
+```bash
+# SPF
+dig +short TXT kittlearizona.com | grep spf
+
+# DKIM selector1
+dig +short CNAME selector1._domainkey.kittlearizona.com
+
+# DKIM selector2
+dig +short CNAME selector2._domainkey.kittlearizona.com
+
+# DMARC
+dig +short TXT _dmarc.kittlearizona.com
+
+# MX
+dig +short MX kittlearizona.com
+```
+
+**Expected output (after setup):**
+```
+SPF:   "v=spf1 include:spf.protection.outlook.com -all"
+DKIM1: selector1-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com.
+DKIM2: selector2-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com.
+DMARC: "v=DMARC1; p=quarantine; rua=mailto:ken@kittlearizona.com; pct=100; adkim=r; aspf=r"
+MX:    0 kittlearizona-com.mail.protection.outlook.com.
+```
+
+---
+
+## Related Documentation
+
+- M365 Admin Access: [TO BE DOCUMENTED]
+- DNS Management: `docs/network/dns.md`
+- Email Overview: [TO BE CREATED]
+
+---
+
+**Created:** 2026-04-23
+**Author:** Mike Swanson (ACG)
+**Status:** Pending implementation
+**Estimated Time:** 30-45 minutes + 24-48h DNS propagation
--- a/clients/kittle/docs/network/dns.md
+++ b/clients/kittle/docs/network/dns.md
@@ -26,7 +26,24 @@
 ## External DNS
 - Registrar: Unknown
 - Primary Domain: kittlearizona.com
- Management URL: Unknown
+- Nameservers: NSOne + Squarespace (hybrid setup)
+  - dns1.p02.nsone.net
+  - dns2.p02.nsone.net
+  - dns3.p02.nsone.net
+  - dns4.p02.nsone.net
+  - ns01.squarespacedns.com
+  - ns02.squarespacedns.com
+  - ns03.squarespacedns.com
+  - ns04.squarespacedns.com
+
+### Email DNS Records (as of 2026-04-23)
+- **MX:** `0 kittlearizona-com.mail.protection.outlook.com` (Microsoft 365)
+- **SPF:** `v=spf1 include:spf.protection.outlook.com -all` [OK]
+- **DKIM:** NOT CONFIGURED [ACTION REQUIRED]
+- **DMARC:** NOT CONFIGURED [ACTION REQUIRED]
+
+**[HIGH PRIORITY]** Missing DKIM/DMARC impacts email deliverability and security.
+**Setup Guide:** See `docs/email/dkim-dmarc-setup.md` for implementation steps.

 ## Issues
 1. **No reverse DNS zone** — Create 0.0.10.in-addr.arpa for PTR lookups on 10.0.0.0/24
@@ -38,4 +55,6 @@
 - [ ] Verify what DNS server DHCP clients receive from the ISP router
 - [ ] Consider adding secondary DNS forwarder for redundancy
 - [ ] Enable DNS scavenging to prevent stale records
- [ ] Document external DNS (registrar, MX records, SPF/DKIM/DMARC for kittlearizona.com)
+- [ ] **[HIGH PRIORITY] Configure DKIM for kittlearizona.com** (see docs/email/dkim-dmarc-setup.md)
+- [ ] **[HIGH PRIORITY] Add DMARC policy for kittlearizona.com** (see docs/email/dkim-dmarc-setup.md)
+- [ ] Identify DNS registrar and management URL for kittlearizona.com