From 8419cf2738be4d8a8bd0a62b65f9c50b57698da4 Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Fri, 24 Apr 2026 09:28:23 -0700 Subject: [PATCH] docs(kittle): comprehensive DKIM/DMARC setup guide for kittlearizona.com Created detailed implementation guide for email authentication: - Step-by-step DKIM enablement in M365 - DKIM CNAME DNS record creation (NSOne/Squarespace) - DMARC policy configuration and testing - Verification procedures and troubleshooting - Post-implementation monitoring guide Current status documented: - SPF: PASS (configured correctly) - DKIM: MISSING (not configured) - DMARC: MISSING (not configured) - MX: PASS (points to M365) Impact: Missing DKIM/DMARC affects deliverability and domain security Priority: HIGH Estimated time: 30-45 min + 24-48h DNS propagation Updated: - clients/kittle/docs/email/dkim-dmarc-setup.md (NEW - full guide) - clients/kittle/docs/network/dns.md (external DNS section, TODO items) Machine: Mikes-MacBook-Air.local Timestamp: 2026-04-24 09:28:23 Co-Authored-By: Claude Sonnet 4.5 --- clients/kittle/docs/email/dkim-dmarc-setup.md | 390 ++++++++++++++++++ clients/kittle/docs/network/dns.md | 23 +- 2 files changed, 411 insertions(+), 2 deletions(-) create mode 100644 clients/kittle/docs/email/dkim-dmarc-setup.md diff --git a/clients/kittle/docs/email/dkim-dmarc-setup.md b/clients/kittle/docs/email/dkim-dmarc-setup.md new file mode 100644 index 0000000..5361d65 --- /dev/null +++ b/clients/kittle/docs/email/dkim-dmarc-setup.md 
@@ -0,0 +1,390 @@ +# DKIM & DMARC Setup for kittlearizona.com + +**Client:** Kittle Design & Construction LLC +**Domain:** kittlearizona.com +**Mail Provider:** Microsoft 365 +**Status:** DKIM & DMARC not configured (as of 2026-04-23) +**Priority:** HIGH - Impacts email deliverability and security + +--- + +## Current Status (2026-04-23) + +**DNS Records Audit:** + +| Record Type | Status | Details | +|------------|--------|---------| +| SPF | [OK] PASS | `v=spf1 include:spf.protection.outlook.com -all` | +| DKIM | [ERROR] MISSING | No DKIM selectors configured | +| DMARC | [ERROR] MISSING | No DMARC policy published | +| MX | [OK] PASS | Points to M365: `kittlearizona-com.mail.protection.outlook.com` | + +**Impact of Missing DKIM/DMARC:** +- Emails more likely to land in recipient spam folders +- Domain can be easily spoofed by attackers +- No visibility into unauthorized use of domain +- Fails modern email authentication standards (Gmail/Yahoo requirements) +- May fail deliverability to strict recipients (especially Google Workspace) + +--- + +## Part 1: Enable DKIM in Microsoft 365 + +### Prerequisites +- Global Admin or Exchange Admin access to M365 tenant +- Domain: kittlearizona.com verified in M365 +- DNS management access (NSOne or Squarespace) + +### Step 1: Access DKIM Settings + +1. **Sign in to Microsoft 365 Defender Portal:** + - URL: + - Use admin credentials + +2. **Navigate to DKIM:** + - Already at correct page if using direct link above + - OR: Email & collaboration → Policies & rules → Threat policies → DKIM + +### Step 2: Enable DKIM for Domain + +1. **Select Domain:** + - Find `kittlearizona.com` in the list + - Click on the domain name + +2. 
**View CNAME Records:** + - Click "Create DKIM keys" (if not already created) + - Two CNAME records will be displayed: + + **Example format (actual values will differ):** + ``` + Host name: selector1._domainkey.kittlearizona.com + Points to: selector1-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com + + Host name: selector2._domainkey.kittlearizona.com + Points to: selector2-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com + ``` + +3. **Copy Both CNAME Records:** + - Copy the exact values shown + - Keep this window open while adding DNS records + +--- + +## Part 2: Add DKIM CNAMEs to DNS + +**DNS Provider:** NSOne / Squarespace (hybrid setup) + +**[IMPORTANT]** Determine which DNS provider is authoritative for `kittlearizona.com`: +```bash +dig +short NS kittlearizona.com +``` + +Current nameservers (as of 2026-04-23): +- dns1.p02.nsone.net +- dns2.p02.nsone.net +- dns3.p02.nsone.net +- dns4.p02.nsone.net +- ns01.squarespacedns.com +- ns02.squarespacedns.com +- ns03.squarespacedns.com +- ns04.squarespacedns.com + +**Likely scenario:** NSOne is primary (listed first). Add records there. + +### Option A: Add to NSOne + +1. **Sign in to NSOne:** + - URL: + - Use Kittle's NSOne credentials (or ACG MSP account if managing) + +2. **Navigate to Zone:** + - Zones → `kittlearizona.com` + +3. **Add DKIM CNAME Records:** + + **Record 1:** + - Type: CNAME + - Name: `selector1._domainkey` + - Value: `selector1-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com` + - TTL: 3600 (1 hour) + + **Record 2:** + - Type: CNAME + - Name: `selector2._domainkey` + - Value: `selector2-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com` + - TTL: 3600 (1 hour) + +4. **Save Changes** + +### Option B: Add to Squarespace + +If Squarespace is the active DNS provider: + +1. **Sign in to Squarespace:** + - URL: + - Use Kittle's Squarespace credentials + +2. **Navigate to DNS Settings:** + - Domains → kittlearizona.com → DNS Settings + +3. 
**Add Custom Records:** + - Click "Add Custom Record" + - Follow same CNAME format as NSOne above + +--- + +## Part 3: Verify DKIM CNAMEs + +**Wait 30-60 minutes** for DNS propagation, then verify: + +```bash +# Check selector1 +dig +short CNAME selector1._domainkey.kittlearizona.com + +# Check selector2 +dig +short CNAME selector2._domainkey.kittlearizona.com +``` + +**Expected output:** +``` +selector1-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com. +selector2-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com. +``` + +--- + +## Part 4: Enable DKIM Signing in M365 + +1. **Return to M365 Defender Portal:** + - + +2. **Enable DKIM:** + - Select `kittlearizona.com` + - Toggle "Sign messages for this domain with DKIM signatures" to **Enabled** + - Status should change to "Enabled" (may take a few minutes) + +3. **Verify Signing:** + - Send test email from ken@kittlearizona.com to external address + - Check email headers for `DKIM-Signature:` header + - Use online tool: + +--- + +## Part 5: Add DMARC Policy + +**What is DMARC:** +- Domain-based Message Authentication, Reporting & Conformance +- Tells receiving servers what to do with emails that fail SPF/DKIM +- Provides reports on email authentication failures + +### Recommended DMARC Policy (Quarantine Mode) + +**Add TXT record to DNS:** + +**Record:** +- Type: TXT +- Name: `_dmarc` +- Value: `v=DMARC1; p=quarantine; rua=mailto:ken@kittlearizona.com; pct=100; adkim=r; aspf=r` +- TTL: 3600 + +**Policy Breakdown:** +- `v=DMARC1` - Version +- `p=quarantine` - Quarantine (spam folder) emails that fail authentication +- `rua=mailto:ken@kittlearizona.com` - Send aggregate reports to Ken +- `pct=100` - Apply policy to 100% of emails +- `adkim=r` - Relaxed DKIM alignment +- `aspf=r` - Relaxed SPF alignment + +**Alternative: Monitor-Only Mode (Recommended for First Week):** + +Start with monitoring to ensure no legitimate mail breaks: + +``` +v=DMARC1; p=none; rua=mailto:ken@kittlearizona.com; pct=100; 
adkim=r; aspf=r +``` + +- `p=none` - Monitor only, don't take action (collect data first) +- After 1 week of clean reports, change to `p=quarantine` +- After 2 weeks with no issues, optionally change to `p=reject` + +### Add DMARC Record + +**NSOne:** +1. Zones → kittlearizona.com → Add Record +2. Type: TXT +3. Name: `_dmarc` +4. Value: (paste DMARC policy above) +5. TTL: 3600 +6. Save + +**Squarespace:** +1. Domains → kittlearizona.com → DNS Settings +2. Add Custom Record → TXT +3. Host: `_dmarc` +4. Data: (paste DMARC policy above) +5. Save + +### Verify DMARC + +```bash +dig +short TXT _dmarc.kittlearizona.com +``` + +**Expected output:** +``` +"v=DMARC1; p=quarantine; rua=mailto:ken@kittlearizona.com; pct=100; adkim=r; aspf=r" +``` + +--- + +## Part 6: Verification & Testing + +### Full Email Authentication Check + +**Online Tools:** +1. **Mail-Tester:** + - Send test email to provided address + - Get deliverability score (should be 10/10 after DKIM/DMARC) + +2. **MXToolbox:** + - Check SPF: `spf:kittlearizona.com` + - Check DMARC: `dmarc:kittlearizona.com` + - Check DKIM: Send test email, view headers + +3. **DMARC Analyzer:** + - Verify DMARC record syntax + +### Manual Header Inspection + +Send test email from `ken@kittlearizona.com`, check headers for: + +``` +Authentication-Results: dkim=pass header.d=kittlearizona.com +DKIM-Signature: v=1; a=rsa-sha256; d=kittlearizona.com; s=selector1; +``` + +--- + +## Post-Implementation + +### Monitor DMARC Reports + +**Reports will be sent to:** ken@kittlearizona.com (as configured in `rua=` parameter) + +**Report Format:** +- XML attachments (daily) +- Contains details on: + - Sending IPs using your domain + - SPF/DKIM pass/fail rates + - Potential spoofing attempts + +**DMARC Report Analyzers (optional):** +- Postmark: +- DMARC Analyzer: +- These parse XML reports into readable format + +### Escalation Path + +If DMARC reports show legitimate mail failing: +1. Review failing IPs/sources +2. 
Check if authorized sender not in SPF (e.g., third-party service) +3. Add authorized senders to SPF or set up DKIM for them +4. Adjust DMARC policy alignment if needed + +### Timeline for Full Protection + +**Week 1:** +- DKIM enabled, DMARC at `p=none` (monitoring) +- Review reports daily + +**Week 2:** +- If no issues, change DMARC to `p=quarantine` +- Continue monitoring + +**Week 3+:** +- Optionally escalate to `p=reject` (hard fail) +- Ongoing: Review monthly DMARC reports + +--- + +## Troubleshooting + +### DKIM Not Signing After 24 Hours + +**Check:** +1. CNAMEs propagated globally: +2. DKIM toggle is ON in M365 admin center +3. No typos in CNAME records +4. DNS provider is correct (NSOne vs Squarespace) + +**Fix:** +- Wait 48 hours for full propagation +- Verify CNAME records exactly match M365 values +- Contact M365 support if still failing after 48h + +### DMARC Reports Not Arriving + +**Check:** +1. `rua=` email address is correct +2. Email inbox not filtering as spam +3. Wait 24-48 hours (reports are daily) + +**Note:** Not all receiving servers send DMARC reports. Gmail and Outlook.com do. + +### Emails Going to Spam After DMARC + +**Likely causes:** +1. DMARC too strict (`p=reject`) before DKIM stabilized +2. Legitimate sender failing SPF/DKIM +3. 
Reputation issue unrelated to authentication + +**Fix:** +- Revert DMARC to `p=none` temporarily +- Review DMARC reports for failing sources +- Resolve SPF/DKIM issues before re-enabling strict policy + +--- + +## Quick Reference Commands + +**Check all email authentication:** +```bash +# SPF +dig +short TXT kittlearizona.com | grep spf + +# DKIM selector1 +dig +short CNAME selector1._domainkey.kittlearizona.com + +# DKIM selector2 +dig +short CNAME selector2._domainkey.kittlearizona.com + +# DMARC +dig +short TXT _dmarc.kittlearizona.com + +# MX +dig +short MX kittlearizona.com +``` + +**Expected output (after setup):** +``` +SPF: "v=spf1 include:spf.protection.outlook.com -all" +DKIM1: selector1-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com. +DKIM2: selector2-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com. +DMARC: "v=DMARC1; p=quarantine; rua=mailto:ken@kittlearizona.com; pct=100; adkim=r; aspf=r" +MX: 0 kittlearizona-com.mail.protection.outlook.com. +``` + +--- + +## Related Documentation + +- M365 Admin Access: [TO BE DOCUMENTED] +- DNS Management: `docs/network/dns.md` +- Email Overview: [TO BE CREATED] + +--- + +**Created:** 2026-04-23 +**Author:** Mike Swanson (ACG) +**Status:** Pending implementation +**Estimated Time:** 30-45 minutes + 24-48h DNS propagation diff --git a/clients/kittle/docs/network/dns.md b/clients/kittle/docs/network/dns.md index 5b4b029..cf635b1 100644 --- a/clients/kittle/docs/network/dns.md +++ b/clients/kittle/docs/network/dns.md 
@@ -26,7 +26,24 @@ ## External DNS - Registrar: Unknown - Primary Domain: kittlearizona.com -- Management URL: Unknown +- Nameservers: NSOne + Squarespace (hybrid setup) + - dns1.p02.nsone.net + - dns2.p02.nsone.net + - dns3.p02.nsone.net + - dns4.p02.nsone.net + - ns01.squarespacedns.com + - ns02.squarespacedns.com + - ns03.squarespacedns.com + - ns04.squarespacedns.com + +### Email DNS Records (as of 2026-04-23) +- **MX:** `0 kittlearizona-com.mail.protection.outlook.com` (Microsoft 365) +- **SPF:** `v=spf1 include:spf.protection.outlook.com -all` [OK] +- **DKIM:** NOT CONFIGURED [ACTION REQUIRED] +- **DMARC:** NOT CONFIGURED [ACTION REQUIRED] + +**[HIGH PRIORITY]** Missing DKIM/DMARC impacts email deliverability and security. +**Setup Guide:** See `docs/email/dkim-dmarc-setup.md` for implementation steps. ## Issues 1. **No reverse DNS zone** — Create 0.0.10.in-addr.arpa for PTR lookups on 10.0.0.0/24 @@ -38,4 +55,6 @@ - [ ] Verify what DNS server DHCP clients receive from the ISP router - [ ] Consider adding secondary DNS forwarder for redundancy - [ ] Enable DNS scavenging to prevent stale records -- [ ] Document external DNS (registrar, MX records, SPF/DKIM/DMARC for kittlearizona.com) +- [ ] **[HIGH PRIORITY] Configure DKIM for kittlearizona.com** (see docs/email/dkim-dmarc-setup.md) +- [ ] **[HIGH PRIORITY] Add DMARC policy for kittlearizona.com** (see docs/email/dkim-dmarc-setup.md) +- [ ] Identify DNS registrar and management URL for kittlearizona.com
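Review bot: In the dkim-dmarc-setup.md hunk, Part 2's "Likely scenario: NSOne is primary (listed first). Add records there." draws a conclusion the data does not support: `dig +short NS` output carries no priority, and with eight nameservers split across NSOne and Squarespace every one of them is authoritative, so a resolver may query either provider. CNAMEs and the `_dmarc` TXT added only at NSOne will be absent for any resolver that happens to pick a Squarespace server, and the DKIM toggle in M365 (Part 4) will intermittently fail its CNAME check. Suggest the guide either instructs adding the records at both providers or first collapses the delegation to one, and that the verification steps in Part 3 and Part 5 query each provider directly rather than relying on the local resolver, e.g. `dig +short CNAME selector1._domainkey.kittlearizona.com @dns1.p02.nsone.net` and the same query `@ns01.squarespacedns.com`. Two smaller points in the same hunk: the Option A record values (`selector1-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com`) are copied from the Step 2 block that is explicitly labelled "Example format (actual values will differ)"; the target is tied to the tenant's initial onmicrosoft.com domain, so mark those as placeholders to be replaced with what the Defender portal shows, or a wrong CNAME will silently break signing. And the "Verify DMARC" expected output shows `p=quarantine` while the guide recommends publishing `p=none` for the first week; the expected output should match whichever record is actually published so the check is not read as a failure.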
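Review bot: In the first dns.md hunk, the new "Nameservers: NSOne + Squarespace (hybrid setup)" line records the delegation but not which provider actually holds the zone data, and that is the operationally important fact: with both providers in the NS set, both must serve identical records or resolution is nondeterministic. Suggest adding a line such as "Zone data managed at: [TO BE CONFIRMED]" directly under the nameserver list, and wording the `[ACTION REQUIRED]` items so that, until this is confirmed, DKIM/DMARC records are added at both providers. Also, `- Management URL: Unknown` is removed without a replacement in this section; the TODO in the later hunk covers identifying it, but keeping a visible "Management URL: [TO BE DOCUMENTED]" line here would stop the gap from disappearing from the External DNS section.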