# DKIM & DMARC Setup for kittlearizona.com

**Client:** Kittle Design & Construction LLC
**Domain:** kittlearizona.com
**Mail Provider:** Microsoft 365
**Status:** DKIM & DMARC not configured (as of 2026-04-23)
**Priority:** HIGH - Impacts email deliverability and security

---

## Current Status (2026-04-23)

**DNS Records Audit:**

| Record Type | Status | Details |
|------------|--------|---------|
| SPF | [OK] PASS | `v=spf1 include:spf.protection.outlook.com -all` |
| DKIM | [ERROR] MISSING | No DKIM selectors configured |
| DMARC | [ERROR] MISSING | No DMARC policy published |
| MX | [OK] PASS | Points to M365: `kittlearizona-com.mail.protection.outlook.com` |

**Impact of Missing DKIM/DMARC:**
- Emails more likely to land in recipient spam folders
- Domain can be easily spoofed by attackers
- No visibility into unauthorized use of domain
- Fails modern email authentication standards (Gmail/Yahoo requirements)
- May fail deliverability to strict recipients (especially Google Workspace)

---

## Part 1: Enable DKIM in Microsoft 365

### Prerequisites
- Global Admin or Exchange Admin access to M365 tenant
- Domain: kittlearizona.com verified in M365
- DNS management access (NSOne or Squarespace)

### Step 1: Access DKIM Settings

1. **Sign in to Microsoft 365 Defender Portal:**
   - URL:
   - Use admin credentials
2. **Navigate to DKIM:**
   - Already at correct page if using direct link above
   - OR: Email & collaboration → Policies & rules → Threat policies → DKIM

### Step 2: Enable DKIM for Domain

1. **Select Domain:**
   - Find `kittlearizona.com` in the list
   - Click on the domain name
2. **View CNAME Records:**
   - Click "Create DKIM keys" (if not already created)
   - Two CNAME records will be displayed:

   **Example format (actual values will differ):**
   ```
   Host name: selector1._domainkey.kittlearizona.com
   Points to: selector1-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com

   Host name: selector2._domainkey.kittlearizona.com
   Points to: selector2-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com
   ```
3. **Copy Both CNAME Records:**
   - Copy the exact values shown
   - Keep this window open while adding DNS records

---

## Part 2: Add DKIM CNAMEs to DNS

**DNS Provider:** NSOne / Squarespace (hybrid setup)

**[IMPORTANT]** Determine which DNS provider is authoritative for `kittlearizona.com`:

```bash
dig +short NS kittlearizona.com
```

Current nameservers (as of 2026-04-23):
- dns1.p02.nsone.net
- dns2.p02.nsone.net
- dns3.p02.nsone.net
- dns4.p02.nsone.net
- ns01.squarespacedns.com
- ns02.squarespacedns.com
- ns03.squarespacedns.com
- ns04.squarespacedns.com

**Likely scenario:** NSOne is primary (listed first). Add records there. Note that the order in which `dig` prints NS records carries no meaning, so confirm which provider serves the live zone by pointing dig at one nameserver from each provider (the `@server` argument) and comparing the answers with what resolves publicly. If both providers really are in the delegation, resolvers pick either one at random, so a record that exists on only one of them resolves intermittently: in that case add the records to both, or have the unused provider's NS entries removed at the registrar.

### Option A: Add to NSOne

1. **Sign in to NSOne:**
   - URL:
   - Use Kittle's NSOne credentials (or ACG MSP account if managing)
2. **Navigate to Zone:**
   - Zones → `kittlearizona.com`
3. **Add DKIM CNAME Records:**

   **Record 1:**
   - Type: CNAME
   - Name: `selector1._domainkey`
   - Value: `selector1-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com`
   - TTL: 3600 (1 hour)

   **Record 2:**
   - Type: CNAME
   - Name: `selector2._domainkey`
   - Value: `selector2-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com`
   - TTL: 3600 (1 hour)
4. **Save Changes**

### Option B: Add to Squarespace

If Squarespace is the active DNS provider:

1. **Sign in to Squarespace:**
   - URL:
   - Use Kittle's Squarespace credentials
2. **Navigate to DNS Settings:**
   - Domains → kittlearizona.com → DNS Settings
3. **Add Custom Records:**
   - Click "Add Custom Record"
   - Follow the same CNAME format as for NSOne above

---

## Part 3: Verify DKIM CNAMEs

**Wait 30-60 minutes** for DNS propagation, then verify:

```bash
# Check selector1
dig +short CNAME selector1._domainkey.kittlearizona.com

# Check selector2
dig +short CNAME selector2._domainkey.kittlearizona.com
```

**Expected output:**
```
selector1-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com.
selector2-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com.
```

---

## Part 4: Enable DKIM Signing in M365

1. **Return to M365 Defender Portal:**
2. **Enable DKIM:**
   - Select `kittlearizona.com`
   - Toggle "Sign messages for this domain with DKIM signatures" to **Enabled**
   - Status should change to "Enabled" (may take a few minutes)
3. **Verify Signing:**
   - Send a test email from ken@kittlearizona.com to an external address
   - Check the email headers for a `DKIM-Signature:` header
   - Use online tool:

---

## Part 5: Add DMARC Policy

**What is DMARC:**
- Domain-based Message Authentication, Reporting & Conformance
- Tells receiving servers what to do with emails that fail SPF/DKIM
- Provides reports on email authentication failures

### Recommended DMARC Policy (Quarantine Mode)

**Add TXT record to DNS:**

**Record:**
- Type: TXT
- Name: `_dmarc`
- Value: `v=DMARC1; p=quarantine; rua=mailto:ken@kittlearizona.com; pct=100; adkim=r; aspf=r`
- TTL: 3600

**Policy Breakdown:**
- `v=DMARC1` - Version
- `p=quarantine` - Quarantine (spam folder) emails that fail authentication
- `rua=mailto:ken@kittlearizona.com` - Send aggregate reports to Ken
- `pct=100` - Apply policy to 100% of emails
- `adkim=r` - Relaxed DKIM alignment
- `aspf=r` - Relaxed SPF alignment

**Alternative: Monitor-Only Mode (Recommended for First Week):**

Start with monitoring to ensure no legitimate mail breaks:
```
v=DMARC1; p=none; rua=mailto:ken@kittlearizona.com; pct=100; adkim=r; aspf=r
```
- `p=none` - Monitor only, don't take action (collect data first)
- After 1 week of clean reports, change to `p=quarantine`
- After 2 weeks with no issues, optionally change to `p=reject`

### Add DMARC Record

**NSOne:**
1. Zones → kittlearizona.com → Add Record
2. Type: TXT
3. Name: `_dmarc`
4. Value: (paste DMARC policy above)
5. TTL: 3600
6. Save

**Squarespace:**
1. Domains → kittlearizona.com → DNS Settings
2. Add Custom Record → TXT
3. Host: `_dmarc`
4. Data: (paste DMARC policy above)
5. Save

### Verify DMARC

```bash
dig +short TXT _dmarc.kittlearizona.com
```

**Expected output:**
```
"v=DMARC1; p=quarantine; rua=mailto:ken@kittlearizona.com; pct=100; adkim=r; aspf=r"
```

---

## Part 6: Verification & Testing

### Full Email Authentication Check

**Online Tools:**
1. **Mail-Tester:**
   - Send a test email to the provided address
   - Get deliverability score (should be 10/10 after DKIM/DMARC)
2. **MXToolbox:**
   - Check SPF: `spf:kittlearizona.com`
   - Check DMARC: `dmarc:kittlearizona.com`
   - Check DKIM: Send a test email, view headers
3. **DMARC Analyzer:**
   - Verify DMARC record syntax

### Manual Header Inspection

Send a test email from `ken@kittlearizona.com` and check the headers for:
```
Authentication-Results: dkim=pass header.d=kittlearizona.com
DKIM-Signature: v=1; a=rsa-sha256; d=kittlearizona.com; s=selector1;
```

---

## Post-Implementation

### Monitor DMARC Reports

**Reports will be sent to:** ken@kittlearizona.com (as configured in the `rua=` parameter)

**Report Format:**
- XML attachments (daily)
- Contains details on:
  - Sending IPs using your domain
  - SPF/DKIM pass/fail rates
  - Potential spoofing attempts

**DMARC Report Analyzers (optional):**
- Postmark:
- DMARC Analyzer:
- These parse XML reports into a readable format

### Escalation Path

If DMARC reports show legitimate mail failing:
1. Review failing IPs/sources
2. Check whether an authorized sender is missing from SPF (e.g., a third-party service)
3. Add authorized senders to SPF or set up DKIM for them
4. Adjust DMARC policy alignment if needed
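The aggregate reports described under "Monitor DMARC Reports" are XML, and working the Escalation Path means reading them per sending source. The Python below is an added example, not part of this runbook or of any of the analyzer tools listed; it parses one report in the RFC 7489 aggregate-report format and labels every source by its SPF/DKIM verdicts. The report content (reporter name, report id, IP addresses, counts) is constructed test data, not a real report for the domain.

```python
"""Triage of one DMARC aggregate (rua) report for kittlearizona.com.

Added example, not part of the runbook. SAMPLE_REPORT is constructed in the
RFC 7489 Appendix C format; real reports arrive on the rua= mailbox as .xml.gz
or .zip attachments, one per reporting organisation per day.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-report-001</report_id>
    <date_range><begin>1776902400</begin><end>1776988799</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>kittlearizona.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <!-- M365 outbound mail: SPF and DKIM both aligned -->
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>kittlearizona.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>kittlearizona.com</domain><selector>selector1</selector><result>pass</result></dkim>
      <spf><domain>kittlearizona.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- mail sent before DKIM signing was switched on: SPF only -->
  <record>
    <row><source_ip>192.0.2.11</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>kittlearizona.com</header_from></identifiers>
    <auth_results><spf><domain>kittlearizona.com</domain><result>pass</result></spf></auth_results>
  </record>
  <!-- unknown third-party source with the domain in From: neither mechanism aligns -->
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>kittlearizona.com</header_from></identifiers>
    <auth_results><spf><domain>mailer.example.net</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""


def triage_report(xml_text):
    """Parse one aggregate report and classify every sending source.

    Returns the reporter, the policy the domain had published when the report
    was generated, the total message count and one row per source with the
    DMARC-evaluated verdicts plus a triage label.
    """
    root = ET.fromstring(xml_text)
    summary = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "total": 0,
        "sources": [],
    }
    for rec in root.findall("record"):
        count = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim")   # aligned DKIM verdict
        spf = rec.findtext("row/policy_evaluated/spf")     # aligned SPF verdict
        if dkim == "pass" and spf == "pass":
            label = "aligned"          # fully authenticated, nothing to do
        elif dkim == "pass" or spf == "pass":
            label = "partial"          # DMARC still passes; one mechanism is not aligned
        else:
            label = "unauthenticated"  # neither aligns: unlisted sender or misuse of the domain
        summary["sources"].append({
            "ip": rec.findtext("row/source_ip"),
            "count": count,
            "dkim": dkim,
            "spf": spf,
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            # raw SPF domain shows who actually handed the mail over (an ESP, a relay)
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "dkim_selector": rec.findtext("auth_results/dkim/selector"),
            "label": label,
        })
        summary["total"] += count
    return summary


def needs_attention(summary):
    """Sources to review under the Escalation Path: failing both SPF and DKIM."""
    return [s for s in summary["sources"] if s["label"] == "unauthenticated"]


if __name__ == "__main__":
    s = triage_report(SAMPLE_REPORT)
    print(f"{s['reporter']}: {s['total']} messages, published policy p={s['policy']}")
    for src in s["sources"]:
        print(f"  {src['ip']:<15} {src['count']:>4}  dkim={src['dkim']:<4} spf={src['spf']:<4} {src['label']}")
```

Decompress the attachment before feeding it in. A `partial` source still passes DMARC, since one aligned mechanism is enough, but it tells you DKIM is not signing on that path (the "DKIM Not Signing" case under Troubleshooting). An `unauthenticated` source is what steps 1 to 3 of the Escalation Path are about: the `spf_domain` field usually identifies the third-party service that needs adding to SPF or its own DKIM setup, and a source nobody recognises is the spoofing the report exists to reveal.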
### Timeline for Full Protection

**Week 1:**
- DKIM enabled, DMARC at `p=none` (monitoring)
- Review reports daily

**Week 2:**
- If no issues, change DMARC to `p=quarantine`
- Continue monitoring

**Week 3+:**
- Optionally escalate to `p=reject` (hard fail)
- Ongoing: Review monthly DMARC reports

---

## Troubleshooting

### DKIM Not Signing After 24 Hours

**Check:**
1. CNAMEs propagated globally:
2. DKIM toggle is ON in M365 admin center
3. No typos in CNAME records
4. DNS provider is correct (NSOne vs Squarespace)

**Fix:**
- Wait 48 hours for full propagation
- Verify CNAME records exactly match M365 values
- Contact M365 support if still failing after 48h

### DMARC Reports Not Arriving

**Check:**
1. `rua=` email address is correct
2. Email inbox not filtering as spam
3. Wait 24-48 hours (reports are daily)

**Note:** Not all receiving servers send DMARC reports. Gmail and Outlook.com do.

### Emails Going to Spam After DMARC

**Likely causes:**
1. DMARC too strict (`p=reject`) before DKIM stabilized
2. Legitimate sender failing SPF/DKIM
3. Reputation issue unrelated to authentication

**Fix:**
- Revert DMARC to `p=none` temporarily
- Review DMARC reports for failing sources
- Resolve SPF/DKIM issues before re-enabling strict policy

---

## Quick Reference Commands

**Check all email authentication:**
```bash
# SPF
dig +short TXT kittlearizona.com | grep spf

# DKIM selector1
dig +short CNAME selector1._domainkey.kittlearizona.com

# DKIM selector2
dig +short CNAME selector2._domainkey.kittlearizona.com

# DMARC
dig +short TXT _dmarc.kittlearizona.com

# MX
dig +short MX kittlearizona.com
```

**Expected output (after setup):**
```
SPF: "v=spf1 include:spf.protection.outlook.com -all"
DKIM1: selector1-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com.
DKIM2: selector2-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com.
DMARC: "v=DMARC1; p=quarantine; rua=mailto:ken@kittlearizona.com; pct=100; adkim=r; aspf=r"
MX: 0 kittlearizona-com.mail.protection.outlook.com.
```

---

## Related Documentation
- M365 Admin Access: [TO BE DOCUMENTED]
- DNS Management: `docs/network/dns.md`
- Email Overview: [TO BE CREATED]

---

**Created:** 2026-04-23
**Author:** Mike Swanson (ACG)
**Status:** Pending implementation
**Estimated Time:** 30-45 minutes + 24-48h DNS propagation
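The Quick Reference commands print raw answers that still have to be compared by eye against the expected output. The Python below is an added example, not part of this runbook or of any vendor tool: it takes the answer strings as `dig +short` prints them and checks them against the post-setup state this document expects, including the tag-level DMARC checks the "DMARC Analyzer" step does online. The two answer sets are constructed (one mirroring the 2026-04-23 audit, one the finished zone), so the check runs without network access.

```python
"""Offline check of the email-authentication records this runbook expects.

Added example, not part of the runbook. Inputs are strings exactly as the
`dig +short` commands in Quick Reference print them (pass the single SPF line,
i.e. the output after `| grep spf`); the sample answers are constructed.
"""
import re

EXPECTED_MX = "kittlearizona-com.mail.protection.outlook.com"
EXPECTED_DKIM = {
    "selector1": "selector1-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com",
    "selector2": "selector2-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com",
}


def txt_value(answer):
    """Join the quoted chunks of a `dig +short TXT` answer into one string.

    Long TXT records come back as several "..." pieces on one line that the
    resolver presents as separate strings; they must be concatenated."""
    chunks = re.findall(r'"([^"]*)"', answer)
    return "".join(chunks) if chunks else answer.strip()


def parse_dmarc(record):
    """tag=value pairs of a DMARC record, keys lowercased (RFC 7489 section 6.4)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_records(answers):
    """answers: dict with keys spf, selector1, selector2, dmarc, mx holding raw
    dig output ("" when the query returned nothing). Returns a list of findings;
    an empty list means the zone matches the 'Expected output (after setup)'."""
    findings = []
    spf = txt_value(answers.get("spf", ""))
    if not spf.lower().startswith("v=spf1"):
        findings.append("SPF: no v=spf1 record")
    else:
        if "include:spf.protection.outlook.com" not in spf:
            findings.append("SPF: M365 include missing, outbound mail will fail SPF")
        if not spf.endswith("-all"):
            findings.append(f"SPF: expected hard fail -all, record ends with {spf.split()[-1]!r}")
    for selector, target in EXPECTED_DKIM.items():
        cname = answers.get(selector, "").strip().rstrip(".")   # dig appends a trailing dot
        if not cname:
            findings.append(f"DKIM: {selector}._domainkey CNAME missing")
        elif cname != target:
            findings.append(f"DKIM: {selector} points to {cname}, expected {target}")
    dmarc = txt_value(answers.get("dmarc", ""))
    if not dmarc.lower().startswith("v=dmarc1"):
        findings.append("DMARC: no record at _dmarc (v=DMARC1 must be the first tag)")
    else:
        tags = parse_dmarc(dmarc)
        policy = tags.get("p")
        if policy not in ("none", "quarantine", "reject"):
            findings.append(f"DMARC: invalid p={policy!r}")
        elif policy == "none":
            findings.append("DMARC: p=none is monitor-only; escalate once reports are clean")
        if not tags.get("rua", "").startswith("mailto:"):
            findings.append("DMARC: no rua=mailto: address, so no aggregate reports")
        if tags.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={tags['pct']} applies the policy to a sample only")
    mx = answers.get("mx", "").strip()
    mx_host = mx.split()[-1].rstrip(".") if mx else ""   # dig prints "<priority> <host>."
    if mx_host != EXPECTED_MX:
        findings.append(f"MX: expected {EXPECTED_MX}, got {mx_host or 'nothing'}")
    return findings


# Constructed dig answers mirroring the 2026-04-23 audit table ...
AUDIT_2026_04_23 = {
    "spf": '"v=spf1 include:spf.protection.outlook.com -all"',
    "selector1": "",
    "selector2": "",
    "dmarc": "",
    "mx": "0 kittlearizona-com.mail.protection.outlook.com.",
}
# ... and the state expected once Parts 1 to 5 are complete.
AFTER_SETUP = dict(
    AUDIT_2026_04_23,
    selector1="selector1-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com.",
    selector2="selector2-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com.",
    dmarc='"v=DMARC1; p=quarantine; rua=mailto:ken@kittlearizona.com; pct=100; adkim=r; aspf=r"',
)

if __name__ == "__main__":
    for name, zone in (("audit 2026-04-23", AUDIT_2026_04_23), ("after setup", AFTER_SETUP)):
        print(name, "->", check_records(zone) or ["all records match"])
```

To run it against live DNS, fill the dict from the five Quick Reference commands (for example via `subprocess`) instead of the constructed values. During Week 1 the `p=none` finding is expected; it is there so the check keeps reminding you to escalate the policy once the reports are clean.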