azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2c5f10faaa14799a49ee7be4cb128d757bdf7913
claudetools/clients/kittle/docs/email/dkim-dmarc-setup.md
Mike Swanson 8419cf2738 docs(kittle): comprehensive DKIM/DMARC setup guide for kittlearizona.com 
Created detailed implementation guide for email authentication:
- Step-by-step DKIM enablement in M365
- DKIM CNAME DNS record creation (NSOne/Squarespace)
- DMARC policy configuration and testing
- Verification procedures and troubleshooting
- Post-implementation monitoring guide

Current status documented:
- SPF: PASS (configured correctly)
- DKIM: MISSING (not configured)
- DMARC: MISSING (not configured)
- MX: PASS (points to M365)

Impact: Missing DKIM/DMARC affects deliverability and domain security
Priority: HIGH
Estimated time: 30-45 min + 24-48h DNS propagation

Updated:
- clients/kittle/docs/email/dkim-dmarc-setup.md (NEW - full guide)
- clients/kittle/docs/network/dns.md (external DNS section, TODO items)

Machine: Mikes-MacBook-Air.local
Timestamp: 2026-04-24 09:28:23

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-04-24 09:28:34 -07:00

391 lines
10 KiB
Markdown
Raw Blame History

# DKIM & DMARC Setup for kittlearizona.com
**Client:** Kittle Design & Construction LLC
**Domain:** kittlearizona.com
**Mail Provider:** Microsoft 365
**Status:** DKIM & DMARC not configured (as of 2026-04-23)
**Priority:** HIGH - Impacts email deliverability and security
---
## Current Status (2026-04-23)
**DNS Records Audit:**
| Record Type | Status | Details |
|------------|--------|---------|
| SPF | [OK] PASS | `v=spf1 include:spf.protection.outlook.com -all` |
| DKIM | [ERROR] MISSING | No DKIM selectors configured |
| DMARC | [ERROR] MISSING | No DMARC policy published |
| MX | [OK] PASS | Points to M365: `kittlearizona-com.mail.protection.outlook.com` |
**Impact of Missing DKIM/DMARC:**
- Emails more likely to land in recipient spam folders
- Domain can be easily spoofed by attackers
- No visibility into unauthorized use of domain
- Fails modern email authentication standards (Gmail/Yahoo requirements)
- May fail deliverability to strict recipients (especially Google Workspace)
---
## Part 1: Enable DKIM in Microsoft 365
### Prerequisites
- Global Admin or Exchange Admin access to M365 tenant
- Domain: kittlearizona.com verified in M365
- DNS management access (NSOne or Squarespace)
### Step 1: Access DKIM Settings
1. **Sign in to Microsoft 365 Defender Portal:**
- URL: <https://security.microsoft.com/dkimv2>
- Use admin credentials
2. **Navigate to DKIM:**
- Already at correct page if using direct link above
- OR: Email & collaboration → Policies & rules → Threat policies → DKIM
### Step 2: Enable DKIM for Domain
1. **Select Domain:**
- Find `kittlearizona.com` in the list
- Click on the domain name
2. **View CNAME Records:**
- Click "Create DKIM keys" (if not already created)
- Two CNAME records will be displayed:
**Example format (actual values will differ):**
```
Host name: selector1._domainkey.kittlearizona.com
Points to: selector1-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com
Host name: selector2._domainkey.kittlearizona.com
Points to: selector2-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com
```
3. **Copy Both CNAME Records:**
- Copy the exact values shown
- Keep this window open while adding DNS records
---
## Part 2: Add DKIM CNAMEs to DNS
**DNS Provider:** NSOne / Squarespace (hybrid setup)
**[IMPORTANT]** Determine which DNS provider is authoritative for `kittlearizona.com`:
```bash
dig +short NS kittlearizona.com
```
Current nameservers (as of 2026-04-23):
- dns1.p02.nsone.net
- dns2.p02.nsone.net
- dns3.p02.nsone.net
- dns4.p02.nsone.net
- ns01.squarespacedns.com
- ns02.squarespacedns.com
- ns03.squarespacedns.com
- ns04.squarespacedns.com
**Likely scenario:** NSOne is primary (listed first). Add records there.
### Option A: Add to NSOne
1. **Sign in to NSOne:**
- URL: <https://my.nsone.net/>
- Use Kittle's NSOne credentials (or ACG MSP account if managing)
2. **Navigate to Zone:**
- Zones → `kittlearizona.com`
3. **Add DKIM CNAME Records:**
**Record 1:**
- Type: CNAME
- Name: `selector1._domainkey`
- Value: `selector1-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com`
- TTL: 3600 (1 hour)
**Record 2:**
- Type: CNAME
- Name: `selector2._domainkey`
- Value: `selector2-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com`
- TTL: 3600 (1 hour)
4. **Save Changes**
### Option B: Add to Squarespace
If Squarespace is the active DNS provider:
1. **Sign in to Squarespace:**
- URL: <https://account.squarespace.com/>
- Use Kittle's Squarespace credentials
2. **Navigate to DNS Settings:**
- Domains → kittlearizona.com → DNS Settings
3. **Add Custom Records:**
- Click "Add Custom Record"
- Follow same CNAME format as NSOne above
---
## Part 3: Verify DKIM CNAMEs
**Wait 30-60 minutes** for DNS propagation, then verify:
```bash
# Check selector1
dig +short CNAME selector1._domainkey.kittlearizona.com
# Check selector2
dig +short CNAME selector2._domainkey.kittlearizona.com
```
**Expected output:**
```
selector1-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com.
selector2-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com.
```
---
## Part 4: Enable DKIM Signing in M365
1. **Return to M365 Defender Portal:**
- <https://security.microsoft.com/dkimv2>
2. **Enable DKIM:**
- Select `kittlearizona.com`
- Toggle "Sign messages for this domain with DKIM signatures" to **Enabled**
- Status should change to "Enabled" (may take a few minutes)
3. **Verify Signing:**
- Send test email from ken@kittlearizona.com to external address
- Check email headers for `DKIM-Signature:` header
- Use online tool: <https://www.mail-tester.com/>
---
## Part 5: Add DMARC Policy
**What is DMARC:**
- Domain-based Message Authentication, Reporting & Conformance
- Tells receiving servers what to do with emails that fail SPF/DKIM
- Provides reports on email authentication failures
### Recommended DMARC Policy (Quarantine Mode)
**Add TXT record to DNS:**
**Record:**
- Type: TXT
- Name: `_dmarc`
- Value: `v=DMARC1; p=quarantine; rua=mailto:ken@kittlearizona.com; pct=100; adkim=r; aspf=r`
- TTL: 3600
**Policy Breakdown:**
- `v=DMARC1` - Version
- `p=quarantine` - Quarantine (spam folder) emails that fail authentication
- `rua=mailto:ken@kittlearizona.com` - Send aggregate reports to Ken
- `pct=100` - Apply policy to 100% of emails
- `adkim=r` - Relaxed DKIM alignment
- `aspf=r` - Relaxed SPF alignment
**Alternative: Monitor-Only Mode (Recommended for First Week):**
Start with monitoring to ensure no legitimate mail breaks:
```
v=DMARC1; p=none; rua=mailto:ken@kittlearizona.com; pct=100; adkim=r; aspf=r
```
- `p=none` - Monitor only, don't take action (collect data first)
- After 1 week of clean reports, change to `p=quarantine`
- After 2 weeks with no issues, optionally change to `p=reject`
### Add DMARC Record
**NSOne:**
1. Zones → kittlearizona.com → Add Record
2. Type: TXT
3. Name: `_dmarc`
4. Value: (paste DMARC policy above)
5. TTL: 3600
6. Save
**Squarespace:**
1. Domains → kittlearizona.com → DNS Settings
2. Add Custom Record → TXT
3. Host: `_dmarc`
4. Data: (paste DMARC policy above)
5. Save
### Verify DMARC
```bash
dig +short TXT _dmarc.kittlearizona.com
```
**Expected output:**
```
"v=DMARC1; p=quarantine; rua=mailto:ken@kittlearizona.com; pct=100; adkim=r; aspf=r"
```
---
## Part 6: Verification & Testing
### Full Email Authentication Check
**Online Tools:**
1. **Mail-Tester:** <https://www.mail-tester.com/>
- Send test email to provided address
- Get deliverability score (should be 10/10 after DKIM/DMARC)
2. **MXToolbox:** <https://mxtoolbox.com/SuperTool.aspx>
- Check SPF: `spf:kittlearizona.com`
- Check DMARC: `dmarc:kittlearizona.com`
- Check DKIM: Send test email, view headers
3. **DMARC Analyzer:** <https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/>
- Verify DMARC record syntax
### Manual Header Inspection
Send test email from `ken@kittlearizona.com`, check headers for:
```
Authentication-Results: dkim=pass header.d=kittlearizona.com
DKIM-Signature: v=1; a=rsa-sha256; d=kittlearizona.com; s=selector1;
```
---
## Post-Implementation
### Monitor DMARC Reports
**Reports will be sent to:** ken@kittlearizona.com (as configured in `rua=` parameter)
**Report Format:**
- XML attachments (daily)
- Contains details on:
- Sending IPs using your domain
- SPF/DKIM pass/fail rates
- Potential spoofing attempts
**DMARC Report Analyzers (optional):**
- Postmark: <https://dmarc.postmarkapp.com/>
- DMARC Analyzer: <https://www.dmarcanalyzer.com/>
- These parse XML reports into readable format
### Escalation Path
If DMARC reports show legitimate mail failing:
1. Review failing IPs/sources
2. Check if authorized sender not in SPF (e.g., third-party service)
3. Add authorized senders to SPF or set up DKIM for them
4. Adjust DMARC policy alignment if needed
### Timeline for Full Protection
**Week 1:**
- DKIM enabled, DMARC at `p=none` (monitoring)
- Review reports daily
**Week 2:**
- If no issues, change DMARC to `p=quarantine`
- Continue monitoring
**Week 3+:**
- Optionally escalate to `p=reject` (hard fail)
- Ongoing: Review monthly DMARC reports
---
## Troubleshooting
### DKIM Not Signing After 24 Hours
**Check:**
1. CNAMEs propagated globally: <https://www.whatsmydns.net/>
2. DKIM toggle is ON in M365 admin center
3. No typos in CNAME records
4. DNS provider is correct (NSOne vs Squarespace)
**Fix:**
- Wait 48 hours for full propagation
- Verify CNAME records exactly match M365 values
- Contact M365 support if still failing after 48h
### DMARC Reports Not Arriving
**Check:**
1. `rua=` email address is correct
2. Email inbox not filtering as spam
3. Wait 24-48 hours (reports are daily)
**Note:** Not all receiving servers send DMARC reports. Gmail and Outlook.com do.
### Emails Going to Spam After DMARC
**Likely causes:**
1. DMARC too strict (`p=reject`) before DKIM stabilized
2. Legitimate sender failing SPF/DKIM
3. Reputation issue unrelated to authentication
**Fix:**
- Revert DMARC to `p=none` temporarily
- Review DMARC reports for failing sources
- Resolve SPF/DKIM issues before re-enabling strict policy
---
## Quick Reference Commands
**Check all email authentication:**
```bash
# SPF
dig +short TXT kittlearizona.com | grep spf
# DKIM selector1
dig +short CNAME selector1._domainkey.kittlearizona.com
# DKIM selector2
dig +short CNAME selector2._domainkey.kittlearizona.com
# DMARC
dig +short TXT _dmarc.kittlearizona.com
# MX
dig +short MX kittlearizona.com
```
**Expected output (after setup):**
```
SPF: "v=spf1 include:spf.protection.outlook.com -all"
DKIM1: selector1-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com.
DKIM2: selector2-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com.
DMARC: "v=DMARC1; p=quarantine; rua=mailto:ken@kittlearizona.com; pct=100; adkim=r; aspf=r"
MX: 0 kittlearizona-com.mail.protection.outlook.com.
```
---
## Related Documentation
- M365 Admin Access: [TO BE DOCUMENTED]
- DNS Management: `docs/network/dns.md`
- Email Overview: [TO BE CREATED]
---
**Created:** 2026-04-23
**Author:** Mike Swanson (ACG)
**Status:** Pending implementation
**Estimated Time:** 30-45 minutes + 24-48h DNS propagation
Reference in New Issue View Git Blame Copy Permalink