Created detailed implementation guide for email authentication:
- Step-by-step DKIM enablement in M365
- DKIM CNAME DNS record creation (NSOne/Squarespace)
- DMARC policy configuration and testing
- Verification procedures and troubleshooting
- Post-implementation monitoring guide

Current status documented:
- SPF: PASS (configured correctly)
- DKIM: MISSING (not configured)
- DMARC: MISSING (not configured)
- MX: PASS (points to M365)

Impact: Missing DKIM/DMARC affects deliverability and domain security
Priority: HIGH
Estimated time: 30-45 min + 24-48h DNS propagation

Updated:
- clients/kittle/docs/email/dkim-dmarc-setup.md (NEW - full guide)
- clients/kittle/docs/network/dns.md (external DNS section, TODO items)

Machine: Mikes-MacBook-Air.local
Timestamp: 2026-04-24 09:28:23
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
# DKIM & DMARC Setup for kittlearizona.com

- Client: Kittle Design & Construction LLC
- Domain: kittlearizona.com
- Mail Provider: Microsoft 365
- Status: DKIM & DMARC not configured (as of 2026-04-23)
- Priority: HIGH - Impacts email deliverability and security

## Current Status (2026-04-23)

DNS Records Audit:

| Record Type | Status | Details |
|---|---|---|
| SPF | [OK] PASS | v=spf1 include:spf.protection.outlook.com -all |
| DKIM | [ERROR] MISSING | No DKIM selectors configured |
| DMARC | [ERROR] MISSING | No DMARC policy published |
| MX | [OK] PASS | Points to M365: kittlearizona-com.mail.protection.outlook.com |

Impact of Missing DKIM/DMARC:
- Emails more likely to land in recipient spam folders
- Domain can be easily spoofed by attackers
- No visibility into unauthorized use of domain
- Fails modern email authentication standards (Gmail/Yahoo requirements)
- May fail deliverability to strict recipients (especially Google Workspace)
## Part 1: Enable DKIM in Microsoft 365

### Prerequisites

- Global Admin or Exchange Admin access to M365 tenant
- Domain: kittlearizona.com verified in M365
- DNS management access (NSOne or Squarespace)

### Step 1: Access DKIM Settings

1. Sign in to Microsoft 365 Defender Portal:
   - URL: https://security.microsoft.com/dkimv2
   - Use admin credentials
2. Navigate to DKIM:
   - Already at the correct page if using the direct link above
   - OR: Email & collaboration → Policies & rules → Threat policies → DKIM

### Step 2: Enable DKIM for Domain

1. Select Domain:
   - Find `kittlearizona.com` in the list
   - Click on the domain name
2. View CNAME Records:
   - Click "Create DKIM keys" (if not already created)
   - Two CNAME records will be displayed. Example format (actual values will differ):

   ```
   Host name: selector1._domainkey.kittlearizona.com
   Points to: selector1-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com

   Host name: selector2._domainkey.kittlearizona.com
   Points to: selector2-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com
   ```

3. Copy Both CNAME Records:
   - Copy the exact values shown
   - Keep this window open while adding DNS records
## Part 2: Add DKIM CNAMEs to DNS

DNS Provider: NSOne / Squarespace (hybrid setup)

[IMPORTANT] Determine which DNS provider is authoritative for kittlearizona.com:

```bash
dig +short NS kittlearizona.com
```

Current nameservers (as of 2026-04-23):
- dns1.p02.nsone.net
- dns2.p02.nsone.net
- dns3.p02.nsone.net
- dns4.p02.nsone.net
- ns01.squarespacedns.com
- ns02.squarespacedns.com
- ns03.squarespacedns.com
- ns04.squarespacedns.com

Likely scenario: NSOne is primary (listed first). Add records there.

### Option A: Add to NSOne

1. Sign in to NSOne:
   - URL: https://my.nsone.net/
   - Use Kittle's NSOne credentials (or ACG MSP account if managing)
2. Navigate to Zone:
   - Zones → kittlearizona.com
3. Add DKIM CNAME Records:

   Record 1:
   - Type: CNAME
   - Name: `selector1._domainkey`
   - Value: `selector1-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com`
   - TTL: 3600 (1 hour)

   Record 2:
   - Type: CNAME
   - Name: `selector2._domainkey`
   - Value: `selector2-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com`
   - TTL: 3600 (1 hour)

4. Save Changes

### Option B: Add to Squarespace

If Squarespace is the active DNS provider:

1. Sign in to Squarespace:
   - URL: https://account.squarespace.com/
   - Use Kittle's Squarespace credentials
2. Navigate to DNS Settings:
   - Domains → kittlearizona.com → DNS Settings
3. Add Custom Records:
   - Click "Add Custom Record"
   - Follow the same CNAME format as for NSOne above

## Part 3: Verify DKIM CNAMEs

Wait 30-60 minutes for DNS propagation, then verify:

```bash
# Check selector1
dig +short CNAME selector1._domainkey.kittlearizona.com
# Check selector2
dig +short CNAME selector2._domainkey.kittlearizona.com
```

Expected output:

```
selector1-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com.
selector2-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com.
```
## Part 4: Enable DKIM Signing in M365

1. Return to M365 Defender Portal: https://security.microsoft.com/dkimv2
2. Enable DKIM:
   - Select `kittlearizona.com`
   - Toggle "Sign messages for this domain with DKIM signatures" to Enabled
   - Status should change to "Enabled" (may take a few minutes)
3. Verify Signing:
   - Send a test email from ken@kittlearizona.com to an external address
   - Check the email headers for a `DKIM-Signature:` header
   - Use online tool: https://www.mail-tester.com/

## Part 5: Add DMARC Policy

What is DMARC:
- Domain-based Message Authentication, Reporting & Conformance
- Tells receiving servers what to do with emails that fail SPF/DKIM
- Provides reports on email authentication failures

### Recommended DMARC Policy (Quarantine Mode)

Add TXT record to DNS:

Record:
- Type: TXT
- Name: `_dmarc`
- Value: `v=DMARC1; p=quarantine; rua=mailto:ken@kittlearizona.com; pct=100; adkim=r; aspf=r`
- TTL: 3600

Policy Breakdown:
- `v=DMARC1` - Version
- `p=quarantine` - Quarantine (spam folder) emails that fail authentication
- `rua=mailto:ken@kittlearizona.com` - Send aggregate reports to Ken
- `pct=100` - Apply policy to 100% of emails
- `adkim=r` - Relaxed DKIM alignment
- `aspf=r` - Relaxed SPF alignment

### Alternative: Monitor-Only Mode (Recommended for First Week)

Start with monitoring to ensure no legitimate mail breaks:

```
v=DMARC1; p=none; rua=mailto:ken@kittlearizona.com; pct=100; adkim=r; aspf=r
```

- `p=none` - Monitor only, don't take action (collect data first)
- After 1 week of clean reports, change to `p=quarantine`
- After 2 weeks with no issues, optionally change to `p=reject`
### Add DMARC Record

NSOne:
- Zones → kittlearizona.com → Add Record
- Type: TXT
- Name: `_dmarc`
- Value: (paste DMARC policy above)
- TTL: 3600
- Save

Squarespace:
- Domains → kittlearizona.com → DNS Settings
- Add Custom Record → TXT
- Host: `_dmarc`
- Data: (paste DMARC policy above)
- Save

### Verify DMARC

```bash
dig +short TXT _dmarc.kittlearizona.com
```

Expected output:

```
"v=DMARC1; p=quarantine; rua=mailto:ken@kittlearizona.com; pct=100; adkim=r; aspf=r"
```
## Part 6: Verification & Testing

### Full Email Authentication Check

Online Tools:

1. Mail-Tester: https://www.mail-tester.com/
   - Send test email to the provided address
   - Get deliverability score (should be 10/10 after DKIM/DMARC)
2. MXToolbox: https://mxtoolbox.com/SuperTool.aspx
   - Check SPF: `spf:kittlearizona.com`
   - Check DMARC: `dmarc:kittlearizona.com`
   - Check DKIM: Send test email, view headers
3. DMARC Analyzer: https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/
   - Verify DMARC record syntax

### Manual Header Inspection

Send a test email from ken@kittlearizona.com, then check its headers for:

```
Authentication-Results: dkim=pass header.d=kittlearizona.com
DKIM-Signature: v=1; a=rsa-sha256; d=kittlearizona.com; s=selector1;
```
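The following Python is an added example, not part of this guide or of any Microsoft tooling. It ties the DMARC policy breakdown in Part 5 to the header check above by doing, offline, what a receiving server does: parse the `_dmarc` TXT record (applying the RFC 7489 defaults for omitted tags), pull the SPF/DKIM results and their domains out of an `Authentication-Results` header, and decide whether a message passes under relaxed (`adkim=r`/`aspf=r`) versus strict alignment. The sample header is constructed (a real one starts with the receiving server's own name); `org_domain` is a deliberate simplification that takes the last two labels, whereas real receivers use the Public Suffix List; and `pct` sampling is not modelled because the guide sets `pct=100`.

```python
import re

# Constructed sample inputs: the guide's recommended record and an Authentication-Results header
# in the shape the guide says to look for (a receiving server prepends its own name first).
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:ken@kittlearizona.com; pct=100; adkim=r; aspf=r"
SAMPLE_AUTH_RESULTS = ("Authentication-Results: mx.example.net; dkim=pass header.d=kittlearizona.com; "
                       "spf=pass smtp.mailfrom=ken@kittlearizona.com")

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tag/value pairs and check the tags the guide uses."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip()] = value.strip()
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    # Defaults per RFC 7489 when a tag is omitted
    tags.setdefault("pct", "100")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    if not tags["pct"].isdigit() or not 0 <= int(tags["pct"]) <= 100:
        raise ValueError("pct= must be an integer from 0 to 100")
    for tag in ("adkim", "aspf"):
        if tags[tag] not in ("r", "s"):
            raise ValueError(f"{tag}= must be r (relaxed) or s (strict)")
    if "rua" in tags and not tags["rua"].startswith("mailto:"):
        raise ValueError("rua= must be a mailto: URI")
    return tags


def org_domain(name: str) -> str:
    """Organizational domain. Simplification for this example: the last two labels.
    Real receivers consult the Public Suffix List, so co.uk-style suffixes are wrong here."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict needs an exact match, relaxed the same organizational domain."""
    if mode == "s":
        return identifier.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(identifier) == org_domain(from_domain)


def parse_auth_results(header: str) -> dict:
    """Pull the spf/dkim results, and the domains they were evaluated for, out of Authentication-Results."""
    body = re.sub(r"^authentication-results:\s*", "", header.strip(), flags=re.I)
    results = {}
    for clause in body.split(";"):
        match = re.match(r"\s*(dkim|spf)=(\w+)(.*)", clause)
        if not match:
            continue  # the authserv-id, or a method this example does not evaluate (arc, dmarc, ...)
        method, result, rest = match.groups()
        dom = re.search(r"(?:header\.d|smtp\.mailfrom)=([\w.@-]+)", rest)
        domain = dom.group(1).split("@")[-1].lower() if dom else None
        results[method] = {"result": result.lower(), "domain": domain}
    return results


def dmarc_disposition(policy: dict, auth: dict, from_domain: str) -> str:
    """Apply the policy to one message: 'pass' if SPF or DKIM passes *and* aligns with the
    From: domain, otherwise the p= action. pct=100 in the guide, so sampling is not modelled."""
    dkim, spf = auth.get("dkim", {}), auth.get("spf", {})
    dkim_ok = (dkim.get("result") == "pass" and bool(dkim.get("domain"))
               and aligned(dkim["domain"], from_domain, policy["adkim"]))
    spf_ok = (spf.get("result") == "pass" and bool(spf.get("domain"))
              and aligned(spf["domain"], from_domain, policy["aspf"]))
    return "pass" if dkim_ok or spf_ok else policy["p"]


if __name__ == "__main__":
    policy = parse_dmarc(SAMPLE_DMARC)
    auth = parse_auth_results(SAMPLE_AUTH_RESULTS)
    print(policy)
    print(auth)
    print("disposition:", dmarc_disposition(policy, auth, "kittlearizona.com"))
```

Running it shows why the guide chooses relaxed alignment: a signature with `header.d=mail.kittlearizona.com` still passes under `adkim=r`, but the same message would be quarantined under `adkim=s`. Conversely, a message signed by some other domain (or not signed at all) with a non-aligned SPF result gets the `p=` action, which under `p=none` is only reported, never acted on.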
## Post-Implementation

### Monitor DMARC Reports

Reports will be sent to: ken@kittlearizona.com (as configured in the `rua=` parameter)

Report Format:
- XML attachments (daily)
- Contains details on:
  - Sending IPs using your domain
  - SPF/DKIM pass/fail rates
  - Potential spoofing attempts

DMARC Report Analyzers (optional):
- Postmark: https://dmarc.postmarkapp.com/
- DMARC Analyzer: https://www.dmarcanalyzer.com/
- These parse XML reports into a readable format

### Escalation Path

If DMARC reports show legitimate mail failing:
1. Review failing IPs/sources
2. Check whether an authorized sender is missing from SPF (e.g., a third-party service)
3. Add authorized senders to SPF or set up DKIM for them
4. Adjust DMARC policy alignment if needed

### Timeline for Full Protection

Week 1:
- DKIM enabled, DMARC at `p=none` (monitoring)
- Review reports daily

Week 2:
- If no issues, change DMARC to `p=quarantine`
- Continue monitoring

Week 3+:
- Optionally escalate to `p=reject` (hard fail)
- Ongoing: Review monthly DMARC reports
## Troubleshooting

### DKIM Not Signing After 24 Hours

Check:
- CNAMEs propagated globally: https://www.whatsmydns.net/
- DKIM toggle is ON in M365 admin center
- No typos in CNAME records
- DNS provider is correct (NSOne vs Squarespace)

Fix:
- Wait 48 hours for full propagation
- Verify CNAME records exactly match M365 values
- Contact M365 support if still failing after 48h

### DMARC Reports Not Arriving

Check:
- `rua=` email address is correct
- Email inbox is not filtering the reports as spam
- Wait 24-48 hours (reports are daily)

Note: Not all receiving servers send DMARC reports. Gmail and Outlook.com do.

### Emails Going to Spam After DMARC

Likely causes:
- DMARC too strict (`p=reject`) before DKIM stabilized
- Legitimate sender failing SPF/DKIM
- Reputation issue unrelated to authentication

Fix:
- Revert DMARC to `p=none` temporarily
- Review DMARC reports for failing sources
- Resolve SPF/DKIM issues before re-enabling strict policy
## Quick Reference Commands

Check all email authentication:

```bash
# SPF
dig +short TXT kittlearizona.com | grep spf
# DKIM selector1
dig +short CNAME selector1._domainkey.kittlearizona.com
# DKIM selector2
dig +short CNAME selector2._domainkey.kittlearizona.com
# DMARC
dig +short TXT _dmarc.kittlearizona.com
# MX
dig +short MX kittlearizona.com
```

Expected output (after setup):

```
SPF: "v=spf1 include:spf.protection.outlook.com -all"
DKIM1: selector1-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com.
DKIM2: selector2-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com.
DMARC: "v=DMARC1; p=quarantine; rua=mailto:ken@kittlearizona.com; pct=100; adkim=r; aspf=r"
MX: 0 kittlearizona-com.mail.protection.outlook.com.
```
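As an added example (not a script from this guide or from ACG), the Python below wraps the Quick Reference `dig +short` commands and grades the answers into the same PASS/MISSING table as the status audit at the top of this document, so the check can be re-run after each DNS change and after the 24-48h propagation window. It also flags two states a bare `dig` does not make obvious: duplicate `v=spf1` or DMARC records, which receivers treat as a permanent error or as no policy at all. The DKIM targets are the example format from Part 1 and are an assumption; substitute the values the M365 portal shows. The `BEFORE_TABLE`/`AFTER_TABLE` answer sets are constructed from the audit table and the expected output above so the script runs offline; `main(live=True)` runs the real lookups.

```python
import subprocess

# What the guide expects after setup. The two DKIM targets are the *example format* from Part 1
# (assumption: replace them with the values the M365 portal actually shows for the tenant).
DOMAIN = "kittlearizona.com"
EXPECTED_DKIM = {
    "selector1._domainkey": "selector1-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com.",
    "selector2._domainkey": "selector2-kittlearizona-com._domainkey.azcomputerguru.onmicrosoft.com.",
}
EXPECTED_SPF_INCLUDE = "include:spf.protection.outlook.com"
EXPECTED_MX_SUFFIX = ".mail.protection.outlook.com."


def dig_lookup(name: str, rtype: str) -> list:
    """Live resolver: the same `dig +short` commands as the Quick Reference. Strips the quotes
    dig puts around TXT strings. Needs network access, so the offline checks below don't use it."""
    out = subprocess.run(["dig", "+short", rtype, name], capture_output=True, text=True, check=True)
    return [line.strip().strip('"') for line in out.stdout.splitlines() if line.strip()]


def table_lookup(table: dict):
    """Offline resolver built from a {(name, rtype): [answers]} table, for testing and dry runs."""
    return lambda name, rtype: list(table.get((name, rtype), []))


def collect(domain: str, lookup=dig_lookup) -> dict:
    """Fetch every record the guide audits, in one structure."""
    return {
        "spf": [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")],
        "dkim": {sel: lookup(f"{sel}.{domain}", "CNAME") for sel in EXPECTED_DKIM},
        "dmarc": [r for r in lookup(f"_dmarc.{domain}", "TXT") if r.startswith("v=DMARC1")],
        "mx": lookup(domain, "MX"),
    }


def audit(records: dict) -> dict:
    """Grade the records the way the guide's status table does. Returns {record: (status, detail)}."""
    report = {}

    spf = records["spf"]
    if len(spf) == 1 and EXPECTED_SPF_INCLUDE in spf[0] and spf[0].endswith("-all"):
        report["SPF"] = ("PASS", spf[0])
    elif len(spf) > 1:
        report["SPF"] = ("ERROR", "multiple v=spf1 records (receivers return permerror)")
    elif spf:
        report["SPF"] = ("WARN", "present but not the expected M365 include with -all: " + spf[0])
    else:
        report["SPF"] = ("MISSING", "no v=spf1 record")

    unresolved = [sel for sel, target in EXPECTED_DKIM.items() if records["dkim"].get(sel) != [target]]
    report["DKIM"] = (("PASS", "both selectors point at M365") if not unresolved
                      else ("MISSING", "CNAME not resolving: " + ", ".join(unresolved)))

    dmarc = records["dmarc"]
    if len(dmarc) == 1:
        report["DMARC"] = ("PASS", dmarc[0])
    elif len(dmarc) > 1:
        report["DMARC"] = ("ERROR", "multiple DMARC records (receivers treat this as no policy)")
    else:
        report["DMARC"] = ("MISSING", "no DMARC policy published")

    mx_hosts = [entry.split()[-1] for entry in records["mx"]]
    report["MX"] = (("PASS", ", ".join(mx_hosts)) if any(h.endswith(EXPECTED_MX_SUFFIX) for h in mx_hosts)
                    else ("ERROR", "MX does not point at M365: " + (", ".join(mx_hosts) or "none")))
    return report


# Constructed answer tables: the state recorded in the guide's audit (before) and the
# Quick Reference's expected output (after). Used offline; nothing here was resolved live.
BEFORE_TABLE = {
    (DOMAIN, "TXT"): ["v=spf1 include:spf.protection.outlook.com -all"],
    (DOMAIN, "MX"): ["0 kittlearizona-com.mail.protection.outlook.com."],
}
AFTER_TABLE = {
    **BEFORE_TABLE,
    ("selector1._domainkey." + DOMAIN, "CNAME"): [EXPECTED_DKIM["selector1._domainkey"]],
    ("selector2._domainkey." + DOMAIN, "CNAME"): [EXPECTED_DKIM["selector2._domainkey"]],
    ("_dmarc." + DOMAIN, "TXT"): ["v=DMARC1; p=quarantine; rua=mailto:ken@kittlearizona.com; pct=100; adkim=r; aspf=r"],
}


def main(live: bool = False) -> dict:
    """Print and return the audit; live=False uses the constructed AFTER_TABLE answers."""
    lookup = dig_lookup if live else table_lookup(AFTER_TABLE)
    report = audit(collect(DOMAIN, lookup))
    for name, (status, detail) in report.items():
        print(f"{name:<6}{status:<9}{detail}")
    return report


if __name__ == "__main__":
    main(live=False)  # switch to live=True to run the dig commands against the real zone
```

Note that `dig +short TXT` prints a long TXT record as several quoted strings on one line; the SPF and DMARC records here are short enough to fit in one string, which is all `dig_lookup` handles.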
## Related Documentation

- M365 Admin Access: [TO BE DOCUMENTED]
- DNS Management: `docs/network/dns.md`
- Email Overview: [TO BE CREATED]

Created: 2026-04-23
Author: Mike Swanson (ACG)
Status: Pending implementation
Estimated Time: 30-45 minutes + 24-48h DNS propagation