If you are presented with DNS warnings when you login to the portal; there may be a problem that needs you attention.  



If you click on the DNS Health Check link, you will be presented with the specific records that we are having trouble validating.   The information below should assist you in creating or correcting the specific records that we have not been able to validate.  

TABLE OF CONTENTS




SPF (Sender Policy Framework) allows the owner of a domain to specify which mail servers they use to send mail from

that domain.


An organization sending mail publishes an SPF (TXT) record in the Domain Name System (DNS). The record contains a list of IP addresses that are authorised to send mail on behalf of their domain name.


Receivers of mail verify the SPF record by looking up the “Envelope From” (aka Mail From, Mfrom or return-path) domain name in the DNS. If the IP address sending mail on behalf of this domain is not listed in the SPF record, the message fails SPF authentication.


Configuring an SPF record is not only required when using the EntrustedMail  service, but a real good idea and will help the deliverability of your e-mail message.  If there is not an SPF record configured for your domain, then receivers that require some form of authentication verification may not accept your message or may automatically flag the message as SPAM.  When you create an SPF record, you must include all legitimate mail systems that send email on behalf of your domain, otherwise the ones not listed could be treated as possible forgery sources. 


In the following example, Healthy Care Services is has an SPF record in the following format;

v=spf1 include:spf.messaging.microsoft.com -all

In order to authorize EntrustedMail  to deliver messages for healthycareservices.com, the SPF record for healthycareservices.com will need to be modified to include EntrustedMail's SPF record.   


By editing the current SPF record by adding include:spf.entrustedmail.net you are authorizing EncryptTitan to deliver mail for your domain.  The following is what the edited SPF record for healthycareservices.com would like after they authorize EncryptTitan to deliver mail from their domain.


v=spf1 include:spf.messaging.microsoft.com include:spf.entrustedmail.net -all

A few caveats to avoid;


  • Be sure to place the include statement (include:spf.entrustedmail.net) before the ending operand which is usually -all
  • A valid SPF record can contain 10 or less DNS lookups.  
  • Be sure  that there is no more than one white space between statements in your SPF record.  For instance, if you have two spaces (rather than one) between the include:spf.entrustedmail.net and -all, the SPF record may fail validation.


    If you are unsure of how many lookups your SPF record current includes, Kitterman Technical Services has a great tool for verifying the structure of you SPF record. You can reach this tool by pointing your browser to https://www.kitterman.com/spf/validate.html



DKIM is a development of "DomainKeys" from Yahoo and "Identified Internet Mail" from Cisco, hence the name DKIM.


DKIM is a method of verifying the email sender is who they say they are. It's purpose is to prevent email spoofing.

DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication.


If you have implemented DKIM for your domain, you will need to create the following CNAME record so that the messages signed and delivered by EncryptTitan pass DKIM checks for your domain.



Record typeLabel/Host fieldTime To Live (TTL)Destination/Target field
CNAMEselect-em1._domainkey3600 or leave the defaultselect-em1._domainkey.entrustedmail.net 

 


If you have not implemented  DKIM for your domain, then creating the CNAME record is not a requirement but is highly recommended and will likely increase the deliverability of your email.


If you are not certain if DKIM has or has not been implemented, then please add the CNAME record since creating the CNAME record without a DKIM implementation will not impact the deliverability of your e-mail.  


If you would like help with implementing DKIM for you domain, please open a ticket and will be happy to assist you.



ZIX (Limited to our customer that are using Zix Encryption.  If you are not using Zix Encryption though EntrustedMail you will not see this record listed under the DNS Health Check.)

The ZixVPM MX record is a required record that is needed to determine where to send inbound encrypted messages for decryption. Because encrypted messages from other Zix encryption users, are signed using a unique key, that message will need to be sent to a gateway that hosts a private key that is used to decrypt the message.

The host that a ZixVPM MX record uses as a value or destination points to a host that is able to decrypt messages signed with the unique key.

If you need assistance with the syntax of your ZixVPM record, please open a support request and we will be happy to assist you.