Introduction:
FBO One is responsible for sending email messages on behalf of the FBO. These messages include handling confirmations, supply orders, invoices, movement messages, new contact emails, and backup documents.
FBO One supports DKIM and SPF through Amazon SES to authenticate its emails and safeguard your organisation. This article focuses on the necessary steps to configure these measures. For more general information on the email security features of FBO One and their functioning, please consult the article FBO One Email Security - DKIM, SES, and SPF.
Setup Summary
- Your email domain administrator is required to insert the following records:
- An 'SPF' record in the DNS configuration.
- Whitelist the FBO One email servers in your corporate email firewall.
- Add DNS Records.
- Add DNS TXT record for Amazon SES*
- Add DKIM DNS CNAME TXT Record
* Public key values available via the Administration page 'Check DNS Email Records'
- Await the status to change to 'Success'.
- Note: validation may take up to 24 hours.
- Once validated, change the Application setting 'UseAmazonSesIfValidInAmazon' from false to true.
SPF Record
How to check in FBO One if SPF has already been set up in your domain
- Go to the page MENU | Administration | Check DNS email records.
- This page lists all sender-domains in use.
- SPF is set up correctly if the line that starts with "v=spf1" has the status Success.
Adding the FBO One servers to your domain SPF record
Note: The following tasks should be carried out by your IT Administrator.
Updating an existing SPF record.
Add the following value to the SPF record for your domain:
include:_spf.fboone.aero ~all
Notes:
- Only one SPF record is allowed. If you already have an SPF record, amend it with the additional "include"; do not create extra records.
- The record uses the 'softfail' setting. A soft fail in an SPF record means that suspicious emails, or emails from unauthorized servers, are not rejected, but forwarded to a spam folder or marked as suspicious.
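The check below is an added example, not FBO One code: it audits the TXT records of a domain against the two rules above (exactly one SPF record, with the FBO One include merged into it) and proposes the amended record. The sample records, function names and the top-level-only lookup count are assumptions made for illustration; the 10-lookup limit comes from RFC 7208.

```python
# Added example: audit a domain's TXT records before adding the FBO One include.
FBO_INCLUDE = "include:_spf.fboone.aero"  # value given in this article
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed sample: TXT records as a DNS query for the domain would return them.
SAMPLE_TXT = ["site-verification=constructed-value", "v=spf1 mx a:mail.isp.com ~all"]

def spf_records(txt_records):
    """Keep only the TXT strings that are SPF policies."""
    return [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]

def dns_lookup_terms(record):
    """Count top-level terms that cost a DNS lookup (RFC 7208 allows 10 in total)."""
    count = 0
    for term in record.split()[1:]:
        bare = term.lstrip("+-~?").lower()
        name = bare.split(":")[0].split("/")[0]
        if name in LOOKUP_MECHANISMS or bare.startswith("redirect="):
            count += 1
    return count

def add_fbo_include(record):
    """Insert the FBO One include before the 'all' term, only if it is absent."""
    terms = record.split()
    if FBO_INCLUDE in (t.lstrip("+").lower() for t in terms):
        return record
    for i, term in enumerate(terms):
        if term.lstrip("+-~?").lower() == "all":
            return " ".join(terms[:i] + [FBO_INCLUDE] + terms[i:])
    return " ".join(terms + [FBO_INCLUDE])  # no 'all' term: append, change nothing else

def audit(txt_records):
    """Return (findings, proposed_record) for one domain's TXT records."""
    found = spf_records(txt_records)
    if len(found) > 1:
        return ["multiple SPF records: merge them into one"], None
    if not found:
        return ["no SPF record: create one that lists your own mail servers"], None
    proposed = add_fbo_include(found[0])
    findings = []
    if proposed != found[0]:
        findings.append("FBO One include missing")
    if dns_lookup_terms(proposed) > 10:
        findings.append("more than 10 DNS-lookup terms at top level")
    return findings, proposed

if __name__ == "__main__":
    print(audit(SAMPLE_TXT))
```

The lookup count covers only the terms in the record itself; records pulled in through an include add their own lookups toward the same limit.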
Creating a new SPF record
If you have to create a new SPF record, it should be formatted as below. Replace the value "mail.isp.com" with your actual mail server(s).
yourdomain. IN TXT "v=spf1 mx a:mail.isp.com include:_spf.fboone.aero ~all"
Descriptions:
- `yourdomain.`: Your domain name, usually written in DNS configuration with a trailing dot. Example: `thejetcenter.com.`
- `IN`: As in every DNS record, this indicates an INternet record.
- `TXT`: The record type, in this case TXT. When SPF was designed there was no specific SPF record type, so TXT was used.
- `mx`: This will allow mail from every server that is mentioned in the MX records for your domain. If the same mail servers that handle inbound mail also handle outbound, you'll want this in the SPF record. By specifying another domain after `:` you could even include the MX records of another domain.
- `a:mail.isp.com`: Using an 'a' (for a DNS A-record lookup) you can allow mail from any other server name you want. If you have different outbound mail servers, or other machines that can send mail from your domain, this is the way to do it. There are also ways to allow an IPv4 network range, for example. When your inbound (mx) mail servers are sending the mail as well, and you don't use any external mail services or have any other mail-sending servers, you may not need this part at all.
- `include:_spf.fboone.aero`: This will include the servers of Amsterdam Software that can send mail on behalf of FBO One, so this is the important part. If you already have an SPF record, this is the (only) part you should add.
- `~all`: This part declares that mail from the mentioned servers is all that should be accepted as originating from your domain. That's why you should very carefully insert all your current mail servers in the SPF record.
Whitelist the FBO One email servers in your corporate email server
Your corporate email server may reject messages sent by FBO One as an additional anti-spoofing measure on top of the SPF mechanism. If this is the case, all your clients will properly receive messages sent by FBO One, but you can't receive messages in your in-house mailbox. This happens if the mail server is configured to reject inbound messages from external email servers when the sender address has the same domain name as the corporate email server uses. To solve this issue, the administrator of the email server needs to whitelist the mail servers used by FBO One. This is the list of servers to be whitelisted:
cbvpn1.fbo1.io
cbvpn2.fbo1.io
mail.dvxp.com
smtp2.dvxp.com
azuresw1.eastus2.cloudapp.azure.com
If you are still experiencing issues for internal recipients, it's likely that your email application firewall is identifying the incoming emails as spoofing coming from an external IP address. The IT administrator can resolve this by updating your email firewall settings to accept emails from the following IP Addresses:
54.240.88.211
54.240.88.212
Add DKIM DNS Records
Your network administrator needs to insert all the records specified in the "Check DNS email records" administration screen, i.e. 1 TXT record and 3 CNAME records.
When setting up DomainKeys Identified Mail (DKIM), a common approach is to publish the DKIM public key in a DNS TXT record using a CNAME-like convention. This allows you to use a more human-friendly name for the DKIM selector and is sometimes referred to as a "CNAME-like" TXT record for DKIM.
Adding a DNS TXT record for DKIM involves a series of steps, and the exact process can vary depending on your DNS hosting provider. Below are general instructions that should guide you through the process. Keep in mind that you need to have access to your domain's DNS settings to add or update DNS records.
General Steps:
1. Access DKIM Keys:
- For FBO One the key information can be found on the 'Check DNS Email Records' page.
2. Determine Selector and Domain:
- DKIM uses a selector to identify the specific key used to sign the email. Determine the selector and domain for which you want to set up DKIM. For example, if your selector is "default" and your domain is "example.com," you might have a DKIM selector like `default._domainkey.example.com`.
3. Create a TXT Record:
- Note: Instead of using a CNAME record directly, you'll create a TXT record with the DKIM public key. Use the following format:
- Name/Host: This is the selector followed by ._domainkey. Using the example above, it would be `default._domainkey`.
- Value/Text: This is the DKIM public key provided by FBO One on the 'Check DNS Email Records' page. It's a long string of characters.
4. Publish the TXT Records:
- Go to your DNS management console provided by your domain registrar or DNS hosting provider.
- Add the new TXT records with the details you determined in the previous steps.
5. Verify DKIM Record:
- After saving the record, wait for the DNS changes to propagate. This may take some time, typically up to 48 hours.
- Confirm the status has been updated to 'Success' on the FBO One 'Check DNS Email Records' page.
If you encounter difficulties or have specific questions, refer to the support documentation of your DNS hosting provider or seek assistance from their support team.
Good to know.
In the event of incomplete configuration, emails generated by FBO One may be marked as 'unverified'. To prevent this, FBO One will default to using the FBO One verified account, as configured in the Application setting 'EmailSenderUsedIfSpfIsInvalid'. The default value is "noreply@fbo1.io".
Related Information
http://en.wikipedia.org/wiki/Sender_Policy_Framework