Update Email Processing with DKIM and SPF for Eval25

Email sent out from collegenet.com servers by the Eval25 system will have the "From" address that your institution designates, such as name@yourschool.edu. For our email servers to be trusted to send email on behalf of your school, your DNS servers will need to be updated.

CollegeNET recommends that you perform the following two steps to ensure that mail is processed correctly and reaches the intended targets:

  • Use DKIM, which allows CollegeNET to sign messages sent on your behalf as trusted messages from your own domain. See the “Using DKIM” section below.
  • Create or update your existing SPF record to include CollegeNET as one of the senders of messages from your domain. See the “Updating your SPF Record” section below.

Using DKIM

DKIM (DomainKeys Identified Mail, http://www.dkim.org) is an email authentication standard that allows an organization (and trusted third parties) to take responsibility for an email. The sending email system includes a digital signature in the email when it’s sent. Receiving email systems will validate the signature and ensure the system that added the digital signature is authorized to sign email from the organization’s domain.

Using DKIM offers two important advantages:

  • Improved email delivery — Mail is less likely to end up in the recipient’s spam folder because the emails are cryptographically signed with a private key that matches the public key listed in your DNS system.
  • Clearer presentation — Email clients (such as Gmail, Outlook, Hotmail, etc.) present the “From” information more clearly to the recipient.

For additional reference, please see: 

Implementing DKIM

  1. Send an email to support@collegenet.com to let us know you want DKIM email signing. CollegeNET then creates a signing key pair and provides you with the proper DNS record for the signing key.
  2. Your IT department adds the provided DNS record to your domain information, and you notify us when it’s done. A sample DNS record is shown below. (The actual record varies from school to school.)

collegenet._domainkey.your-school.edu. IN TXT "v=DKIM1;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCWDgaB1SC1PJ+Ivt3kTwhptgbmMPbW8dVsCl9ztfN8WL3TFYhx3HpFjZw+hTLIJp8cjevBSPlTloL+BT+o8emoPn/BEoEPIPJ1QTF+oDonStMqiaArQmWJ/kKWOdXYDhpcLTK7mvp5HfFC5IxDg+WiK1sKsZu6hXHwyWHmzKglpwIDAQAB;"

  3. Email support@collegenet.com to let us know once the signing key has been added on your end.

Note: You can remove the actual sender domain relationship at any time by removing the key on your end.

Updating your SPF Record

SPF (Sender Policy Framework) is an email-validation system designed to detect email spoofing. Receiving email exchangers can check to ensure incoming mail from a domain comes from a host authorized by that domain's administrators.

SPFv1 allows the owner of a domain to specify their mail sending policy, including which mail servers they use to send mail from their domain. The technology requires two sides to communicate as follows:

  • The domain owner publishes this information in an SPF record in the domain's DNS zone.
  • When another mail server receives a message claiming to come from that domain, then the receiving server can check whether the message complies with the domain's stated policy.

For additional reference, please see: 

Implementing SPF

Editing an Existing SPF:

1. Determine if your domain already has an SPF record.

2. If you already have an SPF record, add this text to it:

Creating a New SPF:

  1. If you don't already have an SPF record, create one for your domain as described at this website:
  2. Add this text to it:
    • mx:collegenet.com
  3. Once you have created the new SPF record, add this record to your DNS system:
    • customerdomain.edu. IN TXT "v=spf1 a mx:collegenet.com ~all"
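
The following is an added example, not CollegeNET code: an offline check you can run on the TXT records you plan to publish, covering both the "edit an existing record" and "create a new record" paths above. The function names (`parse_spf`, `lint_txt_records`) and the sample record lists are constructed for illustration. It flags a second `v=spf1` record published instead of a merged one, a missing `mx:collegenet.com`, a misplaced or permissive `all`, and too many DNS-querying terms.

```python
# Added example (not CollegeNET code): offline lint of a domain's TXT records for SPF.
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}  # each triggers DNS queries
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Return [(result, name, argument)] for each term after v=spf1."""
    terms = []
    for raw in record.split()[1:]:
        qual, body = (raw[0], raw[1:].lower()) if raw[0] in QUALIFIERS else ("+", raw.lower())
        if "=" in body and ":" not in body.split("=", 1)[0]:  # modifier such as redirect=
            name, _, arg = body.partition("=")
            terms.append((None, name, arg))
        else:  # mechanism; drop any /cidr suffix from the name
            name, _, arg = body.partition(":")
            terms.append((QUALIFIERS[qual], name.split("/")[0], arg))
    return terms

def lint_txt_records(txt_records, required=("mx", "collegenet.com")):
    """Return a list of problems; an empty list means the SPF setup looks sane."""
    cleaned = [r.strip().strip('"') for r in txt_records]
    spf = [r for r in cleaned if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # two SPF records make receivers return permerror
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    terms = parse_spf(spf[0])
    mechs = [t for t in terms if t[0] is not None]
    names = [name for _, name, _ in mechs]
    problems = []
    if not any((name, arg) == tuple(required) for _, name, arg in mechs):
        problems.append("missing " + ":".join(required))
    if "all" in names:
        i = names.index("all")
        if i != len(names) - 1:
            problems.append("mechanisms after 'all' are never evaluated")
        if mechs[i][0] == "pass":
            problems.append("'+all' authorizes every host")
    elif not any(name == "redirect" for _, name, _ in terms):
        problems.append("no 'all' mechanism or redirect= modifier")
    lookups = sum(name in LOOKUP_TERMS for _, name, _ in terms)  # this record only, not nested ones
    if lookups > 10:
        problems.append(f"{lookups} DNS-querying terms; SPF allows at most 10")
    return problems

# Constructed sample inputs; customerdomain.edu's records as they might look.
PAGE_RECORD = ['"v=spf1 a mx:collegenet.com ~all"']
SPLIT_RECORDS = ["v=spf1 a ~all", "v=spf1 mx:collegenet.com ~all"]  # added, not merged
NOT_UPDATED = ["v=spf1 a mx ~all", "site-verification=constructed-value"]
if __name__ == "__main__":
    for label, txt in [("page", PAGE_RECORD), ("split", SPLIT_RECORDS), ("stale", NOT_UPDATED)]:
        print(label, lint_txt_records(txt) or "ok")
```

The lookup count covers only the terms in the record itself; records pulled in through `include` or `redirect` add to the same limit of 10 when a receiver evaluates them.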

Understanding the SPF record

The following example explains what each part of the SPF record means.

Annotated sample record:

v=spf1 a mx:collegenet.com ~all

  • "v=spf1": Identifies the TXT record as an SPF string.
  • "a": customer.edu's IP address is xxx.xxx.xxx.xxx. That server is allowed to send mail from customer.edu.
  • "mx": customer.edu has one MX server. It is allowed to send mail from customer.edu.
  • "mx:collegenet.com": Any email server listed in the DNS MX record for collegenet.com is also allowed to send mail from customer.edu.
  • "~all": SPF queries that do not match any other mechanism will return "softfail". Messages that are not sent from an approved server should still be accepted but may be subjected to greater scrutiny.

    Note: If you prefer to reject all messages not sent by an approved mail server, then change "~all" to "-all" but please be sure that you understand the implications of using