Custom SPF Record

Can I add the following to CUSTOM DNS IN THE BOX??? Or, how can I add 54.240.8.96 to be allowed to send email? That domain is an Amazon SES instance running sendy.co - my box is box.fwla.com on Vultr.

Here are the details of my issue:
[Sender ID] fwla.com does not allow your server 54.240.8.96 to use info@fwla.com
Sender ID is like SPF, but it checks the FROM address, not the bounce address.
What we retained as your current SPF record is:

v=spf1 mx -all
It should be changed to:

v=spf1 mx include:amazonses.com ~all
More information about this error:

Hi uca,

If I understand you correctly you are getting an error message from MIAB that states you cannot send email through info@fwla.com from Sendy? As long as you are able to configure a custom FROM address in Sendy and a custom SMTP server in Sendy, you should be okay.

It would look something like:
Custom SMTP From: info@fwla.com
Custom SMTP Server: box.fwla.com
Custom SMTP Login: info@fwla.com
Custom SMTP Password: your.info.at.fwla.com.password.

Make sure you enable any STARTTLS options, and use SMTP port 587

This will bypass Amazon SES entirely. I don’t have applied experience with Sendy but I do know that while it’s designed for Amazon SES, it supports custom SMTP servers. See this article for more details.

Can I add DKIM signature to the custom DNS as well as the SPF record that is generated from SENDY / Amazon SES?

I want to continue to use Amazon SES via Sendy because the system works really well. When I was using external DNS with Mail-in-a-Box, it worked fine, except DKIM and SPF records were not matching all the time. The information I posted above is from mail-tester, which seems like I can just add that information to allow Amazon SES to send email as well as the Mail-in-a-Box. What do you think?

Hi @uca,

A couple things to point out here:

  • You can use two different DKIM keys only if the selectors are different. So for example your DKIM keys cannot both be default._domainkey.fwla.com. You’d need something like AmazonSES._domainkey.fwla.com. and the mail._domainkey.fwla.com that MIAB issues. You’ll need to add the Amazon SES DKIM records to your name server (likely MIAB?)
  • You are likely failing to reliably deliver mail because the default MIAB DMARC settings are to reject email not delivered by the MIAB, which is not how SES is delivering its email. You’ll need to change the fwla.com SPF records to permit both the MIAB server and Amazon SES. That should look something like a TXT record with “v=spf1 include:amazonses.com include:box.fwla.com -all”. This will permit all SES and MIAB outgoing traffic to be authorized by DMARC. You should check your AWS Console to ensure there are not specific SPF records your SES instance requires (I’ve never used SES before, so I’m not sure if that’s the case. The guidance online seems to be that amazonses.com is the proper domain.)

P.S. You can use the DMARC Validator to help ensure the DKIM and SPF settings are correct. It’s a free service that provides an email address to which you send an email (send one from SES and one from MIAB) and it will analyze your DKIM, SPF, DNS, and email headers to ensure everything is right for your particular environment.

thank you. I believe this answers what I just posted in the other topic. I will take a crack at these directions and report back because I know there have been SES questions by others on here before.

This looks like great information.

Ah, realized I had a quick question about the TXT record.

In the subdomain location (part before the .fwla.com.) what do I put for the SPF record?
I had one that looked like this:

_amazonses.fwla.com
TXT
v=spf1 include:amazonses.com include:box.fwla.com -all

right now I decided to grasp at straws and add:
box.fwla.com
TXT
v=spf1 include:amazonses.com include:box.fwla.com -all

_box.fwla.com
TXT
v=spf1 include:amazonses.com include:box.fwla.com -all

LOL. Anything else I should add? or delete…ha

Here’s an example to help illustrate how SPF works.

I’ve set up a MIAB for sending email from users@mailinabox.email. I’ve set the MX record for mailinabox.email to my MIAB and taken care of A records and all that already. Now I just need SPF.

Because I’m only sending email from mailinabox.email, I only need an SPF record on the mailinabox.email domain. So for example, because I’m not sending email from discourse.mailinabox.email, I don’t need an SPF record for discourse.mailinabox.email.

I assume you aren’t sending email from awesome-users@box.fwla.com, but instead from awesome-users@fwla.com. Additionally, your email newsletter is saying it’s from info@fwla.com.

So, the SPF record to focus on will be that of fwla.com itself. You’d want to include both box.fwla.com and amazonses.com. This is because while you aren’t sending emails from awesome-users@box.fwla.com, you are sending emails through box.fwla.com in order to deliver your email. SPF is concerned with the email servers that deliver the email for a domain, which is why the email sending domain SPF should contain the email servers you’ll be using.

Now, if AmazonSES notes that it requires an _amazonses.fwla.com, you should include that as an SPF record in addition to the ones you’ve already set.

So, you should have at least:

  • fwla.com TXT “v=spf1 include:amazonses.com include:box.fwla.com -a”. This will let only AmazonSES and your MIAB send mail claiming to be from fwla.com, without SPF related issues.

You won’t need to change the SPF records for any of your subdomains unless you need to add some for Amazon SES to work.

The More You Know: Note that we have put -a instead of ~a. The former is restrictive and the latter is permissive. Email coming from somewhere not defined in your SPF, when you use the -a flag, will be rejected. This makes it harder on spammers. Email coming from somewhere not defined in your SPF when using the ~a flag, will result in the email probably getting through but maybe tagged as spam. This is good for debugging how you’ve set up SPF. The setting we have here, with -a, means that you expect legitimate email only to originate on your MIAB and from Amazon SES.
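To make the behaviour described in this thread concrete, here is an added example (not code from the thread or from the Mail-in-a-Box project): a small offline SPF evaluator in Python. It resolves the `mx`, `a`, `ip4`, `include` and `all` mechanisms against a constructed in-memory DNS table instead of live DNS, so the MIAB address 203.0.113.10, the made-up `amazonses.com` SPF contents and the stranger address 198.51.100.7 are all assumptions; only the SES address 54.240.8.96 and the record texts come from the thread. It then evaluates the original `v=spf1 mx -all` record, the mail-tester suggestion with `~all`, and the strict record with both includes and `-all`, showing why the first rejects the SES sender and how `-all` and `~all` differ for an unknown sender.

```python
"""Offline SPF evaluator (illustrative, not a full RFC 7208 implementation)."""
import ipaddress

# Constructed DNS data standing in for real lookups. The amazonses.com SPF
# record and the MIAB address 203.0.113.10 are assumptions made for this demo.
FAKE_DNS = {
    "fwla.com": {"MX": ["box.fwla.com"], "TXT": ["v=spf1 mx -all"]},
    "box.fwla.com": {"A": ["203.0.113.10"], "TXT": ["v=spf1 a -all"]},
    "amazonses.com": {"TXT": ["v=spf1 ip4:54.240.8.0/24 -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 caps DNS-querying mechanisms at 10 per check


def spf_record(domain, dns):
    """Return the first TXT record starting with v=spf1, or None."""
    for txt in dns.get(domain, {}).get("TXT", []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def a_records(domain, dns):
    return {ipaddress.ip_address(a) for a in dns.get(domain, {}).get("A", [])}


def check_spf(ip, domain, dns, depth=0):
    """Evaluate sender `ip` against `domain`'s SPF record.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no record).
    """
    if depth > MAX_INCLUDE_DEPTH:
        raise ValueError("too many nested include: terms")
    record = spf_record(domain, dns)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = addr in a_records(arg or domain, dns)
        elif name == "mx":
            hosts = dns.get(arg or domain, {}).get("MX", [])
            matched = any(addr in a_records(h, dns) for h in hosts)
        elif name == "include":
            # include: only matches when the referenced domain yields 'pass';
            # a 'fail' inside the included record does not propagate.
            matched = check_spf(ip, arg, dns, depth + 1) == "pass"
        else:
            continue  # unknown mechanism: skipped here (a real checker errors)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no trailing 'all'


def evaluate_scenarios():
    """Run the three records discussed in the thread against three senders.

    Result tuple order: (Amazon SES sender, MIAB sender, unrelated sender).
    """
    senders = ("54.240.8.96", "203.0.113.10", "198.51.100.7")
    records = {
        "current": "v=spf1 mx -all",
        "mail-tester": "v=spf1 mx include:amazonses.com ~all",
        "strict": "v=spf1 include:amazonses.com include:box.fwla.com -all",
    }
    results = {}
    for label, txt in records.items():
        dns = {**FAKE_DNS, "fwla.com": {**FAKE_DNS["fwla.com"], "TXT": [txt]}}
        results[label] = tuple(check_spf(ip, "fwla.com", dns) for ip in senders)
    return results


if __name__ == "__main__":
    for label, outcome in evaluate_scenarios().items():
        print(f"{label:12s} SES={outcome[0]:8s} MIAB={outcome[1]:8s} other={outcome[2]}")
```

Running it shows the current record failing the SES address while passing the MIAB host, the `~all` variant letting the unknown sender through as softfail, and the strict record passing both legitimate senders and failing everything else. The evaluator deliberately stops at the mechanisms used in this thread; `include:` is resolved recursively with a depth cap because SES-style records commonly nest includes, and a real deployment should be checked with a live resolver or a validator service as the earlier reply suggests.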

