Forgot to set SPF and DKIM records... How much damage have I caused?

Posted by g0ldf1sh101@reddit | sysadmin | View on Reddit | 25 comments

Recently I've been helping a local charity migrate from Office 365 to Google Workspace on a volunteer basis. I'm not a Sysadmin by trade (software engineer) but I've ended up doing Sysadmin stuff just because I'm the most tech-y person there, and they don't really have the funds to hire anyone in. Anyway, I'm flying by the seat of my pants here, it's a wild but informative ride and I just realised I screwed up big time while switching email providers. I switched the email provider from Exchange to Google, migrated all the mailboxes and everything seemed fine for a few weeks. Today, I was told by one of the members that loads of their emails hadn't been received by people since the switchover and it was causing an issue. Not sure why it wasn't raised before, but here we are. A quick Google search made me realise it was squarely my fault - I hadn't set the SPF and DKIM records up for emails coming from Google (there was an SPF record, but it was set up for emails coming from Exchange, which is probably doubly bad as it's the wrong origin entirely). I read the manual, updated the SPF record and set up the DKIM record, sent out some test emails and it's all looking good now. However, as far as I understand, for those few weeks the recipients' mail providers were blocking our emails as they appeared to be spoofed / spam. Now that the records are correct, will they start receiving emails from us again, or is there a chance we'll be blacklisted somehow and we need to tell those recipients that their IT team need to 'unblock' us? The reason I ask is because I need to give said member some confirmation that we're good to start sending emails again, but they are asking how we can be sure that the emails are actually being received now. If I wait for 48 hours to make sure the changes have propagated, do I just tell them to re-send all the important emails they haven't received a reply for over the past 3-4 weeks and assume all is well? Trying to gauge how big of a screw up this is and whether I need to do a chunk of cleanup work. Apologies if I'm not using the right terminology here, still getting the hang of all of this. Any advice is appreciated! Also, I have learned that Sysadmin work is not suitable for part time, unpaid volunteering. There are too many fires and I am burning alive. Send help lol

Reply to Post

25 Comments

[-]

hoilday42@reddit

about "emails not received" or "recipients' mail providers were blocking..." Does this mean the emails bounced? In that case the sender would have gotten an email that their message was not accepted. If they waited to report this, it's on them. Did their email go into the recipients spam/junk folders? Perhaps they ought to poll some of their recipient with a phone call, if they need reassurance.

[-]

g0ldf1sh101@reddit (OP)

It’s complicated, because the one recipient we investigated is insisting the email hasn’t gone to their junk folder but the sender is insisting they didn’t get any bounce emails. All the ‘missed recipients’ we are aware of have corporate email addresses. As far as we know, emails sent to personal Gmail addresses etc have gone through fine. All of that pointed me at two possibilities: - The emails have gone to their junk folders - Their email systems automatically hold/block dodgy emails and they never end up with the recipient, junk or otherwise. I think you’re right - I’ll instruct them to ring up their most important contacts to make sure things are working smoothly again. Thank you!

[-]

ShiningSquirrel@reddit

If it just corporate accounts not receiving it, it may not go into their junk mailbox. Many company's have email appliances that stop suspected spam before it even reaches the users mailboxes so they would never even see it.

[-]

zuron7@reddit

+1, We're a small 10 person company, but we have a quarantine section for highly suspicious emails on the server before it goes to the addressed persons mailbox. We have it configured only to block executable files currently. Pretty much everything else gets through.

[-]

BoltActionRifleman@reddit

Have someone at one of the recipient corporations check their quarantine. With no bounce back and nothing in their junk folders, it’s likely being held in email purgatory.

[-]

wasteoide@reddit

We block NDRs for many of our clients so servers aren't sending NDRs for all the fucking spam it blocks and all the invalid recipient mail we reject. So maybe that's why he didn't get a bounceback.

[-]

WTFKGCT@reddit

On the right track. Just takes the rest of the net to realize the changes, and sometimes recipient servers hold grudges about such things, so to speak.

[-]

cr4ckh33d@reddit

Just get a new domain now this one is burnt.

[-]

demosthenes83@reddit

You should be good to go now. Failing those checks will almost always just drop those emails or flag them as spam, and won't cause you any long term issues. I'm sure you've tested, and tested again, but here's a good tool if you want to triple check your settings: https://www.learndmarc.com/ Now is also the time to set up DMARC, MTA-STS and TLS-RPT, and make sure the reports are being monitored.

[-]

Due_Capital_3507@reddit

We straight reject messages that hard fail SPF or DKIM, so their spam filter could potentially drop the messages. It's going to be different for every recipient

[-]

cbiggers@reddit

We hard reject failed spf but dkim is too "new" that we can't block it because Uncle Bob's glass shop doesn't know how to set it, and lots of one click hosting things don't set it .

[-]

vppencilsharpening@reddit

I don't have much to add other than the possibly of using a free (or paid) DMARC aggregation service. DMARC aggregation will give you a feedback loop that you can use to verify that the SPF and DKIM records are setup correctly. Depending on the service you use (and use a service because doing it by hand is waaaayy too much work) you may be able to setup alerting or periodic reporting. For the corporate message that are not in the spam folder, some enterprise level systems have different levels of quarantine. If the messages got caught as spoofing they may be in super secret jail that requires an IT admin to find.

[-]

sorean_4@reddit

This right here. Find a DMARC monitoring solution, configure your record and keep an eye on the reports. You will see what fails and where.

[-]

Dull-Bowl2@reddit

You're fine. It happens alot.

[-]

StaffOfDoom@reddit

SPF is voluntary and most places don’t set it right…filters will catch it but email will flow when you correct it. DKIM I’m not 100% sure of the long-term effects…correct it and see, I guess?

[-]

Tides_of_Blue@reddit

Sounds like the right changes were made. Now sit back and relax while it propagates.

[-]

Bluusoda@reddit

Bro, it’s email and DNS. Make the updates and you’re good. Anyone that had in un-received emails can just resend.

[-]

taxigrandpa@reddit

have you found [mxtoolbox.com](https://mxtoolbox.com)? it's my go-to to test everything the best way to show your users that email is going through is to send an email to a gmail account. Google is the fastest to block un secured email

[-]

lolklolk@reddit

As long as you fix the SPF and DKIM records for the new sending services, you should be fine.

[-]

Zncon@reddit

You'll almost certainly be fine. These checks are usually performed on each message, so there's no global system that's been counting up your failed messages to add you to a blocklist. If you're concerned you can put your server info into a tool like this and see if you did get listed anywhere as a spammer. [https://mxtoolbox.com/blacklists.aspx](https://mxtoolbox.com/blacklists.aspx) I generally push for strict enforcement of these checks, so we make a point of reaching out to our external vendors when their messages get blocked for failing SPF/DKIM. Once they fix their records everything is usually all good again.

[-]

g0ldf1sh101@reddit (OP)

Great, thanks for the info. Had a look through the list and looks like we are all good (except for UCEPROTECTL3 blacklisting a DigitalOcean IP address, but from what I'm reading they just blacklist everything).

[-]

CiTechnology@reddit

You shouldn’t be black listed unless they explicitly did so

[-]

ARP_P0150N@reddit

Everything will be fine.

[-]

g0ldf1sh101@reddit (OP)

I needed this!

[-]

Silent331@reddit

Failing SPF is not a reason that you be blacklisted. As long as you fix the records you should be good to go once the record propagate, they say can take up to 48 hours but I've seen it pretty much fully implemented in less than three. Failing SPF will often just cause a hard fail and not always return to bounce. I would say tell them to wait a couple days and resend any important emails.