Why do so many sysadmins forget about DKIM/DMARC/SPF when setting up third party services?

[-]

Ok-Double-7982@reddit

I am trying to follow this, but if ACME company has a marketing dude who buys a SaaS subscription to MarketingJunk. MarketingJunk tries to blast email out as MarketingDude@ ACME. com The config needs to happen...where? By MarketingJunk on their mail server, right? Not ACME?

Reply

[-]

1337_Spartan@reddit

Step missing for the OP's comments to apply to ACME IT knows that blasting a mailshot from ACME.com is going to tank ACME.com's mail reputation so they add a subdomain of m.acme.com into their external DNS. Marketing dude sets his saas to blast the mailshot from marketingdude@m.acme.com ACME IT haven't added any of the needed records to m.acme.com so the mailshot falls over quickly. This is where the admonishment to make sure you have SPF/DMARC/DKIM records published (and updated...) comes in.

Reply

[-]

Ok-Double-7982@reddit

Thank you for the response. I was thinking that the SaaS vendor is supposed to add ACME as a subdomain to THEIR domain, so that when ACME's marketing dude logs into MarketingJunk system, he sends a blast from his MarketingJunk SaaS account, and the email actually comes from that SaaS vendor (MarketingJunk). I noticed a lot of my SaaS companies we use have websites (this is a generic example only) like Salesforce have subscribers set as a subdomain in their instance: ACME . salesforce . com COMPANY2 . salesforce . com So all the DKIM stuff should be happening on Salesforce's side, not ACME's DKIM/SPF/DMARC?

Reply

[-]

1337_Spartan@reddit

>So all the DKIM stuff should be happening on Salesforce's side, not ACME's DKIM/SPF/DMARC? No. Salesforce is sending on behalf of ACME so ACME have to signal to the world at large that this is kosher. That's why there has to be an SPF record for/at ACME that includes Salesforce and the DKIM public keys that Salesforce will/should generate (not actually touched or onboarded salesforce anywhere so no exp with it) and DMARC go in ACME's external DNS. So to use the prior example of ACME and MarketingJunk, m.acme.com needs to have an SPF record that includes MarketingJunk. Then the DKIM keys for MarketingJunk (I'm going to assume that MJ does it the same way as sendgrid where they call it Domain Authentication) which MarketingJunk generates, either just the key or the whole formatted DNS record for you to add. Then DMARC to bring it all together. >and the email actually comes from that SaaS vendor (MarketingJunk). Where MarketingJunk itself is sending the mail from isn't gemain to checking whether acme authorised it or not. If this mattered, bulk 3rd party email like sendgrid et al would be a lot harder to use.

Reply

[-]

TheRealLambardi@reddit

I find most sysadmins don’t know about this behind a cursory it exists. More to the BIGGER reasons. 1) marketing or comms setup a new email method and never even talked with IT. 2) someone setup cevent or survey monkey and don’t need ITs help. 3) what’s dmarc or spf and I simply added another domain name for the 14th record after putting much of AWS IP space in there already :)

Reply

[-]

IN-DI-SKU-TA-BELT@reddit

I didn’t forget, I setup a very strict policy, and then let it fail because marketing and other departments used tools without consulting ops.

Reply

[-]

HoodRattusNorvegicus@reddit

This happens all the time.. Marketing or HR signs up for Mailchimp or some other service without even telling IT, and then bitch & whine when the newsletters/payrolls bounce..

Reply

[-]

altodor@reddit

What gets annoying is when you've got so many services you start having to flatten the records yourself.

Reply

[-]

Ahnteis@reddit

Try to make 'em use a subdomain.

Reply

[-]

Loud_Meat@reddit

yeh is is our answer. running out of includes was a great help to force hand there anyway

Reply

[-]

RevLoveJoy@reddit

I get in front of it. "This is the list of approved mailers. Adding a new mailer requires your department director and our department director to both agree in writing." So basically that last bit almost never happens.

Reply

[-]

altodor@reddit

Happens in mine all the time

Reply

[-]

ZenAdm1n@reddit

"Just get it done" managers who don't want to have to understand what they're saying yes to.

Reply

[-]

MrD3a7h@reddit

This comment was approved, please proceed.

Reply

[-]

Muy_Dedicado@reddit

Macro SPF is your friend, my friend. Nowadays you don't even have to configure it yourself, there are 3rd Party vendors who will handle it for you.

Reply

[-]

Silent_Villan@reddit

Even more fun when the #1 and #2 spot are a security products and they don't understand the problem, or why their mail is flagged as spam.

Reply

[-]

d00ber@reddit

Yep, exactly. Literally got pulled into a meeting this morning about it. The SAAS vendors support people were so condescending too. Like, brother.. This is the first I'm hearing about us using your product.. lol

Reply

[-]

Metrics_Engineer@reddit

This is why all orgs need a DMARC reporting app that they consult weekly. That way they can see these rogue apps in some department come to life and hunt them down and get them compliant.

Reply

[-]

teorouge@reddit

Is Postmark still giving away weekly reports for free? They did prove useful in our org.

Reply

[-]

Metrics_Engineer@reddit

Seems pretty limited, but it's there: https://dmarc.postmarkapp.com/#comparison. You can find vendors on https://dmarcvendors.com/#DMARC\_Analytics that have a free tier. Most limit by message volume, so it all depends on how much traffic your org generates.

Reply

[-]

Surge-Monkey@reddit

CEO can’t miss -any- emails, under any circumstances, ever, so SPF is set permissive, and he gets all spam etc delivered. All of it is then forwarded to 2 separate hosted cloud emails on different domains. It’s funny when one of the 2 3rd party hosting reject the mail and deliver a bounceback because of the spam rules and our mail system gets blamed. Nobody else has this problem. Nobody else has unfiltered email being forwarded onto 3rd party hosts. And i cant change SPF to be restrictive instead of permissive :( I’m very well aware of the danger of their choice.

Reply

[-]

IN-DI-SKU-TA-BELT@reddit

That sounds like hell, I'm sorry :(

Reply

[-]

BlotchyBaboon@reddit

This is exactly the issue. It's always marketing. It's always some marketing exec who just fires up some subscription service, doesn't bother to test anything and then wonders why their critical new system doesn't work. The email chain I'm currently, at this exact moment I'm on it, "the new WhizbangMagic site isn't working" which led me to ask "WTF is WhizbangMagic", which then led to them explaining it's the tool that integrates with DigiGarbage and then I had to ask the question, "WTF is DigiGarbage?" Never mind the fact there's a whole "policy" against unapproved SaaS, but it's marketing - apparently they're exempt and management would never tell them no anyway.

Reply

[-]

Jimthepirate@reddit

As an architect I try to get ahead of these random SaaS popping like mushrooms after rain, but it often feels like a loosing battle. Especially with AI, people just onboard shit and upload company data without second thought. I got directors send me links to some fancy noname AI tools “we should consider” that are clearly scams. It feels hopeless sometimes.

Reply

[-]

TheFluffiestRedditor@reddit

It’s a loosing battle to be sure, but it’s marketing and HR loosing their cannons of bullshit at us. 😞

Reply

[-]

IN-DI-SKU-TA-BELT@reddit

And they seem to be able to get away with "Oh I'm not technical", despite it should 100% be their role to be technical and understand the technologies that they're managing.

Reply

[-]

DoughnutSpanker@reddit

You’re not technical? Okay, then stop making technical decisions. “No, our director authorized this project.”

Reply

[-]

ProgressBartender@reddit

You need a CIO who has the nod from the CEO. And then the CEO can punish anyone not following his policy about IT expenditures

Reply

[-]

itskdog@reddit

We've got the finance department to check any new subscription with us before purchasing, in case we already have a suitable equivalent.

Reply

[-]

BlotchyBaboon@reddit

The marketing department has their own credit card. Lucky them. Meanwhile, I've got to go beg to add an EOP2 license to an M365 tenant.

Reply

[-]

ZPrimed@reddit

It's even worse when the CEO and CMO are good friends. I work at a place where marketing has *way* too much power.

Reply

[-]

yet_another_newbie@reddit

> I work at a place where marketing has way too much power. Is there any place where that's not the case?

Reply

[-]

Darkace911@reddit

The one were they fire the lead marketing person every two years because of low sales or no leads.

Reply

[-]

amotion578@reddit

This is the way. "We're done talking" -ATHF

Reply

[-]

valar12@reddit

Every fucking time without fail.

Reply

[-]

accidentalciso@reddit

Yup. This is how it goes.

Reply

[-]

logoth@reddit

I feel this in my bones. (along with sales jumping on to new tools).

Reply

[-]

DULUXR1R2L1L2@reddit

At least you know it's working as intended

Reply

[-]

dowhileuntil787@reddit

Then they, or the agencies they've hired, work around it by [buying a completely separate domain](https://askbobrankin.com/sigh_the_phish_that_wasnt.html) and running their campaign from that...

Reply

[-]

fresh-dork@reddit

do you work at chase? they're the worst for that

Reply

[-]

jeff49522@reddit

I'd prefer that over the usual email in a ticket at 6pm on a Thursday asking for SSO, app packaging etc and a list of users to deploy to etc. Then start hounding everyone in IT at 8am the next morning asking when it will be done because their go live is supposed to be monday.

Reply

[-]

angrydeuce@reddit

This precisely. I can only act on things that I know about. I shouldn't have to ask a web developer 657 times if theyre planning on sending outbound email with the service account they requested for a web form, but of course I always do. "Hey were going to be sending a shitload of marketing emails from one of our internal mailboxes." "Yeah, don't do that. Youre going to get the whole domain flagged as spam." "Oh, okay." ...*one week later*... "ALL OF OUR COMPANY EMAILS ARE GOING TO PEOPLES JUNK FOLDERS!! THIS IS *UNACCEPTABLE!*" "Man, who could have ever predicted this? Oh wait, **I did**, when I told you not to do that. Did you do that?" ...*crickets*...

Reply

[-]

Competitive_Run_3920@reddit

This is exactly it. If you check the company’s SPF policies etc and they’re non existent then that’s an IT issue. If the policies exist but a specific vendor isn’t listed, that’s very likely another department buying a service and not telling IT. When I see these come up I try to respectfully contact the IT dept at the other end as I hope someone would do the same for me. Same for compromised mailboxes or other issues. I have the same thing happen for SSO and SCIM. 6 months later when a position turns over, I get a call asking bout providing the new user access to an app I’ve never heard of. 45 mins of investigating later I find out someone has been manually adding users to an app I had no idea about that’s supported SSO and SCIM since the day it was purchased.

Reply

[-]

RevLoveJoy@reddit

This is the way.

Reply

[-]

8BFF4fpThY@reddit

This is also the setup that we have. Not my fault that they didn't consult IT before rolling something out.

Reply

[-]

what_dat_ninja@reddit

Yup, this is how you find shadow IT

Reply

[-]

LookAtThatMonkey@reddit

Bingo !!

Reply

[-]

BioshockEnthusiast@reddit

Vibes. Good work my man lol.

Reply

[-]

StaffIntelligent2773@reddit

The joy I am getting from hearing the pain we all suffer from this \*typically\* unrecognized step in email marketing. I felt alone in my angst and am now joined by my fellow admins. My marketing team sent out 500,000 emails during a rebrand and didn't notify me. The entire Universe black-listed our domain and Google throttled us for 2 months due to our vendor (who barely understands DNS) provided no guidance. We all deserve a Bud Light commercial "Here's to you Mr. DNS, DMARC, SPF, DKIM aligner for keeping marketing strong and email flowing."

Reply

[-]

NuAngelDOTnet@reddit (OP)

170+ comments feel your pain. ;)

Reply

[-]

Top_Boysenberry_7784@reddit

I see big companies and little companies do it all the time. The company I work for has over 500 customers. The top 30 customers are big name customers and the rest you have probably never heard of. It's fairly common for us to block a small customers email because their settings are telling us to block their emails. Sales is never happy about it and the customers sometimes claim that everyone else gets their emails, which makes me further wonder how many places are not checking at least DMARC/SPF.

Reply

[-]

SolidKnight@reddit

Dysfunctional orgs or solo admins who don't understand DMARC/DKIM/SPF.

Reply

[-]

d00ber@reddit

I just found out this morning that our ED was working with a vendor to setup a new SAAS without involving IT and was stumped when emails weren't being delivered as emails from our domain until I got called into a call with some dude telling me i needed to setup SPF records. Yeah, I'm aware .. I wasn't aware of our ED piloting this random SAAS. Having a nice sit down with the ED and reminding them of company policies and why we have them lol

Reply

[-]

idontknowlikeapuma@reddit

I worked for an ISP that offered mail services. Mind-blowingly, the founder and CEO used to work for AOL! It took me so long to explain to him the email header where it was getting rejected and why. "Well then, gmail/yahoo/microsoft needs to fix on their end." God no, dammit dude, it is on OUR END. You are seriously trying to tell me three mega corporations don't know how to configure their shit but you do?! I eventually found the mail server and fixed it. He commended me for getting THEM to fix it.

Reply

[-]

Far-Hovercraft9471@reddit

The genius of higher ups is always impressive

Reply

[-]

Far-Hovercraft9471@reddit

No one gives 2 shits about email since the market doesn't give a shit about email admins. It's just admins reacting to incentives.

Reply

[-]

Nomaddo@reddit

Oh, one of my personal peeves is when someone starts using Amazon Ses and they don't setup *their* domain as a custom mail from. I would much rather see 0100018b6f6e9099-800e90e1-28b6-4017-9d54-3f54acb90173-000000@**ses-bounce.meraki.com** instead of 0100018b6f6e9099-800e90e1-28b6-4017-9d54-3f54acb90173-000000@**amazonses.com**

Reply

[-]

idriscollins@reddit

\> I've had to send the same link to multiple people's IT departments showing THEM how to add DKIM to their subdomains Please could you send me the link? Thank you

Reply

[-]

NuAngelDOTnet@reddit (OP)

Well, the one that got me to write this thread was specific to the "[mailgun](https://help.mailgun.com/hc/en-us/articles/360011804533-Why-did-I-receive-the-error-Sender-Verify-Failed-or-some-variation-thereof)" service. But if you need to set up DMARC / DKIM / SPF, I suggest starting with SPF and using this site for all three: [https://easydmarc.com/tools/spf-record-generator](https://easydmarc.com/tools/spf-record-generator)

Reply

[-]

idriscollins@reddit

Please could you send me the link?

Reply

[-]

idriscollins@reddit

\> I've had to send the same link to multiple people's IT departments showing THEM how to add DKIM to their subdomains

Reply

[-]

gregory92024@reddit

I've built up a nice little side hustle setting up DNS records. 😎

Reply

[-]

matthewstinar@reddit

How do you find prospects or how do they find you?

Reply

[-]

gregory92024@reddit

Like all my work, it's word of mouth.

Reply

[-]

BlackSquirrel05@reddit

They don't get how they work... It's like certificates... People just don't get it or how CA's work.

Reply

[-]

somewhatimportantnew@reddit

It's not that difficult to understand though, very easy to look up online and there are free tools like spoof checker and mxtoolbox to use

Reply

[-]

BlackSquirrel05@reddit

After a bit... Some of the concepts are wonky in terms of how they actually function.

Reply

[-]

BioshockEnthusiast@reddit

I'm one of them, anyone have a recommended link that explains certs properly?

Reply

[-]

Reetpeteet@reddit

Here's a training I teach rather regularly at my clients. Used to be on a monthly basis. -> [https://www.youtube.com/watch?v=p1ViwiXA-Kk](https://www.youtube.com/watch?v=p1ViwiXA-Kk) Tells you all you need to know to understand cryptography, certs and PKI... plus then some.

Reply

[-]

pyl_time@reddit

It's extremely silly, but for a basic overview, I really like this blog post: https://datacenteroverlords.com/2011/09/25/ssl-who-do-you-trust/

Reply

[-]

HeKis4@reddit

Like on a practical level or on a fundamental level ? Certificate 101 is basically: - You have a public/private keypair: the public key is a lock, the private key is a key. Anyone can use your lock to send data, but only you can open the lock to read the data. If you and a friend exchange public keys, you have bidirectional secure communication. - The issue is that you still have to exchange keys, and how do you make sure that you're handing the key to your recipient and not to a man in the middle attacker ? You bring a common, trusted friend that tells you "yep, that's him". That friend is the certificate authority (CA). - In practice, the CA doesn't actually oversee the key exchange, but instead, anyone with a public key can ask the CA to certify it. The CA then issues a signed certificate which says "This key is Mr. Recipient's". - When you receive a signed certificate, you then verify that the signature on the note matches the CA's one that you have on file (in your "trusted CA store"). - You can have certificates that aren't directly signed by a CA, but by another certificate which is itself signed by a CA. As long as you can go up the chain until you hit a CA that is in your trusted CA store, you have established a "chain of trust" and everything in that chain is trusted. You can also have certificates that are not signed by a CA but self-signed. This is a "I'm who I pretend to be, trust me bro" certificate : at the top of every chain of trust is one such cert. For public-facing certs it's usually a private company's that OS and browser manufacturers trust like Verysign or Let's Encrypt, in enterprise settings, it's the one Bob the IT manager has issued and has put into everyone's trusted stores using group policy (or hasn't, so you have to click "I understand the risks, proceed" every time). A "certificate" in the colloquial sense is the key + information about the owner + attestation of authenticity from the CA. A term you'll often find is "CSR" or "certificate request", which is just key + owner info that you send to your CA so that it can sign it and give you your certificate. Finally there are certificate revocation lists: they are just lists emitted by the CAs themselves telling the world "yo someone managed to copy my handwriting (aka stole the private keys we used for signatures), do not trust it anymore".

Reply

[-]

RussEfarmer@reddit

Windows Server 2008 PKI Certificate Security is the bible of PKI, especially in a Windows environment. It's pretty dense but covers everything. For more of a general overview, Paul Turner's PKI Bootcamp on youtube explains things well with good visuals.

Reply

[-]

good_bye_for_now@reddit

For me what works best is talking to a LLM I mostly start with the basics and then go down a few rabbit holes. My last rabbit hole I went through was about the process of how and when root CA's renew and where they are stored, was super fascinating stuff. I once did the same with bitcoin and when the magic was gone I realized it's like the most stupid thing we humans ever did. Let's make climate change worse by counting up nonces, like wtf.

Reply

[-]

BlackSquirrel05@reddit

Well the real simple version is: A key to a door. The lock can be viewed by anyone. The key is what allows you into the lock which is public. The key and the lock can also both be used as a type of ID. [https://dev.to/pinwheeler/explain-certificates-like-im-five-1c0e](https://dev.to/pinwheeler/explain-certificates-like-im-five-1c0e)

Reply

[-]

Jaki_Shell@reddit

[www.google.com](http://www.google.com) Kidding Kidding... This blog post does a really good job of explaining all of the fundamentals step by step. It a long read, but by the end you will really understand the whole structure. [https://smallstep.com/blog/everything-pki/](https://smallstep.com/blog/everything-pki/)

Reply

[-]

BioshockEnthusiast@reddit

Thank you a ton, bookmarked to start going through it on my lunch today.

Reply

[-]

NNTPgrip@reddit

After we got tossed to private equity #3, and combined with yet another IT group, I FINALLY met someone else that knows about certs, and I fucking still know more. Goddamnit. Can I just be done with being the fucking SME on this? I am currently trying to draw the line at least at code signing certs, but I am being forced to jump into that since everyone is just *crickets* on the relevant meetings. If I ever finally get the fuck out of here, my next job with never know I ever knew anything about certs.

Reply

[-]

ZPrimed@reddit

Sadly, so is DNS to a large portion of IT

Reply

[-]

HeKis4@reddit

Certs I can *somewhat* understand since it relies on funny math, but I'll never get why people don't understand DNS. It's a distributed key/value dict with a well-known entry point, nothing more.

Reply

[-]

ZPrimed@reddit

i'd love to live in a world where everyone working in IT actually has some fundamental understanding of what the first half of your last sentence actually means. "distributed key/value dict" you've immediately lost like 50% of the audience and I'm not even a programmer (although I did have about a semester of comp. sci courses before changing to a mgmt degree).

Reply

[-]

NNTPgrip@reddit

You got that right. Also, hand in hand with the certs. "Can you issue me a certificate for 10.5.3.45?" ...um we talked about this, remember?

Reply

[-]

Kirides@reddit

We need security right? So... Use a PKI where everyone has access to. Don't use ICAs, especially more than one. Never ever think of providing ACME protocol support for automatic SSL and while we're at it, send the CA bundle to the customer as pfx and let all users manually import that into their trust store. Wait, scratch that, just "ignore TLS certificate errors" in all software with a provided flag.

Reply

[-]

SonyHDSmartTV@reddit

I don't believe anyone actually fully understands certificates. It's a dark art, an ability many would consider to be unnatural.

Reply

[-]

BlackSquirrel05@reddit

There are in fact parts of certificate services and flags on certificates that were built for a "Might be needed one day." scenario in the RFC... Mean while... They're never used... Or only used in a very specific scenario that I don't even recall. Some of it is truly some random wizard on top of the spire from decades past.

Reply

[-]

HoodRattusNorvegicus@reddit

Yeah! Things about to get even worse with various legacy systems that does not support automatic renewal when 1 Year certificates are replaced with 6 months on 5 days.. and then down to 47 days in a few years..

Reply

[-]

Low_Engineering1740@reddit

Second this -- many Sysadmins I've worked with in the past did not understand it. In some sense I don't blame them because it's not SUPER often that you're doing these things, many vendors either do it for you or just walk you through it. +PKI is actually super deep and complex (but also so cool once you start to understand it)

Reply

[-]

jake04-20@reddit

And then go "Certs have always confused me 🤪" and leave it there.

Reply

[-]

_haha_oh_wow_@reddit

I am regularly amazed at how many vendors fight it: "No, you need to whitelist us." "No, it's 2026: We stopped doing that shit years ago. Wtf?"

Reply

[-]

Crispinwhere@reddit

Love when they whip out the "can you just whitelist us?" question. I mean, I could, but you're still going to get blocked when you send to all those gmail, yahoo, and Microsoft mailboxes.

Reply

[-]

_haha_oh_wow_@reddit

You could, but you really shouldn't.

Reply

[-]

HPapi@reddit

...I've heard this so many times. NOPE and NOPE. DKIM, SPF and DMARC... I dont play games.

Reply

[-]

_haha_oh_wow_@reddit

"Waaaaah! I don't want to correctly configure anything! How dare you!?" -Vendors

Reply

[-]

AverageCowboyCentaur@reddit

P=none is the best policy, then just sit back and let Google worry about the rest /s But really it's pretty insane how often this gets missed. Here is an awesome tool I found. It's Dig but tun from a website, I cannot tell you how many times this has saved my butt trying to solve some strange issue with mail/servers/hosting https://toolbox.googleapps.com/apps/dig/

Reply

[-]

SoonerMedic72@reddit

I like [https://mxtoolbox.com/](https://mxtoolbox.com/) for mail issues. It even explains some of the common mistakes.

Reply

[-]

m4tic@reddit

mxtoolbox 100% gives me ammo to say "you're the problem"

Reply

[-]

somewhatimportantnew@reddit

You can use [spoofchecker.com/spoof-checker-tool/](http://spoofchecker.com/spoof-checker-tool/) to easily see if it's configured properly.

Reply

[-]

BWMerlin@reddit

Often other departments are signing up for things and not letting IT know about it until well after the product or service has been implemented, they have run into issues, reached out to the vendor for support and then vendor points out that they have not setup DKIM/DMARC/SPF and that all they need to simply do is "ask your IT department to set this up for you". It is then, and only then that IT becomes aware of this product or service and the shit job other department has done implementing the entire project and now IT is on the hook to support this system they knew nothing about five minutes ago.

Reply

[-]

bk2947@reddit

In my experience companies that don’t setup their email correctly just expect everyone else to put them on the allow list.

Reply

[-]

PlasticJournalist938@reddit

shadow IT. A lot of times departments will go spin these things up without involving IT. Then they are being reactive after the fact. Why it took me over a year to get a large higher ED university to p=reject because they kept popping up.

Reply

[-]

Beginning_Ad1239@reddit

At some point you just have to set it to reject and let the shadow IT junk go to spam. Of course with plenty of warning.

Reply

[-]

ApricotPenguin@reddit

It's not that they're forgetting, I presume that it's more likely that they don't understand what it is

Reply

[-]

NuAngelDOTnet@reddit (OP)

They understood it enough to set it up on their email server, but they're forgetting to set it up on subdomains when they add 3rd party services. That's the thing that blows my mind. lol

Reply

[-]

pinkycatcher@reddit

Because the IT department isn't setting those up, marketing or sales are.

Reply

[-]

NuAngelDOTnet@reddit (OP)

They have access to create a subdomain, though? That's where I get hung up. I get the rogue departments just signing up for stuff, but these are often subdomains that just don't have keys made up for them. I guess other people have a point, that the person who initially set it up may not be there anymore, but it seems like many IT Depts. don't even know what these features are so they don't know they need to set it up when they create that subdomain. Consider this post a PSA!

Reply

[-]

angrydeuce@reddit

n my experience *that* sort of stuff most often comes up when a different team makes the request, but for whatever stupid-assed reason don't give the people they're asking to do the thing the full picture of what the end goal is (job security? super secret squirrel? not knowing what they're even trying to do? I truly do not know) If I had a dollar for everytime I've had to go chase someone down after receiving a cryptic email and try to drag out of them "Dude, *what are you trying to* do *here?* Can you *please* just tell me the end goal??"...I mean shit, I'd damn sure not be dealing with *that* mickey mouse nonsense, believe that lol

Reply

[-]

angrydeuce@reddit

In my experience *that* sort of stuff most often comes up when a different team makes the request, but for whatever stupid-assed reason don't give the people they're asking to do the thing the full picture of what the end goal is (job security? super secret squirrel? not knowing what they're even trying to do? I truly do not know) If I had a dollar for everytime I've had to go chase someone down after receiving a cryptic email and try to drag out of them "Dude, *what are you trying to* do *here?* Can you *please* just tell me the end goal??"...I mean shit, I'd damn sure not be dealing with *that* mickey mouse nonsense, believe that lol

Reply

[-]

simple1689@reddit

In the SMB world, I've YET to see a subdomain be used. Marketing goes out and does this on their own and wants to use the parent domain. They don't understand email security so they don't understand why it would be better to use a subdomain.

Reply

[-]

PaintDrinkingPete@reddit

Even if that’s often the case, most of those services I’ve ever used has, as part of the account setup, DNS record verification step which includes things like MX records, SPF, Dmarc, Dkim, etc…so yeah, I’m kinda at a loss like OP how those things get missed.

Reply

[-]

jailh@reddit

What blows my mind is the number of 3rd party services WHO's JOB IS JUST SENDING MAILS and who don't harass their customer to setup this correctly with them.

Reply

[-]

dts-five@reddit

They don't actually care whether it's used or used properly to its full potential. They just want to make that initial sale.

Reply

[-]

ZPrimed@reddit

It's just greedy sales wankers, all the way down

Reply

[-]

Mindestiny@reddit

That's pretty much the entire MarTech world in a nutshell. For companies that literally do nothing but marketing and social media, it's stunning how clueless they all are about configuring the platforms to actually do what they're promising their clients.

Reply

[-]

bentbrewer@reddit

You know what’s going on… shadow IT (or someone that doesn’t know got told to “set it up”).

Reply

[-]

RangerNS@reddit

All this demonstrates is that one person, once, knew how to set it up. It says nothing about the institutional knowlage, policies or procedures.

Reply

[-]

NuAngelDOTnet@reddit (OP)

I guess that's what I'm asking. Don't we, as IT people, know that this framework exists? If you started working at a new company tomorrow, wouldn't one of your fact-finding things be to figure out how the email server is configured? Maybe not at the top of the list, but something you would familiarize yourself with? Or is it really taken completely for granted by many other people? Maybe I'm just "too close to home" / more aware of it because I still manage my own mail servers and don't use G-Suite or 365. Or maybe more people than I realize haven't ever had to be part of setting it up and genuinely don't know about it, even in IT departments!

Reply

[-]

lccreed@reddit

It might have been a different administrator who set that up. Also most main line email servers (exchange, Google workspaces, others) have automated record creation when you set up the tenant these days.

Reply

[-]

reserved_seating@reddit

Perhaps someone else did it before and they are no longer there or in that position.

Reply

[-]

IDontWantToArgueOK@reddit

I think it’s just a common knowledge\skill gap. Once more providers block sending that will sort itself out

Reply

[-]

CARLEtheCamry@reddit

I have nothing but a vague understanding of the terms, I was never taught it and where I work it's extremely silo'd so I have never had to do anything with email administration. And our email group was just outsourced, so wouldn't be surprised if they F ours up soon.

Reply

[-]

IDontWantToArgueOK@reddit

I’ve set it up for maybe 30 or 40 businesses now and still don’t fully understand it admittedly.

Reply

[-]

zer04ll@reddit

What's crazy is A, how simple it is and B the fact that companies make it seem like it is a crazy thing to manage and then charge monthly for it...

Reply

[-]

Significant_Sky_4443@reddit

I have configured to p=quarantine but now for a few months missed the step to configure p = reject any best practice to check this out before to reject? thank you.

Reply

[-]

NuAngelDOTnet@reddit (OP)

If you need to, you can use a tool like this to make the XML easier to read: [https://www.dmarcgenerator.com/dmarc-analyzer](https://www.dmarcgenerator.com/dmarc-analyzer) (no affiliation, just useful!).

Reply

[-]

DominusDraco@reddit

Have a look at DMARC Report, its basic, but its free and way easier than trying to go through dmarc reports manually. https://www.techsneeze.com/dmarc-report/

Reply

[-]

NuAngelDOTnet@reddit (OP)

Check your DMARC reports. They should tell you how often you're getting quarantined by other peoples' servers. Occasionally you'll see items in the report that say they were quarantined, but when you look at the IP address you'll realize it didn't come from your server and that you're being spoofed! And that's EXACTLY why you set all this up in the first place! If that's all you're seeing, then you're good to switch over to p = reject.

Reply

[-]

BlackV@reddit

Too many other fires and the person responsible for the primary domain might not be aware of the sub domain That stuff only gets worse as the business gets larger

Reply

[-]

1a2b3c4d_1a2b3c4d@reddit

> Is it really that much of an afterthought? When the Marketing Team signs the contract, yes. They expected the bulk emailer to handle everything.

Reply

[-]

koollman@reddit

I do not forget. I learn about third party services being set up when failure happen

Reply

[-]

catwiesel@reddit

most email servers are not set up by sysadmins.

Reply

[-]

Tatermen@reddit

BT (major UK telecoms monopoly) has several outbound servers that are just straight up missing from their SPF records and reverse DNS records. They refuse to fix it and instead blame our "spam filter" for rejecting their emails.

Reply

[-]

NuAngelDOTnet@reddit (OP)

Ugh, this is exactly what drives me nuts. When you really understand DKIM/DMARC/SPF, you just want to scream at them "no, it's NOT my spam filter! My server is respecting the wishes of YOUR server and REJECTING that email!" But they just don't have a clue what you're talking about.

Reply

[-]

matthewstinar@reddit

I've been toying with the idea of creating a 100% jargon-free explanation of DMARC for people who don't want to know, but IT needs them to understand just enough to cooperate.

Reply

[-]

fdeyso@reddit

“Imagine sending email as classic mail: spf is a fancy headed paper, dkim is a holographic signature, dmarc is a policy that says if it’s not a headed paper with our holographic signature it either gets rejected or dropped to junk. “ This seems to have worked.

Reply

[-]

FunkadelicToaster@reddit

It's called Shadow IT and IT was never involved in setting up that third party service in the first place, so whoever set it up thinks they can just add their email to the service to send out emails and be done with it.

Reply

[-]

fdeyso@reddit

OR a lot of time IT doesn’t understand how these work and why they matter. “We receive the emails so it must be ok”, yup your MX record is working congrats.

Reply

[-]

shokzee@reddit

It's usually a visibility problem. The original setup engineer knew what was needed and configured it, but when a new platform gets added later, nobody in the ticketing workflow knows to ask "does this tool send email as our domain?" until something bounces. Third-party tools almost always have their own DKIM/DMARC docs, but finding them requires knowing to look. DMARC aggregate reports solve this retroactively: once you have an rua= address set up, every new sender shows up in the data whether or not anyone remembered to configure it.

Reply

[-]

altodor@reddit

Personally I like the 3rd party services that make you show domain control by setting up your SPF/DMARC with them in it in addition to whatever txt record they start with is.

Reply

[-]

shokzee@reddit

Agreed. We’ve been using Suped for our DMARC/SPF/DKIM enforcement and monitoring and it’s streamlined things so much.

Reply

[-]

Maleficent_Past5729@reddit

Most admins just assume if the main domain works, the subdomains are fine too. I've been using Unspam Email to catch these weird gaps lately, though it's still annoying to have to manually fix every new service marketing signs up for. It really is a mess out there.

Reply

[-]

GuavaOne8646@reddit

Specialized knowledge most people fail to understand plus being a pain in the dick is probably the gist.

Reply

[-]

joeyblahblarck@reddit

I built a DNS scanner if you all are interested. It tells you some simple setup and vulnerabilities that the domain might be missing to improve your DMARC record and email deliverability. https://www.dmarcsecure.com/scanner Try it out, I also have a weekly report email generated for those that don’t want to manually parse XML.

Reply

[-]

NuAngelDOTnet@reddit (OP)

Nifty! However it gave me a failing grade on one of my domains because I used the recommended Fastmail settings: [https://www.fastmail.help/hc/en-us/articles/360058753494-Adding-MX-records-to-GoDaddy#signing](https://www.fastmail.help/hc/en-us/articles/360058753494-Adding-MX-records-to-GoDaddy#signing)

Reply

[-]

joeyblahblarck@reddit

I’m looking for ways to improve the system, mind if I send you a DM to get more information?

Reply

[-]

AvaRobinson506@reddit

Marketing teams spin up tools without looping in IT properly

Reply

[-]

danieIsreddit@reddit

This has always been my experience.

Reply

[-]

commiehedhehog@reddit

I love when their web dev deletes DNS entries because they don't know what they are so they obviously don't matter

Reply

[-]

retiredaccount@reddit

Of course, don’t forget to set up the appropriate reject records for the secondary domains that are not supposed to originate email. Convincing the network team of the need to do that may be even harder than convincing them to do it for the main domain.

Reply

[-]

ryancrazy1@reddit

The amount of customers that didn’t want to pay us to host their emails calling us asking why their emails get rejected… sorry bruh, call your email provider.

Reply

[-]

MrJoeMe@reddit

My opinion is there a lot of companies out there that have a lone ranger IT person that doesn't quite keep up on latest security or technology. Or the company has a shoestring IT budget and it shows. Or the company has so much red tape that nothing gets done. Too many people in IT department and no one wants to put their neck out to make changes.

Reply

[-]

1nspectorMamba@reddit

2nd one here

Reply

[-]

ZPrimed@reddit

1+2 for me, plus a dash of shadow IT. I had to wrest control over DNS from someone else who barely understands it in order to make sure it's setup correctly and protect it from being filled with nonsense.

Reply

[-]

ReptilianLaserbeam@reddit

our company is in constant contact with potential clients, some of which are from the financial sector, banks, mostly. There isn't a week that goes by without someone complaining to US because their clients email got rejected or quarantined due to DKIM/DMARC/SPF... I honestly don't know what people are they hiring, or how they haven't gotten hit if they can't enforce the basics.

Reply

[-]

RagnarStonefist@reddit

Our org was part of a cybersecurity incident last year because we didn't have strong anti-spoofing controls in place. We brought in some consultants who configured our email to block every single email that fails SPF/DKIM and the results have been eyeopening. We get multiple requests a week from employees who 'want their customer whitelisted' because their emails keep getting caught in our spam filter. It's the same story every time - either DMARC or SPF or DKIM failure. My instruction has been to whitelist nothing, so I release it, and the next time they get an email from that customer they ask again. It's a little shocking to me how many companies have misconfigured DNS.

Reply

[-]

ohdannyboy189@reddit

This is why it's important to use a DMARC tool to monitor and manage email success and failures. I use dmarcian for my personal domain so it's simple but highly effective. This is really helpful for larger orgs that need to see what kind of DMARC/DKIM failures are accuring when marketing adds some new random email solution.

Reply

[-]

nycola@reddit

This is currently happening with one of our customers. Sales guy is like "just whitelist the address" "It's already whitelisted, it is their rule that is telling our server to quarantine this message, their IT needs to sort this out. I either need the contact of an IT person there, or you need to forward my previous message to them to send to their IT team. For now, just check your spam filter under "DKIM" and it will show you all of these emails" A week later... "This is becoming an urgent matter, you needs to resolve this immediately"

Reply

[-]

ViolinistBusy9070@reddit

its not about forgetting, its about accountabillity. no defined process for onboarding new tools means, there is always a chance of gap. all of them in the organization must follow the strict policy wheather its is marketing or HR's . that one single rule eliminate 90% of Problem.

Reply

[-]

Pixel91@reddit

I reckon part of it is that, for years, it wasn't really enforced all that much. Nobody cared. So nobody looked into it. And when the first big ones started rejecting poorly configured MXes, the sysadmin-who's-also-the-janitor quickly googled how it works once, sets it and then, as you say, forgets it.

Reply

[-]

jaymef@reddit

In a lot of cases its a set and forget type deal

Reply

[-]

dehaggard@reddit

Mxtoolbox.com.

Reply

[-]

wildfyre010@reddit

Most people - sysadmins included - don't understand DKIM and DMARC.

Reply

[-]

Rocklobster92@reddit

For me personally, I've always worked at places where someone else handled that setup, or at the very least someone set it up long before I started and I haven't had to make any changes. I have a hard time understanding something I've never had to deal with before, even if I've read about it or know the concept.

Reply

[-]

traydee09@reddit

Many "sysadmins" are not qualified for the jobs they do. that, and to be fair, its not like its something you deal with every day. its easy to forget things, that arent directly in front of you.

Reply

[-]

boli99@reddit

1. explain the situation and whats needed from their side 2. see eyes glaze over 3. try to explain better 4. receive complaint that 'you always make things more difficult than they need to be. cant you just do what our guy wants' 5. get directed to 'just do it' by management 6. just do what their guy wants 7. see them claim that it was that easy after all. 8. wait 9. wait 10. delivery failure report 10. delivery failure report 10. delivery failure report 10. delivery failure report 10. delivery failure report 10. delivery failure report 10. delivery failure report 10. delivery failure report 10. delivery failure report

Reply

[-]

NuAngelDOTnet@reddit (OP)

Are you me?

Reply

[-]

Rocklobster92@reddit

I'll be honest, I work for a smaller company. If I need to work on setting up a third party service, it's either never been done before, or something we do so rarely that we defer to the third party to tell us what they need. I'd rather ask you what specifically you need from us, rather than guess what you want and ask if it looks good. It also takes the responsibility off of us. If you specifically state what keys to add to our environment, and we add specifically those keys, if something breaks we can point back to doing as instructed. If we do it ourselves and something breaks, both you and I now don't know what's going on.

Reply

[-]

xUltimaPoohx@reddit

Is one of the 3rd parties Netsuite/Oracle? Currently dealing with their email spoofing bs.

Reply

[-]

NuAngelDOTnet@reddit (OP)

I get a lot of "netsuite." The one I've had the MOST problems with other people not understanding is something called "Mailgun." But I don't know much about it... other than the link to how to fix the "Sender Verify Failed" errors that I send to other IT departments!

Reply

[-]

ivanhoek@reddit

It’s because so many of them use gmail or similar and this is automatically taken care of

Reply

[-]

Daneyn@reddit

It's probably Not the sysadmins forgetting about it - it's the other departments that sign up for external services without talking to the sysadmins about SPF/DKIM/DMARC compliance rules and why it's important and they are completely oblivious to it.

Reply

[-]

Hale-at-Sea@reddit

Well you see, Dan in marketing got approved for a Really Expensive cloud tool that sends emails for him. Dan is very important though, far too busy to read setup instructions for obscure things like "DKIM". Good thing it's Cloud too, otherwise Dan might have had to notify IT about the new tools (Dan hates talking to IT, they ask too many questions). And IT will stay in the dark unless they set up some dmarc reporting, *and have someone checking it who can tell Dan what to do

Reply

[-]

xaeriee@reddit

Sounds like our community lacks some good mentors or guidance in this realm. If the mutual consensus is certificates and DKIM is rough I mean

Reply

[-]

Jaki_Shell@reddit

Is it really rough though? I find navigating the Microsoft portals way harder than anything DKIM or Certificate related personally.

Reply

[-]

xaeriee@reddit

To my point exactly, we aren’t born knowing this stuff, and Microsoft makes it tormenting to read through their docs sometimes.

Reply

[-]

Born_Difficulty8309@reddit

biggest offenders in my experience are marketing teams that sign up for some new email blast service and never tell IT. then three weeks later they come to us asking why their campaigns are bouncing. like yeah because you didnt add the SPF include or the DKIM key for that subdomain. we ended up making a policy where any new third party service that sends email has to go through a ticket first so we can add the records before they start sending. cut down on the fire drills a lot

Reply

[-]

MalletNGrease@reddit

Including IT was the afterthought.

Reply

[-]

YSFKJDGS@reddit

It's not an afterthought, most simply do not support it.

Reply

[-]

ChromeShavings@reddit

I know! My org deals with this constantly. I can only break it down to one word - education. And with that - fear of breaking a crucial communication stream. The SysAdmin field is constantly adding more and more responsibilities, and a specialist in email setup/security best practices is not really looked at. Or if it is, it’s really far down on the priority list.

Reply

[-]

ChecksOutIndeed@reddit

I pesonally think that they are not up to date with google's latest shit and just don;t wanna improve something that has worked for years

Reply

[-]

UrAntiChrist@reddit

IME, website devs hold that shit hostage lol

Reply

[-]

PhantomNomad@reddit

The company that does our accounting system uses a third party to send emailed reports. Our server was rejecting them because they where trying to send as us which of course they where not authorized to do in my DNS setup. Took forever for them to tell me what I needed to add to my server to let them through. I could have figured it out but I wanted them to so they would tell others that use their service. It's not hard, just need to remember to do it.

Reply

[-]

clickx3@reddit

I had the white house call me one time because we were rejecting their emails. They yelled at me until I explained Dkim to them.

Reply

[-]

NuAngelDOTnet@reddit (OP)

I legitimately believe this. It's such an overlooked thing!

Reply

[-]

ProfessionalEven296@reddit

In the past I worked with several large companies - We send them emails of what to do with DKIM for their subdomains we were sending emails on behlalf of, and they'd frequently come back with "Who are you? What do you want? No, we're not going to do that". Happened far too often; even ended up having it written into the contracts that their IT people would work with us, but we still saw pushback.

Reply

Reply to Post

183 Comments