The Configuration Page has been redesigned to increase ease of use and efficiency for users, while also providing improved functionality. These enhancements have been made in response to feedback from users. As always, we welcome your feedback as we continue to improve Enforce. Please leave your feedback in the suggestion box at the bottom of the account overview page.
TABLE OF CONTENTS
- How to access the new Configuration page
- Contents of the new Configuration page
- Domain Status in the new Configuration page
- How to change the Sending Status in the new Configuration page
- How to change the DMARC Policy in the new Configuration page
- How to add a new service on your Enabled Senders list in the new Configuration page
- How to add a Netblock/IP in the new Configuration page
- How to add a DKIM key in the new Configuration page
- How to add a subdomain in the new Configuration page
How to access the new Configuration page
There are 2 simple ways that you can use to access the new Configuration page.
Method 1:
1. Once you are logged into your Valimail account, on the left menu panel, click on Domains.
2. On the domain page, click on the domain name (in this example, we will click on example.net) and that will get you directly to the new Configuration page.
Method 2:
If you want to view the Authentication Report window before you go to the new Configuration page, you will want to use this method.
1. Repeat step no. 1 from Method 1
2. Using this method, instead of clicking on your domain name, navigate over to the far right and click on View.
This action will open up the Authentication Report tab where you can take a look at the email activity of your domain.
3. In order to get to the new Configuration page from here, all you have to do is click on the Configuration tab, next to the Authentication Report.
For easy toggling between the two pages and the best possible experience between analyzing email data and configuration of services/IPs for your domain, the Configuration page and Authentication Report page are practically two tabs of the same window within the Enforce platform.
Contents of the new Configuration page
The new Configuration page aims to improve the level of functionality of the current layout, while also presenting the information in a more scalable way and increasing the ease of use.
Below we list all the contents of the Configuration page and in the following chapters, we take a look at the functionality of each of them.
The new Configuration page can be split into 5 main sections as follows:
Section 1
- The Domain Configuration - This status tells you if you are successfully pointing DMARC to Valimail
- The DMARC Policy - Tells you which policy is currently set for your domain.
- The Sending Status - This tells you what is the sending status of your domain, if it's an Active domain, a Blocked one, or used for Reporting Only.
Section 2
- The DNS Configuration - You will see here if you are pointing DMARC, SPF, and DKIM to Valimail for your domain.
We recommend that you point DMARC, SPF, and DKIM to Valimail for any domain you wish to manage in the Valimail platform so that we can make sure it is protected at all times.
Each of these 3 items provides instructions on how to point those records to Valimail.
Once you point all 3 records to Valimail, they will show like this:
Section 3
- The Enabled Sender module, the Netblock module, and the DKIM key module.
Section 4
- The Add External Reporting Domain area - It is possible to send your DMARC reports to an email address that does not fall within the scope of your own domain through DMARC External Destination Verification. If you own the domain company.com, you can send your reports to an address (example) rua@mailreports.net, where company.com has no authority over mailreports.net and they are two completely separate domains.
However, in order to achieve this, the report receiving domain (mailreports.net) needs to provide approval that it is agreeing to receive reports containing the DMARC data of your domain (company.com).
You can find more info on this topic here: https://support.valimail.com/support/solutions/articles/48001225072-external-domain-verification
Section 5
- The Email Subdomains module - Here, you can add any sending subdomains that need to be classified and configured.
Domain Status in the new Configuration page
The definition of the Domain Status on the Configuration page refers to the DMARC configuration status of the domain (whether you've pointed the domain's DMARC record to Valimail or not).
If you are pointing DMARC successfully to Valimail, the Domain Status will always show Configured.
If you are not currently pointing DMARC to Valimail for that domain, the Domain Status will always show Not Configured.
When you point DMARC to Valimail, sometimes the changes you make in the DNS will take a bit longer to finish propagating through the internet. That is one of the reasons why we encourage a TTL of 300 seconds when pointing DMARC, SPF, and DKIM to Valimail, just so that the changes will take effect as soon as possible. Just remember that if you do not see the Domain Status as Configured in Enforce immediately after you pointed DMARC to Valimail, you should wait for a few minutes.
How to change the Sending Status in the new Configuration page
The Sending Status of a domain can be set to Active, Blocked, or Reporting Only.
This topic is explored in greater detail in the following article: https://support.valimail.com/support/solutions/articles/48001213597-what-are-the-differences-in-domain-sending-status-in-enforce-active-reporting-only-and-blocked
Caution: Changing the domain status is a very serious and impactful move and it can cause big disruptions in email traffic if an Active domain is set to Blocked for example. Therefore, please refrain from taking that action if you are not sure about it. Before considering making this action on any domain, please make sure you consult the article above.
How to change the DMARC Policy in the new Configuration page
When you are finished configuring all the sending services and/or IPs that are authorized to send emails on behalf of your domain, you are ready to take your domain to the next and final step: DMARC Enforcement.
When that step is reached and you decide to switch your domain to DMARC Enforcement, you will need to go to the Configuration page to change the DMARC Policy from None to Quarantine/Reject.
Here are the steps which allow you to accomplish this:
1. Log into your Valimail account.
2. Click on DOMAINS.
3. Click on the domain that you wish to make this change for.
4. Click on the current DMARC Policy status.
5. A pop-up will appear, giving you the 3 options for the DMARC Policy: None, Quarantine and Reject. The one marked in blue is the current status of your DMARC Policy. Each of the 3 DMARC Policy statuses has a short definition, explaining what that specific policy means.
Click on your new desired DMARC Policy
6. Click on CHANGE POLICY.
Quarantine and Reject are both considered DMARC Enforcement.
7. There is also an Advanced Options link on that pop-up and clicking on that will show you additional configuration options for your DMARC policy:
Our recommendation is that you do not change anything on this Advanced Options page unless you have a specific use case for these options. It is recommended that you verify any changes on the Advanced Options page with a member of the Valimail Support team.
Here are some important aspects of this window:
1. Enforcement should always be 100%, anything lower than that is not considered Enforcement.
2. The subdomain policy should always use/follow the top-level domain policy, just like in the screenshot above. Having the top-level domain at DMARC Enforcement but a subdomain at None does not put your entire domain at DMARC enforcement.
3. Strict Alignment should not be checked for SPF or DKIM unless you are absolutely sure you have a legitimate business reason to do so. Checking Strict SPF or DKIM alignment can seriously affect your email deliverability.
How to add a new service on your Enabled Senders list in the new Configuration page
Whenever you get to the conclusion that a certain sending service that currently sends emails on behalf of your domain is an authorized sender, you will then need to configure that sender to send properly DMARC-authenticated emails on behalf of your domain.
Steps:
1. Log into your Valimail account.
2. Click on DOMAINS.
3. Click on your domain.
4. Click on Enabled Sender or Netblock.
5. Pick the sending service you want to authorize from the drop-down. You can also start typing the name of that service to find it faster.
6. Select the sending service.
7. Enter a comment if needed and then click on ADD. (You can say as a comment, who is using that service from your organization. This will greatly help you track down that service owner in the future, should you need to).
Note: Adding a sending service to your Enabled Sender list does not necessarily mean that from that moment on, the emails sent by that service on behalf of your domain will also pass DMARC. In order for that to happen, you must make sure that the emails that the service is sending are SPF aligned for your domain. If they are already being sent with SPF alignment, there is no other action you need to do. If they are not sent in SPF alignment for your domain, you will need to contact the service owner (person/team who is using that service) and ask them to turn on SPF alignment for your domain from their admin console. Adding a service in your SPF record (Enabled Senders), is only the first half of the configuration process, and it means you are basically authorizing/whitelisting that service.
How to add a Netblock/IP in the new Configuration page
When you identify an internal IP that does not necessarily belong to a service that is sending emails on behalf of your domain, or someone in your organization is using just 1 or 2 IPs from a certain sending service, that means those IPs are authorized and they should be configured to send DMARC authenticated emails on behalf of your domain moving forward.
Steps:
1. Log into your Valimail account.
2. Click on DOMAINS.
3. Click on your domain.
4. Click on Enabled Sender or Netblock.
5. Once the pop-up window opens up, first make sure the tab called Internal Sender is selected:
6. Make sure you add the IP or IP class in the Netblock IP Address Range. If that IP belongs to a known sender, you can select that sender from the Associated Sender box. This is important for the classification of email traffic purposes.
If the Netblock is just an internal IP, there is no need to associate it with any sender.
You can also add some notes (just like you can do when you add a sending service) in the Name (Optional) field but as the field says, that is just optional. Any note added in there will be just so that you know who exactly in your organization is using that IP.
Note: Adding an IP in your Netblocks does not necessarily mean that from that moment on the emails sent by that IP on behalf of your domain will also pass DMARC. For that to happen, you must make sure that the emails that IP is sending are SPF aligned for your domain. If they are already being sent with SPF alignment, there is no other action you need to do. If they are not sent in SPF alignment for your domain, you will need to contact the service owner (person/team which is using that IP) and ask them to turn on SPF alignment for your domain, from their admin console. Adding an IP in your SPF record (Netblocks), is only the first half of the configuration process, and it just means you are authorizing/whitelisting that IP.
How to add a DKIM key in the new Configuration page
Configuring DKIM on any service/IP that can support it is the best way to authenticate that service as DKIM signing can greatly increase your deliverability rate in general for that service/IP.
We, therefore, encourage you to configure any service/IP via DKIM wherever possible. Some services might not support SPF alignment and instead require DKIM signing.
DKIM keys are always of 2 types, TXT or CNAME, depending on what the service that issues that key supports.
How to add a DKIM Key in the new Configuration page
1. Log into your Valimail account.
2. Click on DOMAINS.
3. Click on your domain.
4. Click on DKIM Key.
5. On the window that opens up, make sure you fill in all the correct items pertaining to that key:
a. Add the Selector of that DKIM Key.
b. Select the proper service to associate that key with it.
c. Make sure you choose the proper record type for that key (CNAME key or TXT if it's a TXT key).
d. Make sure you add the CNAME target of that specific key in the CNAME field if it's a CNAME key or add the TXT value of the key in the TXT field if the key is a TXT one. (Below are 2 screenshots of how a CNAME and a TXT key should look like when added).
e. Optionally, you can leave a comment that represents who gave that key to you, just so you can later track down the owner/admin of that key.
CNAME DKIM KEY:
TXT DKIM Key:
6. You might also notice an option called Advanced Options right above the Comments field. If you click on the dropdown arrow next to that you will see the following options:
IMPORTANT!
a. This is a newly created DKIM key - You can only check this option if the key you are adding is a newly issued one. Valimail will track the key age in case you want to rotate the keys manually.
b. Only allow exact domain signing - You can only check this option if the key you are adding has the t=s tag.
7. After you completed all the necessary fields with the proper DKIM key info, click on Add.
Note: After the DKIM key is added in Valimail Enforce, you need to reach out back to the person/team that gave you that key and make sure they enabled/verify the key in their admin console. This is very important because if that key is not enabled on the service owner's end, it will not sign any email sent with that service on behalf of your domain.
How to add a subdomain in the new Configuration page
When you have one or more subdomains that are active and are being used to send emails on their behalf you will need to make sure they are added and properly classified on the Configuration page.
There are 2 types of active sending subdomains: a multiple sender subdomain or a single sender subdomain. They are classified as such, judging by the sending services that are using those subdomains
a. multiple sender subdomain - if there is more than one sending service and/or IP that is sending emails on behalf of it.
b. single sender subdomain - if there is just 1 sending service or 1 IP which is sending emails on behalf of that subdomain.
This is an important difference that you will need to consider when adding your respective subdomain, both for configuration and classification purposes.
To read more about subdomains, please check out this article.
Steps to add a multiple sender subdomain:
1. On the Configuration page, please navigate to the Email Subdomains area, by scrolling toward to bottom of the page.
Once there, click on Add Email Subdomain.
2. Add the subdomain in the Name field and then click on Add Email Subdomain.
3. Once added, the subdomain will look like this:
This and any other multiple sender subdomains that you add will have their respective Enabled Senders, Netblocks, and DKIM areas in the platform, just like you have on the top-level domain.
Since this is a multiple-sender subdomain, you will need to point SPF to Valimail for it. In addition, if you want to manage the DKIM keys in Valimail Enforce for this subdomain as well, you will need to point DKIM to Valimail for this subdomain before that.
Once you point SPF to Valimail for this subdomain, you can add any services and/or IPs that need to be authorized as sending on behalf of it, in the Configuration page.
Steps to add a multiple sender subdomain:
IMPORTANT!
Single sender subdomains are not managed for SPF from the Valimail platform. They will continue to be managed for SPF from your DNS. DKIM keys associated with a vendor that uses a dedicated subdomain may need to be published on the organizational domain in Valimail Enforce. There are multiple reasons why single sender subdomains are not managed from the Valimail platform, but the most important one is that they require the SPF and MX records to be pointed to their DNS.
1. On the Configuration page, please navigate to the Email Subdomains area, by scrolling toward to bottom of the page.
Once there, click on Add Email Subdomain.
2. Add the subdomain in the Name field and then click on Add Email Subdomain.
3. Once added, the subdomain will look like this:
Since this is a single sender subdomain, you will not be pointing SPF to Valimail for it. Such subdomains are not required to be present in the Enforce platform, but it's better to have them added, just for classification purposes.
If you will add a single sender subdomain, you will just need to make sure that the Single Sender toggle option is enabled for this subdomain:
We hope that you will find all the info above very helpful in better managing your domains within the Valimail Enforce platform.
As always, if you have any questions, please don't hesitate to submit a ticket