Important Changes Required for Email Deliverability

chadkafka
Rookie


A comment from KB article: Important Changes Required for Email Deliverability

 

Is this something that ALL users of School Messenger have to follow or is this only if we received this message directly from PowerSchool/School Msgr?  I did not receive this as the admin of our School Messenger.

Franklin Public Schools
District Communications Specialist
72 Replies
dajones70
Hobbyist

I run a large email filtering and relaying platform for our K12 customers.  I have helped many of our customers set up SPF, DKIM, and DMARC correctly as it's a very complicated issue.  When reviewing DMARC feedback reports of customers that utilize SchoolMessenger, I have noticed that the envelope-from domain used by SPF and the From: header used by DKIM are spe.schoolmessenger.com.  The DMARC standard states that for DMARC to pass either the envelope-from domain has to pass SPF and align with the customer's (school district) domain or DKIM has to pass and align with the customer's (school district) domain.

Are there plans for SchoolMessenger to start DKIM signing as the customer's domain and not spe.schoolmessenger.com?  Because if the DKIM signing is still going to be spe.schoolmessenger.com, then this will not result in a DMARC pass status.

dajones70
Hobbyist

If the envelope-from is spe.schoolmessenger.com and the From: header that recipients see in their mail client, then technically there is nothing that customers/school districts have to do and the responsibility lies in SchoolMessenger.

 

However if the From: address visible in the recipient's mail client is the customer/school district's domain, then the DKIM CNAME record needs to be set up per the email notification AND SchoolMessenger must start DKIM signing as the customer/school district domain so it will align per the DMARC standard.  The Google links in the SchoolMessenger email notification confirm this.

 

DMARC reporting is really the only way to know for sure and get proper feedback of all of your district email.  It's not simple so you have to use a service that will process the DMARC reports and put them into a format that shows the PASS and FAILS with the DKIM signing domain and the SPF envelope-from domain.  If the DKIM signing domain or the SPF envelope domain are not yours, then it's out of your control.  Those emails will look like spoofing and should get blocked by Google and others starting on Feb 1st if you have a DMARC record of "p=reject".

v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@ena.net;

This is the desired DMARC record for maximum spoofing protection and maximum trust but it's not easy to get to this.  It normally takes 6 to 12 months of analyzing DMARC feedback reports and getting your SPF and DKIM perfect.
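The PASS/FAIL view of a DMARC aggregate report described in the reply above, as an added example that is not part of the original thread. It assumes the RFC 7489 aggregate-report XML layout, uses a constructed two-record sample, and approximates the organizational domain with the last two labels (real tools use the Public Suffix List).

```python
import xml.etree.ElementTree as ET
# Constructed sample in the RFC 7489 aggregate-report layout (not real data).
SAMPLE_REPORT = """<feedback>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>120</count></row>
  <identifiers><header_from>exampleschool.org</header_from></identifiers>
  <auth_results>
   <dkim><domain>spe.schoolmessenger.com</domain><result>pass</result></dkim>
   <spf><domain>spe.schoolmessenger.com</domain><result>pass</result></spf>
  </auth_results>
 </record>
 <record>
  <row><source_ip>192.0.2.11</source_ip><count>35</count></row>
  <identifiers><header_from>exampleschool.org</header_from></identifiers>
  <auth_results>
   <dkim><domain>exampleschool.org</domain><result>pass</result></dkim>
   <spf><domain>spe.schoolmessenger.com</domain><result>pass</result></spf>
  </auth_results>
 </record>
</feedback>"""

def org_domain(name):
    # Simplification: last two labels. Real tools use the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned_pass(rec, kind, header_from):
    """True if any `kind` (dkim/spf) result passed with a domain aligned to From:."""
    return any(e.findtext("result") == "pass"
               and org_domain(e.findtext("domain", "")) == org_domain(header_from)
               for e in rec.iterfind(f"auth_results/{kind}"))

def summarize(report_xml):
    rows = []
    for rec in ET.fromstring(report_xml).iter("record"):
        header_from = rec.findtext("identifiers/header_from")
        # DMARC passes when either mechanism passes with an aligned domain.
        ok = aligned_pass(rec, "dkim", header_from) or aligned_pass(rec, "spf", header_from)
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": header_from,
            "dkim_domains": [e.findtext("domain") for e in rec.iterfind("auth_results/dkim")],
            "spf_domains": [e.findtext("domain") for e in rec.iterfind("auth_results/spf")],
            "dmarc": "pass" if ok else "fail",
        })
    return rows

if __name__ == "__main__":
    print(*summarize(SAMPLE_REPORT), sep="\n")
```

In the sample, the first record passes both SPF and DKIM yet fails DMARC because neither domain aligns with the From: domain. Aggregate reports arrive from third parties, so parse real ones with a hardened XML parser such as defusedxml.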

jlaux
Hobbyist

When I look at our School Messenger Communicate, logon as one of my "Attendance User Accounts", then go to Broadcasts, Messages, Daily Absence Message, Email - it lists our "FROM EMAIL=broadcasts@schoolmessengermail.com".  So do I ever need to do anything with this "Important Changes Required for Email Deliverability"???

 

Can someone please let me know on this? I'm sure there are many other "School Messenger Communicate" customers who are wondering this as well, since our system was set up this way for all my schools. 

 

I received an email directly from PowerSchool (School Messenger) concerning this (Subject of Email = "Important Changes Required for Email Deliverability").

JoeG2
Journeyman

These changes do not need to be made if the school only uses the SchoolMessenger email domain when sending emails to parents, correct?

dajones70
Hobbyist

Quoting from above:

 

Should you not make these changes your account will be updated to send email from schoolmessengermail.com on February 1, 2024.

It appears that if you do not make the necessary DNS changes for DKIM and SPF, then SchoolMessenger will change the sending address to use spe.schoolmessenger.com if necessary.  I still see a lot of SchoolMessenger customers sending as spe.schoolmessenger.com so they basically don't have to do anything and will be exactly the same on Feb 1st.

warren83
Rookie

We made the setting changes here and contacted support as stated in the email and I am not getting any communication back from them.

 

JoeG2
Journeyman

I opened a case with support and it was promptly closed with no answer given.

ErinR
PowerSchool Mentor

We opened a case on Monday as well, and no response as of yet.  I updated the ticket today asking for a response as the Feb 1 deadline is approaching and we want to make sure we have a smooth transition.

Erin Rowsell
TLDSB

Please remember to give Kudos and/or select Accept As Solution on the helpful posts to thank the author and to help others find the solution. Thanks!

spsjs
Journeyman

In theory we had the proper cname records for dkim signing for SM set up late last summer, but as of December it still wasn't working, which support blamed on my (admittedly incorrect) SPF record. I fixed the SPF record, but DKIM alignment still isn't happening. Opened another support case....

jenmac
Journeyman

We had the same thing.  Setup records last April.  The records as of February 1st were then working, allowing our emails to be signed "from our domain".  But then SM seemed to change our account anyhow to send from schoolmessengermail which we did not have records setup for.  Then that broke emails coming into our org. 

 

It is now also fixed but I am having a heck of a time getting an answer as to what happened and how it was fixed, so I am wholly speculating rn.

dajones70
Hobbyist

Hopefully the email admins at SchoolMessenger know the difference between DKIM and SPF and what parts of the email they are related to.  The SPF is the envelope-from where bounces go back to.  DKIM should be aligned with the From: header that is visible in the mail client.  Out of more than two dozen DMARC reports I have access to, only one has SPF/envelope-from as their own domain for emails coming from SchoolMessenger.  That school district must have wanted the bounce messages to go back to a mailbox that they monitor.  Most do not have envelope-from alignment and are using spe.schoolmessenger.com (not the school district's domain), so technically the SPF record does not need to have "include:customerspf.schoolmessenger.com".

 

Also, it would be very easy to have a nightly script check their customer domains for the presence of the DKIM CNAME record and automatically "flip the switch" to start DKIM signing as the customer domain and keep the From: header as the customer domain.  There really is no need to have to request the customer open a ticket for this to know when the DKIM record is in place.  This is public DNS so anyone can query it. 

LynnLovettBarr
Hobbyist

@dajones70 Thank you for your comments; they're helpful. I am not an IT person and am having trouble understanding. So currently, when my school sends an email, it essentially reads as

 

From: Lynn Lovett <llovett@exampleschool.org> via spe.schoolmessenger.com

 

In your opinion, does that mean I don't need to do anything? I'm wondering whether we're clear due to the "via spe.schoolmessenger.com" or if the problem is the email coming from "@exampleschool.org".

 

Thank you again! This ask from SchoolMessenger has been above the pay grade of everyone at my school so far.

dajones70
Hobbyist

Correct.  The "via spe.schoolmessenger.com" means they are DKIM signing as spe.schoolmessenger.com so nothing needs to change.  I think SM should change the from to be "From: noreply@spe.schoolmessenger.com" today to make the DKIM signing align with the From: domain but who knows what they are actually going to do.  Should be interesting tomorrow and the next few days.

LynnLovettBarr
Hobbyist

@dajones70  Thank you so much! I appreciate you taking the time to explain it in simpler terms. Yes, we'll see what happens-- should be interesting. I hope you have a great week.

CoryH
Journeyman

Can someone pretend like I'm an idiot and help me out with this?  I always struggle with SM support.  

 

It looks like I need to make an SPF record AND a CNAME record...but according to this KB article, it's unclear what I'm supposed to put in 'Name' or 'Value' field.  I guess the SPF record makes sense...

 

Type='TXT' Name='@' Value='customerspf.schoolmessenger.com' TTL='1 hour'

 

But CNAME, not so much.  Imagine my domain is example.com please?  Thanks.  

dajones70
Hobbyist

The DNS name of '@' can be just a blank value in some DNS servers.  You didn't mention what DNS server or hosting provider you are using for your public DNS.  If I knew the actual domain name, I could help with exact details on that question.

 

The SPF record is a _single_ TXT record that starts with "v=spf1".  You must only have one record at the top level of your DNS zone matching the email address domain.  SM is recommending you add "include:customerspf.schoolmessenger.com" to your SPF record.  If you are going to add it, I recommend adding it toward the end of your SPF record before the "~all" or "-all" which must be at the end per the SPF standard.

 

If I knew your domain, I could provide the exact SPF record value that needs to be in the public DNS hosting.

 

The DKIM record is a CNAME (aka alias) record with the name of "spe1.domainkey" meaning SM is using a DKIM selector of "spe1".  You can have many selectors for different sources of email sending on behalf of your domain.  The value is exactly what they have above in the original notification.

 

To repeat, I have seen very few of our customers that use SM actually send as their own domain in the From: header (visible in the mail client) or the envelope-from (where bounces go back to) so this notification is really causing a lot of fuss for nothing.  According to about two dozen of our customers that use SM they are DKIM signing as spe.schoolmessenger.com and sending with an envelope-from domain of spe.schoolmessenger.com so this will continue to work fine without anyone making any changes.

 

If you can set up a test contact to a gmail.com address and send yourself a test email, open the email and go to the "More" option (the vertical three dots) in the far right beside the email date and select "Show Original."  You will see the SPF and DKIM information in the top section.  If it's sending and signing as spe.schoolmessenger.com, then you have nothing to worry about.

 

So far, we have heard a number of people say that SM is not taking any action when they open up the support ticket per the original notification to let SM know that the DNS records have been added.  SM could easily run a script to query DNS for their customers and find out for themselves if the DNS records have been set up correctly and automatically enable sending and signing as the customer's domain.

 

Hope this helped,

Dave

CoryH
Journeyman

Hey Dave

 

Thanks for this...since I'm rarely in there, and you offered, I use GoDaddy and my domain: ecsdcards.com

 

Any additional help on the CNAME and SPF is greatly appreciated!  Thanks.

 

Cory

dajones70
Hobbyist

A quick Google search shows that GoDaddy's DNS uses the "@" sign in the host field to mean the top level of the domain.

 

The SPF record for ecsdcards.com is currently:

 

v=spf1 include:_spf.google.com ~all

 

so the new SM addition (that you probably don't really need) would make it:

 

v=spf1 include:_spf.google.com include:customerspf.schoolmessenger.com ~all

 

The DKIM CNAME record is pretty straightforward and is the same for every SM customer:

 

Host = spe1.domainkey
Value = spe1._domainkey.spe.schoolmessenger.com

 

Make sure you do not have a trailing period at the end of the host above because that would make it mean something completely different.

 

Once you have updated your SPF record, give it a few minutes to update out on the Internet and use https://dmarcian.com/spf-survey/ to check your SPF record for proper formatting and syntax.
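The SPF edit walked through in the replies above, as an added example that is not part of the original thread: it enforces the single "v=spf1" record rule, inserts the include ahead of the terminal "all", and counts DNS-lookup terms. The function names are made up for this example and the TXT values are constructed from the records quoted in the thread.

```python
def find_spf(txt_records):
    """Return the one SPF record among a name's TXT values, or raise."""
    # A TXT value that does not start with "v=spf1" is not an SPF record.
    spf = [r.strip() for r in txt_records
           if r.strip().lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        raise ValueError(f"expected exactly one v=spf1 record, found {len(spf)}")
    return spf[0]

def add_include(spf_record, include_domain):
    """Insert include:<domain> before the terminal 'all' mechanism."""
    terms = spf_record.split()
    new_term = f"include:{include_domain}"
    if new_term.lower() in (t.lower() for t in terms):
        return spf_record  # already present, leave untouched
    for i, term in enumerate(terms):
        if term.lower().lstrip("+-~?") == "all":
            terms.insert(i, new_term)
            break
    else:
        terms.append(new_term)  # no 'all' mechanism in the record
    return " ".join(terms)

def top_level_lookups(spf_record):
    """Count top-level terms that cost a DNS lookup.

    RFC 7208 caps the total at 10, nested includes counted too; this
    only counts the terms visible in the record itself.
    """
    count = 0
    for term in spf_record.split()[1:]:
        mech = term.lower().lstrip("+-~?")
        name = mech.split(":")[0].split("/")[0]
        if mech.startswith(("include:", "exists:", "redirect=")) or name in ("a", "mx", "ptr"):
            count += 1
    return count

if __name__ == "__main__":
    # Constructed TXT set: one unrelated value plus the SPF record from the thread.
    txt = ["some-verification=constructed", "v=spf1 include:_spf.google.com ~all"]
    updated = add_include(find_spf(txt), "customerspf.schoolmessenger.com")
    print(updated, top_level_lookups(updated))
```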

jenmac
Journeyman

@chadkafka Some changes are dependent upon whether or not you are a hosted customer. 

 

If you didn't receive an email you may want to ask your Power School specialist or IT department if they did (if that's not you).

 

Otherwise if you are concerned you could reach out to powerschool too.  I would suggest the online portal for the most timely response. 

CoryH
Journeyman

Awesome...thanks @dajones70 Super appreciate it.