Important Changes Required for Email Deliverability

chadkafka
Rookie


A comment from KB article: Important Changes Required for Email Deliverability

 

Is this something that ALL users of School Messenger have to follow or is this only if we received this message directly from PowerSchool/School Msgr?  I did not receive this as the admin of our School Messenger.

Franklin Public Schools
District Communications Specialist
72 Replies
LynnLovettBarr
Hobbyist

Updating on our situation in case anyone else is reading this thread trying to figure all this out:

 

We did see a change in our communications yesterday. We can no longer send emails with our school's domain as the '@'. That is, our messages used to go out as "myname@myexampleschool.org" and now must be sent from "broadcasts@schoolmessengermail.com" or "myname@schoolmessengermail.com". Not a huge deal in and of itself, but I am having to take steps to make sure parents know these emails aren't spoofed and to make sure staff know to put their "reply to" email (which we didn't have to do before).

 

@dajones70 Thank you again for all your help on this thread. I do think I'll be trying to follow your instructions at some point... I think my school would definitely prefer to be able to use our own domain. I really appreciate your examples.

dajones70
Hobbyist

That is very interesting.  Now that I know they are sending as schoolmessengermail.com, I can dig into this saga deeper.  The SPF record for schoolmessengermail.com is basically the same result as the original notification to add the "include:customerspf.schoolmessenger.com" so that matches up properly:

 

"v=spf1 exists:%{i}._spf.sparkpostmail.com ~all"

 

SM uses the sparkpostmail.com platform to send most of their email.

 

I really would like to see the email headers from an original email sent by SM recently as schoolmessengermail.com to see the DKIM signature.  The reason being that I do not see the DKIM DNS record that they requested the customers add for the "spe1" selector in the schoolmessengermail.com. They could have set up/used a different selector but I would need to see the original email headers to know that.

 

@LynnLovettBarr If you could start a new email, attach the original schoolmessengermail.com email to it, and send it to djones (a) ena.com, that would be much appreciated.  I am sure I will get a number of questions/tickets from our own customers on this so I would like to get out in front of it as much as possible.

 

Thanks,

Dave

LynnLovettBarr
Hobbyist

@dajones70 I'd be happy to do that; I'll email you shortly. If you could provide any more explain-like-I'm-5 insight on how to fix it, I would greatly appreciate it as well.

dajones70
Hobbyist

SM is going to have to "flip a switch" on their side to start sending as your domain again and DKIM signing as that domain after the requested DKIM CNAME record has been added.  You would go to your public DNS hosting provider's DNS manager tool to add the DKIM CNAME record and adjust the SPF record.  I don't know your school's domain yet or I could look up the DNS hosting provider and give more specific details.

 

For example, if From: domain visible to parents/recipients is example.com, SM would start DKIM signing the emails as example.com.  They can't start doing that until the DNS DKIM record has been added.  DKIM signing of email simply does some math based on the email body and Subject: (plus a few more things) to "stamp" it as authentic and not altered.  Then the receiving mail server, Google for example, can know for certain the email came from an authentic sender and was not altered significantly.  When the DKIM signing domain and the From: header domain match/align, then DMARC will pass.

DMARC is simply a combination of SPF and DKIM with a little icing on top for maximum spoofing prevention of your email domain.  Either SPF has to pass and align with the envelope-from (think of a postal letter on the top left where "return to sender" mail bounces back to) or DKIM has to pass and align with the From: header for DMARC overall to pass.  It's even better when you get both SPF and DKIM to pass and align -- like double goodness to prove to the receiving mail server that the email is not spoofing your domain.

 

DMARC, SPF and DKIM can all be set up and working for the bad actors as well so this doesn't stop junk or spam email.  But what it does do is make the From: address inside the < > trustworthy by the recipient.  If you see From: "Santa Clause" <santa@clause.com> then you can be sure that it was sent from an approved/authenticated server of clause.com.

cpettus
PowerSchool Champion

For those of us who aren't quite as technical, there is a thread about this in the SchoolMessenger Communicate forums, https://help.powerschool.com/t5/SchoolMessenger-Communicate/Do-I-have-to-change-email-settings-as-of...


Cheri

LynnLovettBarr
Hobbyist

@dajones70  This is making more and more sense. Thank you for offering to look up the DNS hosting provider. Our domain is svcmontessori.org via GoDaddy.

 

So it sounds like we would have to do steps 1 and 2 from the original post via the DNS Record manager in GoDaddy like this and this?

 

Also, did my email come through? Definitely want to make sure I'm getting you the information that would help you.

 

Really appreciate you!

christyh9
Rookie

Everything I read says that Google and Yahoo will also require bulk email senders to have one-click unsubscribe in all their emails. Yet I don't see anything mentioned about that here. Are we required to have that unsubscribe option turned on in mailgun?

dajones70
Hobbyist

@LynnLovettBarr svcmontessori.org doesn't have an SPF record so this becomes a bit more risky to set up from scratch.  I did not receive your email but I am looking on our mail logs now.  Your SPF record needs to include your approved sources of email so I need to find your email to see where it came from before I can recommend the SPF record.

 

You can go into GoDaddy's DNS Manager for your svcmontessori.org domain (called a zone in DNS) and add the DKIM record now to get that in place for SM to flip the switch back to sending as svcmontessori.org.

 

Record type = CNAME

Record name = spe1._domainkey

Record value = spe1._domainkey.spe.schoolmessenger.com

LynnLovettBarr
Hobbyist

@dajones70  Definitely good to know. That explains why our website briefly went down last time our tech person tried to do that first step. 😅 Weird, sorry about the email not coming through. I'll try forwarding the copy I sent myself to see if that comes through.

 

Thanks a bunch for all these details. I'll see if we can get the DKIM record set up.

dajones70
Hobbyist

Ok.  I got the original email from @LynnLovettBarr's test email which proved what I was thinking.  DMARC reports from many of our mutual customers showed that the SM emails coming out of the sparkpostmail.com platform were being DKIM signed as spe.schoolmessenger.com.  The test email had a From: address of schoolmessengermail.com so they don't match/align!!!

 

For DMARC to pass, DKIM signing must pass and align with the From: address OR SPF must pass and align with the envelope-from address.

 

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=spe.schoolmessenger.com; s=spe1; t=1706809213;
i=@spe.schoolmessenger.com;

 

The above block was from a SM test email.  Anyone see the large text after the "d=" and notice that it doesn't match schoolmessengermail.com?  DKIM will pass but DMARC will not pass because those don't align.

 

Fortunately, the envelope-from domain is schoolmessengermail.com and SPF passed so DMARC passed.  Not because of DKIM but because of SPF.   Both should be aligned for best results.

 

Authentication-Results: mx.google.com;
dkim=pass header.i=@spe.schoolmessenger.com header.s=spe1 header.b=cDV8hdUt;
spf=pass (google.com: domain of bounces@schoolmessengermail.com designates 156.70.13.114 as permitted sender) smtp.mailfrom=bounces@schoolmessengermail.com;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=schoolmessengermail.com

 

If anyone sees a recent/new SM email with the From: address as their school/district domain, please send it to me as an attachment to preserve some information I need to see.  Forwarding emails resets the headers.  I want to see what domain SM is signing as.  The DNS CNAME record they are asking customers to setup should allow them to sign as the school/district domain but they might not actually be doing that based on the schoolmessengermail.com emails.
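
The alignment check described in the post above, worked through on the Authentication-Results header it quotes (an added example, not part of the original thread and not SchoolMessenger's or Google's code). The function names are hypothetical, relaxed alignment is approximated with a subdomain test instead of the Public Suffix List, and the two variant headers are constructed from the quoted one.

```python
import re

# Authentication-Results value quoted in the post above (folded lines joined).
PAGE_HEADER = (
    "mx.google.com; dkim=pass header.i=@spe.schoolmessenger.com header.s=spe1 "
    "header.b=cDV8hdUt; spf=pass (google.com: domain of "
    "bounces@schoolmessengermail.com designates 156.70.13.114 as permitted sender) "
    "smtp.mailfrom=bounces@schoolmessengermail.com; "
    "dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=schoolmessengermail.com")
# Constructed variants: SPF broken (as after auto-forwarding), then the same
# message if the DKIM signature had used the From: domain instead.
FORWARDED = PAGE_HEADER.replace("spf=pass", "spf=fail")
FORWARDED_SIGNED_AS_FROM = FORWARDED.replace(
    "@spe.schoolmessenger.com", "@schoolmessengermail.com")

def parse_auth_results(value):
    """Return [(method, result, props)] from an Authentication-Results value."""
    value = re.sub(r"\([^)]*\)", " ", value)   # drop parenthesised comments
    out = []
    for part in value.split(";")[1:]:          # part 0 is the authserv-id
        tokens = part.split()
        if tokens and "=" in tokens[0]:
            method, result = tokens[0].split("=", 1)
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            out.append((method.lower(), result.lower(), props))
    return out

def domain_of(identity):  # 'user@domain', '@domain' or a bare domain
    return identity.rsplit("@", 1)[-1].lower().rstrip(".")

def aligned(auth_domain, from_domain, strict=False):
    # Assumption: relaxed mode is simplified to "same domain or parent/child";
    # real DMARC compares organizational domains via the Public Suffix List.
    if auth_domain == from_domain:
        return True
    return not strict and (auth_domain.endswith("." + from_domain)
                           or from_domain.endswith("." + auth_domain))

def dmarc_breakdown(auth_results, from_domain, strict=False):
    """Say which mechanism, if any, passed AND aligned with the From: domain."""
    from_domain, spf_ok, dkim_ok = domain_of(from_domain), False, False
    for method, result, props in parse_auth_results(auth_results):
        if result != "pass":
            continue
        if method == "spf" and "smtp.mailfrom" in props:
            spf_ok |= aligned(domain_of(props["smtp.mailfrom"]), from_domain, strict)
        elif method == "dkim":  # Google reports header.i; others report header.d
            ident = props.get("header.d") or props.get("header.i")
            dkim_ok |= bool(ident) and aligned(domain_of(ident), from_domain, strict)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}
```

Calling `dmarc_breakdown(PAGE_HEADER, "schoolmessengermail.com")` shows DMARC passing on SPF alone; the `FORWARDED` variant fails outright, while `FORWARDED_SIGNED_AS_FROM` still passes because the DKIM domain aligns.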

spsjs
Journeyman

Mysteriously, our DKIM misalignment is now working. We have the "From" address as being from our domain, allowed via SPF and with SM's DKIM that they're finally using. Here's a pic -- black boxes hide our school domain.

 

[Image: black hides our school domain]

 

 

dajones70
Hobbyist

It's still only passing from SPF, not DKIM, could easily be both.  See the DKIM-Signature: header line above with the "d=spe.schoolmessenger.com"?  That should be "d=redactedoutschooldomain" to align with the From: header.  So close...  They asked everyone to set up the DKIM DNS CNAME record so they could DKIM sign as the school/district domain but they aren't.  This along with the schoolmessengermail.com emails also DKIM signing with spe.schoolmessenger.com lead me to believe there is a lack of understanding of how DMARC works.

 

SPF is good but a little fragile in a few cases like autoforwarding so SM should get the DKIM signing correct to ensure the most reliable delivery.  They are so close for customers who correctly set up the DKIM DNS CNAME record which can easily be verified with a simple DNS lookup.  If I worked at SM, I would set up a nightly script to check all customer domains for this DNS record and automatically flip the switch to start DKIM signing as the customer domain.  There really should be something like this script in place to toggle it on and possibly back off if the customer's DKIM DNS record became incorrect or missing by accident.

spsjs
Journeyman

@dajones70 ah, you're correct!

 

I've also attempted to file a support ticket several times using the new form, but it doesn't seem to be working (I never get a 'ticket received' email back). Anyone else have any luck there?

LynnLovettBarr
Hobbyist

@spsjs I've had the same issue; that's not just you. I'm wondering if anyone has tried calling and whether you got service that way? My reception is poor in my working area, so I haven't tried.

dajones70
Hobbyist

I wonder if someone from SM could be at'd here to see this thread.  If anyone can get an SM ticket opened, please point them to this thread.  I hope they would have someone monitoring this thread.

dajones70
Hobbyist

@KamranA ^^^ Please get this information over to the proper team that handles the DKIM signing of emails coming out of the sparkpostmail.com platform.

rgustavson
Apprentice

We had to get in touch with our assigned Customer Success agent who followed up with support regarding our ticket that "disappeared" from view after it was opened. We immediately got a reply after involving her and are finally able to send messages from our domain addresses once again. I recommend reaching out to your Customer Success person if you have yet to get a response back.

dajones70
Hobbyist

@rgustavson Do you have DMARC feedback reports set up on your school domain?  It would be interesting to know if they are DKIM signing properly.  They may have just changed the From: address and still aren't signing as your school domain.  If you send more than 5,000 emails a day through SM to Google recipients and SPF is not passing, then you could have some delivery problems still with Google (and Yahoo).

 

BTW, where Google and Yahoo lead, the rest will follow.  So this is only the start of everyone getting their DMARC (SPF and DKIM with proper alignment) set up correctly for all sources of your school domain email, not just SM.

rgustavson
Apprentice

@dajones70 I don't personally have access to the reports but I reached out to our Network Administrator, who was responsible for setting all this up on our end. After sending a test email he sent along this screenshot (with IP address redacted) after indicating that SPF, DKIM, and DMARC are all seeming to assign properly.

[Image: Untitled.png]

dajones70
Hobbyist

@rgustavson That screen shot above only proves that either SPF or DKIM aligns with hopkinton.k12.ma.us.  I bet SPF is aligning and DKIM is still not being signed as hopkinton.k12.ma.us.  I see that you set up the requested DKIM CNAME record in public DNS so SM could easily sign for your school domain.  I really think they don't know to do this last step like they don't understand how DKIM signing really works.  🙂

dajones70
Hobbyist

Oh, to be clear, DKIM signing passed in the screen shot above but it also needs to align with hopkinton.k12.ma.us for DMARC purposes.  If the recipient had auto-forwarding of email enabled, then SPF will break and DKIM could be there to keep the message authenticated from hopkinton.k12.ma.us to keep Google and Yahoo mail servers happy.