Important Changes Required for Email Deliverability

chadkafka
Rookie

A comment from KB article: Important Changes Required for Email Deliverability

 

Is this something that ALL users of School Messenger have to follow or is this only if we received this message directly from PowerSchool/School Msgr?  I did not receive this as the admin of our School Messenger.

Franklin Public Schools
District Communications Specialist
72 Replies
spsjs
Journeyman

[Image: spsjs_0-1707161922202.png]

Here's our DMARC report. As you can see, Sparkpost (SM) is passing SPF, but not DKIM signing (sigh).

 

spsjs
Journeyman

I finally had time to do a support chat case, and got confirmation that the form is working to create cases (although I never received any email about it). Supposedly my case is being escalated to tier 2 for troubleshooting as "it should be working" (but is not). We'll see!

dajones70
Hobbyist

FYI. Microsoft is now sending out notifications to Office 365 tenants to get their DKIM records set up for their platform. I bet they actually DKIM sign as the customer's domain. 🙂

Anyone have any feedback or confirmation (by sending yourself an email to gmail.com and "show original" to see if SM is DKIM signing as their own domain and not spe.schoolmessenger.com)? Please post here if/when you have confirmation of that.

PeterM
Apprentice

I believe this is the confirmation you are looking for @dajones70, we're m365/exchange online

 

Authentication-Results: spf=pass (sender IP is 156.70.13.179)
smtp.mailfrom=spsd.sk.ca; dkim=pass (signature was verified)
header.d=spsd.sk.ca;dmarc=pass action=none
header.from=spsd.sk.ca;compauth=pass reason=100
Received-SPF: Pass (protection.outlook.com: domain of spsd.sk.ca designates
156.70.13.179 as permitted sender) receiver=protection.outlook.com;
client-ip=156.70.13.179; helo=mta-70-13-179.sparkpostmail.com; pr=E
Received: from mta-70-13-179.sparkpostmail.com (156.70.13.179)....

dajones70
Hobbyist

Thanks for that info. Yeah, Office 365 has had the option to DKIM sign as the customer/tenant domain for a while, but most people don't know to enable it, so Microsoft does the default thing of signing as tenant.onmicrosoft.com. DKIM will pass with the onmicrosoft.com signature, but it obviously doesn't align, so it won't pass DMARC with DKIM alone. SPF tends to do most of the heavy lifting with DMARC passing, but that is not based on the From: header that shows in mail clients. Very easy to spoof the visible From: header in the mail client with SPF passing. That is why DKIM signing as the From: domain is important for "authenticated email."

 

I am glad that Google and Yahoo are starting this effort slowly by enforcing authenticated email on the larger senders that send over 5,000 messages a day. If they didn't do it, then it would never get taken seriously.

jenmac
Journeyman

@dajones70 

I have an email that I got someone to send to my personal Gmail to ensure it was working correctly once PowerSchool made the changes.

 

I am trying to understand all of this.  Just when I think I have it figured out, I read more information that leads me in a slightly different direction.  

 

Am I looking at the authentication results?

 

Authentication-Results: mx.google.com; dkim=pass header.i=@rackspace.powerschool.com header.s=smtp header.b=b4gzUOTb; dkim=pass header.i=@mailgun.org header.s=mg header.b="TF/qYVFI"; spf=pass (google.com: domain of bounce+af72db.5baa-j2vanzwol=gmail.com@rackspace.powerschool.com designates 69.72.47.78 as permitted sender) smtp.mailfrom="bounce+af72db.5baa-j2vanzwol=gmail.com@rackspace.powerschool.com"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=rackspace.powerschool.com

 

We've had our SPF, DMARC and DKIM set up for ages now, but finally when SM made their changes our emails were finally flowing correctly to gmail accounts.

Now, our emails are getting picked up by our spam/phishing rules in Microsoft because they are coming from schoolmessengermail.com.

 

It's my understanding that if we made the proper changes SM wasn't supposed to change any settings for our accounts.  But they did.

jenmac
Journeyman

I also have had no luck with contacting support.  I called and got transferred only to wait on hold for 30 minutes to then be sent to a voicemail after being on hold. 

dajones70
Hobbyist

@jenmac your Authentication-Results header shows that it was DKIM signed as rackspace.powerschool.com and SPF envelope-from the same.  (It was also signed as mailgun.org.) DKIM and SPF passed but neither was from your school/district domain or even schoolmessengermail.com.  Incredible.

 

When DKIM is being signed as a third-party and passes, all that means is that it came from that mail platform unaltered.  It doesn't really do anything meaningful until it's signed as your own domain which is what the DMARC standard is trying to promote/enforce for anti-spoofing and assurance that the email really is from your domain.

 

For DMARC to pass one of these two things must be true:

- SPF pass and the envelope-from (where bounces go) aligns with your domain

- DKIM pass and the From: header (visible sender in mail clients) aligns with your domain

 

The envelope-from sender is not easily visible to the recipient so the most important one above is the From: header and this is where DKIM comes to help ensure it's not faked.

 

It's easy for major mail platforms to start signing as their own domain because they have control of their DNS. It's hard for senders to start signing as your domain as it should be. The challenge is with mail admins/engineers not understanding how this technology works. Google and Yahoo (with others to come) are forcing the learning for proper implementation.

 

P.S. I see some customers on the rackspace.powerschool.com hosting platform and most on the spe.schoolmessenger.com platform based on dozens of DMARC reports. The Authentication-Results look different but the same problem exists coming out of the mailgun.org and sparkpostmail.com mass mailing platforms.
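The two DMARC conditions listed in the post above, checked against the Authentication-Results headers quoted earlier in this thread. This is an added example, not part of any post here and not PowerSchool or SchoolMessenger code; the function names and `district.example` are assumptions, and alignment is simplified to same-domain or parent/child instead of a Public Suffix List lookup.

```python
import re

# Authentication-Results values quoted in this thread, joined onto one line each.
M365_HEADER = (
    "spf=pass (sender IP is 156.70.13.179) smtp.mailfrom=spsd.sk.ca; "
    "dkim=pass (signature was verified) header.d=spsd.sk.ca;dmarc=pass action=none "
    "header.from=spsd.sk.ca;compauth=pass reason=100")
GMAIL_HEADER = (
    'mx.google.com; dkim=pass header.i=@rackspace.powerschool.com header.s=smtp '
    'header.b=b4gzUOTb; dkim=pass header.i=@mailgun.org header.s=mg header.b="TF/qYVFI"; '
    'spf=pass (google.com: domain of '
    'bounce+af72db.5baa-j2vanzwol=gmail.com@rackspace.powerschool.com '
    'designates 69.72.47.78 as permitted sender) '
    'smtp.mailfrom="bounce+af72db.5baa-j2vanzwol=gmail.com@rackspace.powerschool.com"; '
    'dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=rackspace.powerschool.com')

def _domain(value):
    """Domain part of an address or bare domain, lower-cased, quotes removed."""
    return value.strip('"').rsplit("@", 1)[-1].lower().rstrip(".")

def parse_auth_results(header):
    """Return [(method, result, {property: value})] for spf, dkim and dmarc."""
    header = re.sub(r"\([^()]*\)", " ", header)  # drop (comments)
    out = []
    for part in header.split(";"):
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", part, re.I)
        if m:
            props = dict(re.findall(r'([a-z]+\.[a-z]+)=("[^"]*"|\S+)', part, re.I))
            out.append((m.group(1).lower(), m.group(2).lower(), props))
    return out

def _aligned(a, b):
    # Assumption: simplified relaxed alignment (same domain or parent/child).
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def aligned_passes(header, my_domain):
    """Domains that passed SPF or DKIM AND align with the domain you send as."""
    hits = {"spf": [], "dkim": []}
    for method, result, props in parse_auth_results(header):
        if result != "pass" or method not in hits:
            continue
        if method == "spf":
            key = "smtp.mailfrom"          # envelope-from (bounce address)
        else:
            key = "header.d" if "header.d" in props else "header.i"
        dom = _domain(props.get(key, ""))
        if dom and _aligned(dom, my_domain.lower()):
            hits[method].append(dom)
    return hits
```

An empty `dkim` list for your own domain means the message was signed only as the mail platform, which is the situation described for the rackspace.powerschool.com and mailgun.org signatures.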

jlaux
Hobbyist

I have successfully used the online CHAT Support - go to: 

 

     https://help.powerschool.com/t5/Support-Case-Chat/ct-p/SupportCaseChat  

 

Then choose your product, fill in all fields, then click the "Launch Chat Support" at the bottom and WAIT....I've had to wait up to 15 minutes, but someone always comes onto the CHAT, and I am able to discuss via this CHAT SUPPORT my issue to get it resolved - hope that helps! 

harmonymike
Hobbyist

Anyone able to get this working when their domain is hosted through squarespace?

jenmac
Journeyman

I did reach out through the support portal and someone got back to me today letting me know that everything is good and ready to go.  But did not elaborate on what was changed.  

 

In my case I suspect they switched our org over by mistake (along with many other orgs it sounds like) and now they have fixed that. But I am waiting to find out if that is the case.

CindyOp
Community Support Expert

The Knowledgebase Article, Important Changes Required for Email Deliverability, has been updated as of Feb 9, 2024, to provide more steps to be performed by the districts. Once your changes have been made, there is a step to open a support case for PowerSchool to update your Communicate account.

 

It may not be ideal but a workaround while you complete your process and finalize with PowerSchool is that you can send from the SchoolMessenger email domain by selecting use the default email. 

 

[Image: CindyOp_2-1707511736174.png]

 

We recognize that many of you are encountering delays in receiving support, particularly given the heightened volume of requests due to upcoming DMARC changes and other factors. We sincerely apologize for any frustration this may have caused.

 

Please be assured that addressing your concerns is our utmost priority, and we are fully committed to enhancing your overall experience. Our support team is actively engaged in refining our processes to ensure swifter responses, prioritizing the resolution of critical issues.

 

We genuinely appreciate your patience during this period, and we want to emphasize our dedication to resolving all open cases submitted by our customers. Thank you for your understanding and ongoing support.


Cindy
PowerSchool Community Support
amarkevans
Journeyman

This is a great piece. I personally got confused navigating this platform but I believe with time, I will get used to the system and everything would be smooth.

Thank you for elaborating further.

dajones70
Hobbyist

Has anyone been able to confirm that SM is actually DKIM signing as their own school/district domain?  Or if sending as schoolmessengermail.com is it still DKIM signing as spe.schoolmessenger.com?  I still haven't seen any evidence that SM is correctly DKIM signing as the From: domain so DMARC will pass based solely on DKIM.  SPF is pretty simple to do as it's been around a long time and it's easy to control the envelope-from domain from your own platform but it breaks when autoforwarded.

spsjs
Journeyman

Yes. From Google's "view original" tool:

 

Message ID <xxxxxxxxxxxx@schoolm.smtp.e.sparkpost.com>
Created at: Thu, Feb 8, 2024 at 4:47 PM (Delivered after 1 second)
From: SPS Announcements <xxxx@stillwaterschools.com>
To: xxxxx@stillwaterschools.com
Subject: SPS - Superintendent’s Update - February 8, 2024
SPF: PASS with IP 156.70.13.113
DKIM: 'PASS' with domain stillwaterschools.com
DMARC: 'PASS'

dajones70
Hobbyist

That's good news.  Did this just start recently? Did you have to do anything other than get SM to "flip their switch" then you were able to change the From: address to "SPS Announcements <xxxx@stillwaterschools.com>" inside their web UI?

spsjs
Journeyman

We'd already had the change done in the web UI. I just had to open a support case and convince the agent (by virtue of quoting their own documentation back at them) to flip the switch. Easily done in the grand scheme of things. I think they're just so overloaded that it's been a rather rocky rollout.

KellyS4
Journeyman

We are also waiting on a TIER 2 SUPPORT reply regarding our emails not being delivered the way they were previously. If the email does get through, it goes to junk/spam. How are you guys checking your support tickets? They don't show in this portal at all.

MGoranson
Hobbyist

@dajones70 thank you for all of the detailed information. We see a handful of DKIM failures due to the spe.schoolmessenger.com domain being used.

 

Domain is laramie2.org which from https://dmarcian.com/spf-survey/ looks accurate but I am new to all of this.

dajones70
Hobbyist

Send yourself a test email from SM to a gmail.com account then "Show Original" to see the SPF and DKIM results. If the DKIM domain is not signed as laramie2.org then SM needs to "flip the switch" and then the From address needs to be checked inside your SM settings. I see the DKIM CNAME record set up in the laramie2.org public DNS so it's ready for SM to "flip their switch."

I will repeat that SM could easily automate the "flipping of the switch" by running a script every night to check for the DKIM DNS record of their customers and save a lot of support tickets, delay, and frustration with this process.

KellyS4
Journeyman

Thank you - where do I click show original if I am not receiving the email from SM on Gmail?? I'm not getting it at all. I am successfully getting the email sent to our domain.net, and still waiting on support. I am going on a phone call spree today.