Technology, Tutorial, Ubuntu

How to do DMARC, SPF and BIMI settings (and other stuff) in Digital Ocean DNS settings

SECOND EDIT: DEC 12, 2022

FIRST EDIT DATE: Sept 1, 2022

I had a hard time with this one for some reason. My email provider (Webnames) has an email setup page which showed the SPF records without quotation marks. Even their tech support told me not to use quotation marks in the TXT entries on my server! I guess they hadn’t heard of Digital Ocean? Normally I have nothing but good things to say about Webnames, but this one was a bit of a surprise…

To make a long story short, here is what you need to know about setting up a few important email records in your Digital Ocean Networking / Domains settings, especially if you have Webnames as your registrar and email service provider (ESP).

I may expand this blog post over time, so check the edit date and notes at the top.

DMARC

DMARC is one of those email settings you should have, and have configured correctly. Without it in place, BIMI won’t work, for example.

EDIT 221212: Consider creating a standalone email address for this purpose. During the process of creating a DMARC record, the generator asks for an email address. I created a simple forwarding email address, possibly to prevent future spam? I did dmarc @ companyname.com . Just wanted to throw this in as a little tip too.

In your Digital Ocean networking section, under your target domain:

Using this guide is really great. When you’re done you’ll have a block of text that looks like you should just paste it straight into your Digital Ocean TXT field – but don’t:

_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:email@example.com; ruf=mailto:email2@example.com; sp=none; ri=86400"

What you really need to do for this is as follows:

EDIT 221212: Not sure about the quotes comment below anymore on Digital Ocean. Do your own research 🙂

Also VERY important: your DMARC settings must have p=reject and sp=quarantine to work with BIMI. I cover that a bit later in the blog, but the example below has the generator’s default output, which doesn’t work with BIMI…

VALUE field:
Paste all the stuff with the quotes – including the quotes (this is where I got messed up for a long time). So paste this entire part into the TXT value field:

"v=DMARC1; p=none; rua=mailto:email@example.com; ruf=mailto:email2@example.com; sp=none; ri=86400"

Hostname field:

Enter this: _dmarc.example.com

Leave the rest as is. That’s it.

Note this: for some reason the tool above put another set of quotation marks around my text string. I saved it and nothing worked. I went back in to edit the record and discovered these extra quotes had been added. Just note that you should only have one set of quotes around your text string with Digital Ocean.

Another note: if you plan on using BIMI (it makes the cool logo show up in people’s inboxes…) you’ll need to set the ‘p’ tag in the string above to either p=quarantine or p=reject.

Test in the command line:

dig _dmarc.yourdomain.com txt

This dig command in your Ubuntu terminal will typically show results much faster than online tools, which have to wait for propagation across the internet.

If your changes are working you should see an ‘answer’, and the answer should be whatever you saved in the TXT field in your Digital Ocean DNS record above. If you get “ANSWER: 0” then something is wrong.

Compare against Google’s if you’d like:

dig _dmarc.google.com txt
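To make the ‘did an answer come back, and is it the string I saved’ check repeatable, here is a small Python script (an added example, not from the original post) that reads the text dig prints, pulls every TXT value out of the ANSWER SECTION, joins the quoted chunks that long records get split into, and reports the two failures described above: ANSWER: 0, and a value saved with a second pair of quotation marks (dig shows those as \"). The three dig transcripts inside the script are constructed samples for example.com, not real query output. Pipe real output in with dig _dmarc.yourdomain.com txt | python3 check_dig.py (check_dig.py being whatever you name the file); with no input it runs the built-in samples.

```python
"""Extract TXT answers from `dig <name> txt` output and flag the two failure
modes described in the post: no answer at all, and a value saved with an
extra pair of quotation marks.  Added example, not code from the post; the
dig transcripts below are constructed, not captured from a live zone."""
import re

# Constructed: a healthy answer.  Long TXT records come back as several
# "..." chunks on one line, which the reader is expected to concatenate.
SAMPLE_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
_dmarc.example.com.\t1800\tIN\tTXT\t"v=DMARC1; p=none; rua=mailto:dmarc@example.com; " "sp=none; ri=86400"
"""

# Constructed: the record was saved with quotes inside the quotes, which dig
# shows as escaped \" characters.  Receivers will not parse this as DMARC.
SAMPLE_DOUBLE_QUOTED = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
_dmarc.example.com.\t1800\tIN\tTXT\t"\\"v=DMARC1; p=none; sp=none\\""
"""

# Constructed: nothing published at that name (or not yet propagated).
SAMPLE_EMPTY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23456
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
"""

_TXT_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+TXT\s+(.*)$")
_CHUNK = re.compile(r'"((?:[^"\\]|\\.)*)"')   # one "..." chunk, honouring \" and \\


def answer_count(dig_output):
    """The ANSWER: n figure from the flags line (0 when the line is absent)."""
    m = re.search(r"\bANSWER: (\d+)", dig_output)
    return int(m.group(1)) if m else 0


def txt_values(dig_output):
    """Map owner name (without trailing dot) -> list of TXT values in the ANSWER SECTION."""
    values = {}
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):          # any other section header ends the answers
            in_answer = False
            continue
        m = _TXT_LINE.match(line) if in_answer else None
        if not m:
            continue
        # Unescape each chunk (\" -> ", \\ -> \) and join the chunks into one string.
        chunks = [re.sub(r"\\(.)", r"\1", c) for c in _CHUNK.findall(m.group(2))]
        values.setdefault(m.group(1).rstrip("."), []).append("".join(chunks))
    return values


def diagnose(dig_output, name):
    """One-line verdict for `name`, mirroring the checks the post does by eye."""
    found = txt_values(dig_output).get(name, [])
    if not found:
        return (f"no TXT answer for {name} (ANSWER: {answer_count(dig_output)}): "
                "record missing, not yet propagated, or saved under the wrong hostname")
    for v in found:
        if v.startswith('"') and v.endswith('"'):
            return f"{name}: value is wrapped in an extra pair of quotes, remove one set in the DNS panel"
    return f"{name}: ok -> " + " | ".join(found)


if __name__ == "__main__":
    import sys
    if not sys.stdin.isatty():              # e.g. dig _dmarc.example.com txt | python3 check_dig.py
        output = sys.stdin.read()
        names = txt_values(output)
        if not names:
            print(diagnose(output, sys.argv[1] if len(sys.argv) > 1 else "the queried name"))
        for name in names:
            print(diagnose(output, name))
    else:
        for sample in (SAMPLE_OK, SAMPLE_DOUBLE_QUOTED, SAMPLE_EMPTY):
            print(diagnose(sample, "_dmarc.example.com"))
```

One caveat on the ‘faster than online tools’ point: dig asks your local resolver, which may still be caching the old answer. To see what Digital Ocean is actually serving, query their authoritative server directly, e.g. dig @ns1.digitalocean.com _dmarc.yourdomain.com txt, and pipe that through the script instead.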

SPF

These guys above also have an SPF setup guide. I’m guessing it’s as good as the DMARC one too. Maybe try it out….

Here is an example of what my ESP (Webnames) provided me:
"v=spf1 a:spf10.webnames.ca -all"
(but without the quotes)

Same instructions as above, except you don’t need to write anything in the hostname field except @, which applies the record to the bare domain itself. If you want to apply it to another domain, of course enter that here. Modify as needed.

Again, a reminder to make sure you include the quotation marks.

Test in your terminal to make sure it looks good:

dig yourdomain.com txt

Compare against Google’s if you’d like:

dig google.com txt

BIMI

Before you begin this BIMI section, since this is largely about your logo, start by making sure you have a BIMI-compliant SVG file of your logo ready to go. I had lots of SVGs, but none of them fit this super specific constraint. What I finally ended up doing was finding the best version according to the recommendations in terms of dimensions and file size, and then running it through this online BIMI converter, which finalized the job. Because I didn’t do this first, I had to do all of what you’re about to read twice. 🙁

Another thing you should do before beginning is run your own domain through this very nice checker tool. It will show you if something (like DMARC) isn’t set up and save you the time of trying to make BIMI work when it can’t…

As mentioned above, you have to have your DMARC p= tag set to ‘quarantine’ or ‘reject’. This tool is great as well: when you enter your domain it’ll also test your DMARC and SPF so you don’t waste your time trying to set up BIMI if those aren’t working. Once you get a checkmark here, proceed to set up your image and records.

First, I’m using WordPress, which is always both good and bad – always. In the case of trying to simply upload an .svg file for this BIMI purpose, it’s bad. You can’t do it with regular user privileges.

So I just hacked together my own solution, which I guess I’ll have to repeat every time, like this:

  1. cd to where your SVG file is on your local machine (copying the path and pasting it into the terminal works)
  2. Use the sftp command and connect to your server as root
  3. cd to /var/www/wherever-your-site-is/wp-content/uploads/yyyy/mm/ (it doesn’t really matter where)
  4. put file-name.svg. If you see ‘100%’ then you know it uploaded from your local machine to the uploads folder in your WP directory. Take a note of the location now, since it seems it will not show up in your media library (SVG is not a permitted media type by default). It should be exactly where you uploaded it, such as:
https://yourdomain.com/wp-content/uploads/yyyy/mm/file-name.svg

If you are using shared hosting, I’m not sure how you would get this SVG file into the same directory. Perhaps you can just use the file manager and upload it? It’s been a long time, so it might be easy, or you might have to ask your cPanel or shared hosting admins to do this for you.
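WordPress blocks SVG uploads precisely because an SVG can carry scripts, and BIMI only accepts the restricted SVG Tiny Portable/Secure profile anyway, so it is worth checking the file before it goes over sftp. The script below is an added example (not from the post or from the online converter it links to) that flags the things that make a logo non-compliant: missing baseProfile="tiny-ps" or version="1.2", no <title>, <script> elements, on* event-handler attributes, and href values that point outside the file. The 32 KB size ceiling is a commonly recommended limit I’ve added, not something the post states; the two SVG documents are constructed samples, one that passes and one that fails the way a typical design-team SVG does.

```python
"""Check a logo file against the BIMI SVG Tiny Portable/Secure rules before
uploading it: tiny-ps profile, a <title>, no scripts, no event handlers, no
external references.  Added example, not from the post or any converter
tool; the two SVG documents are constructed here for the demo."""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
MAX_BYTES = 32 * 1024   # size ceiling commonly recommended for BIMI logos (assumption)

# Constructed: a minimal logo that satisfies the profile.
GOOD_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" version="1.2" baseProfile="tiny-ps" viewBox="0 0 100 100">
  <title>Example Co logo</title>
  <rect width="100" height="100" fill="#0a5"/>
</svg>"""

# Constructed: a typical "any SVG from the design team" that must not be used.
BAD_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     version="1.1" onload="init()">
  <script>alert(1)</script>
  <image xlink:href="https://cdn.example.com/logo.png" width="100" height="100"/>
</svg>"""


def _local(tag):
    """'{namespace}rect' -> 'rect' (works for attribute names too)."""
    return tag.rsplit("}", 1)[-1]


def check_bimi_svg(svg_bytes):
    """Return a list of rule violations; an empty list means the file passes."""
    problems = []
    if len(svg_bytes) > MAX_BYTES:
        problems.append(f"file is {len(svg_bytes)} bytes, over the {MAX_BYTES} byte ceiling")
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]

    if root.tag != f"{{{SVG_NS}}}svg":
        problems.append("root element is not <svg> in the SVG namespace")
    if root.get("baseProfile") != "tiny-ps":
        problems.append('root <svg> must declare baseProfile="tiny-ps"')
    if root.get("version") != "1.2":
        problems.append('root <svg> must declare version="1.2"')
    title = root.find(f"{{{SVG_NS}}}title")      # find() only looks at direct children
    if title is None or not (title.text or "").strip():
        problems.append("a non-empty <title> directly under <svg> is required")

    for el in root.iter():                        # every element, root included
        if _local(el.tag) == "script":
            problems.append("<script> elements are not allowed")
        for name, value in el.attrib.items():
            if _local(name).startswith("on"):     # onload, onclick, ...
                problems.append(f"event handler attribute not allowed: {_local(name)}")
            if _local(name) == "href" and not value.startswith("#"):
                problems.append(f"external reference not allowed: {value}")
    return problems


def check_bimi_svg_file(path):
    """Convenience wrapper for the file on disk you are about to sftp up."""
    with open(path, "rb") as fh:
        return check_bimi_svg(fh.read())


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_bimi_svg_file(sys.argv[1]) or "passes")
    else:
        print("good sample:", check_bimi_svg(GOOD_SVG) or "passes")
        print("bad sample:", check_bimi_svg(BAD_SVG))
```

Run it as python3 check_svg.py file-name.svg before step 4 above; an empty result means nothing in the file breaks the profile. Keep in mind this is a linter for your own logo, not a sanitizer: if a file fails, fix it in the converter rather than trying to strip pieces out by hand.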

Now you can use this for your BIMI image…

Now, to get it started on Digital Ocean, here is how I did it.

  • Took the output from the BIMI generator above, which looked like this:

default._bimi.yourdomain.com TXT v=BIMI1; l=https://www.yourdomain.com/wp-content/uploads/2022/08/file-name.svg; a=;

In the hostname field:
default._bimi

Now, pay attention to this little detail: this should auto-fill the rest of your domain so that it reads ‘default._bimi.yourdomain.com’, but if it doesn’t, make sure it’s correct before saving.

In the TXT field:
"v=BIMI1; l=https://www.yourdomain.com/wp-content/uploads/2022/08/file-name.svg;"

(as always, with the quotations for Digital Ocean)
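Pulling the DMARC, SPF and BIMI pieces of this post together: the script below (an added example, not code from the post, Digital Ocean or Webnames) parses the three record strings the way a receiving mail server reads them and lists what would still stop a logo from showing. It covers the points made above (p=none from the generator’s default, sp=none, the doubled quotes, the https .svg URL in l=) plus two standard requirements the post doesn’t mention, which I’ve added: pct= must be 100 if present, and an SPF record may not need more than 10 DNS lookups. The record strings are the post’s sample values with example.com hostnames.

```python
"""Parse the three TXT records from this post (DMARC, SPF, BIMI) and report
what would stop a BIMI logo from being honoured: p= still at the generator's
default of none, sp=none, pct below 100, a doubled pair of quotes, an SPF
record over the 10-lookup limit, or a BIMI l= URL that is not an https .svg.
Added example, not the post's own code nor anything from Digital Ocean or
Webnames; the record strings are the post's sample values on example.com."""

# The post's sample values (hostnames replaced with example.com where needed).
DMARC_DEFAULT = '"v=DMARC1; p=none; rua=mailto:email@example.com; ruf=mailto:email2@example.com; sp=none; ri=86400"'
DMARC_BIMI_READY = '"v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com"'
SPF_WEBNAMES = '"v=spf1 a:spf10.webnames.ca -all"'
BIMI_RECORD = '"v=BIMI1; l=https://www.example.com/wp-content/uploads/2022/08/file-name.svg;"'

LOOKUP_MECHANISMS = {"a", "mx", "include", "exists", "redirect", "ptr"}


def strip_quotes(value):
    """Remove one surrounding pair of quotes; also report whether a second pair remains."""
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    doubled = len(value) >= 2 and value[0] == '"' and value[-1] == '"'
    return value, doubled


def parse_tags(value):
    """'k=v; k=v' records (DMARC, BIMI) -> dict, keys lower-cased, order kept."""
    text, _ = strip_quotes(value)
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_dmarc_for_bimi(value):
    """Problems that block BIMI (empty list = this DMARC record is acceptable)."""
    problems = []
    _, doubled = strip_quotes(value)
    if doubled:
        problems.append("value is wrapped in two pairs of quotes; keep exactly one pair")
    tags = parse_tags(value)
    if next(iter(tags), None) != "v" or tags.get("v") != "DMARC1":
        problems.append("record must start with v=DMARC1")
    if tags.get("p") not in ("quarantine", "reject"):
        problems.append(f"p={tags.get('p')} is not enforcing; BIMI needs p=quarantine or p=reject")
    if tags.get("sp") == "none":
        problems.append("sp=none exempts subdomains; use sp=quarantine or sp=reject (or drop sp)")
    if tags.get("pct", "100") != "100":
        problems.append(f"pct={tags['pct']} applies the policy to only part of the mail; BIMI needs pct=100")
    return problems


def parse_spf(value):
    """Return {'mechanisms': [...], 'all': qualifier, 'lookups': n} for an SPF record."""
    text, _ = strip_quotes(value)
    terms = text.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must begin with v=spf1")
    mechanisms, all_qualifier, lookups = terms[1:], None, 0
    for term in mechanisms:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_MECHANISMS:
            lookups += 1        # each of these costs a DNS lookup; more than 10 is a permerror
    return {"mechanisms": mechanisms, "all": all_qualifier, "lookups": lookups}


def check_bimi_record(value):
    """Problems with the BIMI assertion record itself."""
    problems = []
    tags = parse_tags(value)
    if tags.get("v") != "BIMI1":
        problems.append("record must start with v=BIMI1")
    logo = tags.get("l", "")
    if not logo.startswith("https://") or not logo.lower().endswith(".svg"):
        problems.append("l= must be an https:// URL ending in .svg")
    return problems


def bimi_ready(dmarc, spf, bimi):
    """Combine the checks the post runs by hand before expecting a logo to show."""
    problems = check_dmarc_for_bimi(dmarc) + check_bimi_record(bimi)
    spf_info = parse_spf(spf)
    if spf_info["all"] is None:
        problems.append("SPF record has no 'all' mechanism")
    if spf_info["lookups"] > 10:
        problems.append(f"SPF record needs {spf_info['lookups']} DNS lookups, limit is 10")
    return problems


if __name__ == "__main__":
    print("generator default:", bimi_ready(DMARC_DEFAULT, SPF_WEBNAMES, BIMI_RECORD))
    print("after fixing p/sp:", bimi_ready(DMARC_BIMI_READY, SPF_WEBNAMES, BIMI_RECORD) or "ready")
```

Run it on the record strings exactly as they sit in the Digital Ocean panel, quotes included. An empty list from bimi_ready means nothing in the records themselves is blocking BIMI; a mailbox provider may still want a Verified Mark Certificate in a= before it displays the logo, which this script does not check.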

As always, test with the handy dig command:

dig default._bimi.yourdomain.com txt

Compare against Google if you want:

dig default._bimi.google.com txt

EDIT 221212

To be clear about entering these records on Digital Ocean, here is a dedicated section:

Inputting BIMI records into Digital Ocean Records

For anyone using Digital Ocean, here is a quick step to get these records going:

  1. Copy default._bimi into the hostname field (or just type it, ha)
  2. Put the rest of the record output generated by the tool above into the TXT value field
  3. Save the changes.

OTHER RESOURCES

A great checker tool to run at the end too. The big green check marks make you feel like a champ when you pass.

Here is a great checklist to go even further with this stuff.

