Can you set up SPF and DMARC for a basic email?

thecomputerguy

I have a client who owns a domain but only uses basic POP/IMAP through Network Solutions.

I have already advised him to move to O365 but those steps have not been taken.

Google is tightening things up on their end and requiring passing of SPF & DKIM, and as of now those records are not in place. I know how to do this in O365 but I haven't worked with basic POP email in forever.

Are there records I can apply to satisfy the requirements Google has based on the bounce back below? I normally just pop in whatever M$ recommends for records but obviously this isn't at M$.

(reason: 550-5.7.26 This message does not pass authentication checks (SPF and DKIM both)

----- Transcript of session follows -----
... while talking to gmail-smtp-in.l.google.com.:
>>> DATA
<<< 550-5.7.26 This message does not pass authentication checks (SPF and DKIM both
<<< 550-5.7.26 do not pass). SPF check for [DOMAIN.COM] does not pass with ip:
<<< 550-5.7.26 [209.17.xx.xx].To best protect our users from spam, the message has
<<< 550-5.7.26 been blocked. Please visit
<<< 550-5.7.26 https://support.google.com/mail/answer/81126#authentication for more
<<< 550 5.7.26 information. jg40-20020a170907972800b00872733f3b9esi10681704ejc.855 - gsmtp
554 5.0.0 Service unavailable
 
You can use an online SPF wizard to generate the SPF record. DKIM is created by the mail server, which they may or may not support. You will have to search the control panel for their email and see if it can be generated. You may have to contact their tech support. DMARC is, like SPF, something you can create with a wizard. SPF you can do immediately, but the DMARC requires the answer to: is DKIM supported or not?
 
Yeah SPF you create, you input IP addresses/ranges, and/or domains that are allowed to send email on behalf of. There are some wizards out there to help but it's a simple record you can just whip up.

They can get pretty long if a lot of mail servers need to be added.
Also your choice whether to have "fail" or "soft fail"...with the -all or ~all towards the end. I always use - (fail)...if a server isn't authenticated to send on behalf, I want it to drop.

DMARC is just a newer version of what to do with the - or ~ and you can create that yourself, it's quick 'n easy.
I like to p=quarantine so mine always look like v=DMARC1; p=quarantine;

DKIM, yeah you need to find out the sending server's info on that one, and it can require some work. Microsoft 365 makes it easy, it presents it to you in a format you can copy 'n paste right into your cpanel when you're creating the cname record. But digging up other mail servers....heh...it can get to be a pain. Hopefully the host of this mail server documented it in some format that makes it easy for you. Some old school servers have wicked long keys that are a pain.
 
Those are all TXT records added to the DNS record. Nothing magical. I'm sure Net Sol has articles on how to do this. And yes, Gmail is tightening things up. Another tech asked us about email: when the destination was gmail.com they were getting bounces even though it was M365. I told him to make sure he had all 3.
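
Added example, not part of any post in this thread: a small Python linter for the SPF and DMARC TXT values discussed above, to run before publishing them. It checks the one-record rule, the 10 DNS-lookup limit that long SPF records run into, whether the bouncing IP is listed, and the -all/~all ending; the addresses and the include host are constructed placeholders, and DKIM is left out because its key has to come from the mail host.

```python
import ipaddress

# Terms that each cost one DNS lookup when a receiver evaluates SPF (RFC 7208 caps it at 10).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists")

def lint_spf(txt_records, sending_ip):
    """Lint a domain's TXT records for SPF problems; returns a list of findings."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # zero means no SPF; two or more is a permanent error
        return [f"need exactly one v=spf1 record, found {len(spf)}"]
    terms = spf[0].split()[1:]
    problems, lookups, ip_listed = [], 0, False
    for term in terms:
        bare = term.lstrip("+-~?").lower()
        name, _, arg = bare.partition(":")
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
                ip_listed |= ipaddress.ip_address(sending_ip) in net
            except ValueError:
                problems.append(f"bad address in {term}")
        elif name.split("/")[0] in LOOKUP_TERMS or bare.startswith("redirect="):
            lookups += 1
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms, limit is 10")
    if not ip_listed and lookups == 0:
        problems.append(f"{sending_ip} matches no ip4/ip6 term and nothing is delegated")
    last = terms[-1].lower() if terms else ""
    if last in ("all", "+all"):
        problems.append("+all authorises every sender")
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        problems.append("record should end in -all (fail) or ~all (soft fail)")
    return problems

def lint_dmarc(record):
    """Lint the TXT value published at _dmarc.<domain>; returns a list of findings."""
    tags = [t.strip() for t in record.split(";") if t.strip()]
    pairs = {k.strip().lower(): v.strip().lower()
             for k, v in (t.split("=", 1) for t in tags if "=" in t)}
    problems = []
    if not tags or tags[0].replace(" ", "") != "v=DMARC1":
        problems.append("first tag must be v=DMARC1")
    if pairs.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    return problems

# Constructed samples: documentation address ranges and a made-up include host.
SAMPLE_TXT = ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all"]
if __name__ == "__main__":
    print(lint_spf(SAMPLE_TXT, "203.0.113.25"))
    print(lint_dmarc("v=DMARC1; p=quarantine;"))
```

An empty list means the checks passed; include, a and mx terms are only counted here, not resolved, so a sender covered through one of them still needs a live SPF lookup to confirm.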
 