Why use email domain authentication?
By default emails sent via Workplace Management are sent via the Spacewell mail server. However, it is often desired to make these email appear to be sent via the clients email address*.
The email itself will still be sent via the Spacewell email server, but the email will look like it originated from the specified client email address. This can lead to the email being labeled as spam by a receiving mail server. This is most often the case if the receiving mail server is the same as the server the email pretends to be from. (So any email sent via Workplace Management to the employees of the client)
There are several options that can be taken to prevent this problem.
*Most likely, a contractor that gets a work order email, should receive this email from for example ‘facilities@clientname.com’ instead of 'norely@spacewell.com). See email settings part in the client settings article for information on how to set this up
Add an SPF (Sender Policy Framework) record to the clients DNS
By having the client add the necessary SPF record to their DNS, the receiving mailserver can verify that Workplace Management is allowed to send emails on behalf of the clients domain. The following inclusion needs to be done on the DNS:
include:_spf.axxerion.com
If you would like to have more information in regards to SPF, please refer to the documentation that can be found online like this post from DMARCIAN.
Testing the SFP record
If you want to test if the SFP record is added correctly, you can use free online tool to see if the spf record is available. Easy to use tools are:
DKIM (Domain Keys Identified Mail)
A second method, which can be used in conjunction with the previous, is DKIM. With DKIM, a key is generated within Workplace Management, which is in turn added to the DNS. For more in depth information about DKIM, please refer to the documentation that can be found online like this post from DMARCIAN.
Generating the key
Within Workplace Management, navigate to the client settings via the tile on the dashboard.
Navigate to the tab “Email” and press on the icon for “Signing domains”
Click on “new”
Fill in the following fields:
Domain name: the domain name for which the key applies (e.g. http://client.com )
Active: if the DKIM record is active
DKIM selector: This is used by the receiving agent or client to retrieve the public key from the DKIM DNS text record, which has the name: <selector>
._domainkey.<domainmame>
It is possible to configure multiple domains using the same specific selector for the DKIM record.
E.g. fill in ‘spacewell’ or ‘workplace-management’ so you can easily recognize that the DNS text record that you might requestClick on the top right icon with the key to generate a private and public key
If the private key was externally generated and is encrypted, fill in the password for this private key.
Copy the PUBLIC key and share this with the customers IT department as they need to add this to their DNS. Make sure the DKIM setting is active once the record has been added to the DNS.
Send a test email from Workplace management and validate that is signed correctly
Background information on the non-editable fields
Hash Algorithm: The hashing algorithm used for the DKIM signature. Currently only SHA-256 is allowed.
Public Key in PEM format : The public key is extracted from the private key and is not editable.
Private Key in PEM format : The private key must be in PEM format. For DKIM the private key must be a RSA key. Note that a new key pair can be generated with the page function 'Generate key pair'. It is also possible to enter a private key from an external source. Note that the private key is always stored in an encrypted format by a newly generated strong password.
Key length (bits) : The length of the private key is the number of bits of the 'modulus' of the private key. Currently only value2048 is allowed.
DKIM troubleshooting
Determine the sender domain name, for example ‘http://client.com’
Check that the domain of mail headers "From:" and "Mail from:" is present in the Email Signing domains and that it is active (see chapter Configure DKIM mail signing above).
Make sure the DNS TXT record of the email signing domain is present in the DNS of the sending domain. You can use the following website to vailidate the DNS entry: DKIM Core
Send a mail from the Workplace Management client layer to you own mail account:
Contact -> Mailings -> Create new mailing
Add sender contact. The email of the sender contact must match one of the signing domains defined in this client layer, for example: testdkim@somedomain.com
Add one or more recipient contacts, this can be you own email address.
Click "Send message"l, note that it can take some time before the mail goes to status "sent". Use refresh to show the latest status.
Check if the mail is received in the mailbox.
Open the email message source and make sure the DKIM-Signature header is present, for example:
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; t=1467293263; s=selector1; d=dkimtest.axxerion.com; h=From:To:Message-ID:Subject:MIME-Version:Content-Type:Date; bh=wgyYNgRSqIvawIOIl/ZZ4lB8xSDZ067gS0biO571JF4=; b=JLQRTJEQi6LcMRb8fBGPGjbh/j6GjL6vB+2BiHWXU9JIFjC6KgvuZwGXvCRMKb6V Rd/Qc6NHIBZ+Km24oyhAc02Tqs6f+zThfI9B3IEEt466TAIhg1OjrXNDtosUhivPul/ UntOyB6OZO0qVyywfKCwY7dMFTB1YltnGKTTXufut2p0StslDks/SOfGV4yBXsWf07N Mj4R480+2iBcYDISNumz4jiz5b2poU8Z0hpSSlMRDKzXzHzyig4ODcJ4yx2R75oJ2Vd ztTQ0voxEi7utmgFOeirP0XY9KEr9Y/NQG7GwfTtIFgCZUzHw/eOo2RtsKZchifx4HT x5j5v1HonA==
You can use the mail client 'thunderbird' with the 'DKIM Verifier' extention to validate the DKIM-Signature:
Download thunderbird from here
Configure you mail account:
Edit -> Account Settings -> Account Actions -> Add mail account
Fill in the pop3/imap server and you userid/password.
Install the DKIM Validator add-on:
Tools -> Add-ons -> Get Add-ons
Search for 'DKIM' -> install
You can configure the 'DKIM Verifier' in Tools -> Add-ons -> Extensions -> DKIM Verifier -> Preferences
To enable debugging: Advanced -> enable debugging and Show detailed errors
Open the mail with the DKIM Signature
Open the error console with: <ctrl> + <shift> + j Detailed info and error messages are now shown.
Allow the use of the clients own mailserver
If the above options are not sufficient or the client would allow to use there own mailserver, that is also possible. Navigate to “Client settings> Email”. Fill in the following fields (be aware: these values should be provided by the clients IT department):
|  |
Limitation
When using the clients own mailbox, there is one major limitation compared to using the native mail feature in Workplace Management. When Workplace Management sends an e-mail to the client server and it fails, it will not retry this e-mail. The simple reason is that if the system would do this, it might be blocked due to a possible identification as a DDoS attack (“spamming” the server with requests). In case the native e-mail feature is used, an e-mail is retried for 24 hours before failing.
Testing settings
If you want to test if the above settings apply to your e-mail, you can already test those using the methods mentioned in the articles. But one specific way which has proven to work good is the use of mail-test.com. Here you get an e-mail address where you can send an e-mail to, and it checks the spam rating of the e-mail. So enter this e-mail in any location in Workplace Management and make sure an e-mail is sent to that contact. Once it has, press on “check your score” and you have a list of possible problems and solutions on what you can change. Be aware: this is an external tool, so make sure to not send sensitive information in the test e-mail. Also, the tool is used mostly for newsletters, which means that it checks some aspects of the e-mail which are not relevant for application e-mails from a system like Workplace Management.