As of July 12, 2021, this "Learn Veracross" site has been deprecated. It will remain live through December 2022, but will no longer be updated. All knowledge content has moved to the new Veracross Community. Please update your bookmarks.
Overview
Email domain security can be added so that Veracross scans emails sent via distribution lists using the DKIM and SPF security protocols. This applies to inbound security processing and so does not apply to emails sent with Composer. There are two basic steps to enable this, one that you take with your email provider and one that you take with Veracross:
- Set up the email domain security with your own email provider.
- Enable and configure email domain security in Axiom via new links in the bottom right of the Communication homepage.
Once enabled, our servers will perform the DKIM and SPF security checks on top of the already-existing security checks. Read more about existing distribution list security here.
The Process
Once enabled, our servers check emails sent via distribution lists to make sure that the sender is not fraudulent. In the event that our email provider fails to report DKIM or SPF check results to us (which happens sometimes), we fall back to standard email security rather than stopping the email from going out.
Step One: Configure SPF and DKIM Email Domain Security With Your Email Provider
You need to take this step before configuring anything in Axiom. We are not able to provide specific guidance because email providers processes and interfaces vary quite a bit.
Step Two: Configure Email Domain Security in Axiom
Head to the bottom right of the Communications homepage where you will find two new links for viewing and adding domain security configuration. Add a new domain security configuration:
- Domain: Enter the email domain (e.g., yourschoolname.org)
- Enter the domain “OTHER” to refer to all possible domain names. See recommended settings below.
- Action:
- Verify: Process the email for DKIM and SPF results according to SPF and DKIM configuration
- Quarantine: Log the email but do not send it, regardless of the results
- SPF: Possible results are Pass, Neutral, Soft Fail, Fail
- Ignore: Allow any result
- Strict: Allow only “Pass”
- Relaxed: Allow “Pass,” “Neutral,” and “Soft Fail”
- DKIM: Possible results are Pass, Fail
- Ignore: Allow any result
- Strict: Only allow “Pass”
Check SPF and DKIM Status of Sent Emails
- The SPF and DKIM status are listed here on the Inbound Diagnostics tab of the email record. They are also available in the Diagnostics folder of email queries.
- Hover over the field names to see the possible statuses.
Recommended Settings
Ultimately, you need to decide how you want to set up your own email domain security, but here are a few recommended options to get you started. Before configuring email domain security, we strongly recommend querying existing distribution list emails and pulling in the new “SPF” and “DKIM” fields to check their values before potentially blocking emails from your own domain.
Block all domains but yours with relaxed security.
Configure two domains:
- Domain: yourschoolname.org | Action: Verify | SPF: Relaxed | DKIM: Ignore
- Domain: OTHER | Action: Quarantine | SPF and DKIM are irrelevant since the email is quarantined regardless
This configuration means that emails sent from your school’s domain (e.g., your own staff and faculty using their school email addresses) are permitted, but with relaxed security, and that no other domains are allowed.
Block all domains but yours with strict security.
Configure two domains:
- Domain: yourschoolname.org | Action: Verify | SPF: Strict | DKIM: Strict
- Domain: OTHER | Action: Quarantine | SPF and DKIM are irrelevant since the email is quarantined regardless
This is similar to the first scenario but employs greater security for emails coming from your own domain.
Allow all domains with strict security.
Configure one domain:
- Domain: OTHER | Action: Verify | SPF: Strict | DKIM: Strict
This configuration allows all emails from any domain (that pass the standard Email_1/Email_2 check) with strict security.
For Illustration Only: Mistakenly configure all emails to be quarantined.
Configure one domain:
- Domain: OTHER | Action: Quarantine | SPF and DKIM are irrelevant
This misconfiguration — shown for illustration only — would prohibit any email from being sent via a distribution list.