The Configuration Page has been redesigned to increase ease of use and efficiency for users, while also providing improved functionality. These enhancements have been made in response to feedback from users. As always, we welcome your feedback as we continue to improve Enforce. Please leave your feedback in the suggestion box at the bottom of the account overview page.



TABLE OF CONTENTS





How to access the new Configuration page

There are 2 simple ways that you can use to access the new Configuration page.


Method 1:

1. Once you are logged into your Valimail account, on the left menu panel, click on Domains.


a blue screen with white text

2. On the domain page, click on the domain name (in this example, we will click on example.net) and that will get you directly to the new Configuration page.


a screenshot of a phone


Method 2:

If you want to view the Authentication Report window before you go to the new Configuration page, you will want to use this method.


1. Repeat step no. 1 from Method 1


2. Using this method, instead of clicking on your domain name, navigate over to the far right and click on View.


a close up of a text

This action will open up the Authentication Report tab where you can take a look at the email activity of your domain.


a close up of a box



3. In order to get to the new Configuration page from here, all you have to do is click on the Configuration tab, next to the Authentication Report.


For easy toggling between the two pages and the best possible experience between analyzing email data and configuration of services/IPs for your domain, the Configuration page and Authentication Report page are practically two tabs of the same window within the Enforce platform.





Contents of the new Configuration page


The new Configuration page aims to improve the level of functionality of the current layout, while also presenting the information in a more scalable way and increasing the ease of use.


Below we list all the contents of the Configuration page and in the following chapters, we take a look at the functionality of each of them.


The new Configuration page can be split into 5 main sections as follows:


a screenshot of a computer


a screenshot of a computer




Section 1 

  • The Domain Configuration - This status tells you if you are successfully pointing DMARC to Valimail

The word Configured

The words Not configured

  • The DMARC Policy - Tells you which policy is currently set for your domain.


The words DMARC Policy: Reject

  • The Sending Status - This tells you what is the sending status of your domain, if it's an Active domain, a Blocked one, or used for Reporting Only.


The words Sending Status: Active



Section 2


  • The DNS Configuration - You will see here if you are pointing DMARC, SPF, and DKIM to Valimail for your domain.

We recommend that you point DMARC, SPF, and DKIM to Valimail for any domain you wish to manage in the Valimail platform so that we can make sure it is protected at all times.


Each of these 3 items provides instructions on how to point those records to Valimail.


a close-up of a logo

a screenshot of a computer


Once you point all 3 records to Valimail, they will show like this:


a close-up of a label


a screenshot of a computer


Section 3


  • The Enabled Sender module, the Netblock module, and the DKIM key module.


a screenshot of a computer



Section 4


  • The Add External Reporting Domain area - It is possible to send your DMARC reports to an email address that does not fall within the scope of your own domain through DMARC External Destination Verification. If you own the domain company.com, you can send your reports to an address (example) rua@mailreports.net, where company.com has no authority over mailreports.net and they are two completely separate domains. 


However, in order to achieve this, the report receiving domain (mailreports.net) needs to provide approval that it is agreeing to receive reports containing the DMARC data of your domain (company.com).

You can find more info on this topic here: https://support.valimail.com/support/solutions/articles/48001225072-external-domain-verification


a white rectangular object with a black border


Section 5


  • The Email Subdomains module - Here, you can add any sending subdomains that need to be classified and configured.


a screenshot of a computer





Domain Status in the new Configuration page


The definition of the Domain Status on the Configuration page refers to the DMARC configuration status of the domain (whether you've pointed the domain's DMARC record to Valimail or not).


If you are pointing DMARC successfully to Valimail, the Domain Status will always show Configured.

If you are not currently pointing DMARC to Valimail for that domain, the Domain Status will always show Not Configured.


When you point DMARC to Valimail, sometimes the changes you make in the DNS will take a bit longer to finish propagating through the internet. That is one of the reasons why we encourage a TTL of 300 seconds when pointing DMARC, SPF, and DKIM to Valimail, just so that the changes will take effect as soon as possible. Just remember that if you do not see the Domain Status as Configured in Enforce immediately after you pointed DMARC to Valimail, you should wait for a few minutes.






How to change the Sending Status in the new Configuration page


The Sending Status of a domain can be set to Active, Blocked, or Reporting Only.


This topic is explored in greater detail in the following article: https://support.valimail.com/support/solutions/articles/48001213597-what-are-the-differences-in-domain-sending-status-in-enforce-active-reporting-only-and-blocked


Caution: Changing the domain status is a very serious and impactful move and it can cause big disruptions in email traffic if an Active domain is set to Blocked for example. Therefore, please refrain from taking that action if you are not sure about it. Before considering making this action on any domain, please make sure you consult the article above.






How to change the DMARC Policy in the new Configuration page


When you are finished configuring all the sending services and/or IPs that are authorized to send emails on behalf of your domain, you are ready to take your domain to the next and final step: DMARC Enforcement.


When that step is reached and you decide to switch your domain to DMARC Enforcement, you will need to go to the Configuration page to change the DMARC Policy from None to Quarantine/Reject.


Here are the steps which allow you to accomplish this:


 

1. Log into your Valimail account.


2. Click on DOMAINS.

a screenshot of a computer


3. Click on the domain that you wish to make this change for.

a screenshot of a computer


4. Click on the current DMARC Policy status.

a screenshot of a computer


5. A pop-up will appear, giving you the 3 options for the DMARC Policy: None, Quarantine and Reject. The one marked in blue is the current status of your DMARC Policy. Each of the 3 DMARC Policy statuses has a short definition, explaining what that specific policy means.


Click on your new desired DMARC Policy 

a screenshot of a computer


6. Click on CHANGE POLICY.

a screenshot of a computer


Quarantine and Reject are both considered DMARC Enforcement.


 


7. There is also an Advanced Options link on that pop-up and clicking on that will show you additional configuration options for your DMARC policy:


a screenshot of a computer screen



Our recommendation is that you do not change anything on this Advanced Options page unless you have a specific use case for these options. It is recommended that you verify any changes on the Advanced Options page with a member of the Valimail Support team.


Here are some important aspects of this window:


1. Enforcement should always be 100%, anything lower than that is not considered Enforcement.

2. The subdomain policy should always use/follow the top-level domain policy, just like in the screenshot above. Having the top-level domain at DMARC Enforcement but a subdomain at None does not put your entire domain at DMARC enforcement.

3. Strict Alignment should not be checked for SPF or DKIM unless you are absolutely sure you have a legitimate business reason to do so. Checking Strict SPF or DKIM alignment can seriously affect your email deliverability.





How to add a new service on your Enabled Senders list in the new Configuration page


Whenever you get to the conclusion that a certain sending service that currently sends emails on behalf of your domain is an authorized sender, you will then need to configure that sender to send properly DMARC-authenticated emails on behalf of your domain.


Steps:


1. Log into your Valimail account.


2. Click on DOMAINS.

a screenshot of a computer 


3. Click on your domain.

a screenshot of a computer



 4. Click on Enabled Sender or Netblock.

a screenshot of a computer


5. Pick the sending service you want to authorize from the drop-down. You can also start typing the name of that service to find it faster.

a screenshot of a computer


6. Select the sending service.

a screenshot of a computer


7. Enter a comment if needed and then click on ADD. (You can say as a comment, who is using that service from your organization. This will greatly help you track down that service owner in the future, should you need to).

a screenshot of a computer




Note: Adding a sending service to your Enabled Sender list does not necessarily mean that from that moment on, the emails sent by that service on behalf of your domain will also pass DMARC.
In order for that to happen, you must make sure that the emails that the service is sending are SPF aligned for your domain. If they are already being sent with SPF alignment, there is no other action you need to do.
If they are not sent in SPF alignment for your domain, you will need to contact the service owner (person/team who is using that service) and ask them to turn on SPF alignment for your domain from their admin console.
Adding a service in your SPF record (Enabled Senders), is only the first half of the configuration process, and it means you are basically authorizing/whitelisting that service.






How to add a Netblock/IP in the new Configuration page


When you identify an internal IP that does not necessarily belong to a service that is sending emails on behalf of your domain, or someone in your organization is using just 1 or 2 IPs from a certain sending service, that means those IPs are authorized and they should be configured to send DMARC authenticated emails on behalf of your domain moving forward.


Steps:


1. Log into your Valimail account.


2. Click on DOMAINS.

Screenshot of the Domains tab 


3. Click on your domain.

Screenshot of a domain text



 4. Click on Enabled Sender or Netblock.

Screenshot of Enabled Sender or Netblock


5. Once the pop-up window opens up, first make sure the tab called Internal Sender is selected:


a screenshot of a email



6. Make sure you add the IP or IP class in the Netblock IP Address Range. If that IP belongs to a known sender, you can select that sender from the Associated Sender box. This is important for the classification of email traffic purposes. 

If the Netblock is just an internal IP, there is no need to associate it with any sender.

You can also add some notes (just like you can do when you add a sending service) in the Name (Optional) field but as the field says, that is just optional. Any note added in there will be just so that you know who exactly in your organization is using that IP.


a screenshot of a email




Note: Adding an IP in your Netblocks does not necessarily mean that from that moment on the emails sent by that IP on behalf of your domain will also pass DMARC.
For that to happen, you must make sure that the emails that IP is sending are SPF aligned for your domain. If they are already being sent with SPF alignment, there is no other action you need to do.
If they are not sent in SPF alignment for your domain, you will need to contact the service owner (person/team which is using that IP) and ask them to turn on SPF alignment for your domain, from their admin console.
Adding an IP in your SPF record (Netblocks), is only the first half of the configuration process, and it just means you are authorizing/whitelisting that IP.






How to add a DKIM key in the new Configuration page


Configuring DKIM on any service/IP that can support it is the best way to authenticate that service as DKIM signing can greatly increase your deliverability rate in general for that service/IP.

We, therefore, encourage you to configure any service/IP via DKIM wherever possible. Some services might not support SPF alignment and instead require DKIM signing. 

DKIM keys are always of 2 types, TXT or CNAME, depending on what the service that issues that key supports.



How to add a DKIM Key in the new Configuration page



1. Log into your Valimail account.


2. Click on DOMAINS.

Screenshot of Domains 


3. Click on your domain.

Screenshot of a domain name



4. Click on DKIM Key.


a screenshot of a computer


5. On the window that opens up, make sure you fill in all the correct items pertaining to that key:


a. Add the Selector of that DKIM Key.

b. Select the proper service to associate that key with it.

c. Make sure you choose the proper record type for that key (CNAME key or TXT if it's a TXT key).

d. Make sure you add the CNAME target of that specific key in the CNAME field if it's a CNAME key or add the TXT value of the key in the TXT field if the key is a TXT one. (Below are 2 screenshots of how a CNAME and a TXT key should look like when added).

e. Optionally, you can leave a comment that represents who gave that key to you, just so you can later track down the owner/admin of that key.


CNAME DKIM KEY:

a screenshot of a computer


TXT DKIM Key:

a screenshot of a computer




6. You might also notice an option called Advanced Options right above the Comments field. If you click on the dropdown arrow next to that you will see the following options:


a screenshot of a computer


IMPORTANT!

a. This is a newly created DKIM key - You can only check this option if the key you are adding is a newly issued one. Valimail will track the key age in case you want to rotate the keys manually.

b. Only allow exact domain signing - You can only check this option if the key you are adding has the t=s tag.



7. After you completed all the necessary fields with the proper DKIM key info, click on Add.



Note: After the DKIM key is added in Valimail Enforce, you need to reach out back to the person/team that gave you that key and make sure they enabled/verify the key in their admin console. This is very important because if that key is not enabled on the service owner's end, it will not sign any email sent with that service on behalf of your domain.






How to add a subdomain in the new Configuration page


When you have one or more subdomains that are active and are being used to send emails on their behalf you will need to make sure they are added and properly classified on the Configuration page.

There are 2 types of active sending subdomains: a multiple sender subdomain or a single sender subdomain. They are classified as such, judging by the sending services that are using those subdomains


a. multiple sender subdomain - if there is more than one sending service and/or IP that is sending emails on behalf of it.

b. single sender subdomain - if there is just 1 sending service or 1 IP which is sending emails on behalf of that subdomain.


This is an important difference that you will need to consider when adding your respective subdomain, both for configuration and classification purposes.


To read more about subdomains, please check out this article.


Steps to add a multiple sender subdomain:


1. On the Configuration page, please navigate to the Email Subdomains area, by scrolling toward to bottom of the page.

Once there, click on Add Email Subdomain.


a white background with a black line



2. Add the subdomain in the Name field and then click on Add Email Subdomain.


a screenshot of a login page


3. Once added, the subdomain will look like this: 


a screenshot of a computer



This and any other multiple sender subdomains that you add will have their respective Enabled Senders, Netblocks, and DKIM areas in the platform, just like you have on the top-level domain.

Since this is a multiple-sender subdomain, you will need to point SPF to Valimail for it. In addition, if you want to manage the DKIM keys in Valimail Enforce for this subdomain as well, you will need to point DKIM to Valimail for this subdomain before that.

Once you point SPF to Valimail for this subdomain, you can add any services and/or IPs that need to be authorized as sending on behalf of it, in the Configuration page.





Steps to add a multiple sender subdomain:


IMPORTANT!

Single sender subdomains are not managed for SPF from the Valimail platform. They will continue to be managed for SPF from your DNS. DKIM keys associated with a vendor that uses a dedicated subdomain may need to be published on the organizational domain in Valimail Enforce. There are multiple reasons why single sender subdomains are not managed from the Valimail platform, but the most important one is that they require the SPF and MX records to be pointed to their DNS. 



1. On the Configuration page, please navigate to the Email Subdomains area, by scrolling toward to bottom of the page.

Once there, click on Add Email Subdomain.


Screenshot of Email Subdomains



2. Add the subdomain in the Name field and then click on Add Email Subdomain.


a screenshot of a login form



3. Once added, the subdomain will look like this: 


a screenshot of a web page



Since this is a single sender subdomain, you will not be pointing SPF to Valimail for it. Such subdomains are not required to be present in the Enforce platform, but it's better to have them added, just for classification purposes.


If you will add a single sender subdomain, you will just need to make sure that the Single Sender toggle option is enabled for this subdomain:


a screenshot of a computer






We hope that you will find all the info above very helpful in better managing your domains within the Valimail Enforce platform.


As always, if you have any questions, please don't hesitate to submit a ticket