Tye Graham

Do I need to whitelist an IP for my SPF Records and Mail Gateway?

Discussion created by Tye Graham Employee on Dec 16, 2014

While it is not mandatory, for some network configurations it is necessary to whitelist our mail server if you wish to have Samanage send emails on behalf of your domain and to ensure that you receive the proper notifications from the application.  Whitelisting is specifically allowing emails from a certain source  to be allowed into your email inbox and easily pass through your spam filter or junk folder.  While we try to maintain a static IP for our application and servers, it is possible at times that the IP address will change.

 

For US Customers, all Samanage mail is sent from o1.mailer.samanage.com.  Our recommended practice is to whitelist o1.mailer.samanage.com on your network instead of the corresponding IP address (75.126.253.143).

 

For customers that fall under the EU datacenter, all Samanage emails are sent by Amazon SES rather than Sendgrid.  Provided below are commands to find the IP ranges:

 

On Mac/Linux

 

dig TXT amazonses.com +short| grep 'v=spf1'

 

On Windows

 

nslookup -type=TXT amazonses.com | find "v=spf1"

 


Note:  Keep in mind that those IP addresses are subject to change. If SES adds or removes any outgoing IP address, we will update the SPF record, so you need to check back from time to time, if you want to make sure you have the latest list of IP address ranges. Another thing to note is that there is no guarantee with regard to which particular SES IP address of the list of IP addresses, your email will be sent through. If you need to perform a whitelisting process for the emails you're sending through SES you will have to whitelist all SES IP address blocks.  As these are IP ranges are subject to be changed by Amazon, it is necessary to maintain this information.

 

Below is an example of how to whitelist a domain/IP address on a email client (Ex: Gmail)

 

1) Sign into the to Google Admin console.

 

 

2) From the dashboard, go to Google Apps > Gmail > Advanced Settings

3) In the Organizations section, highlight your domain.

 

4) In the Email whitelist section, enter the IP addresses of your contact's domain host to make sure any mail originating from these IP addresses are not labeled spam. If you would like to add more than one IP address, enter an IP range in CIDR notation or separate each IP address with a comma.

 

5) Click Save changes.

 

Note:  The steps to whitelist an IP on email clients may vary but should essentially share similarities.

 

Below is an example of how to add SPF Records on a DNS (Ex: GoDaddy):

 

1) Log in to your GoDaddy account and click on the domain you want to modify the records.

 

 

2) Launch the DNS Manager.

 

 

3) Scroll down to TXT (Text) section.

 

 

4) Create a new TXT record by clicking the Quick add button

 

5) Set the Host field to the name of your subdomain (e.g. "mail" if your email address is contact@mail.example.com), or to @ if you do not use a subdomain.

 

6) Fill the TXT Value field with your SPF record (e.g. "v=spf1 a mx include:secureserver.net ~all").

 

 

7) Click on the Save Zone File button at the top of the page.

 


Note:  Please keep in mind that your hosting provider?s DNS Manager layout may look a bit different than GoDaddy?s but should essentially work in a similar manner. 

If you wish to have Samanage notification emails received on your domain digitally "signed", that would required to create a DKIM record. Domain Keys Identified Mail (DKIM) is an email validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain is authorized by that domain's administrators. Below are three data points that you would need:

 

1) Mail server name and IP addresses
o1.mailer.samanage.com / 75.126.253.143

 

2) Public DKIM Key

 

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPtW5iwpXVPiH5FzJ7Nrl8USzuY9zqqzjE0D1r04xDN6qwziDnmgcFNNfMewVKN2D1O+2J9N14hRprzByFwfQW76yojh54Xu3uSbQ3JP0A7k8o8GutRF8zbFUA8n0ZH2y0cIEjMliXY4W4LwPA7m4q0ObmvSjhd63O9d8z1XkUBwIDAQAB

 

3) DKIM selector

 

smtpapi

 


Here is an example of a DKIM signature header that appears in the emails we send out:
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=mailer.samanage.com;
h=from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding;
s=smtpapi; bh=K1WFyPJXRp8vRfFI52U3Sc1J6EM=; b=lXRYSOfmrigoiobWWW
pl87YYU2ZmdMu1KhkLdBgGh9Mxm7HdOgcYbBP0jWIEXaBXlFxnWwO3eMIDZAKaV8
BDWFYxUx8RHbcYH7nvhzogdtfBbBVL7eN8mLfGYQVXFxVpEAW2IhXmjY0taKB07Y
JX4z1ATjqxoO7DoSpxI/zkiqE=

Outcomes