Ensuring that your emails reach their intended recipients is crucial for effective communication. Your network administrator may need to update your email and DNS servers to improve your email delivery rates.
- Finalsite sends emails on behalf of your personnel, making them appear to come directly from your district or school.
- This step-by-step guide will help improve email delivery rates by:
- setting up SPF, DKIM, and DMARC
- configuring IP whitelisting
- monitoring email protocols
Authorizing Finalsite to send emails on your behalf helps prevent messages from being rejected or flagged as spam by email services used by your organization, parents, and students. Follow these guidelines to ensure your messages are delivered efficiently and securely.
In this Article
- Step 1: Authorize email sending and authentication
- What are SPF, DKIM, and DMARC?
- Configure your Global SPF, DKIM, and DMARC settings
- Step 2: Configure IP Whitelisting
- What is Whitelisting?
- Configure your Global IP whitelisting settings
- Office 365 configuration
- GSuite configuration
- Step 3: Verification and maintenance
- Step 4: Success!
Step 1: Authorize email sending and authentication
Authorizing Finalsite to send emails on your behalf helps prevent messages from being rejected or flagged as spam by email services used by your organization, parents, and students. Follow these guidelines to ensure your messages are delivered efficiently and securely.
What are SPF, DKIM, and DMARC?
SPF, DKIM, and DMARC are used to let email service providers know that you have authorized Finalsite to send email on behalf of your school district personnel:
- Sender Policy Framework (SPF): An email verification system that allows domain owners to identify the mail servers they use to send mail. This helps ensure that forged emails are caught by spam filters, while legitimate emails get through.
- DomainKeys Identified Mail (DKIM): A form of email authentication that adds an encrypted signature to your email messages, proving they came from a trusted source and were not modified in transit.
- Domain-based Message Authentication, Reporting & Conformance (DMARC): An email validation system that allows you to create policies for blocking fraudulent activity appearing from your domain. To pass DMARC, a message must pass authentication and alignment with SPF and/or DKIM.
Configure your Global SPF, DKIM, and DMARC settings
- From the Communications HQ interface menu, navigate to Settings > Global Settings.
- Click on instructions for setting up SPF, DKIM, and DMARC.
- Follow the on-screen instructions to verify the setup.
-
Set up SPF record: Update or set up an SPF record to include: _spf.bbnotify.net
- If your district does not have an SPF record, your network administrator will need to add a record to your DNS. We recommend adding the following:
host type value @ TXT v=spf1 mx include:_spf.bbnotify.net -all
- If your district does not have an SPF record, your network administrator will need to add a record to your DNS. We recommend adding the following:
- Important Note: If you require an additional SPF entry, be sure to include it in the same line.
- Add DKIM DNS records: Follow the instructions in your email application to set up DKIM DNS records.
- Set up DMARC: Implement DMARC policies to block fraudulent activities appearing from your domain.
-
Set up SPF record: Update or set up an SPF record to include: _spf.bbnotify.net
Step 2: Configure IP whitelisting
What is whitelisting?
Whitelisting is a security measure that grants access only to approved entities, such as email addresses, IP addresses, applications, or websites, while denying access to anything not on the list. For email servers, this may involve configuring them to accept messages from Finalsite's servers, either through SPF records or manual whitelisting of Finalsite's IP addresses. Consult your network administrator to determine if your email servers need configuration changes.
Configure your Global IP whitelisting settings
- From the Communications HQ interface menu, navigate to Settings > Global Settings.
- In Global Settings, select "Click here to improve your email delivery"
- Provide your email domain and click Verify.
- Verify SPF, DKIM, and DMARC records.
- Remove rate limits: Ensure no rate limits on emails from Finalsite CE relays by allowing IP addresses 192.230.230.0/24 and 69.196.242.0/24.
- When you see congratulation messages verifying records for SPF, DKIM, and DMARC, the verification is complete and everything is properly set up on your DNS. If you don't see congratulation messages for each one, have your network administrator set up the email authentication protocols on your DNS.
Office 365 configuration
All Office 365 users must update their connection filter policy to allow these IP addresses. Learn more in the article, "Configure connection filtering."
Here are the instructions:
- Sign in to the "Microsoft Security & Compliance Center".
- Click the Policies and rules item on the left sidebar menu and select "Threat Policies".
- Click the Policies and rules > Anti-Spam under the Policies. To go directly to the Anti-spam policies page, use https://security.microsoft.com/antispam.
- Click the Connection filter policy and select the "Edit connection filter".
- Add the IP addresses (192.230.230.0/24, 69.196.242.0/24) to the section labeled "Always allow messages from the following IP addresses or address range".
- Enable the Turn on safe list option.
- Click Save to complete the process.
GSuite configuration
All GSuite users must add these IP addresses to your email allowlist. Learn more in the article, "Add IP addresses to allowlists in Gmail."
Here are the instructions:
- Your current account, might not have permission to do these steps. Make sure you're signed in to an administrator account.
- In the Admin console, go to Menu >Apps > Google Workspace > Gmail > Spam, Phishing and Malware.
- On the left, select the top-level organization. This is usually your domain.
- On the Spam, phishing, and malware tab, scroll to the Email allowlist setting. Or, in the search field, enter email allowlist.
- Enter the IP address of the sending mail servers you want to add to the allowlist - for Finalsite mail services - 192.230.230.0/24, 69.196.242.0/24. To add more than one IP address, enter an IP range (using CIDR notation) or separate individual IP addresses with commas.
- Note: Enter public IP addresses only. This setting doesn't support private IP addresses.
- At the bottom of the page, click Save.
Important Note:
Are you using Barracuda Email Protection or other similar security vendors? Please open a ticket directly with the vendor to remove rate limits.
Step 3: Verification and maintenance
Finalsite uses TLS (Transport Layer Security) for email delivery. Ensure your server supports at least TLS 1.1 (TLS 1.2 recommended). If your server does not support TLS, configure it to accept unencrypted SMTP or upgrade TLS functionality. This may differ in instructions, depending on your mail server.
Step 4: Success!
By following these steps, you can enhance email delivery, ensuring messages reach your intended recipients efficiently and securely. If you have any issues or need further assistance, reach out to your network administrator or email service provider.