DNS Record Fix for SPF, DKIM, and DMARC (Hero Allies)

📘 Knowledge Base: DNS Record Fix for SPF, DKIM, and DMARC (Hero Allies)

Overview

Hero Allies had multiple DNS records for SPF and DMARC, which caused email authentication failures. This document outlines:

  • What the DNS records looked like before
  • The issues that caused problems
  • The consolidated, corrected records (with Apollo’s recommended DMARC)
  • Records that were deleted and why
  • How DKIM selectors work and why multiple keys are normal
  • Next steps for verification

🔴 Before (Problem State)

SPF Records (Multiple, Invalid)

@                   TXT  v=spf1 include:_spf.google.com ~all include:dc-3ae7784a9e._spfm.heroallies.com
dc-3ae7784a9e._spfm TXT  v=spf1 a include:_spf.flowlu.com include:_spf.google.com include:sendgrid.net ip4:66.147.239.51 mx ~all
mailgun             TXT  v=spf1 include:mailgun.org ~all

  • Problem: Multiple SPF records at root (@) + sub-delegations.
  • Impact: Mail servers reject SPF as invalid because only one v=spf1 record is allowed.

DMARC Records (Multiple, Invalid)

_dmarc TXT v=DMARC1; p=quarantine; rua=mailto:report@heroallies.com
_dmarc TXT v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc_rua@onsecureserver.net;

  • Problem: Two separate DMARC records existed.
  • Impact: Receiving mail servers ignore DMARC enforcement, making policy ineffective.

DKIM Records

  • Google Workspace DKIM was already set.
  • Mailgun and SendGrid require their own DKIM, managed via CNAMEs.

🟢 After (Fixed State)

SPF (Single Consolidated Record at @)

@ TXT v=spf1 include:_spf.google.com include:_spf.flowlu.com include:sendgrid.net include:mailgun.org ip4:66.147.239.51 mx ~all

  • Consolidated all sending services (Google, Flowlu, SendGrid, Mailgun).
  • Only one SPF record at the root domain.
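The single-record rule above, and the ordering problem in the old root record, can be checked mechanically before and after a DNS change. The following Python is an added example, not part of this knowledge-base entry: it takes the TXT strings exactly as `dig <name> TXT +short` prints them (the old and new root records from this page are embedded as sample input) and applies the RFC 7208 rules that only one v=spf1 record may exist per name, that any term after `all` is never evaluated, and that at most 10 lookup-causing terms are allowed. Only top-level terms are counted; nested includes are not resolved.

```python
"""SPF sanity checks over the TXT strings that `dig <name> TXT +short` returns.

Added example, not part of the Hero Allies knowledge-base entry. The two root
records are copied from the entry; the rules applied are those of RFC 7208.
"""
import re

# Sample input taken from the page: the TXT value at @ before and after the fix.
ROOT_TXT_BEFORE = [
    "v=spf1 include:_spf.google.com ~all include:dc-3ae7784a9e._spfm.heroallies.com",
]
ROOT_TXT_AFTER = [
    "v=spf1 include:_spf.google.com include:_spf.flowlu.com include:sendgrid.net "
    "include:mailgun.org ip4:66.147.239.51 mx ~all",
]

# Terms that cost a DNS lookup; RFC 7208 section 4.6.4 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def spf_records(txt_values):
    """Keep only the TXT strings that are SPF records (version tag v=spf1)."""
    return [v for v in txt_values if v.lower() == "v=spf1" or v.lower().startswith("v=spf1 ")]


def term_name(term):
    """'~include:_spf.google.com' -> 'include'; 'a/24' -> 'a'; 'redirect=x' -> 'redirect'."""
    stripped = re.sub(r"^[+\-~?]", "", term)  # drop the qualifier, if any
    return re.split(r"[:=/]", stripped, maxsplit=1)[0].lower()


def terms_after_all(record):
    """Return the terms that follow the 'all' mechanism; receivers never evaluate them."""
    terms = record.split()[1:]  # drop the version tag
    for i, term in enumerate(terms):
        if term_name(term) == "all":
            return terms[i + 1:]
    return []


def lookup_count(record):
    """Count top-level lookup-causing terms (nested includes are not resolved here)."""
    return sum(1 for term in record.split()[1:] if term_name(term) in LOOKUP_TERMS)


def check_spf(txt_values):
    """Return a list of problems for one DNS name; an empty list means it passes."""
    records = spf_records(txt_values)
    if not records:
        return ["no v=spf1 record published"]
    problems = []
    if len(records) > 1:
        # RFC 7208 section 4.5: a record set with more than one SPF record is a permerror
        problems.append(f"{len(records)} v=spf1 records published; receivers return permerror")
    for record in records:
        for term in terms_after_all(record):
            problems.append(f"term '{term}' appears after 'all' and is ignored")
        if lookup_count(record) > MAX_LOOKUPS:
            problems.append(f"{lookup_count(record)} lookup terms exceed the limit of {MAX_LOOKUPS}")
    return problems


if __name__ == "__main__":
    for label, txt in (("before", ROOT_TXT_BEFORE), ("after", ROOT_TXT_AFTER)):
        print(label, check_spf(txt) or "OK")
```

Run against the old root record it reports the `include:dc-3ae7784a9e._spfm.heroallies.com` term as ignored because it sits after `~all`; the consolidated record passes with 5 of the 10 allowed lookup terms at the top level.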

DMARC (Single Consolidated Record at _dmarc)

_dmarc TXT v=DMARC1; p=none; sp=none; pct=100; rua=mailto:report@heroallies.com; ruf=mailto:report@heroallies.com; ri=86400; aspf=s; adkim=s; fo=1

  • Updated to Apollo’s recommended DMARC configuration.
  • Policy: p=none (monitor only, no enforcement yet).
  • Alignment: strict (aspf=s; adkim=s) for exact domain match.
  • Reports: aggregate (rua) and forensic (ruf) both to report@heroallies.com.
  • Other options: daily reports (ri=86400), request failure details (fo=1), apply to all mail (pct=100).
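The tags listed above follow the RFC 7489 `tag=value;` syntax, so a record can be parsed and checked rather than eyeballed. The following Python is an added example, not part of this knowledge-base entry: it parses the two old `_dmarc` records and the new one (all copied from this page), reports the two-record condition that caused receivers to apply no policy, and validates the p=, sp=, aspf=, adkim=, pct= and report-URI tags of a single record.

```python
"""Parse and sanity-check the DMARC record at _dmarc.<domain> (RFC 7489 tag=value syntax).

Added example, not part of the Hero Allies knowledge-base entry; the record
strings below are copied from the entry.
"""

# Sample input taken from the page: TXT values at _dmarc before and after the fix.
DMARC_BEFORE = [
    "v=DMARC1; p=quarantine; rua=mailto:report@heroallies.com",
    "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc_rua@onsecureserver.net;",
]
DMARC_AFTER = [
    "v=DMARC1; p=none; sp=none; pct=100; rua=mailto:report@heroallies.com; "
    "ruf=mailto:report@heroallies.com; ri=86400; aspf=s; adkim=s; fo=1",
]

POLICIES = {"none", "quarantine", "reject"}
ALIGNMENT_MODES = {"r", "s"}  # relaxed / strict


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict that keeps tag order; tag names are lower-cased."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def is_enforcing(tags):
    """True only when failing mail is actually acted on (p=quarantine or p=reject)."""
    return tags.get("p") in {"quarantine", "reject"}


def check_dmarc(txt_values):
    """Return a list of problems for the TXT set at _dmarc.<domain>; empty means it passes."""
    records = [v for v in txt_values if v.lower().startswith("v=dmarc1")]
    if not records:
        return ["no DMARC record published"]
    if len(records) > 1:
        # RFC 7489 section 6.6.3: with more than one record, receivers stop and apply no policy
        return [f"{len(records)} DMARC records published; receivers apply no policy"]
    tags = parse_dmarc(records[0])
    problems = []
    if list(tags)[:2] != ["v", "p"]:
        problems.append("v= must be the first tag and p= the second")
    if tags.get("p") not in POLICIES:
        problems.append(f"invalid p= value {tags.get('p')!r}")
    if "sp" in tags and tags["sp"] not in POLICIES:
        problems.append(f"invalid sp= value {tags['sp']!r}")
    for tag in ("aspf", "adkim"):
        if tag in tags and tags[tag] not in ALIGNMENT_MODES:
            problems.append(f"invalid {tag}= value {tags[tag]!r}")
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and 0 <= int(pct) <= 100):
        problems.append(f"pct= must be 0-100, got {pct!r}")
    if "rua" not in tags:
        problems.append("no rua= address; aggregate reports will not be delivered")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.startswith("mailto:"):
                problems.append(f"{tag}= entry {uri!r} is not a mailto: URI")
    return problems


if __name__ == "__main__":
    print("before:", check_dmarc(DMARC_BEFORE) or "OK")
    print("after: ", check_dmarc(DMARC_AFTER) or "OK")
    print("enforcing:", is_enforcing(parse_dmarc(DMARC_AFTER[0])))
```

The old record set fails on the first check alone (two records), which is why neither the quarantine nor the reject policy ever took effect; the new record passes, and `is_enforcing` reports False because p=none only monitors.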

DKIM

  • Google Workspace DKIM: Already configured, with selector named apollo.
  • Mailgun / SendGrid DKIM: Ensure CNAMEs from each service are present.

πŸ—‘οΈ Removed Obsolete Records

1. dc-3ae7784a9e._spfm

dc-3ae7784a9e._spfm TXT v=spf1 a include:_spf.flowlu.com include:_spf.google.com include:sendgrid.net ip4:66.147.239.51 mx ~all

  • Why deleted:
    • Previously referenced in the old root SPF via include:dc-3ae7784a9e._spfm.heroallies.com.
    • No longer needed after consolidating all mechanisms directly into the root SPF.
    • Keeping it would cause confusion since it is unused.

2. mailgun

mailgun TXT v=spf1 include:mailgun.org ~all

  • Why deleted:
    • Applied only to mailgun.heroallies.com subdomain.
    • Root SPF already includes include:mailgun.org, so Mailgun is authorized.
    • Unless sending from @mailgun.heroallies.com (not used), this record served no purpose.

🔑 Understanding DKIM Selectors

  • Each DKIM record uses a selector, which is simply a label before ._domainkey.
  • A few examples of how selectors can look for Hero Allies:

apollo._domainkey.heroallies.com   TXT   (Google Workspace DKIM)
s1._domainkey.heroallies.com       CNAME  s1.domainkey.u123456.wl.sendgrid.net (SendGrid DKIM)
mailgun._domainkey.heroallies.com  CNAME  mailgun.org.dkim (Mailgun DKIM)

Key Points

  • Having multiple DKIM records is normal; each service uses its own selector.
  • The selector name apollo in Google Workspace does not mean Apollo.io controls your mail. It’s just a label chosen when DKIM was first enabled.
  • Services like Google, Mailgun, and SendGrid can all coexist by publishing their own DKIM selectors.
  • The important rule: only one TXT/CNAME record per selector.
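The selector rule and the "one record per selector" rule can be checked over a zone snapshot. The following Python is an added example, not part of this knowledge-base entry: it splits `<selector>._domainkey.<domain>` names into their parts, parses a DKIM TXT value, and flags a selector that publishes more than one record or a key with an empty p= tag (which RFC 6376 defines as a revoked key). The zone data is constructed to mirror the page's selector examples; the p= values are placeholders, not real public keys, and the CNAME targets are the page's examples with the trailing dot that `dig` prints.

```python
"""DKIM selector bookkeeping: parse selector names and check one record per selector.

Added example, not part of the Hero Allies knowledge-base entry. ZONE and
BROKEN_ZONE are constructed snapshots (name -> list of (rrtype, value)) in the
shape `dig` output would give; p= values are placeholders, not real keys.
"""

ZONE = {
    "apollo._domainkey.heroallies.com": [("TXT", "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY")],
    "s1._domainkey.heroallies.com": [("CNAME", "s1.domainkey.u123456.wl.sendgrid.net.")],
    "mailgun._domainkey.heroallies.com": [("CNAME", "mailgun.org.dkim.")],
}

BROKEN_ZONE = {
    # Same selector published as both TXT and CNAME: RFC 1034 forbids other data beside a CNAME.
    "s1._domainkey.heroallies.com": [
        ("TXT", "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"),
        ("CNAME", "s1.domainkey.u123456.wl.sendgrid.net."),
    ],
    # Empty p= tag: RFC 6376 section 3.6.1 treats this as a revoked key.
    "old._domainkey.heroallies.com": [("TXT", "v=DKIM1; k=rsa; p=")],
}


def split_selector(name):
    """'apollo._domainkey.heroallies.com' -> ('apollo', 'heroallies.com'); None if not a DKIM name."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 3 or labels[1] != "_domainkey":
        return None
    return labels[0], ".".join(labels[2:])


def parse_dkim_txt(value):
    """Split a DKIM key record 'v=DKIM1; k=rsa; p=...' into a tag dict."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if part and "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    return tags


def check_dkim(zone):
    """Return {selector: [problems]} for every _domainkey name in the zone snapshot."""
    report = {}
    for name, rrs in zone.items():
        parsed = split_selector(name)
        if parsed is None:
            continue  # not a DKIM selector name (e.g. _dmarc or the apex)
        selector, _domain = parsed
        problems = []
        if len(rrs) > 1:
            problems.append(f"{len(rrs)} records at selector; publish exactly one TXT or one CNAME")
        for rrtype, value in rrs:
            if rrtype != "TXT":
                continue  # a CNAME delegates the key to the sending service; nothing to parse here
            tags = parse_dkim_txt(value)
            if tags.get("v", "DKIM1") != "DKIM1":
                problems.append(f"unexpected version tag {tags['v']!r}")
            if not tags.get("p"):
                problems.append("empty p= tag: this key is revoked and signatures will not verify")
        report[selector] = problems
    return report


if __name__ == "__main__":
    for label, zone in (("zone", ZONE), ("broken", BROKEN_ZONE)):
        for selector, problems in check_dkim(zone).items():
            print(f"{label}/{selector}: {problems or 'OK'}")
```

The three selectors from the page coexist without conflict because each has exactly one record; the constructed broken zone shows the two conditions worth catching when a service's DKIM CNAME is added next to a leftover TXT record, or an old key is left in place with its p= value cleared.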

✅ Verification Steps

Run these commands after DNS propagates:

dig heroallies.com TXT +short        # Check SPF
dig _dmarc.heroallies.com TXT +short # Check DMARC
dig apollo._domainkey.heroallies.com TXT +short # Check Google Workspace DKIM
dig s1._domainkey.heroallies.com CNAME +short   # Check SendGrid DKIM
dig mailgun._domainkey.heroallies.com CNAME +short # Check Mailgun DKIM

Or use online tools:


📌 Next Steps

  • Confirm DKIM records for Google, Mailgun, and SendGrid are live and verified.
  • Monitor DMARC reports sent to your rua and ruf addresses.
  • Once stable, consider moving from p=none → quarantine → reject for stronger protection.