SPF, DKIM, DMARC: Are You All Set With the New Email Sending Requirements?

Starting this year, both Gmail and Yahoo! Mail have stricter requirements for anyone sending mass email, which is exactly what you do when you send out a mailing with Dada Mail. These include making sure your SPF, DKIM, and DMARC records exist, are correct, and are aligned.

Quickly Test Compliance

If you use Gmail, you can use it to test compliance quickly: send a test mass mailing from your mailing list to your Gmail account.

Tip: send a test mass mailing to any email address in Dada Mail by clicking the Options tab, then the Testing tab. Add the Gmail address to the textbox labeled, Send test to these email addresses: and click the button labeled, Send Test.

Receiving it is a good initial sign! If you don’t, check your Spam folder first; landing there is a clue that something needs to be tweaked.

Open up the message and check its source by clicking, “< > Show Original” under the “More” menu (the button labeled with three vertical dots).

A few important headers are summarized at the top, hopefully showing some or all of the following: SPF, DKIM, and DMARC. Each should have a value of, “PASS”, perhaps with some additional information:

At least in our example, Gmail is explicitly telling us that DKIM is passing.

But what about SPF and DMARC? Look further down, in the raw source of the message, and do a quick search. Look for “spf=pass” and “dmarc=pass” (and, for completeness, “dkim=pass”) in the Authentication-Results header embedded in the message source itself.

The information found in the Authentication-Results header gives me a good feeling that SPF, DKIM, and DMARC are all set up correctly, that my mailing list is in compliance, and that there’s nothing else I need to do. Yahoo! Mail also exposes the Authentication-Results header for you to view.

If any of these verdicts say FAIL, or are missing completely, you’ll want to look closer into getting those issues resolved as soon as you can. Also note the domain each verdict refers to (smtp.mailfrom for SPF, header.i or header.d for DKIM, header.from for DMARC): DMARC only passes when the SPF or DKIM domain aligns with your From: domain, so an SPF pass on some other domain does not help you here.
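
As an added example (not part of this post, and not Dada Mail code), here is a small Python script that does the same search over the raw source you get from “Show Original”: it finds every Authentication-Results header, strips the parenthesised comments, and reports the spf, dkim and dmarc verdicts, flagging any that are missing. The message source embedded in it is constructed; the domains, selector, signature fragment and IP address are placeholders.

```python
"""Read the spf/dkim/dmarc verdicts out of Authentication-Results headers.

Added example for this post; not Dada Mail code. SAMPLE_SOURCE is a
constructed message in the shape Gmail shows under "Show original"; the
domains, selector, signature fragment and IP address are placeholders.
"""
import email
import re
from email import policy

SAMPLE_SOURCE = """\
Delivered-To: reader@example.com
Authentication-Results: mx.google.com;
       dkim=pass header.i=@lists.example.org header.s=dada header.b=AbCdEf12;
       spf=pass (google.com: domain of bounces@lists.example.org designates 203.0.113.25 as permitted sender) smtp.mailfrom=bounces@lists.example.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=lists.example.org
From: Example List <news@lists.example.org>
To: reader@example.com
Subject: Test mailing

Hello from the list.
"""

METHODS = ("spf", "dkim", "dmarc")

def parse_authentication_results(value):
    """Map each authentication method in one header value to its result.

    RFC 8601 layout: "<authserv-id>; method=result props; method=result ..."
    Parenthesised comments may appear anywhere and are dropped first.
    """
    value = re.sub(r"\([^)]*\)", "", value)
    results = {}
    for clause in value.split(";")[1:]:          # [0] is the authserv-id
        m = re.match(r"([a-z0-9-]+)=([a-z]+)", clause.strip(), re.I)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results

def check_message(raw_source):
    """Return {"spf": ..., "dkim": ..., "dmarc": ...} for a raw message,
    using the first verdict seen for each method and "missing" if none."""
    msg = email.message_from_string(raw_source, policy=policy.default)
    found = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in parse_authentication_results(str(header)).items():
            found.setdefault(method, result)     # outermost header wins
    return {m: found.get(m, "missing") for m in METHODS}

def all_pass(report):
    """True only when every one of spf, dkim and dmarc is "pass"."""
    return all(report.get(m) == "pass" for m in METHODS)

if __name__ == "__main__":
    report = check_message(SAMPLE_SOURCE)
    for method in METHODS:
        print(f"{method:5s} {report[method]}")
    print("all set" if all_pass(report) else "something needs attention")
```

Paste the full “Show Original” text into SAMPLE_SOURCE (or read it from a file) to check your own test message. A result of "missing" for dmarc usually means the receiving server found no DMARC record for your From: domain at all, which is a different fix from a "fail".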

More Sophisticated Validation Tools

DMARCLY has a great validation tool for these records. Simply send a test mass mailing from your Dada Mail mailing list to the following address:

check@dmarcly.com

Results will be mailed to the List Owner of your mailing list:

Here are a few quick ways to solve some of the problems you’ll find:

Quickly Fix Problems (cPanel-based accounts)

cPanel-based accounts have an Email Deliverability tool that checks whether your DKIM and SPF records exist and are correct, and can repair them. Repairing those records there could very well be all you need to do.

Quickly Fix Amazon SES Problems with SPF

To successfully send with Amazon SES, your SPF record will need to include amazonses.com as a permitted sender. For example, this SPF record does exactly that:

v=spf1 ip4:128.0.0.1 include:amazonses.com +a +mx ~all

If you are sending via Amazon SES and your SPF record does not contain include:amazonses.com, add it. Two caveats: SPF evaluation is limited to ten DNS lookups, and include:, a and mx each cost one, so prune includes you no longer use. Also, for DMARC the SPF result must align with your From: domain; SES uses its own domain as the envelope sender unless you configure a custom MAIL FROM domain in SES, so without that your DMARC pass will come from DKIM alignment rather than from SPF.
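
As an added example (not the post’s or Dada Mail’s code), the following Python script performs the checks described above on an SPF record without any DNS queries: whether include:amazonses.com is present, how many lookup-costing terms the record has against the ten-lookup limit, and whether anything follows the all mechanism. The sample records are constructed; 128.0.0.1 is the placeholder from the post.

```python
"""Static checks on an SPF TXT record: presence of a required include, the
RFC 7208 ten-DNS-lookup limit, and the position of the 'all' mechanism.

Added example for this post; it performs no DNS queries and is not Dada Mail
code. The records below are constructed; 128.0.0.1 is the placeholder from
the post.
"""
import re

# Mechanisms and the modifier that each cost one DNS lookup (RFC 7208 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10

def parse_spf(record):
    """Split an SPF record into (qualifier, name, argument) triples.

    '+a' -> ('+', 'a', None); 'include:amazonses.com' -> ('+', 'include',
    'amazonses.com'); 'a/24' keeps the name and drops the CIDR length.
    Raises ValueError if the record does not start with 'v=spf1'.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    parsed = []
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)([a-z0-9]+)(?:[:=]([^/]+))?(?:/\d+(?://\d+)?)?",
                         term, re.I)
        if not m:
            raise ValueError(f"unparseable term: {term!r}")
        qual, name, arg = m.groups()
        parsed.append((qual or "+", name.lower(), arg))
    return parsed

def includes_domain(record, domain):
    """True if the record carries include:<domain> (case-insensitive)."""
    return any(name == "include" and arg and arg.lower() == domain.lower()
               for _, name, arg in parse_spf(record))

def dns_lookup_count(record):
    """Lookup-costing terms at this level only. Includes are not followed,
    so the true total can only be higher than this."""
    return sum(1 for _, name, _ in parse_spf(record) if name in LOOKUP_TERMS)

def lint_spf(record, required_include=None):
    """Return a list of human-readable problems; an empty list means no findings."""
    problems = []
    names = [name for _, name, _ in parse_spf(record)]
    if "all" not in names:
        problems.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif names.index("all") != len(names) - 1:
        problems.append("terms after 'all' are never evaluated")
    if "redirect" in names and "all" in names:
        problems.append("'redirect=' is ignored when 'all' is present")
    n = dns_lookup_count(record)
    if n > LOOKUP_LIMIT:
        problems.append(f"{n} DNS-lookup terms exceeds the limit of {LOOKUP_LIMIT} (permerror)")
    if required_include and not includes_domain(record, required_include):
        problems.append(f"missing include:{required_include}")
    return problems

# Constructed samples.
GOOD = "v=spf1 ip4:128.0.0.1 include:amazonses.com +a +mx ~all"
NO_SES = "v=spf1 ip4:128.0.0.1 +a +mx ~all"
TRAILING = "v=spf1 include:amazonses.com ~all include:_spf.example.net"

if __name__ == "__main__":
    for rec in (GOOD, NO_SES, TRAILING):
        print(rec)
        for p in lint_spf(rec, required_include="amazonses.com") or ["ok"]:
            print("  -", p)
```

Because the script does not follow include: chains, its lookup count is a lower bound; the online validators mentioned in this post resolve the whole tree and will report the real total.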

Conclusion

We’ve just scratched the surface on DMARC, SPF, and DKIM records. It can get a little more complicated and very quickly. If you need some help with your own Dada Mail install, and wrestling with this issue, please contact us for a consult, and learn how we can help you get things straightened out.


Dada Mail 11.22.0 Released!

The latest version of Dada Mail, v11.22.0 is here! What’s new?

Focus

This version of Dada Mail includes experimental support for the Mailgun API, along with a few bug fixes.

Features

Mailgun API Support (Experimental)

Mailgun is a third party email sending service, like Amazon SES. For an overview of third party email sending services, see:

https://dadamailproject.com/d/third_party_email_services.pod.html

Additional information on Mailgun support:

https://dadamailproject.com/d/features-mailgun_support.pod.html

Bugfixes

Searching members is broken in v11.21.0 #1171

Plugin: Change List Shortname outdated – does not update many tables #1168


Delivery Problems? Double Check Real Time Blocklist Status

More often than we’d like to see, mail servers run by shared hosting companies end up on email Real-Time Blocklists (RTBLs). Receiving mail servers check these lists to decide whether to accept the messages they are offered. If the mail server you send through is on one of these lists, the chances that your mail will be accepted are lowered. It makes sense, then, to keep your outgoing mail server off of these lists!

If you’re running Dada Mail on a shared hosting account, you’re most likely also using the host’s mail server, which is shared too. Any abuse of that mail server by one of the host’s other clients that lands it on an RTBL affects everyone else using the same server. Oftentimes these mail servers are also targets of spam bots that find a way to abuse them to send email on the bots’ behalf.

If you’re experiencing mail delivery problems you can double check if you’re on one of these RTBLs. These tools will allow you to check on your status:

There’s not much you can personally do to get delisted if it’s the hosting account’s mail server that’s on one of these lists: you’ll need your host to open a ticket with the blocklist operator, and then wait for the sometimes slow delisting process to happen.
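
The lookup tools referred to above work by turning your IP address into a DNS name under each blocklist’s zone and resolving it. As an added example, not from this post or from Dada Mail, the Python below builds those names, interprets the 127.0.0.x answer codes, and runs the lookups; the zone names are assumptions chosen for illustration, and the resolver can be swapped for a table-backed fake so the logic can be exercised offline.

```python
"""Look up a sending IP address in DNS-based blocklists (RTBLs / DNSBLs).

Added example for this post, not Dada Mail code. The zones listed are
assumptions chosen for illustration; any DNSBL works the same way, but read
each list's terms of use before querying it automatically.
"""
import ipaddress
import socket

ZONES = ("zen.spamhaus.org", "bl.spamcop.net")  # illustrative choices

def query_name(ip, zone):
    """Build the name a DNSBL is queried for: address labels reversed, then
    the zone. 203.0.113.25 in zen.spamhaus.org becomes
    25.113.0.203.zen.spamhaus.org; IPv6 reverses all 32 hex nibbles."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone

def interpret(answer):
    """Classify an A-record answer. Listings come back inside 127.0.0.0/8,
    with the last octet as a list-specific reason code. 127.255.255.0/24 is
    the Spamhaus convention for an error response (for example a query sent
    through a public resolver) and is not a listing. Anything else is
    unexpected and must not be read as "listed"."""
    a = ipaddress.ip_address(answer)
    if a.version != 4 or a not in ipaddress.ip_network("127.0.0.0/8"):
        return "unexpected", None
    code = int(str(a).split(".")[-1])
    if a in ipaddress.ip_network("127.255.255.0/24"):
        return "refused", code
    return "listed", code

def check_ip(ip, zones=ZONES, resolve=socket.gethostbyname):
    """Return {zone: "clean" | "listed:<code>" | "error:<why>"}.
    NXDOMAIN (EAI_NONAME) means the address is not listed in that zone;
    any other failure is reported as an error rather than as clean."""
    not_listed = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}
    report = {}
    for zone in zones:
        try:
            answer = resolve(query_name(ip, zone))
        except socket.gaierror as err:
            report[zone] = "clean" if err.errno in not_listed else f"error:{err.strerror}"
            continue
        status, code = interpret(answer)
        report[zone] = f"listed:{code}" if status == "listed" else f"error:{status} ({answer})"
    return report

def fake_resolver(table):
    """Stand-in for socket.gethostbyname for offline use: answers from the
    given {name: address} table and raises NXDOMAIN for everything else."""
    def resolve(name):
        if name in table:
            return table[name]
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return resolve

if __name__ == "__main__":
    import sys
    ip = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.25"  # placeholder address
    for zone, status in check_ip(ip).items():
        print(f"{zone:20s} {status}")
```

Run it with the public IP your outgoing mail server actually connects from (the one in the Received: headers of a delivered message), not the web server’s address, since on shared hosting the two can differ.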

If your mail server is chronically listed on RTBLs, consider using a third party email sending service, which sidesteps this problem by using a network of mail servers that maintains a good sending reputation. We list a few third party email sending services in this support doc. Dada Mail also supports Amazon SES at the API level, and since v11.22.0 has experimental support for Mailgun at the API level. Try those out to gain better deliverability for your installation of Dada Mail!


Dada Mail v11.21.0 Released!

Summer Sale! 20% off Pro Dada Subscriptions, Installs + Upgrades.

Use code, SUMMER2023 for 20% off when you request an installation/upgrade of Dada Mail.*

* Offer good until September 5th, 2023

The latest version of Dada Mail, v11.21.0 is here! What’s new?

v11.21.0 has a few nice features pertaining to the message archives. Look for new pagination navigation elements both in the public, user-facing archives and on the admin side in the list control panel.

Pagination is now present in the list archives, making navigating through past messages much easier.
Pagination is also now present when looking at the archives in the list control panel

Search has also been improved, with pagination there as well. Search is also now available on the admin side in the list control panel!

Search is also paginated. Caching of all archive screens and search can help greatly improve app performance while browsing with archive messages

Finally, caching has been greatly improved, especially for the archive screens, helping with server and app performance.

Dada Mail’s internal screen cache saves rendered screens so that the backend SQL database isn’t accessed more than necessary

Full changelog for v11.21.0 is below:

11.21.0

This version of Dada Mail is a feature release, with a few bug fixes.

Features

Search for message archives has been added to the admin view of the archives in the list control panel.

Message Archive Pagination

https://github.com/justingit/dada-mail/issues/1127

Pagination has been added to the user view of the message archives, including search. Besides being a nice-to-have, this addresses a performance problem: since search results were not paginated in past versions, a single query could return an enormous number of results to be shown on one screen, which realistically could have hurt server performance if many such queries arrived in a short amount of time.

Pagination has also been added to the admin view of the message archives in the list control panel, including search.

reCAPTCHA protection on the Global Configuration plugin #1155

Since this plugin can reconfigure the entire app, it seemed a good idea to further protect the form that allows you to do so with a CAPTCHA. This is now the case.

https://github.com/justingit/dada-mail/issues/1155

Change DADA::Security::SimpleAuthStringState to use an SQL table/database

The login forms are protected by a simple CSRF-like scheme. The backend used a DB File, rather than saving the information needed for the protection in the SQL backend. In rare circumstances, the prerequisites to use these DB Files can be unavailable on the account.

This version changes this to have that info saved in a SQL table, and removes the need to use the DB Files.

Using the new backend should be transparent to the user – nothing extra is required. There will be a new table in the database named, dada_simple_auth_str.

Bugfixes

Scheduled Jobs (cronjobs) don’t list all the individual jobs that can be run #1161

https://github.com/justingit/dada-mail/issues/1161

List Control Panel Archive Index Screen shows empty interface if no archived messages are available #1162

https://github.com/justingit/dada-mail/issues/1162

Screen Cache is cleaned out every time scheduled jobs (cronjob) is ran #1163

https://github.com/justingit/dada-mail/issues/1163

Individual archive message screens (public view) aren’t always cached #1164

https://github.com/justingit/dada-mail/issues/1164

“Forward to a Friend” form doesn’t have any required fields #1165

https://github.com/justingit/dada-mail/issues/1165

Screen, Data Cache is not flushed when installer is run #1166

https://github.com/justingit/dada-mail/issues/1166


Dada Mail v11.20.1 Released!

This version of Dada Mail is a minor bug release.

Of note is a nasty bug in the Bridge plugin that affected some messages sent to it. These messages would fail to be sent, and a line like the following may be found in your error log:

parse_data: unable to open in-memory file handle at...

See the following issue:

https://github.com/justingit/dada-mail/issues/1135

Bugfixes

One-click unsubscription can’t be enabled #1139

https://github.com/justingit/dada-mail/issues/1139

Mis-speling in, “Subscribed” Message #1140

https://github.com/justingit/dada-mail/issues/1140

bridge – irrecoverable error processing message #1135

https://github.com/justingit/dada-mail/issues/1135

Rate Limits should be ignored for logged in administrators when handling unsubscribe requests #1130

https://github.com/justingit/dada-mail/issues/1130

Searching a list’s message archive in the public view may return 500 error #1141

https://github.com/justingit/dada-mail/issues/1141


Dada Mail v11.20.0 Released

Focus

This version of Dada Mail is a major feature release.

Features

Dada Mail Build Script

In past versions, the only person who could build a distributable, working copy of Dada Mail was the main developer (me!), as many different parts of the app lived only on my own MacBook and were assembled by a local build script. As development continued, more parts were needed to make a working package/distribution of Dada Mail, making this problem worse over time.

This hampered development by others, as no one else could check out Dada Mail and start developing. It has been my goal to remediate this problem. v11.19.0 removed a very large blocker by decoupling the Perl library bundled with Dada Mail from the main dada-mail distribution.

Starting with Dada Mail v11.20.0, all the parts needed to build Dada Mail are available on GitHub, along with the build script. This lets you build a fully working version of Dada Mail, and thus fork the main Dada Mail repo, as well as any of these other parts, to do whatever you’d like. Happy hacking!

See the README on the Dada Mail github for information on how to build Dada Mail:

https://github.com/justingit/dada-mail

as well as the source of the build script,

https://github.com/justingit/dada-mail/blob/main/make_distro.pl

as well as the new doc on how to build Dada Mail from source,

https://dadamailproject.com/d/building_dada_mail_from_source.pod.html

“Bounces” tab in the membership screen

You can now see any bounce reports that have been created for a member on their own screen, rather than having to search for them on the Bounce Scorecard or via the Log Viewer.

Screens reached by unsubscription links in mailing list messages that are followed (“clicked”) less than 5 minutes after the message is sent will have their JavaScript disabled. Such a short gap between the message being sent and the unsubscribe link being clicked is usually a sign that a human is not doing the clicking, and that behavior causes false unsubscribes, which makes list owners pretty sad. The software following the link also seems to understand JavaScript, which is why we’re disabling it. From my research, Outlook 365 with Advanced Threat Protection seems to be the biggest culprit.

This blog post does a good job explaining the problem and offering a solution, which I’ve essentially adopted:

https://blog.healthchecks.io/2019/12/preventing-office-365-atp-from-clicking-unsubscribe-links/

The arms race to stop link pre-fetching continues.

Rich Filemanager upgraded to v2.7.6

DADA::App::HTMLtoMIMEMessage added to Debug Trace Options

This is what Debug Trace Options are:

https://dadamailproject.com/d/install_dada_mail-advanced_configuration.pod.html#Configure-Debugging

Better error reporting for problems with database connections

A small change/bugfix, but this may help those trying to figure out strange database connection problems, so it’s a win.

Breaking Changes!

KCFinder Dropped

I’ve decided to stop shipping KCFinder. There are open XSS security vulnerabilities in it, and Rich Filemanager, which is also shipped, has more features and is more secure.

If you were using KCFinder, Rich Filemanager will be selected for you by default.

Core 5 Filemanager is still bundled with Dada Mail, and the backend has been updated (by me).

Bugfixes

Data::Google::Visualization::DataTable defaults to using JSON::XS which may not be available

https://github.com/justingit/dada-mail/issues/1129


Dada Mail v11.19.0 Released!

v11.19.0 has been released, and this is a big update! The biggest change is actually in the Perl library included with Dada Mail: over 150,000 lines within it have been updated!

Download Dada Mail today – if you’re a Pro Dada Subscriber, log in to your account, to download Pro Dada, which has no mailing list or subscriber limits!

Below is the change log for v11.19.0:

Features

Enable/Disable mailing list specific email headers

Mailing list headers help mail readers categorize the messages you send as being from a mailing list, as well as provide meta information about your mailing list. Sometimes, they can get in the way of deliverability. We’ve made the use of them optional.

Find this feature in, Mailing List: Options labeled, Use mailing list headers (enabled by default).

The list headers you can enable/disable are found in the Config.pm file in the variable, $LIST_HEADERS. Here are the headers that can be enabled/disabled:

        Precedence      
        List         
        List-Archive        
        List-Digest         
        List-Help           
        List-ID           
        List-Owner        
        List-Post       
        List-Subscribe     
        List-Unsubscribe    
        List-Unsubscribe-Post
        List-URL            
        X-Mailer

Enhanced HTML editing via “Grab content from a URL”

Dada Mail can grab content for a mailing list message just by giving it a URL.

You can also crop the webpage to only send the content found in a specific HTML id or class attribute, and remove content found in HTML tags that have specific id or class attributes.

We’ve enhanced that last feature, by allowing you to set multiple attributes, be they HTML ids, classes, or any other HTML attribute found in a tag. You can also just remove all instances of any HTML tag.

Find this option where you edit your draft mailing list messages, under Grab content from a URL. The feature itself is labeled, Remove content found between the following ids, classes, or other attributes:

If you wanted to remove all instances of tags with the class of, “example”, you would add in,

        class="example"

for an id of the same name:

        id="example"

To remove all <img> tags,

        _tag="img"

Experiment with other HTML attributes!

This same feature is also available for fetching content from an RSS/Atom Feed.
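
As an added example of the kind of cropping described above (this is not Dada Mail’s implementation, and the rule syntax it accepts is an assumption modelled on the examples in this post), here is a Python filter that removes whole elements matching class="example", id="example", any other attribute="value" pair, or _tag="img". The sample page it runs on is constructed.

```python
"""Remove HTML elements by attribute value or by tag name.

Added example for this post; it is not Dada Mail's implementation of the
"Remove content found between..." option, and the rule syntax below is an
assumption modelled on the examples in the post:
    class="example"  drop any element whose class list contains "example"
    id="example"     drop any element with id="example"
    _tag="img"       drop every <img> element
Whole elements are removed, children included.
"""
import re
from html.parser import HTMLParser

# Elements that never have a closing tag, so they must not change nesting depth.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "param", "source", "track", "wbr"}

def parse_rule(rule):
    """'class="example"' -> ("class", "example"); '_tag="img"' -> ("_tag", "img")."""
    m = re.fullmatch(r'\s*([A-Za-z_][\w-]*)\s*=\s*"([^"]*)"\s*', rule)
    if not m:
        raise ValueError(f"bad rule: {rule!r}")
    return m.group(1).lower(), m.group(2)

class Stripper(HTMLParser):
    """Re-emits the document, dropping every element that matches a rule."""

    def __init__(self, rules):
        # convert_charrefs=False so "&amp;" is passed through as written
        # instead of being decoded and re-emitted unescaped.
        super().__init__(convert_charrefs=False)
        self.rules = [parse_rule(r) for r in rules]
        self.out = []
        self.skip_depth = 0  # >0 while inside an element being removed

    def _matches(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        for key, want in self.rules:
            if key == "_tag":
                if tag == want.lower():
                    return True
            elif key == "class":
                if want in a.get("class", "").split():
                    return True
            elif a.get(key) == want:
                return True
        return False

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag not in VOID:
                self.skip_depth += 1
        elif self._matches(tag, attrs):
            if tag not in VOID:
                self.skip_depth = 1  # start skipping; the tag itself is dropped
        else:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):  # self-closing form, e.g. <img ... />
        if not self.skip_depth and not self._matches(tag, attrs):
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag not in VOID:
                self.skip_depth -= 1
        else:
            self.out.append(f"</{tag}>")

    def _emit(self, text):
        if not self.skip_depth:
            self.out.append(text)

    def handle_data(self, data):
        self._emit(data)

    def handle_entityref(self, name):
        self._emit(f"&{name};")

    def handle_charref(self, name):
        self._emit(f"&#{name};")

    def handle_comment(self, data):
        self._emit(f"<!--{data}-->")

def strip_html(html, rules):
    """Apply the rules to an HTML string and return the cropped HTML."""
    p = Stripper(rules)
    p.feed(html)
    p.close()
    return "".join(p.out)

# Constructed sample page and rules.
SAMPLE = ('<div id="wrap"><p class="lead example">Ad: buy now</p>'
          '<p>Keep <b>this</b> &amp; that</p>'
          '<div id="example"><p>nested <span class="example">x</span></p></div>'
          '<img src="a.png"><img src="b.png"/></div>')
RULES = ['class="example"', 'id="example"', '_tag="img"']

if __name__ == "__main__":
    print(strip_html(SAMPLE, RULES))
```

This is content cropping, not sanitisation: it trusts the rest of the page as-is, so it should not be relied on to strip scripts or other active content from an untrusted source.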

Breaking Changes!

In past versions of Dada Mail, either “id” or “class” had to be picked in a separate text box. That text box has been removed now that you can set an id, class, or other attribute in the text box that remains. If you are already using this feature (previously available only when fetching via a Feed URL), you will need to adjust your draft settings.

Installer: Ability to Switch the path to the Perl interpreter

Oftentimes (and especially on cPanel-based hosting accounts) there is an alternative Perl interpreter available, but it isn’t at the default Perl path that Dada Mail is configured to use. This alternative Perl interpreter may be more up to date, and can also use the modules available through the cPanel-based Perl module installer.

We’ve made it easy to switch to this alternative Perl interpreter. Do note that there’s no way to revert to the default Perl interpreter location from the installer. You would need to either reinstall Dada Mail from scratch, or manually reset the “shebang lines” yourself.

Upgraded Included Perl Library! (perllib)

Dada Mail comes with most of the CPAN Perl modules needed to run the app. These modules are located in the dada/DADA/perllib directory. This collection of CPAN modules was very much out of date, and the exact list of modules shipped wasn’t precisely known.

This has now been fixed, and steps have been taken to make sure that future releases will have an up to date included Perl library. The exact modules that are included have been removed from the Dada Mail git repo, and have been made into their own repo:

https://github.com/justingit/dada-mail-perllib

This itself is created using the following Bundle:

https://github.com/justingit/Bundle-DadaMail-IncludedInDistribution

So you can see which modules are included and install them yourself, rather than use the included perllib.

This change will most likely be transparent to most users, but the update to these modules was huge in terms of line count, and many bug fixes and security fixes within these modules are now bundled with Dada Mail.

Cross-Site Request Forgery (CSRF) Prevention can now be disabled

Cross-Site Request Forgery Prevention is an awesome feature to have, but it can sometimes get in the way of working with the app. We’ve made it easy to switch off temporarily, so that you can get your job done before enabling it again.

Find this within the installer under, Configure Security Options: Cross-Site Request Forgery (CSRF) Protection

We do highly suggest keeping this enabled.

Bugfixes

Grab content from a URL: Auto-generated PlainText version not cropped

https://github.com/justingit/dada-mail/issues/1115

Resend Subscription Confirmation via the list control panel broken

https://github.com/justingit/dada-mail/issues/1114

CPAN modules shipped with Dada Mail are outdated and impossible to maintain

https://github.com/justingit/dada-mail/issues/1113

List Control Panel Archive Screen: message_blurb() call memory leak?

https://github.com/justingit/dada-mail/issues/1116

Previews of message drafts always show in modal menu and not in new window in Drafts Index

https://github.com/justingit/dada-mail/issues/1117


Recurring Schedule Mass Mailings with Dada Mail

Dada Mail comes with the ability to draft a message to be sent at a later time. You can also have this mass mailing sent on a recurring schedule, with the message itself coming from an outside, dynamic source! The process is actually quite simple, and results in fresh content being delivered right to your subscribers’ inboxes without any additional work on your part, once you’ve set things up.

Let’s get right to it!


v11.16.0 – Important Security Vulnerabilities Fixed, Upgrade Highly Suggested

v11.16.0 has been released! This release was pushed out to fix a fairly critical security issue dealing with CSRF. Below is the change log, which we think paints a good picture of what the problem is and what we did to remediate it.

If you’re a customer/client of ours that we’ve provided an installation for, please get in touch, so that we can talk about getting you upgraded. If you don’t know exactly what coverage you have, we can help you look up your order information. Generally:

  • Customers with Lifetime Upgrade Coverage have already been upgraded to v11.16.0. If you’re one of those customers, check the version you’re running, and make sure it’s at least v11.16.0.
  • Yearly Upgrade Coverage customers will want to contact us to get upgraded.
  • One-Time Installation and Upgrade customers have 30 days of complimentary upgrades. Please take advantage of that!

11.16.0

Focus

This version of Dada Mail has been released primarily to fix a security vulnerability dealing with Cross-Site Request Forgery (CSRF).

Enhanced Cross-Site Request Forgery (CSRF) Prevention

In theory (and confirmed in practice), a bad actor could get someone to visit a carefully crafted web page (delivered via email, SMS, etc.) that, when visited, would let the bad actor control the list control panel as if they were logged in themselves. This includes changing any mailing list password, as well as the Dada Mail Root Password, which could effectively lock actual list owners out and give the bad actor complete and unfettered control of your mailing list. This vulnerability also affects profile logins.

For this to work, the target would need to be logged into the list control panel themselves. This CSRF vulnerability affects all versions of Dada Mail v11.15.1 and below. Although we know of no CSRF exploits in the wild, the vulnerability has been confirmed by our testing and by a third party.

Security enhancements added to v11.16.0:

  • CSRF protection to all list control panel screens (including plugins) when logged in

  • Initial CSRF protection on the actual list control panel login form is enabled by default

    This feature was available in Dada Mail, but was not enabled by default

  • CSRF protection for anything a user who logs into their profile can do while logged in

  • CSRF protection for the initial profile login form

  • Login cookies for both the list control panel and profiles have the, “SameSite” flag added, and set to, “Lax”

  • Login cookies for both the list control panel and profiles have the, “secure” flag added, and set to, “1”, if the connection is under https

  • Google reCAPTCHA added to the Change List Password, Change Dada Mail Root Password, Profile login, and Profile Registration

    You’ll want to set up Google reCAPTCHA in the included Dada Mail installer.

More Details

Here’s an overview of CSRF:

https://owasp.org/www-community/attacks/csrf

v11.16.0 comes with Cross-Site Request Forgery prevention using the Double Submit Cookie pattern: (https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie).

To enhance this, we also “HMAC the token with a secret key known only by the server and place this value in a cookie” (as described in the above doc), and set cookies to have, SameSite set to, Lax (instead of not setting SameSite at all), (https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#samesite-cookie-attribute),
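
As an added example of the pattern described above (it is not Dada Mail’s implementation, and the cookie name, form field name and handler are assumptions), here is the signed double-submit cookie in Python: a random token goes in the form, its HMAC under a server-only secret goes in a SameSite=Lax cookie that is marked Secure only over https, and a state-changing request is accepted only when it is a POST and the pair verifies. Rejecting GET matches the two “accepts GET requests” fixes listed under Bugfixes for this release.

```python
"""Signed double-submit CSRF cookie, plus the cookie flags the notes describe.

Added example of the OWASP pattern referenced above; it is not Dada Mail's
implementation, and the cookie name, form field name and handler are
assumptions. Flow: the form carries a random token, a cookie carries
HMAC(secret, token), and a state-changing request is honoured only when it
is a POST and the two values agree under the server-only secret.
"""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Lives in server-side config in a real deployment and is never sent to the
# browser; generated here so the example runs stand-alone.
SERVER_SECRET = secrets.token_bytes(32)
COOKIE_NAME = "csrf_tok"      # assumed cookie name
FIELD_NAME = "csrf_token"     # assumed hidden form field

def _sign(token, secret):
    return hmac.new(secret, token.encode(), hashlib.sha256).hexdigest()

def issue_token(secret=SERVER_SECRET):
    """Return (form_token, cookie_value) for a freshly rendered form."""
    token = secrets.token_urlsafe(32)
    return token, _sign(token, secret)

def csrf_cookie_header(cookie_value, https):
    """Set-Cookie line with SameSite=Lax and HttpOnly, adding Secure only when
    the request came in over https, as the release notes describe."""
    c = SimpleCookie()
    c[COOKIE_NAME] = cookie_value
    c[COOKIE_NAME]["samesite"] = "Lax"
    c[COOKIE_NAME]["httponly"] = True
    c[COOKIE_NAME]["path"] = "/"
    if https:
        c[COOKIE_NAME]["secure"] = True
    return c.output(header="Set-Cookie:").strip()

def verify(form_token, cookie_value, secret=SERVER_SECRET):
    """Constant-time check that the cookie is the HMAC of the form token.
    An attacker's page cannot produce a matching pair without the secret,
    and with SameSite=Lax the browser will not even send the cookie on a
    cross-site POST."""
    if not form_token or not cookie_value:
        return False
    return hmac.compare_digest(_sign(form_token, secret), cookie_value)

def handle_state_change(method, form, cookies, secret=SERVER_SECRET):
    """Gate for something like "change list password". form and cookies are
    plain dicts standing in for the parsed request. Returns (status, text)."""
    if method != "POST":
        return 405, "state-changing requests must use POST"
    if not verify(form.get(FIELD_NAME), cookies.get(COOKIE_NAME), secret):
        return 403, "CSRF check failed"
    return 200, "ok"

if __name__ == "__main__":
    token, cookie = issue_token()
    print(csrf_cookie_header(cookie, https=True))
    print(handle_state_change("POST", {FIELD_NAME: token}, {COOKIE_NAME: cookie}))
    print(handle_state_change("POST", {FIELD_NAME: token}, {}))  # cross-site: no cookie sent
```

SameSite=Lax still lets the browser attach the cookie to top-level GET navigations from another site, which is why endpoints that change state on GET (the logout and list-switch fixes below) undermine the protection and need to be POST-only as well.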

Additional Suggestions to Help Harden Security

  • Run Dada Mail under https

    Running Dada Mail under https protects sensitive data from being read in transit.

  • Set up Google reCAPTCHA

    Google reCAPTCHA helps stop automated submission of forms in Dada Mail.

Features

RESTFUL API supports Global Public/Private Keys, Creating New Mailing Lists

Please see:

https://dadamailproject.com/d/install_dada_mail-advanced_configuration.pod.html#Configure-Global-API-Options

and,

https://dadamailproject.com/d/features-restful_web_services.pod.html#Global-Public-and-Private-Keys

Changes

Default Membership: View address order is now Date Added/Subscription Date/Descending

Previous order was email address alphabetically/descending

Bugfixes

Switching between lists accepts “GET” requests

https://github.com/justingit/dada-mail/issues/1067

“logout” accepts “GET” requests

https://github.com/justingit/dada-mail/issues/1066

You can send a mass mailing to no one

https://github.com/justingit/dada-mail/issues/1064


Link Prefetching Protection in Dada Mail v11.15.0 (and other security enhancements)

Dada Mail v11.15.0 comes with some important safeguards and improvements for protecting against link prefetching of the email messages it sends out. It’s a big enough issue that we’re suggesting everyone upgrade their Dada Mail (really!).

What is link prefetching, and why is it so important to protect your email messages from it? Read on!
