Email related settings for CiviCRM

Settings

You can bookmark your current settings with this permalink (note that the link changes every time you change a setting). Text in blue like this has been generated by the form values you enter. Other text is generic/examples/descriptive etc.

Org domain {org}

The main domain for your organisation.

CiviCRM site domain

The domain name used to access your CiviCRM site.

Email Domain setting

CiviCRM setting on Mail Accounts screen. This determines the domain used for VERP addresses.

From address

As set in CiviCRM

ESP MX domain

This is the (sub) domain that has an MX record pointing to the SMTP service’s servers.

DKIM domain

The (sub)domain that is used to create the DKIM signature.

DKIM selector

Mailgunny specific (to my knowledge) settings

List-Unsubscribe domain override setting Rewrite VERP (normally checked. Uncheck if using mailgun-native-send)

CiviCRM host https://

CiviMail generates

Return-Path:: civi.verp@
List-Unsubscribe:: mailto:civi.verp@

https:///civicrm/mailing/unsubscribe?reset=1&civi.verp
From:

SMTP service

Rewrites VERP and adds DKIM

Adds DKIM

Return-Path:: esp.verp@; civi.verp@
List-Unsubscribe:: mailto:civi.verp@

https:///civicrm/mailing/unsubscribe?reset=1&civi.verp
From:
DKIM:: d=
s=

Inbox services

SPF Check

Is SMTP service's IP address an allowed sender for the domain in the return path ? Check SPF TXT DNS record for and compare.

DKIM Check

Check the DKIM signature matches the message content

Look up the DKIM public key from the TXT record at ._domainkey.

Can the signature be verified?

DMARC Check

Requires an aligned SPF or DKIM or both

SPF: Is the domain from the Return-Path () DMARC aligned with the From domain ?

Is this DKIM domain () DMARC aligned with the From domain ?

So DMARC result is:

Yes, passes.

⚠ No! Fail.

Google/Yahoo bulk sender policy Check

Pass if we have DMARC pass including aligned DKIM.

Yes, pass.

⚠ No, fail.

SMTP Bounces

If delivery to the inbox is rejected at SMTP delivery time, the ESP sends the information back to CiviCRM in a webhook over http to the Civi site at

This requires a ESP-specific CiviCRM extension to handle the request and log the bounce. Alternatively, the SMTP relay must be configured to send an email to a catch-all inbox that CiviCRM can process, but this is inefficient (and some ESPs charge for forwarding incoming mail).

Unsubscribe via mailto:

An email is sent to the mailto unsubscribe address, civi.verp@

This email will be delivered by the MX host for the domain.

CiviCRM requires exclusive access to this inbox, which is processed by a scheduled job.

DNS records

Domain	Record type	Value
	TXT	The main domain's SPF record (which should already exist) may be required to include either your ESP's sending servers, if you are using Native-Send and a Return-Path CiviCRM setting including the main domain, or no Return-Path CiviCRM setting and you're sending From real organisation's email addresses.
	TXT	Suitable DMARC policy (none/reject/quanrantine) and specifying either strict or relaxed alignment for DKIM and SPF. Example: `"v=DMARC1; p=none;rua=mailto:dmarc@artfulrobot.uk;fo=1;aspf=r;adkim=r;"`
	A	IP of CiviCRM server. Required to access CiviCRM including http unsubscribe method.
	MX	Needs to point to the domain of a mailserver that will deliver 'unsubscribe' emails to an inbox that CiviCRM can process.
	TXT	The SPF record for the final Return-Path domain must validate the IP address of your ESP's SMTP relay servers. Typical example: `v=spf1 mx -all` An SPF record for the CiviCRM "Email Domain" or the domain of the "Return-Path" setting. This is required if there is a situation in which email is sent in this way (e.g. Native-Send could cause this.). Typically not required. Typical example: `v=spf1 mx -all`
	MX	Needs to point to the domain of your ESP for handling bounces. There may be multiple records. example: `mxa.eu.mailgun.org` and `mxb.eu.mailgun.org`
	TXT	The SPF record for the final Return-Path domain must validate the IP address of your ESP's SMTP relay servers. Typical example: `v=spf1 mx -all`
._domainkey.	TXT	DKIM public key: `v=DKIM1; k=rsa; ...`
	MX	Must point to an inbox provider's mailserver for Civi to access by its scheduled jobs. e.g. this might point to . If the main Civi server also hosts this inbox.

Possible flows

Below are two possible flows, which tick off most requirements, but there are a lot of variables so there will be other valid configurations, too.

Flow A depends on the SMTP service for handling incoming email. Flow B minimises the role of the SMTP service to sending and bulk-bounce handling only.

Flow A

All mail generated by CiviCRM is sent via the SMTP service.

The Civi-generated Return-Path header (using the configured VERP domain) will be replaced by the SMTP service, however this setting is also used to construct the List-Unsubscribe mailto header.

All bounces are handled by the SMTP service which will (typically) send HTTP webhooks requests to an endpoint on Civi provided by an extension for that service.

Transactional mail uses the Return Path setting as its Return-Path header, unless not set, in which case it will default to the From address. But this will be replaced by the SMTP service with a Return-Path pointing back to the service. Bounces need special forwarding rules setup, which may or may not be easy/possible. Transactional mail cannot be bounce-processed as there is no VERP information included.

Unsubscribes via the mailto address in the List-Unsubscribe header (VERP domain) need to be routed to an appropriate inbox. You may be able to achieve that by using the SMTP service’s subdomain and setting up forwarding rules.

Unsubscribes via one-click or web page happen as always, using public Civi endpoints/pages.

Flow B

This requires a special mode of operation of the SMTP service that prevents it from replacing CiviCRM’s generated Return-Path header. On Mailgun this is called Native-Send.

All mail generated by CiviCRM is sent via the SMTP service, as with Flow A.

The CiviMail-generated Return-Path header (using the VERP domain setting) is not replaced by the SMTP service, and needs to point back to the SMTP service.

CiviMail bounces get handled by the SMTP service as in Flow A, resulting in HTTP webhooks.

Transactional mail uses the Return Path setting as its Return-Path header, unless not set, in which case it will default to the From address. Since this is not replaced by the SMTP service, it needs to route back somewhere sensible, e.g. an admin account. As before, there’s no VERP, so no automatic bounce processing.

Unsubscribes via the mailto address in the List-Unsubscribe header (VERP domain) need to be routed to an appropriate inbox. In the Mailgunny extension, you can provide a domain for this that differs from the VERP domain which means you can avoid setting up forwarding rules on the SMTP service, and have it go straight to the inbox for CiviMail processing.

Unsubscribes via one-click or web page happen as always, using public Civi endpoints/pages.