DNS Team
- Emily Cope
- Lucas Everett
- Krishna Ghamandi
- Shea Hardin
- Niki Merriwether
- Toni Ward
Enabling DNSSEC for an existing zone in Cloudflare
- After opening the domain in Cloudflare, click on the DNSSEC tab.
- Click the “Settings” button.
- Click the “Enable DNSSEC” button.
- You will see the DS resource record that Cloudflare provides. Copy that record and send it to the bank to add at the registrar. It is recommended to wait 48 hours after enabling DNSSEC in Cloudflare before the DS record is added at the registrar, to give the signed zone time to propagate. If the DS record is added at the registrar too quickly, validating resolvers that have not yet picked up the signed zone will fail, and some people may be unable to reach the website.
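Before the DS record is handed to the bank, it is worth confirming that it actually corresponds to the zone's published KSK. The following is an added example, not part of the original notes and not Cloudflare code: it computes the RFC 4034 key tag and the RFC 4509 SHA-256 digest from a DNSKEY and checks a DS record against them. The key bytes and owner name are constructed for illustration, not a real key.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class DNSKEY:
    flags: int        # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # e.g. 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire-format owner name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_digest(owner: str, key: DNSKEY, digest_type: int = 2) -> bytes:
    """DS digest = hash(owner name in wire format | DNSKEY RDATA).
    digest_type 1 = SHA-1, 2 = SHA-256, 4 = SHA-384."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return algo(wire_name(owner) + key.rdata()).digest()


def ds_record(owner: str, key: DNSKEY, digest_type: int = 2) -> str:
    """Render the DS record text that would be sent to the registrar."""
    digest = ds_digest(owner, key, digest_type).hex().upper()
    return f"{owner}. IN DS {key_tag(key)} {key.algorithm} {digest_type} {digest}"


def ds_matches(owner: str, ds_text: str, key: DNSKEY) -> bool:
    """True if the DS record (full RR or bare 'tag alg dtype hex') corresponds to key."""
    tag, alg, dtype, digest_hex = ds_text.split()[-4:]
    return (int(tag) == key_tag(key)
            and int(alg) == key.algorithm
            and bytes.fromhex(digest_hex) == ds_digest(owner, key, int(dtype)))


if __name__ == "__main__":
    # Constructed 4-byte "public key" purely for demonstration; real keys are far longer.
    ksk = DNSKEY(flags=257, protocol=3, algorithm=13, public_key=b"\x01\x02\x03\x04")
    ds = ds_record("example.bank", ksk)
    print(ds)
    print("DS matches DNSKEY:", ds_matches("example.bank", ds, ksk))
```

In practice you would paste the DNSKEY RDATA fields from the zone (flags, protocol, algorithm and the base64-decoded key) and the DS text from the Cloudflare panel; a mismatch in key tag or digest means the wrong record is about to be published at the registrar.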
Jack Henry SPF Include
Jack Henry uses include:spfref.jackhenry.com for SPF records, which is preferred to and encompasses include:spf1.netteller.com.
If you field a request to have include:spfref.jackhenry.com added to an SPF record and see that include:spf1.netteller.com is already in place, you can remove the NetTeller include as it is already a part of the new(ish) jackhenry.com record.
Finally, and this is rare, if you see include:profitstars.com already in the record, leave it in place and do not add include:spfref.jackhenry.com: the ProfitStars include already encompasses the spfref.jackhenry.com record along with other items.
SPF Records: Too Many lookups
This is a common problem found with SPF records. Each include, a, or mx counts toward a total of 10 lookups. IP addresses don’t count toward the total. The count is also recursive: if an include has its own includes, those includes are counted as well. Ultimately, it is up to the bank to manage their SPF record, but we can review and help combine any redundant JHA records.
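The two SPF sections above (the Jack Henry include rules and the 10-lookup limit) are covered by one added example below. It is not code from the original notes or from Jack Henry: it parses an SPF record, applies the include rules exactly as stated (drop include:spf1.netteller.com when adding include:spfref.jackhenry.com, leave the record alone if include:profitstars.com is present), and counts DNS lookups recursively. It goes slightly beyond the text by also counting ptr, exists and redirect, which RFC 7208 treats the same way as include, a and mx. The TXT data in FAKE_TXT is constructed to run offline and does not reflect the real published records.

```python
import re
from typing import Dict, FrozenSet, List, Optional

# Terms that each cost one of the 10 DNS lookups allowed by RFC 7208 section 4.6.4.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Constructed SPF TXT data standing in for live DNS answers (hypothetical records).
FAKE_TXT: Dict[str, str] = {
    "example.bank": "v=spf1 mx include:spf1.netteller.com include:_spf.mailhost.example -all",
    "spf1.netteller.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "spfref.jackhenry.com": "v=spf1 include:spf1.netteller.com ip4:198.51.100.0/24 -all",
    "_spf.mailhost.example": "v=spf1 a mx include:_spf2.mailhost.example ~all",
    "_spf2.mailhost.example": "v=spf1 ip6:2001:db8::/32 -all",
}


def parse_terms(record: str) -> List[str]:
    """Split an SPF record into its terms, dropping the leading v=spf1."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    return terms[1:]


def term_name(term: str) -> str:
    """Mechanism/modifier name without qualifier, e.g. '-include:x' -> 'include'."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def term_target(term: str, own_domain: str) -> str:
    """Domain a term refers to; bare 'a'/'mx' refer to the record's own domain."""
    body = term.lstrip("+-~?")
    if ":" in body:
        return body.split(":", 1)[1].split("/", 1)[0].lower()
    if "=" in body:
        return body.split("=", 1)[1].lower()
    return own_domain.lower()


def count_lookups(record: str, domain: str, txt: Dict[str, str] = FAKE_TXT,
                  _seen: Optional[FrozenSet[str]] = None) -> int:
    """Count lookup-causing terms recursively, following include: and redirect=."""
    seen = _seen if _seen is not None else frozenset({domain.lower()})
    total = 0
    for term in parse_terms(record):
        name = term_name(term)
        if name not in LOOKUP_TERMS:
            continue  # ip4/ip6/all and unknown terms cost nothing
        total += 1
        if name in ("include", "redirect"):
            target = term_target(term, domain)
            if target in seen:
                continue  # guard against include loops on the current path
            if target in txt:
                total += count_lookups(txt[target], target, txt, seen | {target})
    return total


def exceeds_limit(record: str, domain: str, txt: Dict[str, str] = FAKE_TXT) -> bool:
    """True when the record would be a permerror under the 10-lookup limit."""
    return count_lookups(record, domain, txt) > MAX_LOOKUPS


def apply_jackhenry_include(record: str) -> str:
    """Apply the page's rules for a request to add include:spfref.jackhenry.com."""
    terms = parse_terms(record)
    includes = {term_target(t, "") for t in terms if term_name(t) == "include"}
    if "profitstars.com" in includes:
        return record  # ProfitStars include already covers spfref.jackhenry.com
    # The NetTeller include is part of the spfref.jackhenry.com record; drop it.
    kept = [t for t in terms
            if not (term_name(t) == "include" and term_target(t, "") == "spf1.netteller.com")]
    if "spfref.jackhenry.com" not in includes:
        # insert before the trailing "all" mechanism so "all" stays last
        pos = next((i for i, t in enumerate(kept) if term_name(t) == "all"), len(kept))
        kept.insert(pos, "include:spfref.jackhenry.com")
    return "v=spf1 " + " ".join(kept)


if __name__ == "__main__":
    before = FAKE_TXT["example.bank"]
    after = apply_jackhenry_include(before)
    print(after)
    print("lookups before:", count_lookups(before, "example.bank"),
          "after:", count_lookups(after, "example.bank"))
```

The lookup counter only follows targets present in the constructed table; against live DNS you would replace the dictionary lookup with a TXT query, and the loop guard matters there because a self-referencing include would otherwise recurse forever.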
CAA Records
A CAA record is a security feature that lets a domain restrict which certificate authorities may issue SSL certificates for it. While CAA records can be added for any domain that we host, they are not required, and they can cause issues with future SSL cert orders.
DMARC Records
DMARC records work alongside SPF and DKIM records to protect a domain from unauthorized use. DKIM works by digitally signing an email on the sending server at the time it is sent, while an SPF record is an authorized list of servers that send email on behalf of a domain. Phishing and spam emails are a major problem, and DMARC, DKIM, and SPF records serve a vital role in protecting an institution’s domains from abuse.
Please note that while a DMARC record isn’t required to send reports to an email address at the same domain the record is on, an additional DMARC record does need to be created in the other domain’s zone if the domains don’t match. Please see the following example.
_dmarc.example.bank IN TXT "v=DMARC1; p=reject; fo=1; rua=mailto:someone@example.com; ruf=mailto:someone@example.com"
Since the email address for the example.bank DMARC record is pointing to an email address at example.com, another DMARC record needs to be created in the example.com zone to authorize it.
example.bank._report._dmarc.example.com IN TXT "v=DMARC1"
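To make the rule above mechanical, here is an added example (not from the original notes): it parses a DMARC record, finds every rua/ruf mailbox whose domain differs from the policy domain, builds the expected `<policy domain>._report._dmarc.<report domain>` authorization name from RFC 7489 section 7.1, and reports which of those records are missing. The TXT data is constructed to mirror the page's example.bank/example.com records; the domain comparison is an exact match, a simplification of the RFC's organizational-domain comparison.

```python
from typing import Dict, List

# Constructed TXT data standing in for live DNS answers (mirrors the page's example).
FAKE_TXT: Dict[str, str] = {
    "_dmarc.example.bank": "v=DMARC1; p=reject; fo=1; "
                           "rua=mailto:someone@example.com; ruf=mailto:someone@example.com",
    "example.bank._report._dmarc.example.com": "v=DMARC1",
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' into a dict; the record must carry v=DMARC1."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed DMARC tag: %r" % part)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def report_addresses(tags: Dict[str, str]) -> List[str]:
    """Mailbox addresses from the rua= and ruf= tags (mailto: URIs only)."""
    addrs: List[str] = []
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip()
            if uri.lower().startswith("mailto:"):
                # drop the optional "!size" suffix, e.g. mailto:x@y!10m
                addrs.append(uri[len("mailto:"):].split("!", 1)[0].lower())
    return addrs


def external_report_domains(policy_domain: str, tags: Dict[str, str]) -> List[str]:
    """Report-receiving domains that differ from the policy domain (exact match)."""
    policy_domain = policy_domain.lower()
    domains = {addr.rsplit("@", 1)[1] for addr in report_addresses(tags) if "@" in addr}
    return sorted(d for d in domains if d != policy_domain)


def authorization_record(policy_domain: str, report_domain: str) -> str:
    """Name the report-receiving zone must publish with 'v=DMARC1' (RFC 7489 s7.1)."""
    return f"{policy_domain.lower()}._report._dmarc.{report_domain.lower()}"


def missing_authorizations(policy_domain: str, txt: Dict[str, str] = FAKE_TXT) -> List[str]:
    """Authorization record names that are absent or do not start with v=DMARC1."""
    tags = parse_dmarc(txt[f"_dmarc.{policy_domain.lower()}"])
    missing: List[str] = []
    for report_domain in external_report_domains(policy_domain, tags):
        name = authorization_record(policy_domain, report_domain)
        if not txt.get(name, "").strip().lower().startswith("v=dmarc1"):
            missing.append(name)
    return missing


if __name__ == "__main__":
    print("missing:", missing_authorizations("example.bank"))
```

Against live DNS the `txt` dictionary would be replaced by a TXT query; receivers that find the authorization record absent will simply not send reports to the external address, which is why this check belongs in the review before the record is published.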
An institution may also utilize a third-party DMARC reporting service, such as Postmark. The reporting service will provide the DMARC record to add, and they will also send out a weekly digest of the compiled info. This is generally recommended over entering a personal email address in the DMARC record.