training – Zupertails Blogs

Mails bounce or get flagged as spam when sending to Google/Yahoo/Hotmail/Apple

25/02/2025 Zupertails office 365, tech, training

Whoever holds the gold makes the rules

Late 2023, Google and Yahoo announced new guidelines for sending e-mails to their networks.
Yes, you read it : “to“, not “from“.
If you’re an e-mail user and recently got a notification that your mail was refused by Gmail, read on and find out what the reasons could be and how you – as an admin – can resolve these issues.

Show me the money

Regular mail versus bulk mail

“The big boys'” requirements differentiate between regular (coming from you or me) mail usage and bulk senders, such as mass mailer for commercial purposes.

Having read the guidelines, I can narrow them down to the following…

it's SPAM — spam, bacon and eggs and spam

Let’s start out with the requirements that are applicable to all senders :

Make sure that domain spoofing is practically impossible by implementing SPF in a strict way (use the “-all” flag) and sign your mails with a DKIM key, where possible.
Make sure that recipients do not flag your messages as SPAM, either manually or automatically.
Now, this sounds like quite a general guideline… Google stuck a number to this statement and will start flagging you as a “spammer” if more than 3 out of your 1000 (0,3 %) mails to their systems get marked as SPAM.
That 0,3% doesn’t sound like a lot.
And it isn’t.
That’s why you as an IT implementer should make sure that your customer is not at any time sending out unsollicited mail. Ever.
Activation of MFA, using a separate mailing software for addressing your customers en masse and securing the customer’s domain are a NECESSITY. Protecting mail flow is no longer a matter of just username and password.

Bulk senders need to tighten the situation a bit more.

Now, before we list what the requirements for bulk senders are, I have to make clear that being defined as a “bulk sender” is a very “grey zone” kind of moment.
In official terms of Google, they define a “bulk sender” as an entity that sends 5000+ messages/day.
We’ve seen this number being interpreted by Google themselves as a much lower number in a few cases.
Basically it’s advised, to apply the requirements below for ALL your clients, as it’s best practice to tighten security as much as possible in every case.
The grey zone interpretation style of Google’s own rules also suggests this in between the lines.

Obligatory SPF and DKIM as stated above. If you’re using M365 as mail solution, there’s no reason not to set this up. It doesn’t cost anything extra and it’s a small effort that can count as a quick-fix.
DMARC policy needs to be active.
A simple “p=none” policy is ABSOLUTELY NO LONGER a good thing.
This post explains the reasons why you should in fact do something with those reports: https://www.nospamproxy.de/en/dmarc-policy-why-p-equals-none-is-a-bad-choice/
You’ve set up a DMARC record. Excellent!
Now actually make sure all your mail-sending clients (Outlook, CRM tools, printers, …) are conform with all the measures you’ve put in place.
Have a cloud-hosted CRM packet that sends over your domain name? Have it use either a M365 connector or add it’s fixed IP to the SPF record.
If it has DKIM support, use it. Always.
The number one bad guy in mass mailers that ‘ll get your domain flagged as “bad reputation” is not having a one-click unsubscribe button/link in mails that you receive after subscribing to them. (RFC 8058)
A “List-Unsubscribe” header needs to be present in the mail headers , as well as a visible unsubscribe link in the message body.
This link must not lead to a complex unsubscibe procedure with multiple questions, but must literally be “1 click”.
Another self-proclaimed Google/Yahoo standard in these grey zone rules, implies that the unsubscribe must be done within 2 days after request.

Pointer Sisters

Some extra Pointers and tools

Make sure your “From” address and the from-header are the same. Especially the domain name in the address is the more important factor here. The term this applies to is called “domain impersonation“
Where possible (not in a M365 case), try to add a valid reverse PTR DNS record that corresponds to your outgoing mail server name.
In most cases, you have to address your internet provider in order for them to add a reverse PTR record as this applies to the fixed IP addresses given out by them.
Reverse PTR records only make sense in cases where you actually send mail from a fixed IP.
As an example : I have mail server running that announces “mail.zupertails.be” as DNS name in my headers, while having a fixed IP at the office, where the server resides.
My ISP needs to add mail.zupertails.be as a reverse PTR record, linked to my fixed IP.
I’ll spare you the tech details, but trust me on this 😉
Actually read the RUA and RUF reports that you set up in your DMARC record.
They can help you understand (even when it’s already too late and your domain has been flagged as “bad”) how your mails end up in spam.
https://mxtoolbox.com/DmarcReportAnalyzer.aspx can help you greatly in understanding these otherwise unreadable reports.
There’s no quick-fix solution when your domain is flagged as “bad” or “spam”.
Domain reputation is partially an organic thing.
Every email receiving provider handles the timeout period in its own way and has no concrete documentation for outsiders available on the details as how long your domain is flagged on their side.
You can get extra information on the health of your domain and what’s causing it to suck on https://dnschecker.org/domain-health-checker.php
ARC headers are yet another way of verifying the legitimacy of your mail flow.
https://www.validity.com/blog/how-to-explain-authenticated-received-chain-arc-in-plain-english/
Not every sender or receiver for that matter checks on ARC headers or allows the implementation of it.
If the link above is too much to read : ARC allows you to add a list of hosts, that allow the rewriting of mail headers, for instance in cases of mass mailing.
M365 supports ARC.
Stating the obvious : always send your mails in RFC 5321 and RFC 5322 format, that have their origins in 2008

Very funky and interesting tools that will help you on your way of becoming the ultimate mail flow troubleshooter :

Gmail’s Postmaster tools : https://gmail.com/postmaster/
MxToolbox has way more tools available than the one in their main menu : https://mxtoolbox.com/NetworkTools.aspx
Check your domain health. Often. https://dnschecker.org/domain-health-checker.php

Zuper out

Hosting a karaoke party on Discord (and streaming it on Twitch.tv)

26/12/2024 Zupertails training

Obligatory preliminary introductory 🎶

I’ve recently gotten a renewed interest in “playing” karaoke, due to my favorite karaoke café in town shutting down and me feeling the need to sing in public.
Yes, I’m weird like that 🙂

Gotten triggered by the fact that the lovely people at twitch.tv have a separate category for “Karaoke Party” even though their guidelines state the opposite, I started looking into setting up a similar party, because “meh”.

If you’re looking for the guide on how to join my own karaoke party, click HERE

Different setups require different approaches

There’s a couple of ways to get similar results here.
You have to ask yourself the question whether you want to host a karaoke party physically at your own location, host it solely online or make it into a sort of “hybrid” situation.

Depending on that question, you might need different audio devices and use different audio/video sources in your favorite streaming software.
I’ll use “OBS Studio” (not to be confused with the somewhat similar but more memory-hogging “Streamlabs OBS”) in this example.

For the sake of this guide, I shall assume you already know how to set up OBS to start your streaming adventure.
If you haven’t done this before, https://www.lifewire.com/twitch-streaming-with-obs-studio-4151808 will be a quite helpful guide into this.

In this guide I will use my very own hard- and software setup as guideline; feel free to use any hardware and software that you see fit. You’ll only need a somewhat good microphone and an internet connection. Webcam is already optional, but adds more to the immersion, of course.
The most important thing to keep in mind with karaoke is to have fun with your friends.

Step by step

Hardware choice
Preferred karaoke software
Setting up Discord
Setting up OBS

1. Hardware

Audio

Your audio input will be the more important one here.
A good microphone will make all the difference in improving the quality of your performance.

As a lower rank audiophile, I’ve got a variety of microphones lying around, because singing might require a different mic than just talking to your streamers.

For my streams and other audio shizzle, I use either :

Blue Snowball iCE (link) , with an small pop filter in front of it.
This very budget-friendly streamer mic is perfect for voice recording or talking to your peers in an excellent quality.
Hyper X Cloud Alpha (link), because I wanted a wireless headset with a respectable microphone, but awesome chamber drivers. A higher rank audiophile would have gone for a wired headset btw 😉
(no laughing plz) Singstar PS2 microphones incl. their respective USB connector

You can’t buy these things new anymore, but believe me when I say that when you find these puppies in a working state on a second-hand market, you buy them.
The have one of the better sound quality for non-professional gear and I see them going from €10 to €40 for a set with USB amp.One thing you should know about the Singstar mics is that they’re (almost) plug and play in Windows. More on that during the setup phase…

Video

As mentioned above, video hardware is less important here.
However, it increases the entertainment value of your stream when you actually see who is performing.
When going to a real life karaoke gig, you like to look at the “artist”, right ?

I won’t bother you with the details on my webcams. Just know that I have one set up in the top corner of my game room for VR purposes and that it’s a 4K resolution model made in China, therefore cheap as hell 😀

Other video advice I can give you is to have at least one extra screen that you’ll use exclusively for your karaoke needs, in this case.
Make sure you can read the the lyrics on your favorite karaoke platform and you’re good to go.

2. Prefered karaoke software

Now, in order to keep your setup as low-cost as possible, you could play your karaoke sessions through a simple Youtube search.
There’s more than a handful of YT channels that provide songs that have lyrics over them. Popular ones include :

Next to Youtube, you can either download specific local Karaoke videos or use a dedicated piece of karaoke software, such as…

KaraFun
Kanto Karaoke
PCDJ Karaoki
Siglos Karaoke Professional
…

…of which the Karafun Windows software is my personal favorite. It also has an Android and iPhone app for your on-the-road singing needs, as well as support for multiple screens, web-requests and much more.
For the professional apps such as these, there’s a small price attached to them.
Karafun used to have a “weekend price”, but now you’re paying €7,99/month (cancelable anytime), which still is peanuts for an evening of fun.
For that price, you get access to 61000+ songs in their library.

No I’m not sponsored by Karafun 😉

3. Setting things up on the host side : Discord

Of both host and guest setup, the Discord host setup is the tricky part, as you’re going to have to keep a lot of audio flows in mind. Especially when you’re also streaming your karaoke session to your favorite streaming platform in the process.

For this example we’ll try to keep it simple, as Discord has a specific channel type for this called a “stage” channel, but it requires you – as an admin – to continously swap out people in the spotlight and allow speaking rights.
If you’re into controlling everything yourself, Discord has a nifty guide on this type of channel –>
https://support.discord.com/hc/en-us/articles/1500005513722-Stage-Channels-FAQ

For our “easy mode”, however, you’ll be creating a separate voice channel where you apply specific rights to it (unless you want anyone that can join your server to be able to sing, that is…)

In this channel, if nobody’s performing, you can allow everybody present to be able to speak, but ask them to mute their microphones somebody starts performing.
Since you, the admin, will most probably be the one who is streaming, you can also mute these users on your side, so that the viewers on-stream only hear what you want them to hear : the singer and their music.

Shamelessly stolen from Winbuzzer's website ;-)

This page (https://zupertails.be/wur/?p=539) explains in a bit more detail how this works on the performer’s side

Don’t forget to unmute everybody when your performer is done 😉

4. Setting up OBS

First off, you have to consider what you want your viewers to hear and see when they check out your live stream.

In case of a karaoke moment on Discord, you will want them to see/hear :

All the sound of your Discord session. This includes your users talking and singing.
A limited window of your Discord screen. Your viewers don’t need to see your list of channels and servers on the left, they just want to see the interaction and the performance)
Optional sound from some overlay such as StreamElements or anything else that allows user interaction.
Your very own microphone.
The sound (and optionally but preferably the video) from your own karaoke software, as you’ll be performing as well.

Keep in mind when you’re streaming and you want to interact with your Twitch/Youtube/… audience onstream, that you mute yourself as well, during somebody’s performance. You don’t want to be the ass-like host that talks during people’s performances, when you deny others !

As I don’t like reinventing the wheel, here’s an already relatively big starter guide on adding specific audio sources from windows or apps to your stream :
https://obsproject.com/kb/application-audio-capture-guide

As for sharing your Discord window without all the clutter on the left, again no wheel reinvention will be done :
https://www.youtube.com/watch?v=RLpAOlmmz4A

Keep in mind that it’s preferable to have your Discord sit in a dedicated screen or part of a (bigger) screen, so that it never changes size, when you follow the Youtube guide above.
Failure in doing so, will result in a messed up or badly cut out window being displayed, after you use the ALT-key method to cut off parts of the screen.
Always make sure to think about the resolution and screen size you’re streaming in, so that the shared Discord session fits in nicely with the screen ratio.

There, that’s it.

If you think, I missed anything in this guide or if you need more detailed information, give me a heads-up on whatever platform you know me in.
I’ll be glad to add to this guide where needed.

Musical greetings,
Z.

Joining a Zuper karaoke session!

26/12/2024 Zupertails training

How to join Zupertails’ karaoke stream

If you see me streaming some karaoke event on Twitch or just notice me being active on my Karaoke channel on Discord, feel free to drop in.
Karaoke is meant to be enjoyed by many instead of solo and is more of a social event than anything else.

Don’t have my Discord yet?
Join on https://discord.gg/srsx5V8ZzA
Ask me to give you a specific karaoke role (“Cyber Singer Mika“) if you don’t see that voice channel in order for you to be able to join one of my karaoke channels.

I’ll try to maintain a list during our fun session in order for everybody to get an equal amount of “screen/singing time”.
There is, however, no obligation whatsoever to sing. If you wanna hang out and chill, that’s also fine. Socializing is what karaoke is about (among other things lol)
During somebody’s performance, i advise to mute your microphone, as it might interfere with the performer’s concentration (and it’s just considered to be a dick-move in general to talk during somebody singing)
During your performance, you can either share your screen/app where you’re getting the karaoke song from (Youtube, Karafun, …) and we all watch your screen sharing session that you use to sing along to.

Or… you can use a slightly more advanced setup with VoiceMeeter (a free piece of software) to mix your MIC input with the actual sound and have us listen to only your voice channel, containing voice and song at the same time.

Discord will almost perfectly sync your voice with your screen sharing session. Screen sharing or mixing with VoiceMeeter will result in practically the same experience for the listeners, except that we don’t get to see the lyrics onscreen in the latter option.

There are tons of guides on how to configure VoiceMeeter out there, should you want to use it.
https://voicemeeter.com/first-steps-connect-your-mic-and-mix-your-voice-with-any-pc-sound/ is a good place to start.
But that’s not what this post is about 😉

Sending M365 mail from your all-in-one scanner/printer

22/02/2024 Zupertails office 365, tech, training

Precursor

Imagine the following : you recently migrated your mail platform from the “classic” POP/IMAP mailbox setup towards Microsoft 356’s mail solution.

If you’ve done the M365 setup correctly and migrated everything towards your new cloud environment (see tons of previous posts 😉) you’ll soon run into some issues when trying to send an e-mail from your super-cool all-in-one printer/scanner/copy/fax machine, which is hooked up to the network and ready to send scanned documents in your (domain) name.

One of these issues being that you receive a NDR from your recipient relating to something like “Error 550 5.7.1 The user or domain that you are sending to (or from) has a policy that prohibited the mail that you sent” or anything basically that falls back to “we don’t trust this e-mail, because you smell of spam/phishing/malconfigured SMTP/…”

Your printer – in this example – still has port 25 and (for instance) uit.telenet.be as outgoing mail server (yes, I’m Belgian – hence the .be TLD on my site)

(PS : don’t want to read this entire story ? CTRL-F your way to “How do I set this thing up ?”)

Behind the scenes

What happened behind the scenes before and after your migration, concerning mail flow ?

Before your migration,

you used to have and old-school mail provider that allowed a lot.
Your recipients didn’t care much or already added your scanned mails with PDF’s in them in their ~~white~~ allow-list.
Maybe your mails got through, maybe they didn’t.

Your outgoing mail provider (let’s say it’s Telenet nv for the sake of the already mentioned example above) doesn’t really care what you send over their mail server, as long as you send it from an IP address on their network.

(a small note : at the time of this writing Telenet no longer accepts anonymous port 25; they need authentication through an @telenet.be address and use port 587 with TLS encryption)
(another small sidenote : Proximus still allows anonymous port 25 at this time cough)

Whatever the case, it would allow senders to send any mail they want from any e-mail address they want, as long as they use their own internet provider’s mail address.

After migrating to M365,

Microsoft kind of enforces you to add certain DNS records, before 100% completing the setup wizard of their Online Exchange offer.
✅ green ticks tick my own boxes as well, so as an OCD-enjoying IT guy, I can’t not complete this wizard :p

One of these records you have to create is an SPF record, which partly regulates the mail flow for your domain by defining. (more on the SPF record on [this page])
Microsoft is also kind enough to allow you to send over their own SMTP servers (good guy MS !!!) and provides certain regulations in order to be able to do so.

Server/Smart Host: smtp.office365.com
Port: 587
TLS/Start TLS: Enabled
Username/Email address and password: pretty obvi what this is….

In a perfect world, you’d be able to just enter these settings in your super-duper all-in-one printer and you’d be good to go. 👌

HOWEVER…

On the dreaded day of June 30, 2023 Microsoft disabled out-of-the-box support for a tiny little protocol we know as TLS.
Specifically, they disabled support for TLS 1.0 and 1.1 (fear not).
A lot of these printers use this “older” protocol and – as you might already guess – this complicates the entire sending-of-mail process.

Never fear, though !

Microsoft built in a backdoor/workaround in their own security enforcement and still allows you to send mails like you would in “days of olden”.

How do I set this thing up ?

We’ll take this random internet screenshot from the mail settings tab in an OKI printer as an example :

Following all instructions you find on the internet, this would be the way to go.
And it is.

Using these settings in 2024 will result in a “cannot send mail” error on the printer.

Did you misconfigure something on this printer ?
NO.

Here’s what you need to change on the Microsoft side :

Through https://admin.microsoft.com browse your Users > Active Users and click the mail enabled user for your all-in-one device (Yes, you need to have a mail-enabled user for this)
On the screen that appears on the right, go to the “Mail” tab and click “Manage email apps“
By default “Authenticated SMTP” is not active.
Activate it and press “save changes”
That’s not where it stops, though.
Microsoft, sneaky as they are, still disable SMTP AUTH on a more global level.
So just activating the above, will result in the same sending error on your device.
sooooo, let’s go to https://admin.exchange.microsoft.com for part 2 of the config.
On the Exchange Online admin center go to Settings (in the left) column and pick “Mail Flow” (not to be confused the the “Mail Flow” fold-out menu in the left column).
One thing that needs to be de-activated is the “Turn off SMTP AUTH protocol for your organization“. (the tick needs to be unticked – super confusing option – double negatives and all)
Depending on the type of device, you may or may not need to opt-in the tick “Turn on use of legacy TLS clients“.
Even though Micro$oft disabled TLS 1.0 and 1.1, they still allow older TLS versions to communicate with the SMTP AUTH endpoint “smtp.office365.com”.
Press “Save”, give it a couple of hours tops and BAM, send at will with your Brother MFC something something, your mail enabled camera system, CRM software, …

I’ll leave the “plus addressing” tick for you to Google. It’s a cool feature, with little use-case.
Still cool though.

I haven’t talked about using an account that uses MFA, where you could use “app passwords” up to 2024, but due to security reasons Microsoft is discontinuing this feature

Peace out.
Happy mailing !

DKIM simplified and how it works (but not for beginners)

08/09/2023 Zupertails office 365, tech, training

Lifting shrouds from IT-related mysteries is what we do here.

DKIM… yet another mys(t)ery to so many, but actually not that much rocket science as it seems.
Let me explain :

Simplified as an acronym, DKIM stands for “Domain Keys Identified Mail” and is nothing more than “just another TXT record” in your DNS.
In a previous post, you could read up about SPF records and how they can diminish the amount of spam being sent FROM your domain name. DKIM takes this to a next step.
It’s the implementation of DKIM that will require some extra feedback from me, though.

Extremely simplified

Woodpecker.co explains DKIM as following :

“Take Game of Thrones to get the bigger picture of DKIM. Ned Stark is sending a raven with a message to king Robert. Everyone could take a piece of paper, write a message and sign it Ned Stark. But there’s a way to authenticate the message – the seal. Now, everyone knows that Ned’s seal is a direwolf (that’s the public key). But only Ned has the original seal and can set it on his messages (that’s the private key).”

Quite the analogy, if you’ve seen GoT (and no spoilers, even !)

What happens when using DKIM ?

The entire concept is based on encryption of a specific value that uses a public and a private key, that are generated in pairs and therefore cannot exist apart from each other.

The public value is stored (obviously) in a public location where all e-mail servers and clients can access it : the DNS server that holds your domain name (OVH, Skynet, Godaddy, Combell, …)

The private value is sent in an encrypted way over internet and can be verified through means of that private key, to check if it used the original correct signature.
It’s comparable to how an MD5 checksum works

(with the exception that at the time of this writing, DKIM can not yet be broken and it’s possible to “fake” an MD5 lol)

This hidden signature is then verified by the mail server, through which you send your signed mail, as well as all other mail servers where this message passes (in its original form).

Because…. the signature is added to the mail headers and is completely independant from how SPF records work, a proxy’ing mail server that just passes on your message, retains headers.
Theoretically, your mail could fail on an SPF, but could be perfectly valid on a DKIM basis !

Fool-proof ?

Is this method a fool-proof way of confirming ALL mails from your domain are safe now ?

A simple answer : NO.

DKIM is kind of the reverse of SPF, whereas SPF tells the receiving mail server what mail NOT to trust.
DKIM tells the receiving mail server that this specific mail, sent from this specific source is – in fact – OK to receive. DKIM does not guarantee that mails from your domain name, sent from a source other than the one defined in the key verification, are in fact safe, because the key in the verified mail message only counts for the specified source.

“Should I not bother to use DKIM, then ?”

You should still try to implement DKIM wherever possible, as all methods of securing your mail flow and getting spam/phishing mails out of this digital world, are most welcome.

What does DKIM look like & “comment ça marche” ?

Enough with the theory; let me explain how (and when) this works.

First of all, your own mail server, through which YOU send outgoing mail, has to have support for DKIM key generation.
Most ISPs (I think we can say “all ISPs”) will not use DKIM, as this would mean having to sign every friggin mail message that the millions of their customers send out on a daily basis.
All mail software would first have to talk on an encrypted basis to a public SMTP server to stuff that signed key in the mail header of their own mail message.
Seeing as most ISPs allow sending over their mailservers, without any authentication whatsoever, except for sending from their IP address range, this can ony mean : a big no-no.

Onward.

If your mail server supports DKIM (we’ll be using Microsoft 365 as an example), we can go ahead and create a DKIM.

https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dkim-configure?view=o365-worldwide explains in heavy detail how to create a DKIM pair on a M365 mail-based subscription (Exchange Online in short).
Go ahead and read the article.
The come back here, for a small moment of enlightenment.

…

All caught up?
Good.

The original private key is never shown and is only known to your very own mailserver.
You get to see – usually in the form of a next-next-next wizard – the entries you have to add as a CNAME record in your own DNS server that hosts the domain name from which you’re sending mail.

As cryptography goes, the mailserver recieves your request to send a mail to somebody.
Next, it adds a specific unique mail header to your outgoing mail, based on its own private key, in combination with the key known to the public (and thus shown in your DNS records, for others to reverse verify)

Before showing the layout of the DKIM record, let me show you what a signed mail header looks like.
If you’ve been following my instructions, you’ve already seen a DKIM record on the Microsoft website mentioned above, by the way :p

DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=newyork;
c=relaxed/simple; q=dns/txt; t=1117574938; x=1118006938;
h=from:to:subject:date:keywords:keywords;
bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;
b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG4ZHRNiYzR

Analysis time :

Every DKIM signed mail starts with “DKIM-Signature:”
The obvious part “v=1” defines the versioning (duh). Ironically at the time of writing, the version will always be “1”
“a” defines the signing algorithm, usually RSA-SHA or RSA-SHA256
“d” stands for the domain name of the sender
“s” is short for “selector” which can be found in the corresponding DNS record (in this case) newyork._domainkey.example.net
“c” is the abbreviation for “canonicalization algorithm”. A tricky one to explain, but I’ll try my best.
You can see it contains 2 values. They represent header/body and define the (dis)allowing of slight header changes in mail forwarding.
“Relaxed” allows a certain change in the header (for instance when forwarding a mail).
“Simple” just tells the receiving mail server, that no change in the mail header part is allowed for it to still be a trusted DKIM key.
“q” is for “query” and tells the receiving end how to perform the DKIM check.
The q-part is optional. At the time of writing, the only valid entry here is “DNS/TXT”, which defines that a DNS lookup needs to be done, looking into a certain TXT field.
“t” is the timestamp
“x” falls together with the timestamp and stands for “expiration”, in case you have a fast-rotating key-pair in your DKIM setup and want to assure the receiving end of a higher security level.
“h” lists the signed header fields …
…while “bh” is the hash for the body part of the mail
“b” is the actual signature data.

Should you totally want to geek out more on the RFC for DKIM, you can get your groove on at https://dkim.org/specs/rfc4871-dkimbase.html

The DNS record(s)

Why did I keep this part for last ?
You could see in the above example, that the RFC leaves space for a different way of reading your DKIM record.
For now, we don’t have a different technology other than DNS to exchange DKIM data, but if DKIM were to be upgrading, so to speak, the possibilities would not be limited to DNS.

The actual public key would look like this :

NAME :
nameofyourselector._domainkey.example.net

TYPE :
TXT

CONTENTS OF RECORD :
v=DKIM1; k=rsa; p=KLJHLHkjhkhkluhiukhjiulYUHKJUIYUYNJKHLKHIOUHJhjkhkjhklhjkh

The content of this record will be provided by your mail server, when you go through the DKIM generating process

A different approach is the use of a CNAME record instead of a TXT record, where your key is stored elsewhere.
Depending on the suggestion your mail server gives you, you’ll implement one or the other.

Your CNAME record could look like this :

NAME :
nameofyourselector._domainkey.example.net

TYPE :
CNAME

CONTENTS OF RECORD :
heresmykey.something.anotherdomain.com

There we have it.
Theory and samples.

If you have any questions, don’t hesitate to contact me by mail, postal pigeon, smoke signal, …

Zuper out

Handy websites concerning this subject :

https://mxtoolbox.com/
https://easydmarc.com/tools/dkim-record-generator

O365 product training

31/10/2018 Zupertails office 365, tech, training

Good news

Microsoft just recently sent me one of their spammy messages that I usually overlook.
Instead, this time, it was a bringer of good tidings. Finally, Microsoft will force-feed you or your users with documentation, tips and tricks on how to use your Office 365 products and get the most out of it. There has been a built-in training centre for admins as well as regular users in the portal.microsoftonline.com landing page for a while now, but – speaking out of personal experience – not a lot of end-users visit this page.

Kindly read the message below, that contains the interesting part of the original mail :

The mail :

We’re pleased to announce that starting on November 29, 2018, all users of Microsoft 365 and Office 365 will receive helpful product training and tips for services in their subscriptions via email. This feature has administrative controls to enable and disable.

[How does this affect me?]
After this change takes place, email communications will be enabled-by-default for your organization’s users, allowing us to provide product training and tips aimed at helping them increase their productivity and to maximize their utilization of the products and services they use most. End users will only receive emails regarding services that they have been enabled for, and you can control whether or not your users receive these communications in the End User Communication tab in your Office 365 admin center. Your users also have the ability to opt-out of receiving these emails on an individual basis by accessing the Security and Privacy pane of their My Account Portal.

This feature will be on-by-default for all Office 365 and Microsoft 365 organizations on November 29, 2018.

If you wish to disable this service for your users, you can do so between now and November 29, 2018 and your settings will be honored.

[What do I need to do to prepare for this change?]
If you prefer your users receive product training and tips that are all tailored to the services in their subscription, then there’s nothing you need to do to prepare for this change.

If you do not want us to send product training and tips to your end users, please follow these steps to disable:

Log into the Office 365 admin center
Click on Services & Add-ins
Click on End User Communication
Flip toggle to “Off”

Sharepoint (online) for beginners (2)

30/10/2018 Zupertails office 365, Sharepoint, tech, training

Preparation (again) is everything

Should you eventually still be interested in Sharepoint Online after reading all the horror-stories and getting yourself mentally up to the task of making this key decision, prepare yourself for a lot more decisions 😉

If you’re a Belgian SME, you can probably skip most of this thought process. If you’re a somewhat larger company or an SME according to American standards, you’re in for a treat if you love planning things.
Consider the following tasks, depending on the size of you IT implementor and the size of the Sharepoint customer :

Plan hub sites
In short, hubs connect your libraries and sites into one easy-to read-and-manage central entity with its own look and feel.
The example picture (for a larger company) shows a specific hub (in green) for the HR department, where all department libraries are centralized.
The general idea behind this is to create a seperate hub for (e.g.) Finance, Marketing, Sales, …It’s common practice for smaller companies to put everything in one hub (with maybe the IT documentation in a separate one)
Managing your Search and Discovery result sets.
You can take feature this as far as you want. Managing search results in a Sharepoint environment and administring keywords can either be something you completely let live a life of its own OR you can fully manage your keywords, result templates OR anything in between.
Actually creating the site and developing graphical layout, customizing content.
Will you be sharing your documents externally to users not in your organization ?
Mentioned before in the previous post : plan the physical content of the Sharepoint site.
What will you be showing your users ? Will your SP environment become a complete file archive of all your documents or will you just be using the platform’s collaboration function on a project-basis ?

I won’t go as far as explaining everything in detail, seeing Microsoft has done this for me already.
You can find a very extensive planning overview on https://docs.microsoft.com/nl-be/sharepoint/introduction

As mentioned before, small enterprises are likely to use 1/10th of Sharepoint and might require a very limited amount of planning, to the point where it even comes down to replicating the original folder structure of a to-be-decomissioned on-premise server.
Sounds like a mouth-full, but practically speaking this is nothing more than a copy-paste action (albeit a tad more technical in the background)

On a note of keeping things simple and understandable, I’ll provide examples for an imaginary small company that starts using Sharepoint for the first time, so we can skip the whole larger planning phase and go straight to using Sharepoint Online (SPO).

Situation sketch

Remember our straw-producing company in an earlier example ?
They’ve gotten inspired by the entire Office 365 thing after experiencing the fun technical advantages of their mail and decided to move their data to ‘the cloud‘ as well.

Being the Belgian SME that they are, Shortstraw LLC has data hanging all over the place, spread among various computers, USB disks, cell phones and tablets.

They started out without a centralized server and are now ready to move to Sharepoint as a data storage platform. (or at least, that’s what they told you *dramatic music*)

Questions, questions, questions …

You, as IT partner for Shortstraw, can now start a limited amount of planning and meet up with CEO and CFO Oliver and Annie.
There’s a certain amount of practical questions you will need answers to, before even starting your move to SPO.

Total amount of data in GB/TB ?
This M$ page will tell you more about these limits.
Do they want all data synchronized on their computer(s) as local files ?
Who REALLY shot JFK ?
Will they be sharing files through SPO (especially to external sources) ?
What files will you split up into a personal Onedrive for Business account and a Sharepoint library?
How fast is the internet on-premise ?
Free disk space and operating system on the machine(s) that holds the data.
In case you’re wondering : Windows 10’s native Onedrive has support since halfway 2018 for so-called ‘streaming files’, which downloads your files on-the-go when you open it from Onedrive. Windows 8/7/… all need an actual physical copy on the disk when synchronising.
…

Setting it up. Getting started. Doing your thing.

The right tools for the job.

When starting a migration to Sharepoint Online, a couple of tools come to mind. There are a few nifty pieces of software that can do the job quite well.

Metalogix
Avepoint
Sharegate
Microsoft Sharepoint Migration Tool
OneDrive synchronisation
Sharepoint out-of-the-box upload/drag-and-drop

I’ll be discussing the last three, as they are free of charge (not counting the actual license cost of your O365 subscription obviously) and have little to no learning curve.

For the ease of this example, I’ll just assume we have some structurally placed files and folders on an on-premise file server/NAS/other easily accessible location for a Windows computer.

More prep !

Nothing ever comes easy (except for your mom – obligatory mom joke, couldn’t resist). More prep work is required before we can move our files to SPO.

A small theoretical explanation (practical examples will follow, don’t worry) :

First of all we’re going to want to create the location(s) where we want to store the files online. This is usually done by creating one or more document libraries. Simplified, you could compare them to shared folders on a file server.
Best practices tell us to set your initial user rights (more on this later) on a library basis, if necessary.
In a more extreme manner, you could even create Sharepoint subsites or Site Collections.

Secondly, you’re going to need to create security groups to apply to your libraries, where we’ll be removing the default security settings, in order to set specific rights to specific libraries.
This can either be done in Azure AD or straight from Sharepoint.

My n°1 suggestion is to keep the admin user as an owner of your libraries – or at least as power user – as we’ll be needing a specific user account for the automated migration process anyway.
If you’re into manual labor, you can have your users perform their own migration, but this is ill-advised.

My three free tools

Before you start to panic, I promise I’ll get more into detail about every method mentioned. The examples below will just give you a sneak peek on the easy of use.

Sharepoint out-of-the-box upload/drag-and-drop

Quite straightforward.
You either choose ‘Upload’ in the menu above your library or just drag and drop your file to where the library is located on-screen.

Screenshot of the open Upload menu in a document library.

OneDrive synchronisation

Same approach, different method.
You select the ‘synchronize’ button above the library, whereas you’ll get a verification from OneDrive to see if you really want to start a synchronization between your computer and this specific library.

Sychronizing will require a significant amount of disk space if you’re not working on Windows 10 (W10 uses the aforementioned file streaming method)

Microsoft Sharepoint Migration Tool

This tool automates the uploading (and pre-analysis) for your data towards the Microsoft Cloud.
Preferably, use the migration tool, when all your local data is stored somewhat centralized. This tool is best run from the (Windows) server itself where the data is held, for speed reasons, among others.

Microsoft SPMT has a very easy and intuitive look and feel, but will require you to create the libraries before starting the migration process.
Also make sure you have sufficient disk space, as this tool creates a temp folder as large as the entirety of the data to be transferred. (temp folder can be selected in the migration options)

SharePoint Migration Tool

That’s all folks.

Prepare for a hands-on moment in the next Sharepoint post !

Sharepoint (online) for beginners (1)

20/07/2018 Zupertails office 365, Sharepoint, tech, training

What the flip ?

Introducing “Sharepoint” is always a tricky one.

Microsoft simply puts it down as an “Online Collaboration Platform”, which is actually one of the most simple ways of explaining the whole thing.
Sharepoint can be used as a sort of online organized file dump, but that would be something like using only the glove compartment of a Ferrari.

It’s often compared to a mixture of “Google Drive”, “Huddle” and a WYSIWYG website editor like WordPress, where you can manage all of your corporate content (to a certain limit), create intranet webpages, automate business processes through workflows, build custom apps etc.

I’ll mainly be talking about Sharepoint Online (SPO) , from hereon. Know that there exists an on-premise version as well, that had its root somewhere between the year 2003 and 2007, but still exists on current-gen Windows servers.

Is Sharepoint the right product for you ?

As with all products, it’s best to perform a study on why you would need it and if it’s the best solution for you, before you actually buy it. There’s a very big change SPO might not be exactly what you need and there’s that other chance, you’ve struck gold and it fits your needs perfectly.

A 30 day demo can be obtained through various means, of which the classic Microsoft demo environment is the most popular one : https://products.office.com/nl-be/try
If in doubt –> always demo it first.

Consider the following questions before usage :

Do your employees work remotely?
Do your employees often move from one client location or meeting to another?
Do your employees need access to various devices so they can do their jobs?
How are your employees currently accessing the content that they need?
Do you have customer-facing requirements, like a place to share information, an online catalogue, an online Request for Information form, or an online Request for Quote form that your customers need to fill out?
Do you share documents with your customers often?
Are you using USBs to transport and work on presentations, requests for information, or marketing collateral?
Does your staff ever complain that they wish there was an easier way to access your content?

You might have guessed, from the commercial way these questions have been formed (thank you, proserveit.com) , that Sharepoint will be a fitting answer for all of them.

I’ll also gladly push away some common misconceptions surrounding Sharepoint and its use, since potential users will start Googling and will eventually find articles that scare them away from this online platform.

Sharepoint is just a place to store your files

NO!
It’s a friggin’ collaboration platform. You’ll be able to work on project-based or group-based items, follow up your colleagues, create automated tasks, …

The IT department will be in charge of setting up our environment and maintaining it

NO!
Maybe the IT department will need to explain the very concept of Sharepoint and set up the initial workspace environment a bit, but you as a user will be very able to create your own project pages, invite colleagues, change the look and feel of your SP workplace and much more.

You can’t customize Sharepoint. It will look like any other SP environment

NO!
Sharepoint (Online as well as the on-premise version) has a relatively easy way of customizing every page and/or creating templates based on your company colors or personal preferences. Not only the page theme, but also the way your libraries are shown and much more can be fully customized.

SP is not user-friendly

NO!
C’mon, really ? You’ve worked with Microsoft products before, right?
Can you really say Microsoft’s end-user products are not user-friendly ? And be honest !
If you can actually find a software package by M$ that you find to be user-unfriendly, try to find an alternative and tell yourself again how great that alternative works out for you, will you ?
As with all new software, you might have to learn the basics, but even creating a new Sharepoint project or page just feels like typing a Word document or creating a flyer in Publisher.

I’m pumped! Let’s do this!

Before you get all over-hyped, there’s a few things to take into consideration before moving your data to the cloud and de-comissioning your old server(s).
Doing so, will avert potential headache afterwards, for either the IT implementor as for the users that will actually be … using … Sharepoint.
The baseline here is : “Don’t do a full copy-paste”

Just in case, we might need this document…

Take a breather and think about how much data you’d like to move over to SPO.
Do you really want to bring over all those old archived files, that you will never ever be looking into?
There’s no real harm in actually copying them over to SPO, but wouldn’t you rather work in a clean and clutter-free environment than be surrounded by piles of old paperwork ?

New document (1)(1)(2)-final_by_john.docx

The various options for versioning — Various options for versioning

For the love of God/Allah/Vishnu/The Flying Spaghetti Monster/…
Having a document like this is bad enough practice as it is, but don’t bring this over to your new Sharepoint environment.
Judging by this filename, there have been tons of new versions of this document created over time, while keeping the original ones around for … I don’t know … archiving ?

Sharepoint has built-in versioning, that can be customized to your heart’s content : approval options, type of numbering, amount of copies to keep, …

You’ll only end up using more storage than you actually need as well as creating a chaotic and unstructured work environment.

Next to all that, the above filename situation might be created by multiple users trying to access the same file and saving it as their own version.
Again in Sharepoint, you can actually co-author a document or even set a certain lock notification on the document for obligatory check-out of the document before editing it.

No more excuses 😉

Don’t think “Files and Folders” anymore

If you know how a database structure works, you’ll have better insight in why and how you shouldn’t be using the classic files and folders layout anymore, because Sharepoint, when you simplify it, is just one giant database.
Don’t feel bad if you don’t know what the internal workings of a database server are. I’ll gladly explain the Sharepoint way of thinking, so that you get the most out of your new structural storage.

First of all, keep in mind that Sharepoint is a collaboration platform. The essential part here is that one word : “collaboration“.
Obviously there’s still a need for rights and structural placement of folders, but the main idea is the working-together part.

You can create cross-functional groups, completely separate from your existing classic company structure where you now have a CEO > Management Group > Employees rights piramid.
Consider the people who own the file content, as opposed to the ones that get to “use” it and base yourself on “projects” instead of folders. Create Sharepoint pages per project, for instance.

Try to add as much logical keywords to your documents instead of categorizing in one single folder. Remember those many times you thought about that one file that was good for folder A , folder B and even folder C, and you had to make the decision of putting it at least somewhere?
Well, Sharepoint uses sort of a labeling system called Enterprise Keywords, where the actual location of your file matters less than the correct label(s) you attach to it.
Just make sure that the users who need this file, have access to the file, folder or library it’s in and you’re good to go. The Sharepoint search function will do all the work for you.
Not even to mention the awesomess of the program called “Delve“, that digs deeper in projects, files, statistics etc.

Planning your libraries

The Internet, Jen ! In Sharepoint everything is divided into lists and libraries. Remember my database reference above ? Well, a list or library is nothing more than a database table.
As with all database systems, there’s a certain limit to what you can do. In this case, the often discussed 5000-items limit in a Sharepoint library is to be taken with a grain of salt.

You might have heard from the above mentioned item limit.
The number of items in a Sharepoint library should not exceed 5000 according to Microsoft advice. So, what happens if you get you 5001st item in a library ? Does the internet explode ?

Let me elaborate on this.

First off, the Sharepoint definition of an item is either a folder or a file, meaning that if you have 200 subfolders that contain 1 file in total, you have 201 items.

This whole limit thing has to do with the indexing speed for the software that runs in the background.
In order to quickly find your data, your server environment needs to read and analyze your data first, after which this analyzer-process writes something like a table of contents.
This table of contents is then used for search actions, because a ToC reads faster than actually having to scan your documents on-the-fly.

Microsoft has set a pretty round number on this, so it is easily remembered.

Should you go over the limit of 5000, the automatic indexing process simply becomes not-so-automatic and will take around 24 hours, depending on the process timing by Microsoft, which is something you yourself cannot change.
There’s actually another limit : 20000 items. Here, the indexing starts to go wrong and may start reporting faulty results or missing files.

What I’m saying is : “DON’T PANIC ; don’t limit yourself to the 5000 items barrier if indexing within 24 hours is good enough”

Onward !

Hopefully, I didn’t scare you too much here on the whole Sharepoint thing.
If you’re still planning to move your data to Microsoft’s cloud environment, keep reading on the entire process of migrating and what tools to use best in a next post.

Peace out!