Mail Transports Manual

Some functionalities in ClockWise could send an email to employees, contacts or other relations from ClockWise. This could be when adjusting a password, an email for reminding to submit or approve periods, or email to a customer when you are billing. There are increasingly strict requirements between mail servers to prevent SPAM (undesirable email) from getting in the inbox. ClockWise has a few options to send emails in ways the receiving servers will designate the email as little as possible as SPAM by setting up Mail Transports.

Used terminology

DNS record - A setting for your domain name in the server that is usually managed by the hosting provider
SPF record - A type DNS record to grant other servers the permission to send mail with that domain name as sender
DMARC record - A type DNS record in which a key is stored such that the receiver could check that the email is created by a granted mail server.
DKIM record - A type DNS record that decides which way the receiver should check on SPF or DMARC records.
SMTP server - A server from your hosting provider that could be used to send emails from clients (mail applications)
Mail Transport - The way an email is sent.

Setting up Mail Transports

By default, Clockwise uses a mail transport that sends mails from the ClockWise server with the user's email address as sender, or a no-reply address from the ClockWise domain name. To set up an extra mail transport for your entire ClockWise account, or per matched email address or service, you could go to Configuration → Settings → Mail transports. Here you can find a button 'Mail transport toevoegen'

Mail transports

Transport matching

After pushing on te button 'Mail transport toevoegen' you get a section where the transport matching can be filled in. By default this is configured such that all mail will be dispatched by the to be set up mail transport. With this, the default mail transport could be edited.
Usually, a specific transport is set up per domain. Thus the mail that is sent with as sender an email address on that domain will be dispatched by this transport. Usually all of the employee's email addresses are from the same domain and then there is only one transport rule necessary.
An external SMTP server ofter only accepts email from a specific domain. When SMTP is chosen as transport type, and that SMTP server is set up in this way, it is necessary to have a transport matching for that domain.
When you want to send mail from a email address which is not a no-reply address, it is necessary to fill in a domain such that DNS records could be checked on the proper settings. When you use DKIM, a domain is also mandatory.
Matching on a local part could be useful for testing or if for a specific email address in ClockWise a different transport must be used.
As subsystem a specific system, like billing or password-communication could be chosen. Note: this option is possibly not available yet.

Adding mail transports

Transport types

A few different types of mail transport could be chosen. Each have their own properties and the choice for a specific transport mechanism is often made by considering the requirements from an already existing infrastructure.

Mail transport 'ClockWise server'

With this transport, mail is sent from the servers from ClockWise. If the domain of the sender has an SPF record, it is necessary to expand this record with our incluce record in which ip addresses are contained which are used to send mail from. This is important, otherwise receiving servers could mark the email as spam.
The interface has a SPF check which checks if the filled-in domain has an SPF record, and if so, if the clockwise SPF include record is contained.

Mail transport type

It is also possible that this domain has a DKIM record. The use of this DKIM record can be enforced with a DMARC record. If there is a DMARC record present, it could be a indication that the server uses DKIM.
With DKIM, not only the sending server is checked, but also the creator of the email. Furthermore, some of the headers are checked if they are not changed. With the DKIM protocol, the header of the email is encrypted with a public-private key pair. The public key in placed in the DNS records such that the receiver could verify the contents. Having a valid DKIM record could be an extra trigger for the receiving server to not mark the email as spam.
If 'Use DKIM' is turned on for this transport, a keypair will be generated. Each email via this transport will be encrypted with this key. Therefore, it is important to change the DNS records for the domain that belongs to this transport such that the receiving server could check the header.

DKIM mail transport

Mail transport 'ClockWise no-reply address'

If it is impossible or difficult to add SPF and/or DKIM records to the DNS records, for instance when you do not own the domain like a public service, a no-reply transport could be a solution. The mail will then be sent from a noreply@clockwise.info address. Any SPF or DKIM records are automatically configured as the sender address is owned by ClockWise and we filled in the data ourselves.
This could look less pretty for the receivers, because the sender is clearly from our service. Moreover, it is more difficult to reply to an email, because email sent to a no-reply address will not be forwarded.
In some mail clients a special header in the email will consulted when the user pushes the reply button, that is the reply-to header. If strict DKIM and DMARC checks take place at this address, the presence of a reply-to header could actually increase the change that the mail will be marked as spam. For this reason, the option to have the sender as reply-to address in the email is optional.

Mail transport copy sender address

Mail transport 'Exernal SMTP server'

A third possibility is to configure your own SMTP server. This server will probably already have the correct SPF and DKIM settings. Furthermore, the sent email could automatically be added to your 'sent email' folder. However, there are a few disadvantages:

  • THe SMTP server has to be reachable by our ClockWise servers.
  • There must be an account which makes it possible for all users to send mail from this domain. (This means that it is not possible to have an account per user.)
  • The credentials for the SMTP server can only be stored as clear text in ClockWise. This must be allowed by your security policy.
Mail transport external SMTP server

Preventing mail in the spam folder at Office 365

SPF record

Does your account have an SPF record? Then it is necessary to add ClockWise to this record when you use ClockWise to sent emails from email addresses from this domain. Via this record, receiving servers check if the email is sent from an authorised server.

How do I now if my domain has a SPF record? You can either check with online tools or look at the settings for your DNS if an SPF record is present. One of the online tools for this is https://mytoolbox.com/spf.aspx. There is also a tool in ClockWise that check the domain for SPF records when setting up the mail transport.

How can I add clockwise as authorised mailserver? A record looks like an entry in the dns with the following (sample) content:

"v=spf1 include:spf.mailserver.com -all"

In this record, 'mailserver.com' will be an existing mail server. To add clockwise to the record the text include:_spf.clockwise.info should be added, such that the record looks like:

"v=spf1 include:spf.mailserver.com include:_spf.clockwise.info -all"

Are there other options? It is also possible to configure clockwise to use DKIM, an external SMTP record with a generic account, or to send mail from noreply.clockwise.info. For more info, look at the section about the creation of Mail transports.

Outlook/office 365 settings for sending mail from ClockWise

In case that Outlook is used the spamfilters could be configured so strict, that only adding _spf.clockwise.info to the SPF record is not enough. The mail server from outlook could also be configured that only mail from yourdomain.com which is sent from outlook itself will be classified as 'not spam'.
For this, we found the following solution. With Office365 using an SPF record and without a DMARC record, a connection filter whitelisting can be set for spam mentions for messages within your own domain.
In these pictures you can see the settings for the connection filter in your own account

Office 365 admin centerOffice 365 connection filter 'default'

If this does not provide a solution, then there must be searched for different solutions.

Configure Office 365 as SMTP server.

To set up Office 365 as an SMTP server for ClockWise an SMTP Relay Connector has to be created. Go to the Exchange Admin Center and click on Mail flow and after that on Connectors. Click on the "+" symbol to add a new connector. Choose at From: Partner Organization an at To: Office 365. Click on Next to continue.

Office 365 as SMTP server mail flow settings

Give the relay connector a Name and optionally a Description and click on Next.

Office 365 as SMTP server new connector

At "How should Office 365 identify email from your server" select 'IP address' and click on '+' to add an IP address.

Office 365 as SMTP server verify ip address

As adress the network of ClockWise could be added: 217.115.198.64/27 . Optionally also the IP address from your ClockWise instance can be added. For this, you can search for the IP address belonging to account.clockwise.info, where account is your instance name.

Office 365 as SMTP server add ip address

As the last step, click on Save to save this connector. Furthermore, add a mail transport via SMTP in ClockWise to use Office 365 as SMTP server via this connector. (See https://support.happyfox.com/kb/article/522-office-365-smtp-relay-connector for more information on setting up the SMTP server settings in Office 365)