dkim mail servers using domain as selector - dns

I have set up a mail server but when I send mail to gmail accounts I get
Authentication-Results: mx.google.com;
dkim=temperror (no key for signature) header.i=@h2993269.stratoserver.net header.s=porifera.site header.b=NDzL8dZn;
spf=pass (google.com: domain of support@porifera.site designates 81.169.136.154 as permitted sender) smtp.mailfrom=support@porifera.site;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=porifera.site
If I am understanding the output here correctly, the gmail server is looking for a dkim record with the domain h2993269.stratoserver.net with the selector porifera.site. This is backwards. h2993269.stratoserver.net is the hostname which I used as a selector because opendkim recommends doing so. The dns record looks like this:
This dmarc tester I found says the record is set up correctly.
https://www.dmarcanalyzer.com/dkim/dkim-checker/?dmarcdns%5Btype%5D=dkim&dmarcdns%5Bselector%5D=h2993269.stratoserver.net&dmarcdns%5Bdomain%5D=porifera.site
the dkim signature on the mail looks like:
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
d=h2993269.stratoserver.net; s=porifera.site; t=1670839153;
which also has the selector and domain reversed so there must be an issue in my opendkim config
What have I done wrong?

Something about laying it out in a Stack Overflow question has a way of clarifying the mind. I realised it must be an issue in my opendkim config, so I went back through it all and sure enough my KeyTable had
selector._domainkey.domain selector:domain:/path/to/key
but it should have been
selector._domainkey.domain domain:selector:/path/to/key
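As an added example (not code from the original post or from OpenDKIM), the check below parses a KeyTable line and a DKIM-Signature header and derives the DNS name a verifier will query, so a swapped domain/selector pair is caught before mail is sent. The key path `/path/to/key` and the key-name convention `selector._domainkey.domain` are taken from the answer above; the sample lines are constructed from the values quoted in the question.

```python
"""Check an OpenDKIM KeyTable entry against the DKIM-Signature it produces.

KeyTable format (OpenDKIM): <keyname> <domain>:<selector>:<private-key-path>
A verifier builds the DNS name <s>._domainkey.<d> from the signature's s= and d=
tags, so swapping domain and selector in the KeyTable makes it query a name that
was never published (Gmail's "no key for signature" temperror)."""
import re

# Constructed: the KeyTable line as the poster had it (domain and selector swapped).
KEYTABLE_WRONG = ("h2993269.stratoserver.net._domainkey.porifera.site "
                  "h2993269.stratoserver.net:porifera.site:/path/to/key")
# Constructed: the corrected line.
KEYTABLE_RIGHT = ("h2993269.stratoserver.net._domainkey.porifera.site "
                  "porifera.site:h2993269.stratoserver.net:/path/to/key")
# The (reversed) signature quoted in the question.
DKIM_HEADER = ("DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;\n"
               " d=h2993269.stratoserver.net; s=porifera.site; t=1670839153;")


def parse_keytable_line(line):
    """Return (keyname, domain, selector, key_path) for one KeyTable line."""
    keyname, value = line.split(None, 1)
    domain, selector, key_path = value.split(":", 2)
    return keyname, domain, selector, key_path


def parse_dkim_tags(header):
    """Parse the tag=value list of a DKIM-Signature header (RFC 6376 section 3.2).
    Folding whitespace is insignificant, so it is stripped before splitting."""
    body = re.sub(r"^DKIM-Signature:", "", header.strip(), flags=re.I)
    body = re.sub(r"\s+", "", body)
    tags = {}
    for item in body.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k] = v
    return tags


def dns_query_name(domain, selector):
    """Name a verifier queries for the public key TXT record."""
    return f"{selector}._domainkey.{domain}"


def check_keytable(line):
    """Return a list of findings (empty = OK).  With the key-name convention
    <selector>._domainkey.<domain>, the DNS name derived from the value half
    must equal the key name; otherwise domain and selector are swapped."""
    keyname, domain, selector, _ = parse_keytable_line(line)
    expected = dns_query_name(domain, selector)
    findings = []
    if keyname != expected:
        findings.append(f"key name {keyname} does not match {expected}: "
                        f"domain and selector are probably swapped")
    return findings


def check_signature(header, expected_domain):
    """Return (d, s, dns_name, domain_ok) from a DKIM-Signature header, where
    domain_ok says whether d= is the domain you meant to sign for."""
    tags = parse_dkim_tags(header)
    d, s = tags.get("d", ""), tags.get("s", "")
    return d, s, dns_query_name(d, s), d == expected_domain


if __name__ == "__main__":
    for line in (KEYTABLE_WRONG, KEYTABLE_RIGHT):
        print(line.split()[0], "->", check_keytable(line) or "OK")
    print(check_signature(DKIM_HEADER, "porifera.site"))
```

Run against the header from the question, `check_signature` reports the verifier would look up `porifera.site._domainkey.h2993269.stratoserver.net`, which is exactly what Gmail's `header.i=@h2993269.stratoserver.net header.s=porifera.site` line says it did.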

Related

This message does not have authentication information or fails to 550-5.7.26 pass authentication checks

I have problem with google and I can't send email to any gmail or Gsuite emails
got report from mail server log
Feb 17 12:16:30 server postfix/smtp[19451]: 853E35E55A: to=<xxx@gmail.com>,
relay=aspmx.l.google.com[209.85.144.27]:25, delay=0.38, delays=0.05/0/0.15/0.17,
dsn=5.7.26, status=bounced (host aspmx.l.google.com[209.85.144.27] said: 550-5.7.26 This
message does not have authentication information or fails to 550-5.7.26 pass
authentication checks. To best protect our users from spam, the 550-5.7.26 message has
been blocked. Please visit 550-5.7.26
https://support.google.com/mail/answer/81126#authentication for more 550 5.7.26
information. w19si7586061qkp.34 - gsmtp (in reply to end of DATA command))
and I'm not blacklisted on any spam list (I checked most of the websites that provide a blocklist checker)
I also don't have any problem with SPF, DKIM or DMARC
here is SPF checker
https://prnt.sc/26xomwz
here is DKIM checker
https://prnt.sc/26xoodg
here is DMARC checker
https://prnt.sc/26xopgo
here is DMARC report from google
<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
<report_metadata>
<org_name>google.com</org_name>
<email>noreply-dmarc-support@google.com</email>
<extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
<report_id>10254909114662490508</report_id>
<date_range>
<begin>1644969600</begin>
<end>1645055999</end>
</date_range>
</report_metadata>
<policy_published>
<domain>cbs-canon.com</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>quarantine</p>
<sp>quarantine</sp>
<pct>100</pct>
</policy_published>
<record>
<row>
<source_ip>5.161.45.186</source_ip>
<count>187</count>
<policy_evaluated>
<disposition>quarantine</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>server.cbs-canon.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>server.cbs-canon.com</domain>
<result>fail</result>
<selector>default</selector>
</dkim>
<spf>
<domain>server.cbs-canon.com</domain>
<result>none</result>
</spf>
</auth_results>
</record>
<record>
<row>
<source_ip>5.161.45.186</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>pass</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>cbs-canon.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>cbs-canon.com</domain>
<result>pass</result>
<selector>default</selector>
</dkim>
<spf>
<domain>cbs-canon.com</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
</feedback>
How can I find out where the problem is?
That is odd. The sending source IP is definitely in your SPF, and the DMARC record includes aspf=r, so the header from address in a child domain is valid and matches. I'd also note that your DMARC has p=quarantine, but gmail is acting like it's reject. This is gmail though, so you can't expect it to behave well.
I expect that the problem is that you don't have an SPF record set for server.cbs-canon.com, so make sure that exists and allows the same sources as cbs-canon.com. It looks like you're not doing DKIM signatures either, meaning that both SPF and DKIM are failing, resulting in a DMARC failure. Try adding that DNS record, or redirecting/including server. to your root domain.
Adding more info to @Synchro's answer.
It is the fact that the Return-Path address is using the server.cbs-canon.com domain and there is no SPF record in that zone. You only need an SPF record for the domain used in your Return-Path address. For your server's emails that would be server.cbs-canon.com. For Google that would probably be just cbs-canon.com.
The same goes for DKIM. The receiving server is checking for the selector named default in the domain server.cbs-canon.com (so doing a query for TXT record default._domainkey.server.cbs-canon.com), which does not exist.
DMARC will then check if either the SPF (Return-Path) or DKIM (d=) domain aligns with the Header.From domain (or shares the organizational domain in case of relaxed mode).
Probably the easiest fix for you right now is to copy the SPF TXT record and DKIM selector record to the server.cbs-canon.com domain.

DMARC/SPF configuration error

I have a domain registered at domains.google.com that I use with a G Suite account and also to send email from SES and mailchimp.
My DNS records look correct to me (Mailchimp instructions):
# TXT "v=spf1 include:_spf.google.com include:amazonses.com include:servers.mcsv.net ~all"
_dmarc TXT "v=DMARC1; p=none; pct=100; rua=mailto:re+aml1ryadtn7@dmarc.postmarkapp.com; sp=none; aspf=r;"
I use postmark's nifty service to get a weekly DMARC digest, and they report this error for mailchimp emails:
mcsv.net is authorized to send on behalf of mydomain.com, however it looks like SPF is still failing DMARC’s alignment test. DMARC looks at the Return-Path of a message to make sure the domain there matches the domain in your From address. If the Return-Path doesn’t match your From address, those messages will fail DMARC’s SPF alignment test. Check with this source because you may need to set up a custom Return-Path.
Here are relevant headers from a mailchimp email:
Return-Path: <bounce-mc.us17_88978185.265251-recipient=patentbots.com@mail125.suw11.mcdlv.net>
From: me@mydomain.com
Do I have an error in setup (either DNS or Mailchimp) that causes SPF DMARC alignment to fail? Or is this something that isn't supported by Mailchimp?
Mailchimp does not support SPF as it uses its own domain in the bounce address. Their domain authentication verification tool requires including Mailchimp, though. Mailchimp always fails DMARC's SPF alignment test because the Return-Path doesn’t match the From address. MailChimp doesn't support a custom Return-Path (even though Mandrill, which is owned by Mailchimp, does). This makes it impossible to be 100% SPF-compliant under DMARC rules with Mailchimp.
I'm not 100% sure, but I'd guess that if the domains for return-path and from header have to match, you would need to have a CNAME DNS record in your own domain pointing at MC, so that the domains could match, something like:
mc CNAME mail125.suw11.mcdlv.net
Then your return path might become <bounce-mc.us17_88978185.265251-recipient=patentbots.com@mc.mydomain.com>.
I don't know if a subdomain match like this is sufficient, i.e. whether DMARC considers mc.mydomain.com and mydomain.com to be sufficiently aligned.
I can see the management of this being a little tricky if you have lots of domains.
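The two threads above turn on the same rule: DMARC passes when at least one of SPF or DKIM passes *and* its domain aligns with the Header.From domain, with relaxed mode (`aspf=r`/`adkim=r`) accepting a shared organizational domain. As an added example (not code from either thread), the script below parses a DMARC aggregate report in the format Google sent for cbs-canon.com, re-derives the verdict per record, and exposes the alignment test on its own so the Mailchimp question (does `mc.mydomain.com` align with `mydomain.com`?) can be answered directly. The embedded report is a trimmed, constructed copy of the one quoted above, and `org_domain()` uses a fixed two-label rule instead of the Public Suffix List, which is an assumption that holds for `.com` but not for suffixes like `.co.uk`.

```python
"""Re-evaluate DMARC verdicts from an aggregate (rua) report, including
identifier alignment in relaxed ('r') and strict ('s') mode (RFC 7489 section 3.1)."""
import xml.etree.ElementTree as ET

# Constructed: trimmed copy of the Google report quoted in the thread.
REPORT = """<feedback>
 <policy_published>
  <domain>cbs-canon.com</domain><adkim>r</adkim><aspf>r</aspf><p>quarantine</p>
 </policy_published>
 <record>
  <row><source_ip>5.161.45.186</source_ip><count>187</count></row>
  <identifiers><header_from>server.cbs-canon.com</header_from></identifiers>
  <auth_results>
   <dkim><domain>server.cbs-canon.com</domain><result>fail</result><selector>default</selector></dkim>
   <spf><domain>server.cbs-canon.com</domain><result>none</result></spf>
  </auth_results>
 </record>
 <record>
  <row><source_ip>5.161.45.186</source_ip><count>1</count></row>
  <identifiers><header_from>cbs-canon.com</header_from></identifiers>
  <auth_results>
   <dkim><domain>cbs-canon.com</domain><result>pass</result><selector>default</selector></dkim>
   <spf><domain>cbs-canon.com</domain><result>pass</result></spf>
  </auth_results>
 </record>
</feedback>"""


def org_domain(name):
    """Organizational domain.  ASSUMPTION: last two labels; RFC 7489 section 3.2
    actually requires the Public Suffix List (e.g. example.co.uk has three)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, header_from, mode):
    """strict: exact match.  relaxed: same organizational domain."""
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    if mode == "s":
        return a == h
    return org_domain(a) == org_domain(h)


def evaluate_record(rec, adkim, aspf):
    """Return (dkim_ok, spf_ok, dmarc_pass, reasons) for one <record>.
    An identifier only counts if its result is 'pass' AND it aligns with From."""
    header_from = rec.findtext("identifiers/header_from")
    reasons, dkim_ok, spf_ok = [], False, False
    for d in rec.findall("auth_results/dkim"):
        dom, res = d.findtext("domain"), d.findtext("result")
        if res != "pass":
            reasons.append(f"dkim d={dom} result={res}")
        elif not aligned(dom, header_from, adkim):
            reasons.append(f"dkim d={dom} not aligned with From {header_from} (adkim={adkim})")
        else:
            dkim_ok = True
    for s in rec.findall("auth_results/spf"):
        dom, res = s.findtext("domain"), s.findtext("result")
        if res != "pass":
            reasons.append(f"spf domain={dom} result={res}")
        elif not aligned(dom, header_from, aspf):
            reasons.append(f"spf domain={dom} not aligned with From {header_from} (aspf={aspf})")
        else:
            spf_ok = True
    return dkim_ok, spf_ok, dkim_ok or spf_ok, reasons


def evaluate_report(xml_text):
    """Return one dict per <record> with source IP, count, From domain, verdict and reasons."""
    root = ET.fromstring(xml_text)
    adkim = root.findtext("policy_published/adkim") or "r"
    aspf = root.findtext("policy_published/aspf") or "r"
    out = []
    for rec in root.findall("record"):
        dkim_ok, spf_ok, ok, reasons = evaluate_record(rec, adkim, aspf)
        out.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "dmarc": "pass" if ok else "fail",
            "reasons": reasons,
        })
    return out


if __name__ == "__main__":
    for r in evaluate_report(REPORT):
        print(r["count"], r["header_from"], r["dmarc"], r["reasons"])
    # Mailchimp case from the second thread: bounce domain vs. From domain.
    print(aligned("mail125.suw11.mcdlv.net", "mydomain.com", "r"))
    print(aligned("mc.mydomain.com", "mydomain.com", "r"))
```

For the 187 quarantined messages the output reproduces the answers above: DKIM failed and SPF returned none for `server.cbs-canon.com`, so there is nothing to align and DMARC fails regardless of `aspf=r`. For the Mailchimp question, `mail125.suw11.mcdlv.net` does not align with `mydomain.com` in either mode, while `mc.mydomain.com` aligns in relaxed mode only, so the poster's `aspf=r` record would accept it if the Return-Path were actually under their domain.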

SPF record seems to not register at gmail (at least)

So I have the following SPF record for the domain hojio.com:
The TXT records found for your domain are:
v=spf1 ip4:194.150.114.22 ip4:194.150.114.0/24
include:support.zendesk.com include:smtp.zendesk.com ~all
The domain is on the ip 194.150.114.22 and a reverse dns lookup on that ip gives hojio.com
Gmail says:
neutral (google.com: 194.150.114.22 is neither permitted nor denied by
best guess record for domain of www-data@ksenikovweb01.dandomain.net)
client-ip=194.150.114.22;
As if its not finding any SPF record? This is strange, since I can use various online SPF record checker tools, that all give me the correct one. What am I doing wrong?
Are you sure that hojio.com is being used in the Return-Path? SPF works off the Return-Path, not the From address. So it doesn't matter if the From address is from a user at hojio.com, unless the Return-Path is the same.
From the Gmail message it looks like the Return-Path is www-data@ksenikovweb01.dandomain.net. The domain ksenikovweb01.dandomain.net does not have an SPF record, so that would explain the 'neutral' SPF rating.

SPF Record Gmail sets on SPAM folder

I've been working on this for about 5 hours and I still can't find a way to stop the emails from my private server going to the spam folder in Gmail.
The error I'm receiving in google is:
Received-SPF: neutral (google.com: 212.113.177.3 is neither permitted nor denied by domain of info@skiuwi.com) client-ip=212.113.177.3;
Authentication-Results: mx.google.com;
spf=neutral (google.com: 212.113.177.3 is neither permitted nor denied by domain of info@skiuwi.com) smtp.mail=info@skiuwi.com
I actually do not know what the hell the IP 212.113.177.3 is, but a search around Google told me to add an SPF record to my domain, so I did.
But the emails continue to go to the SPAM folder. So I went to the SPF Record Checker
and they output the following results:
What am I doing wrong in the SPF?
You need to combine your two SPF records into one.
v=spf1 ip4:212.113.177.3 include:_spf.google.com ~all
Note that adding SPF isn't a magic bullet. Many components go into spam filtering - content analysis, the reputation of the sending IP, the age of the domain name being used, blacklisting, DKIM, etc.

SPF record is hard failing

I'm trying to get an SPF record set up on our domain, but it just seems to get confused.
The domain is letterpart.com and the mail server is mail.letterpart.com. We send all of our emails from an Exchange Server at mail.letterpart.com, either directly or via Perl scripts that forward to the Exchange server. This is our only server and deals with incoming and outgoing mails.
We originally had
v=spf1 mx a:mail.letterpart.com a:cmail1.com ~all
which includes our mail server and that of Campaign Monitor which we sometimes use to send out marketing emails.
This, though, was giving us a soft fail:
Recipient address rejected: SPF Tests: Mail-From Result="softfail": Mail From="*****@letterpart.com" HELO name="mail.letterpart.com" HELO Result="none" Remote IP="94.72.251.210">
I spoke to our ISP, KCOM, and they came back with this reply:
I have checked the existing SPF record and found a possible cause of
your "softfail". The "all" mechanism was prefixed with a "~" which
gives a soft fail. I have changed the records "all" section to "-all"
which should produce a fail.
Now, when I send mail from Outlook, I get a hard fail:
spf-test@openspf.net on 22/06/2012 09:47
You do not have permission to send to this recipient. For assistance, contact your system administrator.
<mail.letterpart.com #5.7.1 smtp;550 5.7.1 <spf-test@openspf.net>: Recipient address rejected: SPF Tests: Mail-From Result="fail": Mail From="*****@letterpart.com" HELO name="mail.letterpart.com" HELO Result="none" Remote IP="94.72.251.210">
I went back to our ISP and said that the change they made had indeed changed our soft fail into a hard fail, so can they now change it so we don't fail at all.
His reply was that this record is correct and that it shows that emails not coming from our domain will fail. I pointed out that the test I am sending was coming from our domain, and he just sent me a reference to SPF Record Syntax which is the same site I am testing the spf-test#openspf.net email on.
Have I completely got the wrong end of the stick when it comes to these records? I thought the idea was not to fail at all when sending from our domain.
Now. Our MX record shows the following:
mail.letterpart.com 94.72.251.212
But the SPF test email is showing the IP address as 94.72.251.210, and when I look at a header of an email sent from letterpart.com, it does indeed show it as coming from .210:
for *****@digitalessence.net; Fri, 22 Jun 2012 11:03:06 +0100
Received: from [94.72.251.210] (helo=mail.letterpart.com)
94.72.251.210 is the Wan1 interface on our Firewall. Should I add an IP address to the SPF or a range?
I was looking over your SPF records. It's listed as
v=spf1 ip4:94.72.251.210 a:cmail1.com ~all
It should look something like:
v=spf1 mx a ip4:94.72.251.210 a:cmail1.com ~all
Which will mean all the MX and A records for the current domain are valid. I really don't understand why you have a PTR set up for 94.72.251.210 back to mail.letterpart.com, when mail.letterpart.com points to 94.72.251.212.
Yes, it sounds like you answered your own question - you should add 94.72.251.210 to your SPF record if that is where your emails are sent from (as far the outside world is concerned).
That's the easy way. The harder solution is to figure out why your mail server winds up sending from that IP address and correct the firewall rules so that mail emerges from your network on the IP address associated with the mail server's name. This seems more correct and might have other benefits - your mail headers look "forged" if they use a name that's different from the actual IP address they come from.
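The three SPF threads above (hojio.com, skiuwi.com and letterpart.com) are all cases of the same evaluation: the receiver takes the connecting IP and the Return-Path domain, fetches that domain's `v=spf1` record, and walks its mechanisms in order. As an added example (not code from any of the threads and not a real SPF library), the evaluator below implements that walk for `ip4`, `a`, `mx`, `include`, `all`, the `+ - ~ ?` qualifiers and `redirect=` over a stub DNS table, so each verdict quoted above can be reproduced offline and a proposed record can be tried with `record=` before it is published. The DNS table is constructed from the IPs and hostnames in the posts; the `_spf.google.com` and `cmail1.com` entries are placeholders, not the real records.

```python
"""Minimal offline SPF evaluator (subset of RFC 7208) over a stub DNS table."""
import ipaddress

QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed stub DNS. _spf.google.com / cmail1.com values are placeholders.
DNS = {
    "TXT": {
        "skiuwi.com": ["v=spf1 ip4:212.113.177.3 ~all",           # two SPF records, as posted
                       "v=spf1 include:_spf.google.com ~all"],
        "_spf.google.com": ["v=spf1 ip4:209.85.128.0/17 ~all"],
        "hojio.com": ["v=spf1 ip4:194.150.114.22 ip4:194.150.114.0/24 "
                      "include:support.zendesk.com include:smtp.zendesk.com ~all"],
        "letterpart.com": ["v=spf1 mx a:mail.letterpart.com a:cmail1.com ~all"],
    },
    "A": {"mail.letterpart.com": "94.72.251.212", "cmail1.com": "203.0.113.10"},
    "MX": {"letterpart.com": ["mail.letterpart.com"]},
}


def mailfrom_domain(return_path):
    """SPF is evaluated on the Return-Path (MAIL FROM) domain, not the From header."""
    return return_path.strip().strip("<>").rsplit("@", 1)[1].lower()


def spf_records(domain, dns):
    return [t for t in dns["TXT"].get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]


def check_host(ip, domain, dns, record=None, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for sender `ip` and
    Return-Path `domain`.  `record` overrides the published TXT so a proposed
    record can be tested before publishing it."""
    addr = ipaddress.ip_address(ip)
    if depth > 10:                      # RFC 7208 section 4.6.4 lookup limit (simplified)
        return "permerror"
    if record is None:
        recs = spf_records(domain, dns)
        if not recs:
            return "none"
        if len(recs) > 1:               # RFC 7208 section 4.5: more than one record is permerror
            return "permerror"
        record = recs[0]
    redirect = None
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]   # only used if no mechanism matches
            continue
        qual = "+"
        if term[0] in QUAL:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUAL[qual]
        if name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = dns["A"].get(arg or domain) == str(addr)
        elif name == "mx":
            matched = any(dns["A"].get(h) == str(addr) for h in dns["MX"].get(arg or domain, []))
        elif name == "include":
            sub = check_host(ip, arg, dns, depth=depth + 1)
            if sub in ("permerror", "temperror"):
                return sub
            if sub == "none":           # included domain publishes nothing: permerror
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"          # mechanism outside this subset
        if matched:
            return QUAL[qual]
    if redirect:
        return check_host(ip, redirect, dns, depth=depth + 1)
    return "neutral"                    # no 'all' and nothing matched


if __name__ == "__main__":
    print("hojio     ", check_host("194.150.114.22", "hojio.com", DNS))
    print("hojio RP  ", check_host("194.150.114.22", mailfrom_domain("www-data@ksenikovweb01.dandomain.net"), DNS))
    print("skiuwi    ", check_host("212.113.177.3", "skiuwi.com", DNS))
    print("skiuwi fix", check_host("212.113.177.3", "skiuwi.com", DNS,
                                   record="v=spf1 ip4:212.113.177.3 include:_spf.google.com ~all"))
    print("letterpart", check_host("94.72.251.210", "letterpart.com", DNS))
    print("letterpart fix", check_host("94.72.251.210", "letterpart.com", DNS,
                                       record="v=spf1 mx a ip4:94.72.251.210 a:cmail1.com ~all"))
```

The runs reproduce the threads: hojio.com's record passes for 194.150.114.22, but the Return-Path domain `ksenikovweb01.dandomain.net` has no record (a strict evaluator returns `none`; Gmail reports `neutral` from its "best guess" record). skiuwi.com's two records are a permerror until they are merged into one. letterpart.com softfails for 94.72.251.210 because `mx` and `a:mail.letterpart.com` both resolve to .212, turns into a hard fail with `-all`, and passes once `ip4:94.72.251.210` is added.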
