Postfix, forwarding and SPF - gmail

I've been implementing a forwarding agent with dovecot+postfix; everything goes fine, and the public IP is AAA.AAA.AAA.AAA.
xxxxxx.com.ar has this SPF record:
"v=spf1 mx AAA.AAA.AAA.AAA -all"
MX points to the same AAA.AAA.AAA.AAA IP, but Google (I also receive far fewer, but the same, reports from Zoho Mail) is bothering me with (false?) DMARC rejections:
<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
<report_metadata>
<org_name>google.com</org_name>
<email>noreply-dmarc-support@google.com</email>
<extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
<report_id>733545798811562331</report_id>
<date_range>
<begin>1616544000</begin>
<end>1616630399</end>
</date_range>
</report_metadata>
<policy_published>
<domain>xxxxxx.com.ar</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>reject</p>
<sp>reject</sp>
<pct>100</pct>
</policy_published>
<record>
<row>
<source_ip>AAA.AAA.AAA.AAA</source_ip>
<count>4</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>xxxxxx.com.ar</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>xxxxxx.com.ar</domain>
<result>pass</result>
<selector>default</selector>
</dkim>
<spf>
<domain>mail.minte.com.ar</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
</feedback>
Weirdest thing: look how Google reads a valid email from this domain:
Any help will be greatly appreciated; I'm afraid Google will end up marking AAA.AAA.AAA.AAA as a SPAMMER.
Thanks!!

As the Zoho Support Team said, the problem is with SPF alignment.
On analyzing the attached DMARC report, we see that email sent using the source IP "XXX.XXX.XXX.XXX" had passed the SPF & DKIM authentication.
Please be informed that DMARC policy is evaluated based on "SPF authentication & SPF Alignment" or "DKIM authentication & DKIM Alignment".
In the below attached report, we see the SPF authentication is passed but SPF alignment fails, as the From domain "client.com.ar" & Return-Path domain "server.com" are different, and that's the reason it's mentioned as fail.
To know more about DMARC policy: https://postmarkapp.com/guides/dmarc#how-does-dmarc-work
This is due to Postfix applying SRS, so reply-to is @forwarder-domain.com, which breaks SPF alignment with the sender domain.
Seems unsolvable.

Related

This message does not have authentication information or fails to 550-5.7.26 pass authentication checks

I have a problem with Google and I can't send email to any Gmail or GSuite addresses.
I got this report from the mail server log:
Feb 17 12:16:30 server postfix/smtp[19451]: 853E35E55A: to=<xxx#gmail.com>,
relay=aspmx.l.google.com[209.85.144.27]:25, delay=0.38, delays=0.05/0/0.15/0.17,
dsn=5.7.26, status=bounced (host aspmx.l.google.com[209.85.144.27] said: 550-5.7.26 This
message does not have authentication information or fails to 550-5.7.26 pass
authentication checks. To best protect our users from spam, the 550-5.7.26 message has
been blocked. Please visit 550-5.7.26
https://support.google.com/mail/answer/81126#authentication for more 550 5.7.26
information. w19si7586061qkp.34 - gsmtp (in reply to end of DATA command))
and I'm not blacklisted on any spam website (I checked most of the websites that provide a blocklist checker).
Also, I don't have any problem with SPF, DKIM or DMARC.
Here is the SPF checker:
https://prnt.sc/26xomwz
Here is the DKIM checker:
https://prnt.sc/26xoodg
Here is the DMARC checker:
https://prnt.sc/26xopgo
Here is the DMARC report from Google:
<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
<report_metadata>
<org_name>google.com</org_name>
<email>noreply-dmarc-support@google.com</email>
<extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
<report_id>10254909114662490508</report_id>
<date_range>
<begin>1644969600</begin>
<end>1645055999</end>
</date_range>
</report_metadata>
<policy_published>
<domain>cbs-canon.com</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>quarantine</p>
<sp>quarantine</sp>
<pct>100</pct>
</policy_published>
<record>
<row>
<source_ip>5.161.45.186</source_ip>
<count>187</count>
<policy_evaluated>
<disposition>quarantine</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>server.cbs-canon.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>server.cbs-canon.com</domain>
<result>fail</result>
<selector>default</selector>
</dkim>
<spf>
<domain>server.cbs-canon.com</domain>
<result>none</result>
</spf>
</auth_results>
</record>
<record>
<row>
<source_ip>5.161.45.186</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>pass</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>cbs-canon.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>cbs-canon.com</domain>
<result>pass</result>
<selector>default</selector>
</dkim>
<spf>
<domain>cbs-canon.com</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
</feedback>
How can I find out where the problem is?
That is odd. The sending source IP is definitely in your SPF, and the DMARC record includes aspf=r, so the header from address in a child domain is valid and matches. I'd also note that your DMARC has p=quarantine, but gmail is acting like it's reject. This is gmail though, so you can't expect it to behave well.
I expect that the problem is that you don't have an SPF record set for server.cbs-canon.com, so make sure that exists and allows the same sources as cbs-canon.com. It looks like you're not doing DKIM signatures either, meaning that both SPF and DKIM are failing, resulting in a DMARC failure. Try adding that DNS record, or redirecting/including server. to your root domain.
Adding more info to @Synchro's answer.
It is the fact that the Return-Path address is using the server.cbs-canon.com domain and there is no SPF record in that zone. You only need an SPF record for the domain used in your Return-Path address. For your server's emails that would be server.cbs-canon.com. For Google that would probably be just cbs-canon.com.
The same goes for DKIM. The receiving server is checking for the selector named default in the domain server.cbs-canon.com (so doing a query for TXT record default._domainkey.server.cbs-canon.com), which does not exist.
DMARC will then check if either the SPF (Return-Path) or DKIM (d=) domain aligns with the Header.From domain (or shares the organizational domain in case of relaxed mode).
Probably the easiest fix for you right now is to copy the SPF TXT record and DKIM selector record to the server.cbs-canon.com domain.
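To make the alignment rule the two answers above describe concrete (the forwarded-mail report at the top of the page, where SPF authenticates for the forwarder's domain but does not align with the From domain, and this report, where server.cbs-canon.com has neither an SPF record nor a DKIM key), here is an added example in Python that is not code from any of the posters. It parses a DMARC aggregate report and states, per row, which identifier aligned and why the others did not. The two reports embedded in it are constructed, trimmed copies of the ones quoted on this page; org_domain() is a simplified stand-in for a Public Suffix List lookup, and its suffix table is an assumption made for the example.

```python
"""Read a DMARC aggregate (rua) report and explain, per row, why DMARC passed or failed.

A row passes DMARC when at least one *authenticated* identifier also *aligns*
with the RFC5322.From domain: SPF's domain is the Return-Path (MAIL FROM)
domain, DKIM's is the d= domain.  Authentication can pass while alignment
fails, which is exactly what the forwarded-mail report shows.
Constructed input: the reports below are trimmed copies of the ones quoted
in the threads.  org_domain() is a deliberate simplification (assumed table
of two-label public suffixes); a real validator uses the Public Suffix List.
"""
import xml.etree.ElementTree as ET

TWO_LABEL_SUFFIXES = {"com.ar", "com.br", "co.uk", "com.au"}  # constructed subset

REPORT_FORWARDED = """<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
 <policy_published><domain>xxxxxx.com.ar</domain><adkim>r</adkim><aspf>r</aspf><p>reject</p></policy_published>
 <record>
  <row><source_ip>AAA.AAA.AAA.AAA</source_ip><count>4</count></row>
  <identifiers><header_from>xxxxxx.com.ar</header_from></identifiers>
  <auth_results>
   <dkim><domain>xxxxxx.com.ar</domain><result>pass</result><selector>default</selector></dkim>
   <spf><domain>mail.minte.com.ar</domain><result>pass</result></spf>
  </auth_results>
 </record>
</feedback>"""

REPORT_SUBDOMAIN = """<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
 <policy_published><domain>cbs-canon.com</domain><adkim>r</adkim><aspf>r</aspf><p>quarantine</p></policy_published>
 <record>
  <row><source_ip>5.161.45.186</source_ip><count>187</count></row>
  <identifiers><header_from>server.cbs-canon.com</header_from></identifiers>
  <auth_results>
   <dkim><domain>server.cbs-canon.com</domain><result>fail</result><selector>default</selector></dkim>
   <spf><domain>server.cbs-canon.com</domain><result>none</result></spf>
  </auth_results>
 </record>
 <record>
  <row><source_ip>5.161.45.186</source_ip><count>1</count></row>
  <identifiers><header_from>cbs-canon.com</header_from></identifiers>
  <auth_results>
   <dkim><domain>cbs-canon.com</domain><result>pass</result><selector>default</selector></dkim>
   <spf><domain>cbs-canon.com</domain><result>pass</result></spf>
  </auth_results>
 </record>
</feedback>"""


def org_domain(name):
    """Organizational domain used by relaxed alignment (simplified, see module docstring)."""
    labels = name.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def aligned(header_from, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') only the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def _aligned_results(rec, kind, header_from, mode, reasons):
    """True if any <kind> (spf|dkim) result passed AND aligns; otherwise record why not."""
    ok = False
    for r in rec.findall(f"auth_results/{kind}"):
        dom, res = r.findtext("domain"), r.findtext("result")
        label = f"{r.findtext('selector')}._domainkey.{dom}" if kind == "dkim" else dom
        if res != "pass":
            reasons.append(f"{kind.upper()} {res} for {label}")
        elif not aligned(header_from, dom, mode):
            reasons.append(f"{kind.upper()} pass for {dom} but it does not align with {header_from}")
        else:
            ok = True
    return ok


def evaluate_report(xml_text):
    """One dict per <record>: authentication+alignment outcome and the reasons behind it."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    pol = root.find("policy_published")
    aspf, adkim = pol.findtext("aspf", "r"), pol.findtext("adkim", "r")
    rows = []
    for rec in root.findall("record"):
        header_from = rec.findtext("identifiers/header_from")
        reasons = []
        spf_ok = _aligned_results(rec, "spf", header_from, aspf, reasons)
        dkim_ok = _aligned_results(rec, "dkim", header_from, adkim, reasons)
        rows.append({"source_ip": rec.findtext("row/source_ip"),
                     "count": int(rec.findtext("row/count")),
                     "header_from": header_from, "spf_aligned": spf_ok,
                     "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok,
                     "reasons": reasons})
    return rows


if __name__ == "__main__":
    for name, report in (("forwarded", REPORT_FORWARDED), ("subdomain", REPORT_SUBDOMAIN)):
        for row in evaluate_report(report):
            print(name, row["header_from"], "PASS" if row["dmarc_pass"] else "FAIL", row["reasons"])
```

Running it on the first report prints a DMARC pass carried by DKIM alone, with the reason that SPF passed for mail.minte.com.ar but does not align with xxxxxx.com.ar; on the second, the server.cbs-canon.com row fails on both identifiers (SPF none, DKIM fail for default._domainkey.server.cbs-canon.com), which is the missing-records diagnosis given above, while the cbs-canon.com row passes.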

Gmail Email Client and SPF Records

I am in the process of migrating our staff's email client from Windows Live Mail to Gmail. I have gone through the process of connecting each staff member's email from our domain to their respective Gmail accounts (so each staff member has two valid email addresses, e.g. bob.our_domain@gmail.com and bob@our_domain.com). I am able to receive and send mail from the linked account, but emails sent from bob@our_domain.com are tagged with an alarming red question mark and read "Gmail could not verify that our_domain.com actually sent this message (and not a spammer)". I understand that this is an error with the SPF configuration, but for the life of me cannot figure out what the correct configuration looks like.
The domain in question is evergreensupplyonline.com.
Step 1 - Ensure SPF is enabled.
Our server is managed through cPanel, so I navigate to the authentication tab and enable both DKIM and SPF. The default SPF record is
v=spf1 +a +mx +ip4:166.62.38.87 ~all
Sending email with this configuration generates the error: SOFTFAIL with IP 208.109.80.60. Seems reasonable enough: the IP isn't listed, and ~all specifies a soft fail for unknown IPs (as far as I am aware).
Step 2 - Add the sender's IP to the SPF record
I add 208.109.80.60 to the record and my SPF record becomes
v=spf1 +a +mx +ip4:166.62.38.87 +ip4:208.109.80.60 ~all
Sending email with this configuration still generates a SOFTFAIL error, but with a different IP (208.109.80.60). Based on this change I assume I won't be able to add a static IP for all of Google's mail servers; not too much of a surprise.
Step 3 - Add Google's _spf domain
Following the instructions from https://support.google.com/a/answer/33786?hl=en, I removed 208.109.80.60 and instead included the _spf.google.com domain. My SPF record now looks like:
v=spf1 +a +mx +ip4:166.62.38.87 +include:_spf.google.com ~all
If I run my domain through https://toolbox.googleapps.com/apps/checkmx/ I get some non-critical errors, but everything relating to the _spf.google.com domain seems to check out. If I send an email with this configuration I still get a SOFTFAIL error.
I'm not sure where to go from here - I've tried all that my preliminary understanding of SPF will permit. Any suggestions, observations, or tricks are greatly welcomed. Cheers,
This does all look correct, apart from one thing. I looked up both the IPs you mentioned (using whois) and they belong to... GoDaddy, not Google, which entirely explains your problem. It's quite likely that GoDaddy is redirecting your outbound email traffic since they don't allow direct SMTP sending, so you may need to add GoDaddy's SPF as well, or move to a more enlightened hosting provider.
A minor thing: put the ip4 mechanism first as it's fastest to match for receivers (it requires no extra lookups), and you don't need the + qualifiers because that's the default action.

Doubts about SPF record missing

I'm trying to add SPF records to my DNS zone. The SPF records are from Mailjet (spf.mailjet.com), the domain is Brazilian (.com.br, hosted on uolhost) and my server is on DigitalOcean. When I try to add the TXT record, Mailjet says "Your SPF record is missing".
I added this TXT (suggested by mailjet) on my DNS zone (at uolhost):
v=spf1 include:spf.mailjet.com ?all
But I have some questions about it (I'm really a beginner on this subject).
Should the TXT be on DigitalOcean, uolhost or both?
Do I really have to wait 48h?
Is the TXT above correct?
Sorry for my bad English. I really appreciate any help.
First you should make it -all instead of ~all, the whole reason to set up authentication is to prevent people from spoofing your domain.
v=spf1 include:spf.mailjet.com -all
Where your SPF record goes depends on where the SPF record is being sent from, or the 5321.From, which is the "Return-Path", etc. Not the "FROM" line.
So view the headers of your email and look for the return path email address.
Whichever domain that is, is the place in DNS where you will add the TXT record above. If you don't know how to see the headers of your email, just send an email to mailtest@unlocktheinbox.com; it will send you your header information on top of the report. Just look for "Return-path". There is also an SPF section; when you have it set up right it will show "PASSED".
BTW, if you have multiple SPF records (one from an email service provider and the other from Mailjet), then instead of adding 2 TXT records, please use a single TXT record with a combination like below:
v=spf1 include:spf.mailjet.com include:spf.protection.outlook.com ~all
(Since we use the Outlook email service, hence outlook in our case.)
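As an added illustration for this thread and the cPanel/Gmail one above (not code from any poster), the following Python script is a small RFC 7208 check_host() implementation that evaluates an SPF record for a given client IP over an offline DNS table. It shows the behaviours the answers rely on: a and mx cost DNS lookups while ip4 does not, "+" is the implied qualifier, ~all versus -all decides between softfail and fail, redirect= hands evaluation to another domain, and two separate v=spf1 TXT records produce permerror instead of being merged. Every name and record in the DNS dictionary is constructed for the example; the entries named after Google, Mailjet and Outlook are stand-ins, not those providers' real records, and 166.62.38.87, 208.109.80.60 and 209.85.144.27 are simply the addresses quoted in the threads.

```python
"""Minimal SPF (RFC 7208) check_host() over a constructed, offline DNS table.

Added example, not code from any of the posts.  Supports ip4/ip6, a, mx,
include and all with the four qualifiers (+ - ~ ?; "+" is the default, so
"+a" and "a" are identical), the redirect= modifier, the 10-lookup limit,
and the rule that more than one v=spf1 TXT record is a permerror.
DNS is a dictionary so the file runs offline; every entry is constructed
(the Google/Mailjet/Outlook names are stand-ins, not the real records).
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10

# Constructed zone data.  The three addresses from the threads appear below;
# every other name, address and record is invented for this example.
DNS = {
    "example-domain.test": {
        "txt": ["v=spf1 +a +mx +ip4:166.62.38.87 +include:_spf.google.com ~all"],
        "a": ["166.62.38.87"],
        "mx": ["mail.example-domain.test"],
    },
    "mail.example-domain.test": {"a": ["166.62.38.87"]},
    "sub.example-domain.test": {"txt": ["v=spf1 redirect=example-domain.test"]},
    "_spf.google.com": {"txt": ["v=spf1 include:_netblocks.google.com ~all"]},
    "_netblocks.google.com": {"txt": ["v=spf1 ip4:209.85.128.0/17 ~all"]},
    "spf.mailjet.com": {"txt": ["v=spf1 ip4:198.51.100.0/24 ~all"]},
    "spf.protection.outlook.com": {"txt": ["v=spf1 ip4:203.0.113.0/24 -all"]},
    # Two separate v=spf1 TXT records: the mistake the Mailjet answer warns about.
    "two-records.test": {"txt": ["v=spf1 include:spf.mailjet.com ~all",
                                 "v=spf1 include:spf.protection.outlook.com ~all"]},
    # The same two includes merged into one record, as that answer recommends.
    "merged.test": {"txt": ["v=spf1 include:spf.mailjet.com include:spf.protection.outlook.com -all"]},
}


def _spf_records(domain):
    txts = DNS.get(domain, {}).get("txt", [])
    return [t for t in txts if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]


def _addresses(hostname):
    return [ipaddress.ip_address(a) for a in DNS.get(hostname, {}).get("a", [])]


def check_host(ip, domain, counter=None):
    """Return pass/fail/softfail/neutral/none/permerror for <ip> sending as <domain>."""
    counter = counter if counter is not None else {"lookups": 0}
    records = _spf_records(domain)
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"            # RFC 7208 s.3.2: several records are an error, not a merge
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in records[0].split()[1:]:
        if "=" in term:               # modifier (redirect=, exp=); only redirect affects the result
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # No DNS needed; an address-family mismatch simply does not match.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx", "include"):
            counter["lookups"] += 1   # each of these costs a DNS query
            if counter["lookups"] > MAX_LOOKUPS:
                return "permerror"
            target = arg or domain
            if name == "a":
                matched = addr in _addresses(target)
            elif name == "mx":
                matched = any(addr in _addresses(h) for h in DNS.get(target, {}).get("mx", []))
            else:
                sub = check_host(ip, target, counter)
                if sub in ("none", "permerror"):
                    return "permerror"     # including a domain without SPF is itself an error
                matched = sub == "pass"    # fail/softfail/neutral inside an include = no match
        else:
            return "permerror"        # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        counter["lookups"] += 1
        if counter["lookups"] > MAX_LOOKUPS:
            return "permerror"
        return check_host(ip, redirect, counter)
    return "neutral"                  # nothing matched and there was no "all" term


if __name__ == "__main__":
    for ip, dom in [("166.62.38.87", "example-domain.test"), ("208.109.80.60", "example-domain.test"),
                    ("209.85.144.27", "example-domain.test"), ("198.51.100.7", "two-records.test"),
                    ("198.51.100.7", "merged.test")]:
        print(f"{ip:>15} as {dom:<22} -> {check_host(ip, dom)}")
```

With the constructed table, 166.62.38.87 passes on the a mechanism before any ip4 term is reached, 208.109.80.60 walks every mechanism (four lookups) and ends at ~all as softfail, which is the SOFTFAIL the cPanel poster kept seeing, and two-records.test is permerror while merged.test evaluates normally.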

SPF-Record for gmail: some sent mails are rejected

We have been using Gmail together with our own domain for 3 years and configured it correctly once; everything worked fine. Mostly.
But recently, some mails (< 2%) are sometimes rejected by the destination mail server because of SPF issues:
Technical details of permanent failure: Google tried to deliver your
message, but it was rejected by the server for the recipient domain
xxxxxx.de by xxxxxxx.de. [xx.xxx.xxx.xxx].
The error that the other server returned was: 550 xxx.xxxx.xxx.xxxx is not
allowed to send mail from xxxxxx.com
This is the SPF record we have configured as a TXT record in DNS:
v=spf1 +a +mx -all
Is there something wrong? The latest changes in Google's docs speak of slightly different settings:
v=spf1 include:_spf.google.com ~all
Instead of making blind changes without any understanding of the more detailed topic, I want to ask around: could our SPF record be outdated or completely wrong?
Assuming you're only using Google Apps for Work to send email then yes - your SPF record is wrong. The correct SPF record for this case is:
v=spf1 include:_spf.google.com ~all
If you are also sending emails from your web server directly or from other third party services you will likely need to add additional directives to your SPF record.

Gmail SPF records from server don't apply correctly

I'm running my domain on two servers (primary server and blog server) and I manage my mails with Google Apps for business (MX records correctly set).
However, I want to send emails from both servers (primary is a send-only EXIM4 server) and they should not be marked as spam. Therefore I want to set a correct SPF record, but Google keeps telling me that spf=neutral instead of spf=positive.
My current SPF record looks as follows:
v=spf1 ip4:<blog IP> ip4:<primary IP> include:_spf.google.com ~all
What do I have to change in order to get my mails through spam detection?
Thanks
Figured it out.
The record was okay, but I had to create a TXT record with the content above. Not an SPF record, which is weird. But so is technology.
