Koozali.org: home of the SME Server
Obsolete Releases => SME Server 9.x => Topic started by: ReetP on October 05, 2018, 03:12:45 PM
-
Hmmmm, had a bit of bovver with my SPF records allegedly not being right. In a discussion with the hosting provider over this and wanted to check my facts.....
[root@test ~]# dig -t txt impamark.co.uk
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> -t txt impamark.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39272
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;impamark.co.uk. IN TXT
;; ANSWER SECTION:
impamark.co.uk. 2709 IN TXT "v=spf1 mx a -all"
;; Query time: 0 msec
;; SERVER: 192.168.97.1#53(192.168.97.1)
;; WHEN: Fri Oct 5 15:03:12 2018
;; MSG SIZE rcvd: 61
As far as I am aware that is correct?
When I test with mxtoolbox.com it all seems OK apart from one bit
Prefix Type Value PrefixDesc Description
v version spf1 The SPF record version
+ mx Pass Match if IP is one of the MX hosts for given domain name
+ a Pass Match if IP has a DNS 'A' record in given domain
- all Fail Always matches. It goes at the end of your record.
Any ideas why it shows Fail on -all? Is that just due to the way it 'processes' the rules, so anything after -all that hasn't matched is classed as a Fail?
All the tests below it show green ticks.
SPF Contains characters after ALL No items after 'ALL'.
SPF Syntax Check The record is valid
Any thoughts appreciated. I'm pretty sure my hosting provider has suffered a network block due to some spammer on my IP range but just wanted to be sure of my facts first.
-
The "-all" indicates that email from any other host not previously specified gets an SPF 'Fail' result. In your case - if the system trying to deliver any email from "impamark.co.uk" is not in your MX or A records, the SPF result is "Fail".
I see no problems with your SPF, PTR, or MX settings -- as long as
* your system is sending your email directly and is not relaying it through a smarthost somewhere
* you don't have any web systems running off-site trying to send email directly using your domain
Testing impamark.co.uk at https://www.kitterman.com/spf/validate.html shows that it should be OK.
mxtoolbox says your MX record is OK:
https://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a212.83.143.44&run=toolpage
Same for your A record:
https://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a212.83.143.44&run=toolpage#
Your PTR record looks OK:
nslookup -type=ptr 44.143.83.212.in-addr.arpa
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
44.143.83.212.in-addr.arpa name = mail.impamark.co.uk.
The A record for mail.impamark.co.uk looks OK:
nslookup mail.impamark.co.uk
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
Name: mail.impamark.co.uk
Address: 212.83.143.44
'firehol' lists one of the IPs in your class C in one of their blocklists:
https://github.com/firehol/blocklist-ipsets/search?q=%22212.83.143%22&unscoped_q=%22212.83.143%22
-
Thanks for all that.
I realise I could specify the IP in the TXT record as well I guess - e.g. add 'ip:212.83.143.44' to the TXT record
I thought it seemed OK but the bloody hosting provider seems to get some of its network blocks blacklisted sometimes.
Just wanted to make sure it wasn't me making a cockup !
I can go back and tell them to sharpen up their act ;-)
Thanks
-
Just make sure you use ip4: and not just ip:
If you are running behind a static IP address I would recommend to specify that rather than "a" or "mx".
"v=spf1 ip4:212.83.143.44 -all"
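The question earlier in the thread (why mxtoolbox shows Fail against -all), the 'ip:' typo and the ip4: correction above all come down to how an SPF record is parsed and evaluated. This added example is not the page's or SME Server's code; it lints a record for the mistakes discussed and evaluates a sender IP against it, using a constructed in-memory stand-in for the domain's A and MX lookups instead of real DNS.

```python
import ipaddress

# Constructed stand-in for DNS (no real lookups): which hosts the MX and A
# records of the domain resolve to, matching the dig/nslookup output above.
FAKE_DNS = {
    ("impamark.co.uk", "a"): {"212.83.143.44"},
    ("impamark.co.uk", "mx"): {"212.83.143.44"},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MECHANISMS = {"all", "a", "mx", "ip4", "ip6", "include", "ptr", "exists"}

def lint_spf(record):
    """Return the syntax problems an mxtoolbox-style check would flag (empty = clean)."""
    problems = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    seen_all = False
    for term in terms[1:]:
        if seen_all:  # anything after 'all' is never evaluated
            problems.append(f"term after 'all' is ignored: {term}")
            continue
        name = term.lstrip("+-~?").split(":")[0].split("/")[0].lower()
        if name == "all":
            seen_all = True
        elif name == "ip":  # the thread's typo: the mechanism is ip4: (or ip6:)
            problems.append(f"unknown mechanism 'ip' in {term!r}; use ip4: or ip6:")
        elif name not in MECHANISMS and "=" not in term:  # x=y terms are modifiers
            problems.append(f"unknown mechanism {term!r}")
    if not seen_all:
        problems.append("no 'all' term: unmatched senders get 'neutral'")
    return problems

def check_spf(record, sender_ip, domain, dns=FAKE_DNS):
    """Evaluate sender_ip against a/mx/ip4/ip6 terms in order; 'all' decides the rest."""
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":  # '-all' is why every non-listed host gets Fail
            return QUALIFIERS[qualifier]
        if name in ("a", "mx") and str(ip) in dns.get((arg or domain, name), ()):
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # no 'all' term: the record does not say either way
```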
-
Perfect !!
Thanks for the tips.
-
And when you are done use https://www.mail-tester.com/ to see whether you did everything right. If you have SPF and DKIM right you ought to get 10/10 score :-)
-
Great tip.
Will do :-)
Thanks
-
I think this relates to the issue I'm trying to solve here:
https://forums.contribs.org/index.php/topic,53848.0.html
I'm seeing increasing numbers of undelivered email with
<xxxx.xxxxx@telford.gov.uk>:
Connected to 212.159.9.107 but sender was rejected.
Remote host said: 550 <info@mediacopy.co.uk.co.uk> sender rejected - invalid domain (no MX or A record)
plus clients and contacts are telling me email is going straight to their spam folder.
I don't know much about SPF records, but I assume I'm trying to align my outgoing ISP's mail server with my hosted domain?
Presumably my dynamic IP through which SME connects to the ISP's mail server is not an issue.
Unless there is a better solution than connecting to the ISP's mail server?
-
I'm having a similar issue. I've used the above link but can't get anything above 8/10
Static IP
I don't know about DKIM etc but have added it via CNAME
Any guidance from you gurus would be appreciated.
James
-
If you share a mail-tester link, then we can see where the problem lies.
-
One thing - I don't think you should use CNAME records for mail servers - you should have an A record for the server and then an MX record for it.
Then you can set up your DKIM with a TXT record.
-
I have attached this
-
Well, then it is clear that you do not send with DKIM enabled. Have you created and published the DKIM keys (in DNS)?
https://wiki.contribs.org/Email#DKIM_Setup_-_qpsmtpd_version_.3E.3D_0.96
P.S
I have not tried this way of doing DKIM, but I am sure someone else here has and can guide if needed.
-
Yup.... done it both single and multiple domains.
Easy. Certainly easier than it was originally !!
Note what I said above about the use of CNAMEs. Tread with care.
https://serverfault.com/questions/91712/dns-using-cnames-breaks-mx-records
https://serverfault.com/questions/18000/dns-subdomains-that-require-both-an-mx-record-and-a-cname
-
I must have got something wrong, it's now lower
DomainKeys Identified Mail (DKIM) is a method for associating a domain name to an email message, thereby allowing a person, role, or organization to claim some responsibility for the message.
The DKIM signature of your message is:
v=1;
a=rsa-sha256;
c=relaxed;
d=thesecurityinstaller.co.uk;
h=to:from:subject:message-id:date:mime-version:content-type:content-transfer-encoding;
s=default;
bh=W8LYD7UjVZovSJJz/TT+VYVFpOsJOHza8Uw8Pvf9Wd8=;
b=r+0Glm9IzdR8HBRx/0dz3SNl4EBdEYL2dyA+2eWQ5oYBbl5RV74s/gLGOBhTPifU1mBNlCW3r80KJQGs5Ul26niJAlXs5UyCESL02vmpIh1+eYxprWlVMlRboUbeCxt5ffagrOqYnbMbK76t/ME/6/R1rP1mNCzstXfAE6UQ1fIOwWiXk26rUFDfgCsdrwMUsHGoqx3QFWxsH5XqTpHtxh72MqxxxxxxxxxxxQ==
We were not able to retrieve your public key.
Please ensure that you inserted your DKIM TXT DNS record on your domain thesecurityinstaller.co.uk using the selector default.
If you recently modified your DNS, please be patient and test again your Newsletter in 12 hours, it may take some time for the DNS to be propagated
-
I must have got something wrong its now lower
Que ????
We were not able to retrieve your public key.
Please ensure that you inserted your DKIM TXT DNS record on your domain thesecurityinstaller.co.uk using the selector default.
If you recently modified your DNS, please be patient and test again your Newsletter in 12 hours, it may take some time for the DNS to be propagated
Yup - something is amiss
Is this your domain?
thesecurityinstaller.co.uk
https://mxtoolbox.com/SuperTool.aspx?action=mx%3athesecurityinstaller.co.uk&run=toolpage
https://mxtoolbox.com/domain/thesecurityinstaller.co.uk/
Go back and start looking at your DNS records.
You can post here what you have currently got set.
-
Great, thanks. I never know what should and shouldn't be posted
-
I have just added
"v=DMARC1; p=none; sp=none; rua=mailto:james.wilson@thesecurityinstaller.co.uk; ruf=mailto:james.wilson@thesecurityinstaller.co.uk; rf=afrf; pct=100; ri=86400"
-
Not sure it is right to have 2 MX records like that. Check the mxtoolbox and you can see it isn't happy.
I *think* you should have
A comms.thesecurityinstaller.co.uk
MX comms.thesecurityinstaller.co.uk
I don't think you need the MX record for '@'
Have a look on mx toolbox using links above for my work domain impamark.co.uk to see the differences.
I have an A for mail and then an MX for mail.
I don't have MX @ because @ is not a single host / A record.
Note if you had MX backup you would add A records for each host, then an MX for each A with a priority.
-
Just on the DNS entry for DKIM (I have followed the wiki as above) but had to scratch around for the formatting of the DNS entry.
This is what I found works:
Type : TXT
Host name : default_.domainkey.thesecurityinstaller.co.uk
Value : "v=DKIM1\;p............;t=y"
where value is the DKIM value you get from:
qpsmtpd-print-dns
You might have to exclude the " at beginning and end (depends on the DNS provider - some strip it out)
-
I have added the attached to the 1and1 dns entry
but now get this on mail-tester.com
DomainKeys Identified Mail (DKIM) is a method for associating a domain name to an email message, thereby allowing a person, role, or organization to claim some responsibility for the message.
The DKIM signature of your message is:
v=1;
a=rsa-sha256;
c=relaxed;
d=thesecurityinstaller.co.uk;
h=to:from:subject:message-id:date:mime-version:content-type:content-transfer-encoding;
s=default;
bh=iLwiFZNUfdJrkW/1bs6DSZAArywjUi3Vr9qKRmodS5o=;
b=aQxVMpJbPyY9frs0LKLMS7tgOQpVUSnd5JKpjrmKEKuqoPEqR/hqMR862lrQg2rlhDZMEOAdjOIVodqhFtJCxkZ444H9ObrD1917w4PW/HS2oDx+/+b19bmDzKdYrBPbheMAiytPQ+hl5+87vlX4Aeyd/W2yhzdSP8KSf+RLASg1YAEjL1zxwAjWlUx374LavnMyjzpSM47OFX5ajHFTPaPlsK0CZbokCuyT429h68isdKmmFtYLAPgFr4wPNZr0ayrXLVFZNps2T5ct08eqxJaLijd+e++hIYzZXbxC9UOt6Wi3IJf3Zs07UEQhC49Iu1iPM9mRpigNmfGLpYsSgA==
We were not able to retrieve your public key.
Please ensure that you inserted your DKIM TXT DNS record on your domain thesecurityinstaller.co.uk using the selector default.
If you recently modified your DNS, please be patient and test again your Newsletter in 12 hours, it may take some time for the DNS to be propagated
-
I have removed the comms entries as I don't know what they were for.
-
The host name must be: default_.domainkey.thesecurityinstaller.co.uk
The value field must only contain: "v=DKIM1\;p............;t=y"
When finished it should look like the part below:
Type HostName Value
TXT default_.domainkey.thesecurityinstaller.co.uk "v=DKIM1\;p............;t=y"
At the moment nslookup shows no record (neither does MXtoolbox):
dig -t txt default_.domainkey.thesecurityinstaller.co.uk
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> -t txt default_.domainkey.thesecurityinstaller.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 5689
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;default_.domainkey.thesecurityinstaller.co.uk. IN TXT
;; Query time: 2141 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Feb 20 17:31:19 2019
;; MSG SIZE rcvd: 63
Once you have the format correct you will get the following from dig (using ReetP's domain as an example):
dig -t txt default._domainkey.impamark.co.uk
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> -t txt default._domainkey.impamark.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35998
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;default._domainkey.impamark.co.uk. IN TXT
;; ANSWER SECTION:
default._domainkey.impamark.co.uk. 3600 IN TXT "v=DKIM1\;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpPAb1A/itvbbFdKbMywrSxP5myVnfiIHwdOdtCxt/jsJBQ5DlFD0VXQ3JWLZ4aaOc2QQFVhjoZWTnwTZ35m/DjATpydexaC9cvg8TzoZ3VHvQ4VEXBhWlwaRET7oK8NUQHoe56EZILGb60kRjV5tuDygka4i/J0C5ulqkO2JfQQIDAQAB\;"
;; Query time: 903 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Feb 20 17:50:43 2019
;; MSG SIZE rcvd: 291
-
If you recently modified your DNS, please be patient and test again your Newsletter in 12 hours
So you may need to wait for changes to propagate.
I still believe you would also be better off having a specific mail host and not relying on @ just the same as you have an A record for www
So like I said before, an A record for the mail 'host' and an MX record for it as well. E.g.:
A mail.thesecurityinstaller.co.uk
MX mail.thesecurityinstaller.co.uk
That way you can move your mail host as you require.
-
Your DNS record is entered incorrectly.
This is how it's showing:
dig -t txt thesecurityinstaller.co.uk
;; Warning: Message parser reports malformed message packet.
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> -t txt thesecurityinstaller.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62769
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;thesecurityinstaller.co.uk. IN TXT
;; ANSWER SECTION:
thesecurityinstaller.co.uk. 3600 IN TXT "v=spf1 include:_spf.perfora.net include:_spf.kundenserver.de ip4:81.143.33.108 ~all"
thesecurityinstaller.co.uk. 3600 IN TXT "v=DMARC1\; p=none\; sp=none\; rua=mailto:james.wilson@thesecurityinstaller.co.uk\; ruf=mailto:james.wilson@thesecurityinstaller.co.uk\; rf=afrf\; pct=100\; ri=86400"
thesecurityinstaller.co.uk. 3600 IN TXT "default._domainkey IN TXT v=DKIM1\;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw9vP9oXU3IcKu8yOu0cXeCuFK+ZqM/L4EIa9+9yByi7R0ErB/uFLeclmHn0CPsV2REJk97jogL5P2sfT+I7WcRApGVD2Xv4v5krT5YrjKBMgO2u2bBF3yLTqs3e1pgOleI4BuemMaaz702ymmQgVCaIaP4ytoZylKY6ueDr5/XcWD7V" "btk0HO8iebJraimGF9PDs3Q/5izd+g2qxrpxyRatfBtgZL5mPnO7HzCIbmkTcSlAEUuY2HxSj/TTKpMA/LYZJlnaq9VzPuu5XLbPCRCKW43AJ9r3pEvZ6YfAuh2fuEmDpsZnqHX3BBIWMZloFB6hCI37M2X68rAeD3FeOCQIDAQAB\;t=y @ IN SPF v=spf1 mx a -all @ IN TXT v=spf1 mx a -all _dmarc IN TXT v=DMARC1\; p" "=none\; adkim=s\; aspf=r\; rua=mailto:dmarc-feedback@thesecurityinstaller.co.uk\; pct=100"
It should look like:
default_.domainkey.thesecurityinstaller.co.uk. 3600 IN TXT " v=DKIM1\;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw9vP9oXU3IcKu8yOu0cXeCuFK+ZqM/L4EIa9+9yByi7R0ErB/uFLeclmHn0CPsV2REJk97jogL5P2sfT+I7WcRApGVD2Xv4v5krT5YrjKBMgO2u2bBF3yLTqs3e1pgOleI4BuemMaaz702ymmQgVCaIaP4ytoZylKY6ueDr5/XcWD7V" "btk0HO8iebJraimGF9PDs3Q/5izd+g2qxrpxyRatfBtgZL5mPnO7HzCIbmkTcSlAEUuY2HxSj/TTKpMA/LYZJlnaq9VzPuu5XLbPCRCKW43AJ9r3pEvZ6YfAuh2fuEmDpsZnqHX3BBIWMZloFB6hCI37M2X68rAeD3FeOCQIDAQAB\;t=y"
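The two DKIM problems the replies above are chasing are the owner name of the key record and what goes in its TXT value. This added checker is not the page's or SME Server's code; it joins the quoted strings of a dig TXT answer and reports a second label other than _domainkey (RFC 6376 names the record <selector>._domainkey.<domain>, the form the impamark dig answer above has) and a value that is really pasted zone-file text, as in the answer just shown. The impamark record is the one from this thread; the other two sample records are constructed.

```python
import base64
import re

# Sample records. The impamark one is the dig answer shown in this thread; the
# other two are constructed to reproduce the two mistakes discussed above.
IMPAMARK_NAME = "default._domainkey.impamark.co.uk"
IMPAMARK_RDATA = r'"v=DKIM1\;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpPAb1A/itvbbFdKbMywrSxP5myVnfiIHwdOdtCxt/jsJBQ5DlFD0VXQ3JWLZ4aaOc2QQFVhjoZWTnwTZ35m/DjATpydexaC9cvg8TzoZ3VHvQ4VEXBhWlwaRET7oK8NUQHoe56EZILGb60kRjV5tuDygka4i/J0C5ulqkO2JfQQIDAQAB\;"'
WRONG_NAME = "default_.domainkey.thesecurityinstaller.co.uk"  # constructed: the name typed in the thread
PASTED_ZONE = r'"default._domainkey IN TXT v=DKIM1\;p=QUJD @ IN TXT v=spf1 mx a -all"'  # constructed

def rdata_to_text(rdata):
    """Join the quoted strings of a dig TXT answer ("abc" "def" -> abcdef)."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', rdata))

def check_dkim_name(name):
    """RFC 6376 owner name is <selector>._domainkey.<domain>: the underscore starts the 2nd label."""
    labels = name.rstrip(".").split(".")
    second = labels[1] if len(labels) > 1 else ""
    if len(labels) < 3 or second != "_domainkey":
        fixed = f"{labels[0].rstrip('_')}._domainkey.{'.'.join(labels[2:])}"
        return [f"second label must be '_domainkey', got {second!r}; use {fixed}"]
    return []

def check_dkim_value(txt):
    """Findings about the TXT value: tag list with v=DKIM1 and a base64 DER public key in p=."""
    findings = []
    if " IN TXT " in txt or " IN SPF " in txt:  # whole zone snippet pasted into one value
        return ["value contains zone-file text; publish only the tag=value string"]
    tags = {}
    for part in txt.replace("\\;", ";").split(";"):  # dig shows ';' escaped as '\;'
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip()] = val.strip()
    if tags.get("v") != "DKIM1":
        findings.append("missing or wrong v= tag (must be v=DKIM1)")
    try:
        der = base64.b64decode(tags.get("p", ""), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        der = b""
    if not der.startswith(b"\x30"):  # DER SEQUENCE: a SubjectPublicKeyInfo
        findings.append("p= is empty or not a base64 DER SubjectPublicKeyInfo")
    if tags.get("t") == "y":
        findings.append("t=y is testing mode; remove it once signing verifies")
    return findings
```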
-
I have tried adding as both a txt entry and a subdomain
default_.domainkey.thesecurityinstaller.co.uk
but I get this error
The subdomain contains invalid characters.
Allowed: Letters from a-z, numerics from 0-9 and hyphens.
It seems I can't use _ in either?
Thanks
-
Never used 1&1....
Check if this helps (from 4:38 onwards): https://www.youtube.com/watch?v=Bj1Xq-Hvh24