Is this tilde correct?

Webfoundry

I'm trying to examine why mails to some external boxes never arrive.
So a few years ago I followed instructions in https://help.directadmin.com/item.php?id=207

Now my DNS records look like this, but I was wondering ... is the domainkey "o=~" correct (as in the next line my SPF record says - instead of ~)?

Is this why mails get blocked? Do I need to remove this line?
Or is there something I'm missing?




Name              Type  Value
ftp               A     178.79.130.161
mail              A     178.79.130.161
pop               A     178.79.130.161
smtp              A     178.79.130.161
webfoundry.be.    A     178.79.130.161
www               A     178.79.130.161
webfoundry.be.    NS    ns1.webfoundry-hosting.be.
webfoundry.be.    NS    ns2.webfoundry-hosting.be.
webfoundry.be.    MX    10 mail
_dmarc            TXT   "v=DMARC1; p=none; sp=none; rua=mailto:[email protected]"
_domainkey        TXT   "o=~"
webfoundry.be.    TXT   "v=spf1 a mx ip4:178.79.130.161 -all"
x._domainkey      TXT   "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApinp1yhQmhgfM0kUXIneWRtwFTDhhNZ4hvM2bWz1/yW1zIbN8PAVnYzpQF1XvWpD/rVqCGygRXryr/bu9DWZDFX5n2DoGt7sG4X63ifma+7j2uprb8ZgTBgMyLA9epXkbFLlCLpWXyFwJBypZRV5wDwXxxFQOkGnrwhog19zr7ayKdeRTKc7c70kE+3GYNUJbvVQFeqrOCsNQoBRLZEQhAGMPO2FMIGQXxtfVPXTy8w/5qONNFBmWPJQTcw6ffP8SWuFYixvZbDhMRKrrpTZzMbANFJwK8l8wmcVc1t9LgF8LI5eRR+4lWkQp8wZzRpmI7XiO1sXCYGdSzYmrCH7XQIDAQAB"
 
domainkey "o=~" correct
Yes this is correct, no need to remove this, it's made by Directadmin.

I checked your DKIM and DMARC records but they are all ok, they should not give any problems.
It also looks as if there is a correct reverse DNS for your mail server to your server's host name.

At least.... I presume you also checked if your Exim is able to send DKIM records?
https://help.directadmin.com/item.php?id=569

I'm trying to examine why mails to some external boxes never arrive.
Since SPF/DKIM/DMARC looks all right, the best way to investigate is checking mail logs why the mails are refused, including maybe comments in the refused mails from the remote mailservers.

I presume your server only works on IPv4 and does not use IPv6? Because if it's using IPv6 some configuration is needed to prevent mails from being refused.

You can also use this to test:
https://www.mail-tester.com/
and see in the results if something goes wrong.
 
Dear Richard,

Thanks for taking your time to check out my records.
I tried mail-tester.com earlier today, and all turned out ok.

I checked mail logs, and it looks like the mail has arrived, even though this person really never got the mail. I resent through my gmail account to see if that would work, and this person DID receive my message from gmail, and NOT from my own server.


2018-05-28 20:05:15 1fNMWA-0001aZ-Fl <= [email protected] H=d51a4847c.access.telenet.be ([192.168.1.102]) [81.164.132.124] P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no A=plain:[email protected] S=971986 [email protected] T="cv's" from <[email protected]> for [email protected]
2018-05-28 20:05:15 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1fNMWA-0001aZ-Fl
2018-05-28 20:05:17 1fNMWA-0001aZ-Fl => [email protected] <[email protected]> F=<[email protected]> R=lookuphost T=remote_smtp S=986208 H=integratieinburgering-be02e.mail.protection.outlook.com [213.199.180.138] X=TLSv1.2:ECDHE-RSA-AES256-SHA384:256 CV=yes C="250 2.6.0 <[email protected]> [InternalId=17398912516176, Hostname=AM3PR06MB516.eurprd06.prod.outlook.com] 994752 bytes in 0.994, 977.246 KB/sec Queued mail for delivery"
2018-05-28 20:05:17 1fNMWA-0001aZ-Fl Completed



I guess my exim isn't that reliable :) even though it puzzles me as my server is not blacklisted and all looks ok.
BTW: another user told me that all of his emails to hotmail accounts got rejected.

I guess I just gotta live with it.

Again ... thanks for your time and kind help Richard.
 
Hello Webfoundry.

You're welcome. I like to help, that's what forums are about, correct? Next to that, you're my southern neighbour, I'm from the Netherlands. ;)

It seems like you have the same problem I had in the near past, a couple of months ago.
Your exim is reliable, I don't see any reason why it should not be. The notice you are getting that the mail is queued for delivery is coming from the remote mailserver and is correct.
In other words, your Exim has done the job in a correct way.

But indeed... there you have the point, it's mails to hotmail.
You have a 99% chance that your mail is blocked by some hotmail blacklist. I had a very hard job to get my servers off the list, but I succeeded. However you can find some stories on this forum which tried the same and did not succeed. Microsoft is really difficult sometimes.

Before you do anything else:
Be sure that you have a working [email protected] or [email protected] e-mail address so you comply with the Microsoft rules.
Then sign up for SNDS and the Junkmail reporting program with Microsoft.
This way you will get a mail from hotmail staff if complaints are made.

Try to fill in this form:
https://support.microsoft.com/en-us...rt_1.0.0.0&wfname=capsub&productkey=edfsmsbl3

I think this is the same link but in Dutch text:
https://support.microsoft.com/nl-nl...rt_1.0.0.0&wfname=capsub&productkey=edfsmsbl3

You can state that you are a SNDS and JMRP member and you're not on any blacklist in addition to your request and evidence.

It's a big chance you get a reply that you "do not qualify" for mitigation with the reason that it's caused by a dynamic list, so when outlook users choose the option that your mail is spam. Which is an automated mail.
But experience teaches that it's often caused by strange reasons or the conversion from the old to new style outlook.com or other reasons.

You could reply and ask friendly if they would take another look at it because there is no spam sent to outlook users from your system.
Then a "live" employee will reply. He might say that he can't help you and then after a few days suddenly you can send mail again without getting in the spam folder.

It can also be that the issue will not be solved this way. It's a 50/50 situation, but if you won't try, it won't be fixed anyway.

I got lucky and the servers got delisted.

I will put my thumbs up for you.
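
Added example, not part of any post in this thread: a small parser that pulls the remote server's verdict out of Exim mainlog delivery lines like the ones posted above. A `=>` line carrying a `C="250 ..."` confirmation means the remote host accepted the message, so any filtering after that point happens on the remote side and never shows up in the local log. The sample log is constructed (placeholder addresses, hosts and message ids), and the field handling covers only the fields used here.

```python
import re

# Constructed sample modelled on the mainlog lines in the thread.
SAMPLE_LOG = """\
2018-05-28 20:05:15 1aaaaa-000001-AA <= sender@example.org H=client.example.net [192.0.2.10] P=esmtpsa S=971986
2018-05-28 20:05:17 1aaaaa-000001-AA => rcpt@example.com R=lookuphost T=remote_smtp H=example-com.mail.protection.outlook.com [203.0.113.5] C="250 2.6.0 Queued mail for delivery"
2018-05-28 20:05:17 1aaaaa-000001-AA Completed
2018-05-28 20:06:02 1bbbbb-000002-BB ** rcpt@example.com R=lookuphost T=remote_smtp H=mx.example.com [198.51.100.7]: SMTP error from remote mail server after end of data: 550 5.7.1 message rejected
"""

# timestamp, message id (6-6-2 characters), flag, address, remainder
LINE = re.compile(r"^(\S+ \S+) (\S{6}-\S{6}-\S{2}) (<=|=>|->|\*\*|==) (\S+)(.*)$")


def remote_outcomes(log_text):
    """Return one dict per delivery attempt with the remote host's reply."""
    outcomes = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m.group(3) == "<=":   # skip arrivals and "Completed"
            continue
        _, msgid, flag, rcpt, rest = m.groups()
        host = re.search(r"\bH=(\S+) \[([^\]]+)\]", rest)
        confirm = re.search(r'\bC="([^"]*)"', rest)
        if flag in ("=>", "->"):
            status = "accepted"            # remote MTA took responsibility
            reply = confirm.group(1) if confirm else ""
        else:
            status = "bounced" if flag == "**" else "deferred"
            reply = rest.rsplit(": ", 1)[-1].strip()
        outcomes.append({
            "id": msgid,
            "rcpt": rcpt,
            "status": status,
            "host": host.group(1) if host else None,
            "reply": reply,
        })
    return outcomes


if __name__ == "__main__":
    for o in remote_outcomes(SAMPLE_LOG):
        print(o["id"], o["rcpt"], o["status"], o["host"], "|", o["reply"])
```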
 
Don't forget to have a working reverse pointer for IPv4 and IPv6 (when some parts of the hostname have IPv6, this must be configured completely for the domains also)

And read some about your certs here
https://internet.nl/mail/webfoundry.be/114572/

You still could have problems with gmail, hotmail and co while your sending IP (your location) is not in the SPF record, and if dynamic then often greylisted
81.164.132.124
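
Added example, not part of any post in this thread: a minimal evaluator for the SPF record from the first post, showing what the `-` and `~` qualifiers asked about there do, run against the two addresses that appear in the thread. It handles only the `a`, `mx`, `ip4` and `all` mechanisms, and the A/MX lookup tables are filled in from the posted zone (with `mail` assumed to mean `mail.webfoundry.be`) instead of live DNS. A receiver evaluates SPF against the IP address of the host that connects to it.

```python
import ipaddress

# Constructed from the zone posted in the thread; no live DNS lookups.
ZONE_A = {
    "webfoundry.be": ["178.79.130.161"],
    "mail.webfoundry.be": ["178.79.130.161"],
}
ZONE_MX = {"webfoundry.be": ["mail.webfoundry.be"]}
SPF_RECORD = "v=spf1 a mx ip4:178.79.130.161 -all"

# SPF qualifiers and the result each one produces when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, domain, client_ip):
    """Evaluate mechanisms left to right; the first match decides."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"                      # default when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = client_ip in ZONE_A.get(arg or domain, [])
        elif name == "mx":
            hosts = ZONE_MX.get(arg or domain, [])
            matched = any(client_ip in ZONE_A.get(h, []) for h in hosts)
        else:
            return "permerror"               # term not handled in this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched, no "all" term


if __name__ == "__main__":
    for addr in ("178.79.130.161", "81.164.132.124"):
        print(addr, check_spf(SPF_RECORD, "webfoundry.be", addr))
    soft = SPF_RECORD.replace("-all", "~all")
    print("with ~all:", check_spf(soft, "webfoundry.be", "81.164.132.124"))
```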
 
Dear Richard,
Dear ikkeben,

Thank you very much for your clear and detailed explanation.
Now at least I'm sure it's not all about my settings, but I will check things out as you both advised. It looks like internet.nl indeed tells me some things are not correct.

Work to be done :)

Kind regards from rainy Belgium.
 
You're welcome.
Keep in mind that internet.nl does some tests which are not always needed, like DNSSEC. ;)
If you encounter any other questions or issues, just let us know.

Good luck with the work! :)
 
DNSSEC info:

https://dnssec-name-and-shame.com/


While: in the Netherlands, too, 30% is struggling or has struggled with errors, etc.
https://www.theregister.co.uk/2018/...y_dnssec_validation_errors_can_be_eliminated/

If you or one of your registrars / hosters update (your) boxes, it could happen that some DNSSEC are giving validation errors after that.
So take care and be very precise if using DNSSEC

Useful? Hmm, very very old technique is used for DNSSEC.

Better to have some newer security for DNS hijacking and spoofing, as is coming up (in my view).

https://ianix.com/pub/dnssec-outages/20171007-nasa.gov/

https://ianix.com/pub/dnssec-outages.html

Major DNSSEC Outages and Validation Failures

Updated: June 4, 2018

This page lists only DNSSEC failures that have the potential to cause downtime for a significant number of domains, users, or both. It does not list smaller outages such as dominos.com ($1.425 Billion in yearly revenue), the Government of California, or other such "small" organizations. They are too frequent to mention. Technical and media/content organizations are held to a higher standard.

Principal sources of information: DNSViz, Verisign's DNSSEC Debugger, Zonemaster, dnscheck.iis.se, dnscheck.labs.nic.cz, and Unbound logs. Discussions on technical mailing lists are also used as sources.

Note: DNSViz has lost a portion of its archives multiple times, turning many citations on this page into 404s. Currently, the dnssec-deployment.org mailing list archives have been down for over a year, and previously for around 5 months, producing more 404s. Constant DNSSEC outages desensitize people to downtime, making them think it's normal.

And further

some info first read this
https://www.techworld.com/security/d...rried-3645538/

Read then this
https://nakedsecurity.sophos.com/201...isps-struggle/

Then also: https://nlnetlabs.nl/downloads/publi...reg-report.pdf
 
Thank you for the more extensive explanation ikkeben.
That's exactly the reason that I don't use it and said it's not really needed.
Too much fuss at this moment, while SPF, DMARC and DKIM combination is working perfectly.
 