Results 1 to 9 of 9

Thread: Is this tilde correct ?

  1. #1
    Join Date
    May 2014
    Location
    Leuven, Belgium
    Posts
    43

    Is this tilde correct ?

    I'm trying to examine why mails to some external boxes never arrive.
    So a few years ago I followed instructions in https://help.directadmin.com/item.php?id=207

    Now my DNS records look like this, but I was wondering ... is the domainkey "o=~" correct (as in the next line my SPF record says - instead of ~).

    Is this why mails get blocked ? Do I need to remove this line ?
    Or is there something I'm missing ???




    ftp A 178.79.130.161
    mail A 178.79.130.161
    pop A 178.79.130.161
    smtp A 178.79.130.161
    webfoundry.be. A 178.79.130.161
    www A 178.79.130.161
    webfoundry.be. NS ns1.webfoundry-hosting.be.
    webfoundry.be. NS ns2.webfoundry-hosting.be.
    webfoundry.be. MX 10 mail
    _dmarc TXT "v=DMARC1; p=none; sp=none; rua=mailto:info@webfoundry.be"
    _domainkey TXT "o=~"
    webfoundry.be. TXT "v=spf1 a mx ip4:178.79.130.161 -all"
    x._domainkey TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApinp1yhQmhgfM0kUXIneWRtwFTDhhNZ4hvM2bWz1/yW1zIbN8PAVnYzpQF1XvWpD/rVqCGygRXryr/bu9DWZDFX5n2DoGt7sG4X63ifma+7j2uprb8ZgTBgMyLA9epXkbFLlCLpWXyFwJBypZRV5wDwXxxFQOkGnrwhog19zr7ayKdeRTKc7c70kE+3GYNUJbvVQFeqrOCsNQoBRLZEQhAGMPO2FMIGQXxtfVPXTy8w/5qONNFBmWPJQTcw6ffP8SWuFYixvZbDhMRKrrpTZzMbANFJwK8l8wmcVc1t9LgF8LI5eRR+4lWkQp8wZzRpmI7XiO1sXCYGdSzYmrCH7XQIDAQAB"

  2. #2
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,291
    domainkey "o=~" correct
    Yes this is correct, no need to remove this, it's made by Directadmin.

    I checked your DKIM and DMARC records but they are all ok, they should not give any problems.
    It also looks as if there is a correct reverse DNS for your mail server to your server's host name.

    At least.... I presume you also checked if your Exim is able to send DKIM records?
    https://help.directadmin.com/item.php?id=569

    I'm trying to examine why mails to some external boxes never arrive.
    Since SPF/DKIM/DMARC looks allright, the best way to investigate is checking mail logs why the mails are refused, including maybe comments in the refused mails from the remote mailservers.

    I presume your server only works on ipv4 and does not use ipv6? Because if it's using ipv6 some configuration is needed to prevent mails from being refused.

    You can also use this to test:
    https://www.mail-tester.com/
    and see in the results if something goes wrong.
    Last edited by Richard G; 05-28-2018 at 02:57 PM. Reason: Added mail-tester tip
    Greetings, Richard.

  3. #3
    Join Date
    May 2014
    Location
    Leuven, Belgium
    Posts
    43
    Dear Richard,

    Thanks for taking your time to check out my records.
    I tried mail-tester.com earlier today, and all turned out ok.

    I checked mail logs, and it looks like the mail has arrived, even though this person really never got the mail. I resent through my gmail account to see if that would work, and this person DID receive my message from gmail, and NOT from my own server.


    2018-05-28 20:05:15 1fNMWA-0001aZ-Fl <= sixten@sektor21.be H=d51a4847c.access.telenet.be ([192.168.1.102]) [81.164.132.124] P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no A=plain:sixten@sektor21.be S=971986 id=604e40a8-23c2-85f3-f5a9-dcc50c6a152b@sektor21.be T="cv's" from <sixten@sektor21.be> for info@integratie-inburgering.be
    2018-05-28 20:05:15 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1fNMWA-0001aZ-Fl
    2018-05-28 20:05:17 1fNMWA-0001aZ-Fl => info@integratie-inburgering.be <info@integratie-inburgering.be> F=<sixten@sektor21.be> R=lookuphost T=remote_smtp S=986208 H=integratieinburgering-be02e.mail.protection.outlook.com [213.199.180.138] X=TLSv1.2:ECDHE-RSA-AES256-SHA384:256 CV=yes C="250 2.6.0 <604e40a8-23c2-85f3-f5a9-dcc50c6a152b@sektor21.be> [InternalId=17398912516176, Hostname=AM3PR06MB516.eurprd06.prod.outlook.com] 994752 bytes in 0.994, 977.246 KB/sec Queued mail for delivery"
    2018-05-28 20:05:17 1fNMWA-0001aZ-Fl Completed



    I guess my exim isn't that reliable even though it puzzles me as my server is not blacklisted and all looks ok.
    BTW : another user told me that all of his emails to hotmail accounts got rejected.

    I guess I just gotta live with it.

    Again ... thanks for your time and kind help Richard.

  4. #4
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,291
    Hello Webfoundry.

    You're welcome. I like to help, that's what forums are about correct? Next to that, you're my southern neighbour, I'm from the Netherlands.

    It seems like you have the same problem I had in the near past, a couple of months ago.
    Your exim is reliable, I don't see any reason why it should not be. The notice you are getting that the mail is queued for delivery is coming from the remote mailserver and is correct.
    In other words, your Exim has done the job in a correct way.

    But indeed... there you have the point, it's mails to hotmail.
    You have a 99% chance that your mail is blocked by some hotmail blacklist. I had a very hard job to get my servers of the list, but I succeeded. However you can find some stories on this forum which tried the same and did not succeed. Microsoft is really difficult some times.

    Before you do anything else:
    Be sure that you have a working abuse@domain.com or postmaster@domain.com e-mail address so you comply with the Microsoft rules.
    Then sign up for SNDS and the Junkmail reporting program with Microsoft.
    This way you will get a mail from hotmail staff if complaints are made.

    Try to fill in this form:
    https://support.microsoft.com/en-us/...tkey=edfsmsbl3

    I think this is the same link but in Dutch text:
    https://support.microsoft.com/nl-nl/...tkey=edfsmsbl3

    You can state that you are a SNDS and JMRP member and you're not on any blacklist in addition to your request and evidence.

    It's a big chance you get a reply that you "niet in aanmerking komt" for mitigation with the raeson that it's caused by a dynamic list, so when outlook users choose the option that your mail is spam. Which is an automated mail.
    But experience learns that it's often cause by strange reasons or the conversion from the old to new style outlook.com or other reasons.

    You could reply and ask friendly if they would take another look at it because there is no spam send to outlook users from your system.
    Then a "live" employee will reply. He might say that he can't help you and then after a few days suddenly you can send mail again without getting in the spam folder.

    It can also be that the issue will not be solved this way. It's a 50/50 situation, but if you won't try, it won't be fixed anyway.

    I got lucky and the servers got delisted.

    I will put my thumbs up for you.
    Greetings, Richard.

  5. #5
    Join Date
    May 2014
    Location
    Netherlands Germany
    Posts
    345
    Don't forget to have a working reverse pointer ipv4 and ipv6 ( wen some parts hostname have ipv6 this must be configured complete for the domains also)

    And read some about your certs here
    https://internet.nl/mail/webfoundry.be/114572/

    You still could have problems with gmail hotmail and co while your sending ip ( your location) is not in the spf record, and if dynamic then often greylist
    81.164.132.124
    Last edited by ikkeben; 05-28-2018 at 11:03 PM.
    DUTCH GERMAN, GERMAN DUTCH

  6. #6
    Join Date
    May 2014
    Location
    Leuven, Belgium
    Posts
    43
    Beste Richard,
    Dear ikkeben,

    Heel vriendelijk bedankt voor jullie duidelijke en gedetailleerde uitleg. (thank you very much for your clear and detailed explanation).
    Now at least I'm sure it's not all about my settings, but I will check things out as you both advised. It looks like internet.nl indeed tells me some things are not correct.

    Werk aan de winkel

    Kind regards from rainy Belgium.
    Last edited by Webfoundry; 06-07-2018 at 10:10 AM.

  7. #7
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,291
    Your welcome.
    Keep in mind that internet.nl does some test which are not always needed like DNSSEC.
    If you encounter any other questions or issues, just let us now.

    Werk ze!
    Greetings, Richard.

  8. #8
    Join Date
    May 2014
    Location
    Netherlands Germany
    Posts
    345
    DNSSEC info:

    https://dnssec-name-and-shame.com/


    While: in Nederland ook 30% met fouten te kampen heeft of heeft gehad enz
    https://www.theregister.co.uk/2018/0...be_eliminated/

    If you of one of your registrars / hosters update (your) BOXES it could hapen some DNSSEC are giving validation errors after that.
    So take care and be very precise if using DNSSEC

    Usefull hmm very very old technic is used for dnssec.

    Better to have some more newer security for dns hijghjacking spoofing, as comming up. ( in my view)

    https://ianix.com/pub/dnssec-outages/20171007-nasa.gov/

    https://ianix.com/pub/dnssec-outages.html

    Major DNSSEC Outages and Validation Failures

    Updated: June 4, 2018

    This page lists only DNSSEC failures that have the potential to cause downtime for a significant number of domains, users, or both. It does not list smaller outages such as dominos.com ($1.425 Billion in yearly revenue), the Government of California, or other such "small" organizations. They are too frequent to mention. Technical and media/content organizations are held to a higher standard.

    Principal sources of information: DNSViz, Verisign's DNSSEC Debugger, Zonemaster, dnscheck.iis.se, dnscheck.labs.nic.cz, and Unbound logs. Discussions on technical mailing lists are also used as sources.

    Note: DNSViz has lost a portion of its archives multiple times, turning many citations on this page into 404s. Currently, the dnssec-deployment.org mailing list archives have been down for over a year, and previously for around 5 months, producing more 404s. Constant DNSSEC outages desensitize people to downtime, making them think it's normal.
    En verder

    some info first read this
    https://www.techworld.com/security/d...rried-3645538/

    Read then this
    https://nakedsecurity.sophos.com/201...isps-struggle/

    Then also: https://nlnetlabs.nl/downloads/publi...reg-report.pdf
    Last edited by ikkeben; 06-08-2018 at 02:27 AM.
    DUTCH GERMAN, GERMAN DUTCH

  9. #9
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,291
    Thank you for the more uitgebreide explanation ikkeben.
    That's exactly the reason that I don't use it and said it's not really needed.
    Too much fuzz at this moment, while SPF, DMARC and DKIM combination is working perfectly.
    Greetings, Richard.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •