No DKIM alignment vacation message

N

Nova Septem

Verified User
Joined
Jul 29, 2019
Messages
6
Good afternoon, I new to this forum.
Looking forward for some help.

I have this question and I cannot find the answer in the forum.

DirectAdmin is up to date.

When I create a vacation auto reply the mails are send without any DKIM alignment.
So, due to our DMARC policy mails are rejected at Gmail and are send to the anti spamfolder in for example hotmail.
I don't want to adjust the DMARC policy.

How can we fix this, I cannot find this at the forum.

Like to hear.
 
ikkeben said:
Can't help but please post more info.

Same emailadress / User from field for that message.

SMTP header info's and so on.

MX is on these host? AND DKIM for domain or hostname / mailserver ?

Results for domain and mailhost for this?
https://en.internet.nl/test-mail/
Click to expand...

Server: VPS

Headers:
Received: from VE1EUR03HT213.eop-EUR03.prod.protection.outlook.com
(2603:10a6:209:88::25) by AM5PR0801MB1698.eurprd08.prod.outlook.com with
HTTPS via AM6P193CA0084.EURP193.PROD.OUTLOOK.COM; Fri, 26 Jul 2019 09:24:20
+0000
Received: from VE1EUR03FT008.eop-EUR03.prod.protection.outlook.com
(10.152.18.58) by VE1EUR03HT213.eop-EUR03.prod.protection.outlook.com
(10.152.18.212) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2052.18; Fri, 26 Jul
2019 09:24:20 +0000
Authentication-Results: spf=none (sender IP is 149.210.228.30)
smtp.helo=vpsalt.novaseptem.nl; hotmail.com; dkim=none (message not signed)
header.d=none;hotmail.com; dmarc=fail action=oreject
header.from=domainname.nl;
Received-SPF: None (protection.outlook.com: vpsalt.novaseptem.nl does not
designate permitted sender hosts)
Received: from vpsalt.novaseptem.nl (149.210.228.30) by
VE1EUR03FT008.mail.protection.outlook.com (10.152.18.75) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
15.20.2052.18 via Frontend Transport; Fri, 26 Jul 2019 09:24:20 +0000
X-IncomingTopHeaderMarker: OriginalChecksum:F4929EBEF7C3D3CD17679B632A4BECF99E22CD301149BEE48083E045EED84171;UpperCasedChecksum:F75140E2CB726026F8BE2117881967BCC14576BA5C66CC980C813F41F7940C30;SizeAsReceived:654;Count:11
Received: from mail by vps.novaseptem.nl with local (Exim 4.92)
id 1hqwSZ-0008GB-OQ
for [email protected]; Fri, 26 Jul 2019 11:24:19 +0200
From: <[email protected]>
To: <[email protected]>
Subject: Autoreply: "Dit is een test voor de auto reply"
In-Reply-To: <AM5PR0801MB1698EDCC332915162AEE847C95C00@AM5PR0801MB1698.eurprd08.prod.outlook.com>
References: <AM5PR0801MB1698EDCC332915162AEE847C95C00@AM5PR0801MB1698.eurprd08.prod.outlook.com>
Auto-Submitted: auto-replied
Content-Type: text/plain; charset="iso-8859-1"
Message-ID: <[email protected]>
Date: Fri, 26 Jul 2019 11:24:19 +0200

DNS DMARC:
_dmarc.domainname.nl TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; rf=afrf; sp=reject; fo=d:s; pct=100; adkim=s; aspf=s"
 
You got the dmarc reports then on rua=mailto:[email protected]; saying about dkim ...?

For that domain you are using as mx mailserver the DA box and not spamexperts.... ?

The emailtest for dkim dmarc spf for that domain on internet.nl is then "Authenticity marks against email phishing (DMARC, DKIM and SPF) " ?

Looks like the hostname doesn't have dkim and spf "vpsalt.novaseptem.nl " or "vps.novaseptem.nl" is that the mx mailserver for that domain?

https://dkimvalidator.com/ results?
 
Last edited:
ikkeben said:
You got the dmarc reports then on rua=mailto:[email protected]; saying about dkim ...?

For that domain you are using as mx mailserver the DA box and not spamexperts.... ?

The emailtest for dkim dmarc spf for that domain on internet.nl is then "Authenticity marks against email phishing (DMARC, DKIM and SPF) " ?

Looks like the hostname doesn't have dkim and spf "vpsalt.novaseptem.nl " or "vps.novaseptem.nl" is that the mx mailserver for that domain?

https://dkimvalidator.com/ results?
Click to expand...

. Thats correct. The domain which sends auto reply messages is one of the many domains we host. We collect DMARC messages at [email protected] (xxxx => don't want every mail adres at forums), every DMARC policy refers to novaseptem.nl to prevent spam at this adres.

. We do not send mail via SpamExperts servers only via DA

. I don't get what you mean. But for that domain DKIM and SPF are both correct. (MXToolBox)

. "vpsalt.novaseptem.nl " or "vps.novaseptem.nl" are both mx for that domain. At this moment we use "vpsalt.novaseptem.nl".

. Results DKIM validator
DKIM information: Public Key DNS Lookup

Building DNS Query for x._domainkey.domain.nl
Retrieved this publickey from DNS: v=DKIM1; k=rsa; p=MIIBIjANBgk-XXXXXXXXXXXXX-AQAB
Validating Signature

result = pass
Details:

SPF Information:
Using this information that I obtained from the headers

Helo Address = vpsalt.novaseptem.nl
From Address = [email protected]
From IP = 149.210.228.30
SPF Record Lookup

Looking up TXT SPF record for domain.nl
Found the following namesevers for domain.nl: ns3.openprovider.eu ns2.openprovider.be ns1.openprovider.nl
Retrieved this SPF Record: zone updated 20190730 (TTL = 394)
using authoritative server (ns3.openprovider.eu) directly for SPF Check
Result: pass (Mechanism 'a:vpsalt.novaseptem.nl' matched)

Result code: pass
Local Explanation: domain.nl: 149.210.228.30 is authorized to use '[email protected]' in 'mfrom' identity (mechanism 'a:vpsalt.novaseptem.nl' matched)
spf_header = Received-SPF: pass (domain.nl: 149.210.228.30 is authorized to use '[email protected]' in 'mfrom' identity (mechanism 'a:vpsalt.novaseptem.nl' matched)) receiver=dkimvalidator.com; identity=mailfrom; envelope-from="[email protected]"; helo=vpsalt.novaseptem.nl; client-ip=149.210.228.30

=> To be sure you understand. No DKIM & SPF alignment is only the fact when this domain sends an auto reply message at an incoming E-mail message and is set at domain level in DirectAdmin. All send E-mail messages throughout whatever E-mail source, even webmail (Roundcube) has DKIM & SPF aligment. <=
 
Missing DKIM & SPF alignment auto-reply

ikkeben said:
You got the dmarc reports then on rua=mailto:[email protected]; saying about dkim ...?

For that domain you are using as mx mailserver the DA box and not spamexperts.... ?

The emailtest for dkim dmarc spf for that domain on internet.nl is then "Authenticity marks against email phishing (DMARC, DKIM and SPF) " ?

Looks like the hostname doesn't have dkim and spf "vpsalt.novaseptem.nl " or "vps.novaseptem.nl" is that the mx mailserver for that domain?

https://dkimvalidator.com/ results?
Click to expand...

. The DMARC report are send to [email protected] (don't want to have all mail adres just in the open at forums XXXXX). We set up a DMARC refer to the DNS at novaseptem.nl. This works nice.
. For this domain we use MX DA mailserver to send mail and not SpamExperts.
. I don't exact get what you mean, but when we send mail throughout what ever e-mail client, there is matching DKIM & SPF alignment, but when we send and auto-reply message set at domain level via DA, there is no DKIM & SPF alignment.
. This domain sends e-mail messages via smtp at "vpsalt.novaseptem.nl"

. Public Key DNS Lookup

Building DNS Query for x._domainkey.domain.nl
Retrieved this publickey from DNS: v=DKIM1; k=rsa; p=MIIBIjANBXXXXXXXXXXXXXXXXXXXXeQIDAQAB
Validating Signature

result = pass
Details:

. SPF Information:

Helo Address = vpsalt.novaseptem.nl
From Address = [email protected]
From IP = 149.210.228.30
SPF Record Lookup

Looking up TXT SPF record for domain.nl
Found the following namesevers for domain.nl: ns3.openprovider.eu ns2.openprovider.be ns1.openprovider.nl
Retrieved this SPF Record: zone updated 20190730 (TTL = 394)
using authoritative server (ns3.openprovider.eu) directly for SPF Check
Result: pass (Mechanism 'a:vpsalt.novaseptem.nl' matched)

Result code: pass
Local Explanation: domain.nl: 149.210.228.30 is authorized to use '[email protected]' in 'mfrom' identity (mechanism 'a:vpsalt.novaseptem.nl' matched)
spf_header = Received-SPF: pass (domain.nl: 149.210.228.30 is authorized to use '[email protected]' in 'mfrom' identity (mechanism 'a:vpsalt.novaseptem.nl' matched)) receiver=dkimvalidator.com; identity=mailfrom; envelope-from="[email protected]"; helo=vpsalt.novaseptem.nl; client-ip=149.210.228.30
 
isn't DMARC failing as your SPF record fails ?
Received-SPF: None (protection.outlook.com: vpsalt.novaseptem.nl does not
designate permitted sender hosts)
Click to expand...
 
iF MAILSERVER MX FOR DOMAIN IS THE HOSTNAME WHERE spf AND DMARC MISSING

YOU CAN TEST HEREWITH I SUPPOSE LIVE AND NOT AS MXTOOLBOX OUT OF THE DNS SETTINGS!

https://dkimvalidator.com/ results?

tHAT IS THE MEAN I TRY TO EXPLAIN , OR PM ME ON WORKDAY WITH PHONENR AND NAME
 
if you go to intodns.com .
put in novaseptem.nl

Looks like you have some general issues you might want fix first. Lots of providers will bounce emails for no reverse.

IPs Redacted..[TABLE="class: tabular, width: 99%"]
[TR="class: error"]
[TD]Reverse MX A records (PTR)[/TD]
[TD]ERROR: No reverse DNS (PTR) entries. The problem MX records are:
-> no reverse (PTR) detected
-> no reverse (PTR) detected
You should contact your ISP and ask him to add a PTR record for your ips[/TD]
[/TR]
[/TABLE]


also mx warnings[TABLE="class: tabular, width: 99%"]
[TR="class: warn"]
[TD]Different MX records at nameservers[/TD]
[TD]The MX records that are not the same at all your nameservers:
fallbackmx.spamexperts.eu with ip(s):
fallbackmx.spamexperts.eu with ip(s):
fallbackmx.spamexperts.eu with ip(s): [/TD]
[/TR]
[/TABLE]
 
My experience is that intodns.com is sometimes doing strange things lately, which do not have to be correct. I also had it displaying errors on a domain from a guy I helped, while there was nothing wrong and all other check systems, did not give any errors.

Strange, normally in .nl domains we use glue records. There are non for this domain.
There are some mailserver issues though, have a look at this test from dnsstuff:
https://tools.dnsstuff.com/#dnsReport|type=domain&&value=novaseptem.nl

1 mail server is not designated as permitted sender which can also cause an issue.

SPF is not correct:
Code: 
v=spf1 a mx a:vps.novaseptem.nl a:vpsalt.novaseptem.nl ip4:213.206.229.194 include:_spf.e-boekhouden.nl -all
Is having duplicate entry. MX alreaady points to vpsalt.novasepteml.nl so you should not include that one. Mxtoolsbox says it:
Void lookup limit of 2 exceeded (3)
Click to expand...
Rest looks fine.

So varioust test systems display different output... makes things confusing.

Advise: ikkeben offered you support. I would give him al call so he can help you.
 
A, found another one with the dkim checker. Would also explain issues:

e hebben de volgende problemen gevonden met je DKIM record.
Info : We hebben spaties gevonden in uw DKIM sleutel (p= deel), dit maakt uw record ongeldig. Verwijder deze spaties.
Click to expand...
You can't have spaces in your DKIM record.
 
Last edited:
No DKIM & SPF alignment auto reply message

zEitEr said:
You need to create DKIM and SPF records for vps.novaseptem.nl and vpsalt.novaseptem.nl. Auto-reply is sent from the hostname.

I guess you won't receive DMARC reports about your customers domains, unless you have special records in their dns zones allowing sending reports to your domain. See https://dmarc.org/2015/08/receiving-dmarc-reports-outside-your-domain/
Click to expand...

Hi Alex,

Thanks for you reply, makes sense. W'll have a look into that matter.

DMARC mention, thanks. This is already set up the right way.
 
Nova Septem said:
Hi Alex,

Thanks for you reply, makes sense. W'll have a look into that matter.

DMARC mention, thanks. This is already set up the right way.
Click to expand...


But you can have/read the dns in DA admin and onlin test for those subdomains, oyea if hiddenmaster that isn't working everytime with all dutch hosters, sometimes you have to give it a push to have those working, maybe that is happened, with 1 of our boxes this is to. ( delay and caching and some errors if the name was before on other ip/box)

If you have had the domain before on other ip then sometimes also the latest soa and updates are there wrong to, we have to cvall / mail them to sett those manually correct at hoster ( if hiddenmaster) , sometimes changing ttl on da server and hit ok give the right push for updating again and then working.
 
Last edited:
UH grgg some tests doing for the subdomains while mx record and other dns then test only for novaseptem.nl not the vps. and vpsalt.

And therefore not the vpsalt. and vps. check those dns records also. While they are responsible for having no dkim in autoreply

The https://dkimvalidator.com/ for those subdomains /server you can check if emailaddress on it.

and here https://www.dmarcanalyzer.com/dkim/dkim-check/ https://www.dmarcanalyzer.com/spf/checker/

fill in there in the vpsalt.novaseptem.nl and vps.novaseptem.nl

You can as written here above check them in your dns to.

is what we trying to explain all to you!



We have and can her only look with a "crystal ball"

EdIT made a typo still wrong on hostname:
https://en.internet.nl/mail/vpsalt.novaseptem.nl/247396/

was in post 4:

ikkeben said:
You got the dmarc reports then on rua=mailto:[email protected]; saying about dkim ...?

For that domain you are using as mx mailserver the DA box and not spamexperts.... ?

The emailtest for dkim dmarc spf for that domain on internet.nl is then "Authenticity marks against email phishing (DMARC, DKIM and SPF) " ?

Looks like the hostname doesn't have dkim and spf "vpsalt.novaseptem.nl " or "vps.novaseptem.nl" is that the mx mailserver for that domain?

https://dkimvalidator.com/ results?
Click to expand...
 
Last edited:
Missing DKIM and SPf alignment at auto-reply messages

zEitEr said:
You need to create DKIM and SPF records for vps.novaseptem.nl and vpsalt.novaseptem.nl. Auto-reply is sent from the hostname.

I guess you won't receive DMARC reports about your customers domains, unless you have special records in their dns zones allowing sending reports to your domain. See https://dmarc.org/2015/08/receiving-dmarc-reports-outside-your-domain/
Click to expand...

Hi Richard,

Problem solved!!
At our server we created DKIM key for vps.novaseptem.nl.
We inserted DKIM and spf for vps.novaseptem.nl and vpsalt.novaseptem.nl in our DNS settings.

A lot of providers already accepted the new settings and accept the reply mails according the DMARC policy.

Thanks a lot, pointing us in the right direction!

Kind regards,

Nova Septem
 
Thank you.
But it was Alex (zEitEr) who pointed you in the right direction for creating the DKIM and SPF records for both. I don't want to take credit from somebody else's work ;)
 
Nova Septem said:
Good afternoon, I new to this forum.
Looking forward for some help.

I have this question and I cannot find the answer in the forum.

DirectAdmin is up to date.

When I create a vacation auto reply the mails are send without any DKIM alignment.
So, due to our DMARC policy mails are rejected at Gmail and are send to the anti spamfolder in for example hotmail.
I don't want to adjust the DMARC policy.

How can we fix this, I cannot find this at the forum sms auto response.

Like to hear.
Click to expand...
Hi,

We use PMG as a relay for outgoing mail. I noticed that out-of-office auto replies end up in spam folders and when looking at the headers, no DKIM signing is being done. Regular mails do have the DKIM headers. The sender domain is the same as the one configured in the Mail Proxy configuration. The only difference I can observe is in the Message-ID header, which has the fully qualified name of the e-mail server instead of the domain.

What could be the reason the out-of-office auto replies do not get treated for DKIM?

Thanks,
 
You must log in or register to reply here.
Back
Top