DKIM issue

Pens

Hi, I have successfully set up a domain that can send and receive emails from a number of email accounts via Thunderbird without any problems, the domain is the primary domain on the server.

I have set up another domain, in (I'm sure) the same way (both on DirectAdmin and Thunderbird) but when I try to send an email to [email protected] it's bounced with:

host gmail-smtp-in.l.google.com [74.125.71.27]
SMTP error from remote mail server after end of data:
550-5.7.26 This mail has been blocked because the sender is unauthenticated.
550-5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM.
550-5.7.26
550-5.7.26 Authentication results:
550-5.7.26 DKIM = did not pass
550-5.7.26 SPF {domain} with ip: {my ip} = did not pass


DKIM is enabled for that account and shows in the DNS management list.

Anyone any ideas what I have done wrong?

Thanks in advance
 
Hello.
Without the real domain name it's hard to say.
Normally Directadmin will put the SPF record in there by default. I hope that is the case so your new domain has SPF and DKIM both.

However, if you set up a new domain, it can take some time before it's synchronised between DNS servers, so it can take time before the DNS records are known all over the world. Normally several hours but it can take up to 24 hours.

I could have a look for you, but for that I need to know the real domain name, you can place it here or send it to me by pm.

Also important... do you use your own nameservers or external nameservers? If you use external nameservers you have to copy the SPF and DKIM records to the external DNS too.
You say you're sure, but we're looking in the dark here without domain name so can only guess what could be wrong.
 
Thank you very much for the quick reply.

The domain that works is artisan-pens.com

The domain that doesn't work is kristina.me.uk

I use the server providers (vultr) name servers.
 
Your rDNS/PTR record is not correct. It points to 107.191.46.74.artisan-pens.com while it should point to server-107-191-46-74.da.direct if you keep your current hostname.
You are using the hostname delivered by DA. That can lead to issues with mail later on anyway because the da.direct domain is not yours.
My advice would be to use your own decent FQDN domain name for your server, like server.artisan-pens.com or something like that.
I have a manual for you if you want to set things up that way.

So I wonder that one even works and does not deliver your mail to the spam folder because of the wrong rDNS/PTR record.

Also... your MX records in DA point to mail.kristina.me.uk (same for your other domain) but the MX records in the vultr nameservers only have the domain name, like kristina.me.uk instead of mail.kristina.me.uk (same for the other domain).

Seems you did not copy your SPF and DKIM record for the kristina.me.uk domain to vultr as I can't get any SPF or DKIM record for that domain.
And strangely enough I can't get any SPF or DKIM record for artisan-pens.com either. So very odd that Gmail has seen this as valid.
Or you were lucky.

Be sure to copy your SPF and DKIM records for both domains to the Vultr DNS system, they seem to be missing for both domains.
 
Thank you very much.

I have copied the SPF and DKIM data to the domains on vultr dns, I guess I need to wait for that to propagate.

I'll have a go at setting the reverse DNS in the morning.

Thanks again and good night from France.
 
You're welcome.

But you put your SPF record in correctly but not your DKIM record. You have to copy it -exactly- as displayed in directadmin, so also the domain part or what else is in there.

The SPF record you have correct, like:
kristina.me.uk. 3600 TXT v=spf1 etc.

but your DKIM record is like the same and that is wrong it should be like in DA so not
kristina.me.uk. 3600 TXT etc.
but
_dmarc.kristina.me.uk. 3600 TXT etc.
x._domainkey.kristina.me.uk 3600 TXT etc.

You forgot the _dmarc part in front of the domain and that is crucial. Check how it is in DA and copy exactly the same.

Good night from the Netherlands.
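An offline check for the mistake discussed in this thread, added here as an example and not posted by anyone in the thread: it compares the mail-authentication TXT records shown in the control panel with those published at the external DNS and reports records that are missing or sit under the wrong owner name. The zone lines, IP address, DKIM key and DMARC policy are constructed placeholders; only the domain and the `x` selector come from the thread.

```python
import re

# Constructed sample zones: the values are placeholders, not the real records.
DA_ZONE = '''
kristina.me.uk. 3600 TXT "v=spf1 a mx ip4:192.0.2.10 ~all"
x._domainkey.kristina.me.uk. 3600 TXT "v=DKIM1; k=rsa; p=PLACEHOLDERKEY"
_dmarc.kristina.me.uk. 3600 TXT "v=DMARC1; p=none"
'''
EXTERNAL_ZONE = '''
kristina.me.uk. 3600 TXT "v=spf1 a mx ip4:192.0.2.10 ~all"
kristina.me.uk. 3600 TXT "v=DKIM1; k=rsa; p=PLACEHOLDERKEY"
'''

LINE = re.compile(r'^(\S+)\s+\d+\s+(?:IN\s+)?TXT\s+(.+)$', re.I)
KINDS = {"v=spf1": "SPF", "v=dkim1": "DKIM", "v=dmarc1": "DMARC"}

def parse_txt(zone):
    """Return {(owner, value)}; owner is lowercased without the trailing dot."""
    records = set()
    for line in zone.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        owner = m.group(1).lower().rstrip(".")
        # Long DKIM keys are often split into several quoted strings: join them.
        chunks = re.findall(r'"([^"]*)"', m.group(2))
        records.add((owner, "".join(chunks) if chunks else m.group(2).strip()))
    return records

def kind(value):
    """Classify a TXT value by its version tag, or None if not mail auth."""
    first = re.match(r'\s*([^;\s]+)', value)
    return KINDS.get(first.group(1).lower()) if first else None

def audit(panel_zone, external_zone):
    """List (kind, expected owner, problem) for records not copied exactly."""
    external = parse_txt(external_zone)
    findings = []
    for owner, value in sorted(parse_txt(panel_zone)):
        k = kind(value)
        if k is None or (owner, value) in external:
            continue
        elsewhere = sorted(o for o, v in external if v == value)
        problem = ("published under wrong name: " + elsewhere[0]
                   if elsewhere else "missing from external DNS")
        findings.append((k, owner, problem))
    return findings

if __name__ == "__main__":
    for finding in audit(DA_ZONE, EXTERNAL_ZONE):
        print(*finding, sep=" | ")
```
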
 
Sorry I made a mistake but I corrected it in my previous post.
However, the instructions were correct, copy what the DNS in Directadmin says.
 
Again, many thanks,

I can send to gmail and Orange.fr now, so think I'm all set.

I have another email issue but I'll raise that as another question.
 
> Sorry I made a mistake but I corrected it in my previous post.
> However, the instructions were correct, copy what the DNS in Directadmin says.

Thanks, I think I may have written too soon.

I can send to Gmail and Orange.fr from Thunderbird on my desktop computer but I get a bounce from Orange when I send from my tablet (Gmail works OK)

The only difference I can see in my outgoing message settings is that Thunderbird has SSL/TLS for security and the tablet email program is either SSL or TLS (I've tried both)

I appreciate that Orange France are a law unto themselves but any idea what this error message is (google doesn't really give any information)

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

{my email address}@orange.fr
host smtp-in.orange.fr [80.12.26.32]
SMTP error from remote mail server after end of data:
550 5.2.0 L3tZr7uF0rPcv Mail rejete. Mail rejected. OFR_506 [506]
 
550 5.2.0
This code normally is issued when the receiver address does not exist.
However... OFR_506 points out that the reason is "spam detected".

I don't know if there was any content in the tablet mail which might have been seen as suspicious.
Thunderbird normally has STARTTLS too if I'm not mistaken.

You could try this on the tablet by using specific ports:
SSL -> port 465
TLS -> port 587
SSL -> port 587

Either setting should work. It would be strange indeed that a mail from the tablet would be refused. I hope the tablet is up to date and using up to date TLS/SSL certificates.

This does not look like a DA issue as on a normal e-mail client it works correctly.
 
Thanks, I thought it might be some sort of certificate issue with DA.

I've tried the ports you mentioned with the same result.

The tablet is a 3 month old Samsung running Android 13.

I've green listed @{domain name} on the Orange mail site.
 
Oh that new? That is odd. I hope since it's that new that the tablet still uses TLS 1.2 and not 1.3 as DA does not support that yet if I'm correct (I could be wrong).

However, just to be sure everything on the tablet is correct, you could visit mail-tester.com and send a mail from your tablet via the instructions there and see if anything could be improved. At least a 9/10 score should be present, normally 10/10.
 
Thanks, it was 5/10: -2 because of the mail content and -3 because the message failed the DMARC verification.

I'll set up the DMARC verification again.
Now 9.8/10 but Orange still bouncing the message.
 
Okay, 9.8/10, that is very good but normally with DMARC present it's 10/10.
Why is the -0.2 if I may ask? Is that content still?

Odd that this only happens on the tablet then and not with Thunderbird, because I presume in both cases you use the same smtp server.
 
> Okay, 9.8/10, that is very good but normally with DMARC present it's 10/10.
> Why is the -0.2 if I may ask? Is that content still?

Thanks for your reply and help

It's the same result if the test email is sent from Thunderbird or the tablet.

I've also tried 3 other Android email apps, all with the same Orange bounce.

> Odd that this only happens on the tablet then and not with Thunderbird, because I presume in both cases you use the same smtp server.

Yes, exactly the same SMTP server with the same settings.

Thanks again for your help, I think I'm going to just change the outgoing mail in the tablet (and phone) to Orange.
 
Hi Richard, question from me but hopefully useful to others:

You Say:

> Also important... do you use your own nameservers or external nameservers? If you use external nameservers you have to copy the SPF and DKIM records to the external DNS too.

Is that the case just for the server domain and perhaps the leading (first) website created by the admin or is this the case for every single DA account that is created in DA where the server admin is using external Nameservers?

Thanks
 
External nameservers = external nameservers.
So this would be for any domain where external nameservers are used.
So anyway for every domain on the server when the server admin is using external nameservers, but also for any domain where the user does not use the local nameservers (if present), but uses external nameservers for his domain(s).
 