DMARC: DA notification emails fail

LawsHosting

So, as I still have my business domain as hostname, I thought I would change from p=none to p=fail.....

FYI, I use Cloudflare DNS

Anyway, after I changed it, I failed to receive DA's notification emails........... Going through exim's mainlog, I found they were failing DMARC...

Not sure what is wrong, DKIM & SPF pass.

Has anyone else run into this issue before?

TIA
 
business domain as hostname
Exactly how do you mean this.
Like mydomain.com = also hostname mydomain.com? -> Expect problems
Like mydomain.com = server.mydomain.com as hostname -> Did you use the exim adjustment for dkim via hostname stated somewhere on this forum?
 
I use the last method....... I thought I set up DKIM for it ages ago, however, just checked named/bind - an SPF record was there but no DKIM. Just created DKIM for it, and now I see it.

I checked old emails and it states spf=none in the headers........

I have just resent a welcome email to a GSuite (or whatever it is now) email, and :
Code:
Authentication-Results: mx.google.com;
       dkim=temperror (no key for signature) [email protected] header.s=x header.b="U/Xl8qhy";
       spf=pass (google.com: domain of accounts[@]laws-hosting.co.uk designates 51.89.139.208 as permitted sender) smtp.mailfrom=accounts[@]laws-hosting.co.uk;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=laws-hosting.co.uk

Bit dubious about the DKIM temperror
 
Bit dubious about the DKIM temperror
I presume you copied your DKIM key to your Cloudflare and not proxied it, right?
Maybe it's just a sync time issue. Let's wait and see.

Just to be sure... at this moment I don't see any SPF or DKIM for your hostname. I would at least provide an SPF record for the hostname.
But I do find a DMARC record for the hostname. So it's either synchronisation issue or configuration error.
 
cflare.jpg

I do not understand why there's no SPF & DKIM for the hostname - I mean, I thought adding them just for the main domain would cover any "sub-domains"?
 
I mean, I thought adding them just for the main domain would cover any "sub-domains"?
By the hostname I mean servervps.laws-hosting.co.uk, that is a hostname, that does not have subdomains.
This does have a DMARC record, which won't work as DMARC should check SPF and DKIM, which both are not present.

What you show me in your screenshots is your domain name, not your host name.
 
So, I've added all the required records for the hostname (servervps.) in Cloudflare and local named, I hope...

What I did find is 2 DKIM records locally (🤷🏻‍♂️) for my main domain - both didn't match my Cloudflare record - so I removed both records, removed dkim keys in /etc/virtual/, then regenerated them.

However, still getting temperror for DKIM when sending a welcome email....
Code:
dkim=temperror (no key for signature) [email protected]
SPF & DMARC pass.

I guess I'll need to wait until I get a system email from DA to see if my hostname records are fine....
 
Welcome e-mails are sent from the hostname, right? Or from admin email, I'm not sure anymore.
Admin & Reseller email addresses......

Only DA's Message & Ticket systems use the hostname (eg. root@hostname).

Maybe if we could configure the From address of the system emails, it would help?

Then again, if DA would implement a 'Send via SMTP' option, it would, sort of, solve this?....... This got asked years ago, so, doubt it.
 
Admin & Reseller email addresses......
Okay, so that would mean the temperror is on your main domain's DKIM.

What I did find is 2 DKIM records locally (🤷🏻‍♂️) for my main domain - both didn't match my Cloudflare record - so I removed both records, removed dkim keys in /etc/virtual/, then regenerated them.
Well that's something you only can check yourself. I can only check what Cloudflare is presenting.

I hope you copied the regenerated dkim key to Cloudflare. :)
 
Well, all that was a waste of time..... Giving up......

Backup notification:
Code:
Authentication-Results: mx.google.com;
       dkim=temperror (no key for signature) [email protected] header.s=x header.b=HgNRi0Gw;
       spf=pass (google.com: domain of root[@]servervps.laws-hosting.co.uk designates 51.89.139.208 as permitted sender) [email protected];
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=laws-hosting.co.uk
I'm perplexed.....
 
There you go... dkim temperror from the hostname.

Let me check.
Hmmz... odd, SPF and DKIM is also good.

Ah wait...
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=laws-hosting.co.uk
This is an issue. Seems SPF and DKIM is taken from the hostname, but DMARC is taken from the domain name instead of hostname.
Which is normal but will cause this problem. As that DMARC will check the SPF and DKIM from the domain, not from the hostname if I'm correct.

That is why I never use DMARC on my hostname record and the domain used for the hostname, to prevent this issue.

However, this still does not explain the temperror as both hostname and domain have a key present. Provided you have copied them correctly to Cloudflare.

Goes too far for me and I don't use Cloudflare. Maybe @mxroute as one of the mail specialists has an idea about this cause if he has time.
 
Ok, noticed something.......

The system emails (tickets, messages) have the Return-Path: as <root@hostname> and the sender address as the domain name (as configured for admin/reseller).....

while...

The welcome emails have the Return-Path: as <domainname> and the sender address as the domain name (as configured for admin/reseller).....

This has to be why DKIM/DMARC fails for system emails, right? Then again, SPF pass with both.
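
Added example (not part of any post in this thread): a small Python check that parses an Authentication-Results header and compares the SPF and DKIM domains against header.from under relaxed and strict DMARC alignment. The sample header is constructed from the backup notification quoted above with the obfuscated fields left out; the thread does not show the DMARC record's aspf/adkim tags, so both modes are evaluated. The suffix set is a tiny stand-in for the Public Suffix List, and taking the DKIM domain from header.i when header.d is absent is an approximation.

```python
import re

# Assumption: minimal stand-in for the Public Suffix List, enough for this sample.
PUBLIC_SUFFIXES = {"co.uk", "uk", "com"}

# Constructed sample, modelled on the backup notification header in the thread.
SAMPLE = (
    "Authentication-Results: mx.google.com; "
    "dkim=temperror (no key for signature) header.s=x; "
    "spf=pass (google.com: domain of root@servervps.laws-hosting.co.uk designates "
    "51.89.139.208 as permitted sender) smtp.mailfrom=root@servervps.laws-hosting.co.uk; "
    "dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=laws-hosting.co.uk"
)

def org_domain(domain):
    """Organizational domain: the longest public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def parse_auth_results(header):
    """Map each method (dkim, spf, dmarc) to its result and property values."""
    out = {}
    for clause in header.split(";")[1:]:            # part 0 is the authserv-id
        clause = re.sub(r"\([^)]*\)", " ", clause)  # strip parenthesised comments
        m = re.match(r"\s*(\w+)=(\w+)", clause)
        if m:
            props = dict(re.findall(r"([\w.]+)=(\S+)", clause)[1:])
            out[m.group(1)] = {"result": m.group(2), **props}
    return out

def aligned(auth_domain, from_domain, strict):
    """Strict: exact match. Relaxed: same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if strict else org_domain(a) == org_domain(f)

def dmarc_eval(header, aspf="r", adkim="r"):
    """DMARC passes if SPF or DKIM both passes and aligns with header.from."""
    ar = parse_auth_results(header)
    from_dom = ar["dmarc"]["header.from"]
    spf, dkim = ar.get("spf", {}), ar.get("dkim", {})
    spf_dom = spf.get("smtp.mailfrom", "").rpartition("@")[2]
    dkim_dom = dkim.get("header.d") or dkim.get("header.i", "").rpartition("@")[2]
    spf_ok = spf.get("result") == "pass" and bool(spf_dom) and aligned(spf_dom, from_dom, aspf == "s")
    dkim_ok = dkim.get("result") == "pass" and bool(dkim_dom) and aligned(dkim_dom, from_dom, adkim == "s")
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

if __name__ == "__main__":
    for mode in ("r", "s"):
        print("aspf=" + mode, dmarc_eval(SAMPLE, aspf=mode, adkim=mode))
```
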
 