Domain creation mails go to gMail spam because of DMARC

[Richard G]

Maybe due to gMail changes but anyway, system mails, like new account creation mails are going to the spam folder of gMail.

I just checked a header and also discovered why. It's send from my domain ofcourse, which has SPF (strict), DKIM and DMARC (quarantaine).
However, the system mail itself is logically send from the hostname.

And then this happens in gMail:

dkim=pass [email protected]

so DKIM pass for hostname.

spf=pass (google.com: domain of [email protected] designates 2a01:4xx:xx:xx:xx:xx as permitted sender) [email protected];

so SPF is also correct.

But it goes wrong on DMARC:

dmarc=fail (p=QUARANTINE sp=REJECT dis=QUARANTINE) header.from=mydomain.nl;

and this put's it in gMails spamfolder because the header.from says mydomain.nl ofcourse.
I'm already happy I didn't use REJECT in my DMARC record.

Since all account creation mails are send from [email protected] (the hostname) how can this issue be fixed so it won't fail on DMARC anymore?
NB: This is reseller account not admin account, so changing admin email won't change anything and is already set to a normal e-mail address.

 

[zEitEr]

Hello Richard,

The same case as explained here: https://forum.directadmin.com/threads/dovecot-exim-sieve-dmarc-policy-error.80066/#post-394368

For DMARC to pass the following conditions should match:

1. valid DKIM
2. valid SPF
3. domain in FROM matches a hostname from which an email is sent

So DirectAdmin should start using SMTP for sending emails, and/or rewrite headers in Exim to make the match

 

[Richard G]

So DirectAdmin should start using SMTP for sending emails, and/or rewrite headers in Exim to make the match

Ah oke because I don't use Sieve I thought it might be different.

But in my case I can't change anything then? So I guess either there are only 2 options for me now?
1.) Wait until Directadmin makes a fix for this (like start using SMTP) and accept those mails can get into spam folder of the receipient
2.) Temporarily remove the DMARC record or change it do to nothing.

Is that a correct assumption?

 

[zEitEr]

But in my case I can't change anything then? So I guess either there are only 2 options for me now?

change the sending domain to match the hostname

 

[Richard G]

change the sending domain to match the hostname

I don't know how. And this would be an issue for all admins and resellers.
I've seen your screenshot, but I don't have sieve installed and we don't use sieve. So where exactly is that page where this can be changed?

 

[zEitEr]

Sieve has nothing to do here (it is just a specific use-case which demonstrates the issue). Your issue can be solved by changing admin's contact email in DirectAdmin, it is the address used in FROM. If you don't like it, you can use a billing system or another script to create accounts in directadmin and send emails.

 

[Richard G]

Your issue can be solved by changing admin's contact email in DirectAdmin,

I do like it, but it seems not to work for some reason.
And I verified with your manual too. The contact address of the main admin in admin's user data is even a complete different mail address like [email protected] while the server still uses [email protected] on new account creation.
The admin does have hostnamedomain.com as admin domain. So in his case it's no problem.

But for resellers it's an issue, because they don't use hostnamedomain.com as main domain.

I'll send you a pm if you don't mind so I can use real examples.

 

[zEitEr]

OK, I see what you mean. I got:

Received: from diradmin by server.example.net with local (Exim 4.98.2)
 (envelope-from <[email protected]>) id 1v6wB3-0000000GmSq-122J for
 [email protected]; Fri, 10 Oct 2025 02:19:49 +0700
To: [email protected]
From: server.example.net <[email protected]>
Sender: server.example.net <[email protected]>
Reply-To: server.example.net <[email protected]>

and results:

Received-SPF: pass (google.com: domain of [email protected]
 designates 188.yyy.xxx.33 as permitted sender) client-ip=188.yyy.xxx.33;
Authentication-Results: mx.google.com; dkim=pass [email protected]
 header.s=x header.b=HWL4fi+W; spf=pass (google.com: domain of
 [email protected] designates 188.yyy.xxx.33 as permitted sender)
 [email protected]; dmarc=pass (p=REJECT sp=REJECT
 dis=NONE) header.from=server.example.net

in my case:

1. [email protected]
2. header.from=server.example.net
3. sender=[email protected]

domains match, so I get dkim=pass and spf=pass

I tested sending of a new welcome message in DirectAdmin as an admin. I did not test it on a reseller level, as well as I did not go through a new account creation process. Probably DirectAdmin will try and use either admin's or reseller's contact email address as a FROM address, and it of course will break DMARC policy.

Anyway the requirements for successful passing of SPF/DKIM/DMARC are already posted in my first reply. I can only suggest two things:

1. Contact directadmin developers on the matter (probably they will add an option to use SMTP)
2. Use additional software for sending welcome messages

 

[Richard G]

Probably DirectAdmin will try and use either admin's or reseller's contact email address as a FROM address,

Thanks for looking and testing.

Must be reseller indeed. I checked some older threads and found something in the docs pointing out that for others first their own domain would be used and if something would fail or not filled in, there would be a fallback to the system default if I tell it correct. Here is the link.

Message System | Directadmin Docs

DirectAdmin Knowledge Base

docs.directadmin.com

I will try to contact DA or see if I can use additional software.

Thanks for looking at it! Alex.
Appreciate it!