Form mail is being received as spam by Google

[ericovk]

I am experiencing trouble with a php form that I wrote for my customer. The problem is that the fields of "Return-Path", "Received-SPF", "Authentication-Results" and "envelope-from" are being set with [email protected] in stead of [email protected]. (see mail header below)

Google is treating those mails as spam. SPF records seem okay. I checked at mxtoolbox.com:

v=spf1 a mx include:anotherserver.eu include:spf.protection.outlook.com ~all

MXtoolbox results:

• SPF Record Published Record found
• SPF Syntax Check The record is valid
• SPF Multiple Records Less than two records found
• SPF Record Deprecated No deprecated records found
• SPF Included Lookups Number of included lookups is OK

The ip address of where the php script is, is the same as the website, and so being set in the A-record (right??)

But the mail headers are telling me Google doesn't like my setup:

Delivered-To: [email protected]
Received: by 10.xx.xx.71 with SMTP id b68csp21147wla;
        Tue, 24 Nov 2015 07:12:47 -0800 (PST)
X-Received: by 10.xx.xx.133 with SMTP id q5mr13281060l86.14487967607;
        Tue, 24 Nov 2015 07:12:47 -0800 (PST)
Return-Path: <[email protected]>
Received: from myserverurl.com ([95.xx.xx.82])
        by mx.google.com with ESMTPS id d129si1xxxx1lfe.84.2015.11.24.07.12.47
        for <[email protected]>
        (version=TLS1 cipher=AES128-SHA bits=128/128);
        Tue, 24 Nov 2015 07:12:47 -0800 (PST)
Received-SPF: temperror (google.com: error in processing during lookup of [email protected]: DNS error) client-ip=95.xx.xx.82;
Authentication-Results: mx.google.com;
       spf=temperror (google.com: error in processing during lookup of [email protected]: DNS error) [email protected]
Received: from directadminaccountname by myserverurl.com with local (Exim 4.76)
    (envelope-from <[email protected]>)
    id 1a1FGw-0003Al-Tm
    for [email protected]; Tue, 24 Nov 2015 16:12:46 +0100
To: [email protected]
Subject: Subject set in php mail script
X-PHP-Originating-Script: 534:send.php
MIME-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
From: My customers company name <[email protected]>
Message-Id: <[email protected]>
Sender:  <[email protected]>
Date: Tue, 24 Nov 2015 16:12:46 +0100

I tried to change sendmail_path variable in DA (source), but it looks like it isn't working.
In DA admin > Custom HTTPD Configurations > my customer's account
I set:

|[email protected]|

Restarted httpd after change of this setting.

It feels like I am really close to the solution, but I cannot find it. Hope someone can help my find my last piece of the puzzle.

Check answer #7 for the solution

 

[ericovk]

Anyone maybe?

 

[SeLLeRoNe]

Hi,

why dont you use SMTP authentication instead? This will solve all your current and possible future problems

Regards

 

[ericovk]

Well, we don't manage our customer's email. And we really also like to host properly configurated email

 

[SeLLeRoNe]

Well you may ask to your customer to create an ad-hoc account like noreply@domain and use that, or use one of your internal email address, or either create thei domain locally and ask them to add SPF record for your server in order to be allowed to send email with their domain name...

There are so many ways to do that using an SMTP connection (more secure) than sendmail (less secure, dislike from many servers9

Regards

 

[Arieh]

Well somehow the SPF records fails indeed so either way you could gain something there.

You could also add ip4:your.server.ip.here in the spf record, I believe that that is what DA is doing by default as well.

 

[ericovk]

I already tried had SPF records set with the right settings.

I solved this problem by configuring DKIM on the server. For people who are having the same problem. The solution is simple, but I had to figure this out as it isn't described anywere in a normal manual.

Check this out:
1) Check if DKIM actually is the problem by sending an email from that account to: http://www.mail-tester.com/ (great tool by the way). Your score should be 10/10.
1) Check if DKIM is active and being used by DA (if not, go through all steps): http://help.directadmin.com/item.php?id=569
2) Go to DA > log in to the specific account > DNS Management
3) Copy the x._domainkey to a text editor. What you copy should look something like this:

"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs/llWPBB5CKZ6j8rgc7kXEzO4/5H2x3gW7uFnRh9Og79IXHsdp/QLHfKZNSlXo1BahCRy9Q5vEQHB5bMBMUKr9t
KjG2u99M8E0h+bJFX7jWk+C7XhTqVr/joUv4EhkbI2FcsS6ENeq6gckREkCuw5KCebKsfOgvYwk+/NzHV0qvoF8cQF10MYVweEWIzeZLgKwYTE6zdfwcrYBZ7runaPu+dN+dsomqYzb2w6Sx6vEAn4m
PXb9Z+EKWUizy4vziAmAHkKkxyuCjTpuKJEZ3SqB0EqJZZ9I177SxkH92x7Yfo/OKjSjFe9QN5zdDUjlH7ZQ0elXvRneKlXtnIc5gIZxwIDAQAB"

5) Remove all spaces (note: there are 2 spaces inside the encrypted key) and quotes so the key looks like this:

v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs/llWPBB5CKZ6j8rgc7kXEzO4/5H2x3gW7uFnRh9Og79IXHsdp/QLHfKZNSlXo1BahCRy9Q5vEQHB5bMBMUKr9tKjG2u99M8E0h+bJFX7jWk+C7XhTqVr/joUv4EhkbI2FcsS6ENeq6gckREkCuw5KCebKsfOgvYwk+/NzHV0qvoF8cQF10MYVweEWIzeZLgKwYTE6zdfwcrYBZ7runaPu+dN+dsomqYzb2w6Sx6vEAn4mPXb9Z+EKWUizy4vziAmAHkKkxyuCjTpuKJEZ3SqB0EqJZZ9I177SxkH92x7Yfo/OKjSjFe9QN5zdDUjlH7ZQ0elXvRneKlXtnIc5gIZxwIDAQAB

6) Open your DNS management (if you host this at a third party)
7) Fill in the key as a TXT record. It should then like similar like this:

x._domainkey TXT v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs/llWPBB5CKZ6j8rgc7kXEzO4/5H2x3gW7uFnRh9Og79IXHsdp/QLHfKZNSlXo1BahCRy9Q5vEQHB5bMBMUKr9tKjG2u99M8E0h+bJFX7jWk+C7XhTqVr/joUv4EhkbI2FcsS6ENeq6gckREkCuw5KCebKsfOgvYwk+/NzHV0qvoF8cQF10MYVweEWIzeZLgKwYTE6zdfwcrYBZ7runaPu+dN+dsomqYzb2w6Sx6vEAn4m
PXb9Z+EKWUizy4vziAmAHkKkxyuCjTpuKJEZ3SqB0EqJZZ9I177SxkH92x7Yfo/OKjSjFe9QN5zdDUjlH7ZQ0elXvRneKlXtnIc5gIZxwIDAQAB

or some hosting parties want you to add the actual domain to the key:

x._domainkey.mydomainname.com TXT v=DKIM....etc...

8) Wait an hour or so and the score of the DKIM checker should be 10/10 or 9/10. In most cases your score should be 10/10 after 24 hours (if you also filled in the right SPF record(s)).

DKIM keys are now a regular thing to have. I haven't checked DMARC, but I think it's the next thing to have if you don't want some of your clients emails to arrive at spam/junk folders.

 

[SeLLeRoNe]

Well, if DNS are managed by DirectAdmin it will handle the DNS creation by itself, honestly wasn't clear that you was using an external DNS Server/Service and that's probably why no one came up with a solution for you.

Regards

 

[ericovk]

Thanks, but DKIM keys aren't generated automatically if they aren't enabled. In my opinion it's a good call to everyone who doesn't have this configured.

 

[SeLLeRoNe]

If DKIM is not enabled exim dont "notify" toher server has DKIM Signed emails.

If DKIM is enabled DA generate the keys and DNS entry and exim send e-mail notifing the remote server that there is a DKIM signature, and the other server can verify it with DNS lookup.
If DKIM is no enabled, exim shouldnt notify the remote server about DKIM signature.

The whole point was an external DNS server, cause if your customer was using internal DA DNS they was already configured for DKIM, otherwise you had no the keys in DNS aswell So exim was sending email telling to the remote server that there was a DKIM Signature, but when the remote server was going for a DNS lookup to find the key, he wasnt able to find it cause actually there wasnt, that's because DA is not managing the exetrnal DNS server.

I hope i made it clear... cause so far it sound kind of confusing what i wrote.. but is Friday and i'm tired xD

Best regards

 

[ericovk]

Haha, your message isn't too confusing. My servers didn't generate DKIM keys by default. In my DA config file I didn't have DKIM=0, and on some servers the DKIM setting wasn't even there.

Have a good weekend.