Solved: Getting odd Gmail DKIM reports

Richard G

I'm always getting reports, but for some time now I've been getting some odd ones.
On the servers, root and system emails go to my company's email address, for example [email protected], so it's only sent to me, not on behalf of my company.
I got fails in Gmail reports, so I added the IP of that server to my SPF record like:
Code:
"v=spf1 a mx ip4:95.xxx.xxx.xxx/32 ip4:144.xxx.xxx.xxx/32 -all"
The 144 one is the server I'm talking about.
I also have DKIM and DMARC present on my domain, but I only get these reports from this server, not from any other server.

Now firstly, it's odd that I get reports from Google, since the mail is not sent to Gmail. Mail to my company is sent to my company, which has its own domain and also does not forward to Gmail.

Have a look at this:
Code:
<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>[email protected]</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>4173566153660xxxxx</report_id>
    <date_range>
      <begin>1591315200</begin>
      <end>1591401599</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>mycompany.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
    <sp>none</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>144.xxx.xxx.xxx</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>mycompany.com</header_from>
    </identifiers>
    <auth_results>
      <spf>
        <domain>server.serverdomain.com</domain>
        <result>none</result>
      </spf>
    </auth_results>
  </record>
</feedback>

Can anyone explain to me:
a.) Why am I getting this report from Google while no mail is sent to Google?
b.) Why does the SPF result say "none" even though I included that domain to be allowed to send mail for my company?

What is happening here and how can I fix this? Where/how should I look? I can't find any "from" mycompany.com messages in the Exim log.
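To read a report like the one quoted above without eyeballing the XML, here is a small parser, added as an example and not code from the thread or from any mail software. It also converts the `<begin>`/`<end>` Unix timestamps to UTC (the shell equivalent is `date -u -d @1591315200`). The embedded report is a constructed copy of the quoted one with the masked IP and report ID replaced by placeholders. The one fact worth noticing in the output: `auth_results/spf/domain` is the domain the receiver evaluated SPF for, which is the envelope sender (MAIL FROM, or the HELO name), not the header From, and `result` `none` means no SPF record was found for that exact name.

```python
"""Parse a DMARC aggregate (RUA) report and print its records in readable form."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample modelled on the report quoted in the thread (IP and report ID are placeholders).
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>[email protected]</email>
    <report_id>4173566153660000000</report_id>
    <date_range><begin>1591315200</begin><end>1591401599</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>mycompany.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>144.0.2.10</source_ip>
      <count>1</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>mycompany.com</header_from></identifiers>
    <auth_results><spf><domain>server.serverdomain.com</domain><result>none</result></spf></auth_results>
  </record>
</feedback>"""


def epoch_to_utc(value):
    """<begin>/<end> are Unix timestamps; render them as UTC."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def parse_report(xml_text):
    """Return the report metadata, published policy and one dict per <record>."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    meta = root.find("report_metadata")
    pol = root.find("policy_published")
    report = {
        "org": meta.findtext("org_name"),
        "report_id": meta.findtext("report_id"),
        "begin": epoch_to_utc(meta.findtext("date_range/begin")),
        "end": epoch_to_utc(meta.findtext("date_range/end")),
        "domain": pol.findtext("domain"),
        "policy": pol.findtext("p"),
        "records": [],
    }
    for rec in root.findall("record"):
        spf = rec.find("auth_results/spf")
        dkim = rec.find("auth_results/dkim")   # absent here: the receiver saw no DKIM signature at all
        report["records"].append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            "dmarc_spf": rec.findtext("row/policy_evaluated/spf"),
            "dmarc_dkim": rec.findtext("row/policy_evaluated/dkim"),
            "header_from": rec.findtext("identifiers/header_from"),
            # Domain SPF was evaluated for: the envelope sender (MAIL FROM) or HELO name,
            # never the header From. "none" means no SPF record exists for that name.
            "spf_domain": spf.findtext("domain") if spf is not None else None,
            "spf_result": spf.findtext("result") if spf is not None else None,
            "dkim_domain": dkim.findtext("domain") if dkim is not None else None,
        })
    return report


def spf_domain_differs(record):
    """True when the SPF-checked domain is not the header From domain (exact comparison;
    relaxed DMARC alignment would also accept a subdomain of the same organizational domain)."""
    return (record["spf_domain"] or "").lower() != (record["header_from"] or "").lower()


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(f'{rep["org"]} report {rep["report_id"]} for {rep["domain"]} (p={rep["policy"]}): '
          f'{rep["begin"]} - {rep["end"]}')
    for r in rep["records"]:
        print(f'{r["source_ip"]} x{r["count"]}: header From={r["header_from"]}, '
              f'SPF checked {r["spf_domain"]} -> {r["spf_result"]}, '
              f'DMARC spf={r["dmarc_spf"]} dkim={r["dmarc_dkim"]}, '
              f'spf domain differs={spf_domain_differs(r)}')
```

Run against a real RUA file (Google sends them zipped; unzip first) to get the date range in UTC and, per source IP, which envelope domain was actually checked.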
 
It could be a real spam mail, someone else trying to use your domain name for mail, so that fails. (We have those too sometimes; that is why DKIM, SPF and DMARC are good to use, to prevent such mail from senders pretending to be you arriving in receivers' inboxes.)

I don't know whether the source IP is then taken from the DNS records or from the mail sender?

You can have a look in the mail log files for mails sent to and from.

(If the source IP is from the mail sender but is also your IP, then check things.)
 
It could be a real spam mail, someone else trying to use your domain name for mail, so that fails.
I doubt it, because the source IP used is from the correct server. As far as I know, the source IP is always taken from the header of the mail by the mail receiver, like Google, Microsoft or xs4all. At least from those 3 I regularly get these reports, most from Google.
And 99.9% are good. Only this one server sometimes has this.

I do have my alias for root set to my company email, as is done on other servers. The only difference is that this is a CentOS 8 server. But still, root mail is sent from [email protected] to [email protected], so not "from" [email protected].

It's very odd. Pity there is no time or anything else in this, because it's hard to find out what exactly is happening.
 
Could it be that on that server you have, for another domain, the same spam-report address used in the DNS DMARC record?

Sorry, I'm only trying to guess a bit.

If you get more, first try changing that spam-report mail address in DNS, and keep watching the Exim/mail log files for Gmail and that email address.
 
My spam-report mail address is different from the address I'm using for root, so that should not be an issue.
There are no DMARC domains present on that server.

Based on the report, some mail should have been sent from my domain's email address. And I can't find that anywhere.
 
Is there a mail form script on that server/domain?

Or an application (subscription) running where, for example, a webshop/WP admin/user has a Gmail address?
 
No, maldet is running too, and a script would not be sending mail from my domain name. There is WordPress present, but it's not mine. So why should I get a DMARC report then?
Also, this still does not explain why it's not whitelisted but fails, because I have that IP in my SPF record.
 
It gives a date range though: Fri Jun 05 02:00:00 2020 - Sat Jun 06 01:59:59 2020. You could look into the Exim log in this date range and search for "gmail".
 
Thank you @Arieh, I'll have a look in the logs. But how did you convert this to a normal time?
Code:
<begin>1591315200</begin>
<end>1591401599</end>

Anyway, this is a small VPS with only a little mail flow on it, because it's really for streaming radio. In this period, only 2 mails went out to Gmail. The second one was a notification to some user that somebody had downloaded his WeTransfer files.

But I do see something odd happening here on the first one, since it's going on in the same seconds. It looks like a notification from Softaculous to a customer, but I don't get why my company is in there:
Code:
2020-06-05 11:28:25 cwd=/root 3 args: /usr/sbin/sendmail -t -i
2020-06-05 11:28:25 1jh8eH-0000SY-7k <= [email protected] U=root P=local S=950 T="Script Updates Available" from <[email protected]> for [email protected]
2020-06-05 11:28:25 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1jh8eH-0000SY-7k
2020-06-05 11:28:25 1jh8eH-0000ST-4f [95.xxx.xxx.xxx] SSL verify error: certificate name mismatch: DN="/CN=server23.otherserverdomain.nl" H="mail.mycompany.com"
2020-06-05 11:28:26 1jh8eH-0000SY-7k => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=1009 H=gmail-smtp-in.l.google.com [172.217.218.27] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=yes C="250 2.0.0 OK  1591349306 oi20si3365691ejb.571 - gsmtp"
2020-06-05 11:28:26 1jh8eH-0000SY-7k Completed
2020-06-05 11:28:26 1jh8eH-0000ST-4f => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=21952 H=mail.mycompany.com [95.xxx.xxx.xxx] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no C="250 OK id=1jh8eH-00053B-MX"
2020-06-05 11:28:26 1jh8eH-0000ST-4f Completed

Now server23 is the server where my company domain resides. What I don't get is why this is called at the same time the notification is sent to the customer's Gmail account. Unless it's just a coincidence that an email is sent from root to my email address at the same time.

I'm going to dive into this again, but if you have another idea, ArieH, it's sure welcome.
 
Seems it's just sent to me at the same time. On the receiving server I have this:
Code:
2020-06-05 11:28:26 1jh8eH-00053B-MX <= [email protected] H=server.serverdomain.nl [144.xxx.xxx.xxx] P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=22529 [email protected] T="Software Updates (server.serverdomain.nl)" from <[email protected]> for [email protected]

So no explanation in the Exim log as to why Gmail complains.
 
Aargh... stupid me!! 🙄😴🤭 I think I've found it.

Thanks to you finding the date/time, ArieH, I had another look at Softaculous.
It seems that on the other servers, just as on this one, I used my company email address. However, on the other servers the "from" email address was also set to something else, but not on this new one. So on the new one, Softaculous was sending notifications to users from my email address.

This went via PHP mail (not SMTP), so that might be the reason it was not found in the Exim mainlog.

Still... this still makes me wonder, because it looks like SPF is not working correctly in this case, because that IP was allowed to send mail from my domain.

So if this is indeed the fix, I still don't understand why the SPF failed. Is it wrong? The last ip4 is from this new VPS:
Code:
"v=spf1 a mx ip4:95.xxx.xxx.xxx/32 ip4:95.xxx.xxx.xxx/32 ip4:144.xxx.xxx.xxx/32 a:mail.otherprovider.com -all"

And please tell me how this date/time conversion is done.
 
I see it mails from server.serverdomain.nl; it could be that that server subdomain requires a separate SPF record.
 
It's a hostname, not really a subdomain. Root mails are normally always sent from the hostname. This resolves to the included IP. I've also seen it done like this in examples. You can use either the hostname or the IP; mostly the IP is used. Otherwise everybody would have to put the hostname in there.
 
But if it's actually mailing from server.domain, which it really looks like it does according to that log line, it would require an SPF record for the subdomain.

Also, in your original DMARC report, it lists the server subdomain under auth_results.
 
But if it's actually mailing from server.domain,
Not really, but it's getting confusing to me.
Root is sending, not my domain. The log also reads from [email protected], not from [email protected], so that would be odd.

That was old openspf info (from the cached page on the web archive):
So the advice to SPF publishers is this: you should add an SPF record for each subdomain or hostname that has an A or MX record.
Sites with wildcard A or MX records should also have a wildcard SPF record, of the form: * IN TXT "v=spf1 -all"
You often see @ A records for domains, but I've never seen * in SPF records for domains either.

But to me this has a different meaning, like this:
So the advice to SPF publishers is this: you should add an SPF record for each subdomain or hostname that has an A or MX record.
This is meant for my domain. If I would send from [email protected] or [email protected], I would need those in SPF too, because they have my A or MX records. The other servers have A or MX records from somebody else.

However, the auth_results indeed show something else, so it's very confusing, because the wizards and generators also say something else. And everybody is using IP addresses, not hostnames, in SPF records.
So this makes it very confusing to me.
The docs also said to use either the IP from the HELO/EHLO or include the hostname. You don't need both the IP and the hostname.

Since Softaculous is sending via PHP mail and not SMTP, I'm going to look for a log file which logs PHP mails.
But then I see this:
Code:
-rw-rw----  1 admin apache    0 2020-06-08 00:10 php-mail.log
-rw-rw----  1 admin apache    0 2020-06-07 00:10 php-mail.log.1
-rw-rw----  1 admin apache    0 2020-06-06 00:10 php-mail.log.2
-rw-rw----  1 admin apache    0 2020-06-05 00:10 php-mail.log.3
-rw-rw----  1 admin apache    0 2020-06-04 00:10 php-mail.log.4
All empty.

It's getting late (03:07 am), so I'm going to search through this further tomorrow. Because you have a valid point about the auth result, hence my confusion.
 
For the SPF mx inclusion I always put the IP addresses instead; you need IPv6 too if it's used somewhere.

;) Hihi Richard, Softaculous is an "APP". Sorry.

Yup, if it's coming from another server, that server's IP must be allowed for sending too, but if some forwarding happens somewhere, I guess the error often stays.

I then have DNS records for that sub/mail domain/hostname/server, yup, as Arieh says. (And while this is used as the mail server for the domains, the SPF records for all of them are the same, so far as the domains are using that mail server; the only differences are for the ISP IP ranges users use to send mails.)
You can handle them in admin, then DNS.

If your mail settings' MX from is mail.host.domain.com, then for that too.

Checker: https://dmarcian.com/dmarc-tools/
 
It seems when root mails, it uses root@hostname, which is server.serverdomain.nl.

This is what you showed earlier: [email protected] H=server.serverdomain.nl

And thus the receiving party will check SPF for server.serverdomain.nl.

So yes, either check if you can modify this behavior on the server side, or add the SPF record, I'd say.
 
@ikkeben it's not forwarding, it's the MX address, and the IP for this MX address is present in my SPF record.
I did several SPF and DMARC checks, also the Dmarcian one, and they all say everything is fine.

@Arieh I think you're right, but for another reason.
This is what you showed earlier: [email protected] H=server.serverdomain.nl
Correct. That is the notification sent to the user, and a notification sent TO me, not from me.

And thus the receiving party will check SPF for server.serverdomain.nl.
Correct. So it will find the MX A record in the SPF record of serverdomain.nl, as it should. All fine, because [email protected] is allowed to send mail from serverdomain.nl by SPF.

Same thing. On another server, mails about other things (the server itself, like CSF mails) are also sent from [email protected], and I don't get DMARC reports about that either.

So the [email protected] part on its own would not be an issue.

IMHO the issue is Softaculous sending via PHP mail. And I think I now also understand why.
PHP mail is not sending from [email protected] by default. And it seems Softaculous does not have the -f setting which, for example, some forums have.
So it sends from [email protected] but must be using [email protected] in the header of the mail (hence the reason I could not find a "from mycompany.nl" in the Exim log), which triggers SPF.
SPF is checking headers, and then it finds my from email address, and that must be causing the fail and the reports.

The only thing I still don't understand is why SPF is not checking the IP in that case, because the IP is allowed in SPF.
And server.serverdomain.nl resolves to the allowed IP.
Maybe it's because it's not sent from [email protected] but from [email protected] that it checks the hostname and not the IP of the hostname.

And in all checks and wizards, this is the confusing line:
IP addresses in CIDR format that deliver or relay mail for this domain:
which makes you think that IP addresses would be sufficient.
 
Softaculous has the root mail address from the point of the installation in DA.
Even if you uninstall and install again after renaming the hostname, in my experience those mails still have the old hostname's root mail address. (In one place, I don't know where, the old address stays; even if the normal mails from them look OK, I see them come back in delivery errors.)

I do check with the SPF survey from dmarcian whether it has the SPF record with those IPs, but I also know of problems if some forwarding takes place; here there are some with the aliases normally used for root, which could be a kind of forwarding problem, I don't know, and yup, the header.
server.serverdomain.nl

Don't know if it is possible to send mail from that box as root@ to mail checkers?

And DA users are getting mails from Softaculous for some things, such as updates or so.

This is here:
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from vpshost.serverdomain.tld
by vpshost.serverdomain.tld with LMTP
id q
(envelope-from <[email protected]>)
for <[email protected]>; Fri, 05 Jun 2020 21:59:20 +0200
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Fri, 05 Jun 2020 21:59:20 +0200
Received: from root by vpshost.serverdomain.tld with local (Exim 4.93.0.4)
(envelope-from <[email protected]>)
id 1j
for [email protected]; Fri, 05 Jun 2020 21:59:20 +0200
To: [email protected]
Subject: =?UTF-8==?=
X-PHP-Originating-Script: 0:mail_functions.php
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
From: Softaculous <[email protected]>
Reply-To: [email protected]

So some user must have a Googlemail address or some forward for those mails then?