Inconsistent DMARC?

edvanleeuwen

When the server sends a reply (e.g. for quota) to a user with @home.nl extension, it fails on DMARC:
2022-03-19 11:11:30 1nVW3Q-00H50w-DA ** [email protected] F=<> R=lookuphost T=remote_smtp H=mx.tb.mail.iss.as9143.net [212.54.42.8] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes: SMTP error from remote mail server after end of data: 554 5.2.0 MXIN603 DMARC validation failed. ;id=VW3QnWKB6UM0dVW3QnGY6r;sid=VW3QnWKB6UM0d;mta=mx5.tb;dt=2022-03-19T11:11:29+01:00;ipsrc=myip;
2022-03-19 11:11:30 1nVW3Q-00H50w-DA Frozen (delivery error message)

When I send it via a mail programme and the same email server, it does not:
2022-03-19 14:29:53 1nVZ9U-00HEbG-NU => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=8451 H=mx.tb.mail.iss.as9143.net [212.54.42.8] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no C="250 2.0.0 MXIN650 mail accepted for delivery ;id=VZ9Un1DWNr0jaVZ9Un42py;sid=VZ9Un1DWNr0ja;mta=mx2.tb;dt=2022-03-19T14:29:53+01:00;ipsrc=myip;"
2022-03-19 14:29:53 1nVZ9U-00HEbG-NU Completed

What is the difference and can I solve this?
 
Ok, I now see that my main domain has a proper setup (checked with appmaildev and internet.nl), but the server uses the hostname (s1.mydomain.nl), which does not have the SPF, DKIM, DMARC records. What is the best way to solve this?
 
You don't need DMARC for your hostname. SPF should be enough.
Just create your hostname as separate domain, which should be good for SPF.

As for DKIM for the hostname, try:
./dkim_create.sh server.hostname.com
from the DA's scripts directory.
 
Yes, but that should be for the domain you send mail for.
For the mailserver / hostname as MX record, the SPF has to be right, and then DMARC on the domain you use for the mail, so every domain has its own DMARC and reports. If DKIM and SPF for the mailserver / its hostname are OK (and yes, if he uses that as we do, as MX in the domains), then the DKIM for the hostname, as Richard writes, is also needed in the DNS for the domains. (So the DKIM for the hostname should be in DNS for the domains if using the hostname as mailserver and in the MX record.)

So SPF and DMARC are needed in DNS for all, mostly separate and different for domains and hostname (SPF could be almost the same, depending on whether you want the internet provider IP in it that you use for ...). DMARC you had better have per domain with its own report, I find, and DKIM depends on settings in DA and DNS, the same for hostname and domains or different.
 
Thanks for all the help. I added SPF, DKIM and DMARC as DNS records for the specific hostname. Now everything is fine.
 
Well again... normally for a hostname no dmarc record is used, hardly any hostname does this.
SPF is the most. DKIM only works with specific custom changes when tested. There are some topics about it here.

I added a dmarc for the subdomain as well.
Well.... the hostname is already a subdomain (well not really, but namewise), so if you created a subdomain with the same name, that is asking for trouble.
 
At least remove the subdomain you made. If you have a DMARC record for the hostname it should be enough.
Also check that the hostname like server1 is not in domain.com but is set up as a separate domain, might make a difference too.

However, I almost don't know any hostname with a DMARC record.

The hostname you can create like a real domain.

So create the hostname just like you create a domain name; if all is well, it already exists that way.

Then only use SPF and DKIM for the hostname and an SSL certificate for the hostname. That should be sufficient.

However auto replies.. hmmz... I'm not sure on how to test it, however maybe it makes a difference if you leave out the content of the mail. It's often also abused for spam. To only send the notice and not the content again, you can create a file:
/etc/exim.variables.conf.custom
and add in there:
bounce_return_message = false

Rebuild exim and exim.conf and see if it happens again. There are so many hosts out there, others must also be sending out over quota messages and as said... only very few have dmarc on their hostname.
 
This post helped me with vacation/auto replies being aligned for DMARC:

Follow up, because I still had issues after the above change, but I finally got it resolved thanks to this post:
https://forum.directadmin.com/threa...-domain-com-email-addresses.59809/post-337769
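
The two log excerpts in the opening post differ in the envelope sender: the rejected message has F=<> (a notice generated by the server itself), the accepted one has a real sender address. As an added example that is not part of the thread, this Python script scans Exim main log lines for failed deliveries whose remote response mentions DMARC and flags the null-sender ones; the sample lines, addresses and function names are constructed for the example.

```python
import re

# Exim main log delivery line: date, time, message id, flag, recipient, fields.
LINE_RE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'(?P<msgid>\S+) (?P<flag>\*\*|=>|->|==) (?P<rcpt>\S+)(?P<rest>.*)$'
)
SENDER_RE = re.compile(r' F=<(?P<sender>[^>]*)>')
HOST_RE = re.compile(r' H=(?P<host>\S+) \[(?P<ip>[^\]]+)\]')

# Constructed sample lines, modelled on the log format quoted in the thread.
SAMPLE_LOG = """\
2022-03-19 11:11:30 1aaaaa-000001-AA ** user@example.org F=<> R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.8] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes: SMTP error from remote mail server after end of data: 554 5.2.0 DMARC validation failed.
2022-03-19 11:11:30 1aaaaa-000001-AA Frozen (delivery error message)
2022-03-19 14:29:53 1bbbbb-000002-BB => user@example.org F=<sender@example.com> R=lookuphost T=remote_smtp S=8451 H=mx.example.net [192.0.2.8] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no C="250 2.0.0 mail accepted for delivery"
2022-03-19 14:29:53 1bbbbb-000002-BB Completed
2022-03-19 15:02:10 1ccccc-000003-CC ** other@example.org F=<list@example.com> R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.8]: SMTP error from remote mail server after end of data: 550 5.7.1 rejected by DMARC policy
"""

def dmarc_rejections(log_text):
    """Return one record per failed delivery ('**') whose error mentions DMARC."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group('flag') != '**':
            continue  # skips "Frozen"/"Completed" and successful deliveries
        rest = m.group('rest')
        if 'dmarc' not in rest.lower():
            continue
        sender = SENDER_RE.search(rest)
        host = HOST_RE.search(rest)
        hits.append({
            'msgid': m.group('msgid'),
            'recipient': m.group('rcpt'),
            # Empty sender (F=<>) marks a server-generated bounce or notice.
            'null_sender': sender is not None and sender.group('sender') == '',
            'remote_host': host.group('host') if host else None,
        })
    return hits

def summarize(hits):
    """Count DMARC rejections split into server notices and user-submitted mail."""
    bounces = sum(1 for h in hits if h['null_sender'])
    return {'bounces': bounces, 'user_mail': len(hits) - bounces}

if __name__ == '__main__':
    for h in dmarc_rejections(SAMPLE_LOG):
        print(h)
```

If the rejections are all null-sender messages, the records to check are those of the server hostname rather than of the hosted domain, which is what the thread arrives at.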
 