Solved out of office messages failed because of DMARC restriction

Active8

Hi, I was playing with the out of office feature of Roundcube and I saw that the OOO messages get bounced (and are in the send mail queue) because of DMARC rules

2024-01-02 20:55:09 [email protected] F=<> R=lookuphost T=remote_smtp H=eur.olc.protection.outlook.com [104.47.11.225] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=yes: SMTP error from remote mail server after end of data: 550 5.7.509 Access denied, sending domain [DOMAIN.NL] does not pass DMARC verification and has a DMARC policy of reject. [PRAP251MB0515.EURP251.PROD.OUTLOOK.COM 2024-01-02T19:55:09.883Z 08DC09FD94DDEA01] [AM6PR0202CA0041.eurprd02.prod.outlook.com 2024-01-02T19:55:09.903Z 08DC0B374D7C9475] [AM0EUR02FT039.eop-EUR02.prod.protection.outlook.com 2024-01-02T19:55:09.898Z 08DC04072C75D7F2]
*** Frozen (message created with -f <>)

First:
1. DKIM / SPF / DMARC settings for the sender's domain are fine and tested
2. Regular emails don't have any problems (outlook or webmail)
3. Sent emails have a perfect score at mailtester (10/10)

I assume something breaks the SPF/DKIM chain when sending through Roundcube but don't know where to look.
Any help from my fellow forum users would be appreciated
 
As you should know, these kinds of things are almost not solvable without the domain name. ;)

However, if normally it's fine (I presume you checked with mail-tester.com too) and it only happens with roundcube, then it would look as if the SPF record was incomplete and not adding the hostname as allowed sender in the SPF policy.
That's the only thing I can think of when mail would work fine and Roundcube would not. So OOO messages as they most likely are server generated.
 
Hi Richard, the IP address of the server is already in SPF (ipv4 and ipv6)
I have tried to add the server hostname in the SPF and even add the DKIM record of the server's hostname in DNS and still no go
I highly doubt that I am the only user of this feature, right?

For the record: I can send mails perfectly with Roundcube, that is not the issue
For now I have changed my DMARC policy to "none" instead of "reject"; that works but is not really what I want
 
Ok guys here it comes :)
Although I had everything in place for regular mail exchange, apparently my server hostname did not have an SPF record :)
Normally this was never a problem (I forgot to add the hostname as TXT SPF record) but now with this test it came up!

So this is a wise lesson for me so others can benefit in the future, thanks all!
 
my server hostname did not have an SPF record :)
Ha Lol so I was on the right track, SPF issue. :)

It's odd that you guys never use a hostname SPF record. I -always- use SPF and DKIM in my hostname, also to prevent, for example, customers with a Gmail account getting their system mails rejected; you need SPF and DKIM for that in the hostname DNS record.
I thought this was a well known fact to you.
 
It's odd that you guys never use a hostname SPF record. I -always- use SPF and DKIM in my hostname
As standard we install it, but with this particular server I had simply forgotten to add the SPF record for the server hostname; there was only an SPF record for the server domain name, DKIM for the server name was in place.
also to prevent, for example, customers with a Gmail account getting their system mails rejected; you need SPF and DKIM for that in the hostname DNS record
Apparently not, because customers on this server never had problems with delivering to GMAIL/HOTMAIL or other email providers, simply because they are using their own DKIM and SPF records (the customer's own domain) and not one from the server hostname.
 
had simply forgotten to add the SPF record for the server hostname
But how is this possible then? Because on every fresh install, when I create the hostname record (if not present) the SPF record for the hostname is created automatically by DA.
I only have to do the DKIM record for the servers domain name first, and then afterwards I create the DKIM record for the hostname which will then be in DNS automatically also.
How come DA does not create the SPF record automatically at your server?

simply because they are using their own DKIM and SPF records
For their domain, yes. I was talking about system messages, so messages sent from DA, which are normally always sent from the hostname.
But since you say normally you have an SPF record for the hostname on other servers, that is the reason it worked.
 
Hi! We are new to DirectAdmin, we've migrated 3 servers from cPanel in the last few days. We are still figuring out stuff. We've noticed the vacation messages going to the spam folder in Gmail. We finally got SPF and DKIM to pass validation, but DMARC is failing. SPF and DKIM are validating against the hostname, but DMARC is trying to validate with the domain of the vacation account:

dkim=pass [email protected] header.s=x header.b=jaYXapxF;
spf=pass (google.com: domain of [email protected] designates xxx.xxx.xxx.xxx as permitted sender) smtp.helo=hera.ourhostname.net;
dmarc=fail (p=QUARANTINE sp=NONE dis=QUARANTINE) header.from=thedomain.net

What are we missing?

We have the domain ourhostname.net created as a domain and have added the SPF, DKIM and DMARC records for hera.ourhostname.net to the DNS records of ourhostname.net

Is it OK, or would it be better to add hera.ourhostname.net as an independent domain?

I would really appreciate your help!
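
Added example (not from the thread or from DirectAdmin): a small Python check of DMARC identifier alignment over an Authentication-Results header like the one quoted above. The `header.d` value, the IP address and the second sample are constructed, and the organizational domain is approximated as the last two labels instead of using the Public Suffix List.

```python
import re

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real evaluators
    # use the Public Suffix List (needed for suffixes such as co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    # Relaxed mode compares organizational domains, strict mode exact names.
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if strict else org_domain(a) == org_domain(f)

def parse_auth_results(header):
    """Return {method: (result, {property: value})} for dkim, spf and dmarc."""
    out = {}
    for part in header.split(";"):
        m = re.match(r"\s*(dkim|spf|dmarc)=(\w+)", part)
        if not m:
            continue
        bare = re.sub(r"\([^)]*\)", "", part)  # drop parenthesised comments
        out[m.group(1)] = (m.group(2), dict(re.findall(r"(\w+\.\w+)=(\S+)", bare)))
    return out

def dmarc_verdict(header):
    res = parse_auth_results(header)
    from_dom = res["dmarc"][1]["header.from"]
    dkim_res, dkim_p = res.get("dkim", ("none", {}))
    spf_res, spf_p = res.get("spf", ("none", {}))
    dkim_dom = dkim_p.get("header.d") or dkim_p.get("header.i", "").rpartition("@")[2]
    # With a null envelope sender (F=<>) the SPF identity is the HELO name.
    spf_dom = (spf_p.get("smtp.mailfrom") or spf_p.get("smtp.helo", "")).rpartition("@")[2]
    dkim_ok = dkim_res == "pass" and bool(dkim_dom) and aligned(dkim_dom, from_dom)
    spf_ok = spf_res == "pass" and bool(spf_dom) and aligned(spf_dom, from_dom)
    return {"from": from_dom, "dkim_aligned": dkim_ok,
            "spf_aligned": spf_ok, "dmarc_pass": dkim_ok or spf_ok}

# Constructed samples modelled on the header quoted in the post above.
VACATION_REPLY = (
    "mx.google.com; dkim=pass header.d=hera.ourhostname.net header.s=x; "
    "spf=pass (google.com: domain designates 192.0.2.10 as permitted sender) "
    "smtp.helo=hera.ourhostname.net; "
    "dmarc=fail (p=QUARANTINE sp=NONE dis=QUARANTINE) header.from=thedomain.net")
# Hostname under the same organizational domain as the From: domain.
HOSTNAME_ALIGNED = ("mx.example.org; dkim=none; "
                    "spf=pass smtp.helo=server.example.nl; "
                    "dmarc=pass header.from=example.nl")

if __name__ == "__main__":
    for name, hdr in (("vacation", VACATION_REPLY), ("aligned", HOSTNAME_ALIGNED)):
        print(name, dmarc_verdict(hdr))
```

Both SPF and DKIM pass in the first sample, yet neither authenticated domain shares an organizational domain with `header.from`, so DMARC has nothing aligned to accept.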
 
But how is this possible then? Because on every fresh install, when I create the hostname record (if not present) the SPF record for the hostname is created automatically by DA.
Hi @Richard G, you are adding/creating the hostname as a domain (e.g. server.domain.com), right? Then yes, it would be created automatically, but this is not the way we work:
I am adding the hostname as A / AAAA / DKIM / SPF record in DNS so I have to add it manually; this is the way I have been setting up our servers for years and never had problems, only now because I had forgotten the hostname SPF :)
 
We have the domain ourhostname.net created as a domain and have added the spf, dkim and dmarc records for hera.ourhostname.net to the DNS records of ourhostname.net

Is it OK, or would it be better to add hera.ourhostname.net as an independent domain?

This is the way I do it, but there are others who are creating a new domain; both should work
 
Any idea why dmarc is failing?
dmarc=fail (p=QUARANTINE sp=NONE dis=QUARANTINE) header.from=thedomain.net
 
but this is not the way we work:
Ah okay, then I understand. This is how DA always has worked before so I thought you were also using it this way.
So how do you do that with SPF exactly then? Just add an include for server.domain.com in your domain.com SPF record? Or create a separate SPF record in domain.com for server.domain.com? Just curious.

@maira The cause of your issue can be totally different; it is best to create your own thread next time.
header.from=thedomain.net
You might be missing something here. Is thedomain.net and server.thedomain.net residing on the same server?
 
That DMARC fails with bounce messages (which includes out of office messages) is by design following RFC 8098.
This is because the From (sender F=<>) is empty, preventing additional bounces to avoid loops.

With an empty Sender From, DKIM/DMARC fails, which is expected behaviour, unfortunately, due to the 'great' way mail is designed.

I would not recommend to 'fix' this, as you run into loops and reputation problems if you include a Sender From.

If you actually want reliable 'out of office' messages including a valid Sender From, it is better to send these via a smarter ticket system which doesn't reply to spam and bounce messages.
 