
I set up a Postfix/Dovecot server. My ISP blocks outbound port 25, so I use an SMTP relay (Mailjet).

When I send an email to Gmail, it ends up in the "promotions" category, which is effectively the spam folder. How can I fix this?

Closer inspection shows Google reports "DKIM: 'FAIL' with domain example.com".

Throughout this post these replacements are applied:

  • IP is replaced with XX.YY.ZZ.AA,
  • domain is replaced with example.com,
  • long arbitrary strings are replaced with ...

The SMTP relay suggested setting up SPF and DKIM. They provided some strings to add to DNS TXT records which I have done. Mailjet recognizes that the SPF and DKIM records look good.

The strings look like this:

example.com                        TXT    v=spf1 include:spf.mailjet.com ?all
mailjet._domainkey.example.com     TXT    k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4...

dig example.com txt shows

$ dig example.com
...
;; ANSWER SECTION
example.com.   21600    IN   TXT   "v=spf1 include:spf.mailjet.com ?all"

This is what I think are interesting parts of the email header

ARC-Authentication-Results: i=1; mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@example.com header.s=mailjet header.b="mF/BgIdk";
       dkim=neutral (body hash did not verify) header.i=@bnc3.mailjet.com header.s=mailjet header.b=YabQjQKu;
       spf=pass (google.com: domain of ....@bnc3.mailjet.com designates XX.YY.ZZ.AA as permitted sender) smtp.mailfrom=...@bnc3.mailjet.com
Return-Path: <...@bnc3.mailjet.com>
Received: from o137.p9.mailjet.com (o137.p9.mailjet.com. [XX.YY.ZZ.AA])
Received-SPF: pass (google.com: domain of ...@bnc3.mailjet.com designates XX.YY.ZZ.AA as permitted sender) client-ip=XX.YY.ZZ.AA;
Authentication-Results: mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@example.com header.s=mailjet header.b="mF/BgIdk";
       dkim=neutral (body hash did not verify) header.i=@bnc3.mailjet.com header.s=mailjet header.b=YabQjQKu;
       spf=pass (google.com: domain of ...@bnc3.mailjet.com designates XX.YY.ZZ.AA as permitted sender) smtp.mailfrom=...@bnc3.mailjet.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; q=dns/txt;
  d=example.com; i=stew@example.com; s=mailjet;
  ...
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; q=dns/txt;
  d=bnc3.mailjet.com; s=mailjet;
  ...
Return-Path: <...@bnc3.mailjet.com>
From: Stewart <stew@example.com>

I've been following a fantastic setup guide. There is a section about creating DKIM/SPF records, but I have ignored that because I followed the suggestions by the SMTP relay. Should I follow this guide and include SPF/DKIM records for my domain plus my SMTP relay, or should I only have records for my SMTP relay? I.e., does it make sense to have default._domainkey.example.com and mailjet._domainkey.example.com records?

Stewart
  • You have to figure out what is breaking your signature - Google was unable to verify *either*. It is probably not obvious from your redacted sample, but may be obvious when comparing a mail you signed (and sent) with the same mail as it was received elsewhere. – anx Feb 03 '21 at 00:50

1 Answer


Solved the problem. It wasn't anything to do with my SMTP relay, or my postfix server. I might be the only person in the world who will have the problem, but in the off chance I'm not I hope someone else can benefit from this answer.

My emails are signed with a PGP signature in my email client. Somehow attaching the PGP signature corrupted the way DKIM hashed the body. If I do not sign my emails in my email client, then the DKIM is valid.

I don't know if this is specific to my setup, but I've filed a bug report with the SMTP relay.

Stewart
  • 1
    Note that PGP programs messing up MIME structure has resulted in security issues before, so ensuring the mail structure is sane (at the very least, sane enough that the DKIM signer and verifier get the same result) is more of a priority than you may assume. – anx Feb 08 '21 at 19:54
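
The comparison suggested in the comments (the mail as signed versus the mail as received) can be done by recomputing the DKIM body hash (bh=) with the RFC 6376 canonicalization named in the c= tag. The following is an added example, not code from the post or from Mailjet; the message bodies and the b= value are constructed, and it checks only the SHA-256 body hash, not the RSA signature.

```python
import base64, hashlib, re

def canon_body(body: bytes, mode: str) -> bytes:
    """RFC 6376 3.4.3/3.4.4 body canonicalization; body must use CRLF line endings."""
    if mode == "relaxed":  # collapse whitespace runs, drop whitespace at end of line
        body = b"\r\n".join(re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
                            for ln in body.split(b"\r\n"))
    body = re.sub(rb"(\r\n)*\Z", b"", body)  # trailing empty lines are ignored
    return body + b"\r\n" if (body or mode == "simple") else b""

def body_hash(body: bytes, mode: str) -> str:
    # Assumes a=rsa-sha256, as in the headers shown in the question.
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def parse_tags(value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs (folding whitespace removed)."""
    pairs = (t.split("=", 1) for t in value.split(";") if "=" in t)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def check_body_hashes(raw: bytes) -> dict:
    """Map each signing domain (d=) to whether its bh= matches the received body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    head = re.sub(rb"\r\n[ \t]+", b" ", head).decode("ascii", "replace")  # unfold
    results = {}
    for line in head.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() != "dkim-signature":
            continue
        tags = parse_tags(value)
        # c=header/body; the body algorithm defaults to "simple" when omitted
        mode = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
        results[tags.get("d", "?")] = body_hash(body, mode) == tags.get("bh")
    return results

# Constructed sample: the body as signed, and the same text after whitespace was rewritten.
SIGNED_BODY = b"Hello,  world \r\nsecond line\r\n\r\n"
ALTERED_BODY = b"Hello, world\r\nsecond line\r\n"

def build_message(signed_body: bytes, delivered_body: bytes) -> bytes:
    """Constructed message: bh= covers signed_body, the body on the wire is delivered_body."""
    sig = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com;\r\n"
           "  s=mailjet; bh=" + body_hash(signed_body, "simple") + "; b=placeholder\r\n")
    return (sig + "From: Stewart <stew@example.com>\r\n\r\n").encode() + delivered_body

if __name__ == "__main__":
    print(check_body_hashes(build_message(SIGNED_BODY, SIGNED_BODY)))
    print(check_body_hashes(build_message(SIGNED_BODY, ALTERED_BODY)))
```

With c=relaxed/simple the body is hashed under "simple", so any byte changed after signing, other than trailing empty lines, gives a different bh=. That mismatch is computed without the public key, so it is independent of the DNS records.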