
I have been following this tutorial from DigitalOcean. I have followed every detail but nothing seems to work as expected.

Assuming that my FQDN is the following: mydomain.com. Here are my details:

SPF (DNS):

~$ dig mydomain.com txt

OUTPUT:

;; ANSWER SECTION:
mydomain.com.       600 IN  TXT "v=spf1 -all"

TESTING:

~$ sudo echo "test email" | sendmail check-auth@verifier.port25.com

EMAIL RECEIVED OUTPUT:

==========================================================
Summary of Results
==========================================================
SPF check:          fail
"iprev" check:      pass
DKIM check:         permerror
SpamAssassin check: ham

==========================================================
Details:
==========================================================

HELO hostname:  mail.mydomain.com
Source IP:      xxx.xxx.xxx.xxx
mail-from:      waiyl@mydomain.com

----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result:         fail
ID(s) verified: smtp.mailfrom=waiyl@mydomain.com

DNS record(s):
   mydomain.com. 60 IN TXT "v=spf1 -all"

Notice: Using Postfix as MTA for my mail server

Waiyl Karim

2 Answers

Your SPF record of v=spf1 -all says "literally no server on the internet can send mail on this domain's behalf". All mail will fail. Your tutorial links to a separate tutorial on setting up an SPF record.

ceejayoz
  • Based on your experience what do you think is the best SPF value? – Waiyl Karim Oct 04 '18 at 16:28
  • It should be a comprehensive list of the servers you intend to send email with. If you send emails for that domain from Gmail, you'll need to include Gmail's recommended SPF records. If you send from your VPS, you'll want its IP in there. – ceejayoz Oct 04 '18 at 16:41
  • I already have the Gmail MX in place. I only send from my server so I will set the IP address alone. Thanks – Waiyl Karim Oct 04 '18 at 16:50
    If you're sending from Gmail for this domain (which you presumably are, given you're using their MX records), you [must include Gmail's SPF in your SPF record](https://support.google.com/a/answer/33786?hl=en). Having the MX does not remove this requirement. **You really do need to understand what you're doing here or your emails will go missing.** – ceejayoz Oct 04 '18 at 16:54
  • Seems like I still have more readings to do. Thanks buddy! I will Google this. – Waiyl Karim Oct 04 '18 at 16:58
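To make the point in this answer concrete, here is an added example (not from the asker, ceejayoz, or the DigitalOcean tutorial): a small offline SPF evaluator run over a constructed DNS table. It shows why `v=spf1 -all` fails for every sender and how a record built from `mx`, `ip4:` and `include:` terms passes only the listed servers. The domains `fixed.example`, `_spf.example.net` and the addresses are made up; real resolvers, macros, `a`/`ptr`/`exists` and the 10-lookup limit are left out.

```python
import ipaddress

# Constructed DNS data standing in for real zones: the first entry is the
# asker's record, the others belong to a made-up domain with a corrected record.
DNS = {
    ("mydomain.com", "TXT"): ["v=spf1 -all"],
    ("fixed.example", "TXT"): ["v=spf1 mx ip4:203.0.113.10 include:_spf.example.net -all"],
    ("fixed.example", "MX"): ["mx1.fixed.example"],
    ("mx1.fixed.example", "A"): ["198.51.100.25"],
    ("_spf.example.net", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])

def spf_records(domain):
    """TXT records that begin with the spf1 version tag (there must be exactly one)."""
    return [r for r in lookup(domain, "TXT") if r.lower().split()[:1] == ["v=spf1"]]

def check_host(ip, domain, depth=0):
    """SPF result for a message sent from 'ip' with a MAIL FROM in 'domain'."""
    recs = spf_records(domain)
    if not recs:
        return "none"                      # no SPF record published at all
    if len(recs) > 1 or depth > 10:
        return "permerror"                 # duplicate records or an include loop
    addr = ipaddress.ip_address(ip)
    for term in recs[0].split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return QUALIFIERS[qual]        # 'all' matches every sender
        if mech.startswith("ip4:") and addr in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qual]
        if mech == "mx" and any(ip in lookup(mx, "A") for mx in lookup(domain, "MX")):
            return QUALIFIERS[qual]        # sender is one of the domain's MX hosts
        if mech.startswith("include:") and check_host(ip, mech[8:], depth + 1) == "pass":
            return QUALIFIERS[qual]        # an include matches only on 'pass'
    return "neutral"                       # nothing matched and no 'all' term present
```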
There are two things wrong that I see.

First, as has already been pointed out, your SPF record is wrong. SPF records tell the world what IP address/es your outbound mail server sits on.

Let's consider a really simple case where outbound and inbound mail are dealt with by the same server.

v=spf1 mx -all

Looking at each part:

v=spf1 - The version number of the SPF record; currently only spf1 is defined.

mx - Use the IP addresses of the servers found in my domain's MX records.

-all - "all" in this context means every address, and the "-" before it means hard fail.

If setting an SPF record up is daunting - you could try one of the many SPF generators such as: https://mxtoolbox.com/SPFRecordGenerator.aspx

However you also have another problem:

DKIM check:         permerror

This suggests that your mail is being signed by the mail server but there's a problem with the DKIM record. This could be anything, such as:

No record in DNS

Improper DKIM record in DNS

This may seem a little vague, but the first thing I'd do is to look at the DKIM signature on one of your outbound mails. Two things to note will be the d= and s= values.

d= is the domain responsible for signing the mail. s= is called the DKIM selector.

If you look for a txt record under the following record: ._domainkey.

For example if I take a DKIM signature from Twitter

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=twitter.com;
    s=dkim-201406; t=1554045794;
    bh=JrX7TaDioaOnxGz+nN85Zv7ueFvbyTa36Avx+BeDPEI=;
    h=Date:From:To:Subject:MIME-Version:Content-Type:List-Unsubscribe:
     Message-ID;
    b=CD/rqEhFqCH0gkh9zOoWsCynbem2PChQMiR0apSSXQg4IPigtJXfDNsZQg0/Q1V6K
     NimuwFUiIMRwyV7Q2Ck2HuWABt13yVTX2LZhHqCWPEzYYWXAii0fyPeNT6U/PbZfSQ
     0/ZL1zE11E/iVKgqCQalVR+om6au/dE4V2fqnw3DMTXrU+Up5dS7N+Xkrm0/FQQ6N4
     LIr06Nq9Neft8ScJvcxsf/9KL+NJY8uhpXZJ6grdE/as+73Qw9fv0MZZ7M33zhcIMs
     WgIy0HtvxPJ0Bha+z2aLTZDGxudmxfhMFjuQtnXhs9xCePX4izVYKx909+oilJ6Dgt
     ppww0Don384fQ==

We see that d=twitter.com s=dkim-201406

So if we do a DIG

C:\Users\timdu>dig txt dkim-201406._domainkey.twitter.com

; <<>> DiG 9.10.6-P1 <<>> txt dkim-201406._domainkey.twitter.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32288
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;dkim-201406._domainkey.twitter.com. IN TXT

;; ANSWER SECTION:
dkim-201406._domainkey.twitter.com. 300 IN TXT  "v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwe34ubzrMzM9sT0XVkcc3UXd7W+EHCyHoqn70l2AxXox52lAZzH/UnKwAoO+5qsuP7T9QOifIJ9ddNH9lEQ95Y/GdHBsPLGdgSJIs95mXNxscD6MSyejpenMGL9TPQAcxfqY5xPViZ+1wA1qcr" "yjdZKRqf1f4fpMY+x3b8k7H5Qyf/Smz0sv4xFsx1r+THNIz0rzk2LO3GvE0f1ybp6P+5eAelYU4mGeZQqsKw/eB20I3jHWEyGrXuvzB67nt6ddI+N2eD5K38wg/aSytOsb5O+bUSEe7P0zx9ebRRVknCD6uuqG3gSmQmttlD5OrMWSXzrPIXe8eTBaaPd+e/jfxwIDAQAB"

We find the DKIM record which has the public key used to verify the signature and body hashes of the email.

So you need to make sure that you've got an equivalent record set up correctly.
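As an added example (not part of the answer above), the following script does the steps the answer walks through by hand: it parses a DKIM-Signature header, derives the `<s>._domainkey.<d>` name to query, sanity-checks the TXT record it finds, and recomputes the `bh=` body hash using relaxed body canonicalization (RFC 6376 section 3.4.4). It uses the Twitter header quoted above as input; the bodies and TXT records in the tests are constructed, and signature (`b=`) verification is left out because it needs the RSA key.

```python
import base64
import hashlib
import re

# The DKIM-Signature quoted in the answer above (Twitter), used as sample input.
SIGNATURE = """DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=twitter.com;
    s=dkim-201406; t=1554045794;
    bh=JrX7TaDioaOnxGz+nN85Zv7ueFvbyTa36Avx+BeDPEI=;
    h=Date:From:To:Subject:MIME-Version:Content-Type:List-Unsubscribe:
     Message-ID;
    b=CD/rqEhFqCH0gkh9zOoWsCynbem2PChQMiR0apSSXQg4IPigtJXfDNsZQg0/Q1V6K
     NimuwFUiIMRwyV7Q2Ck2HuWABt13yVTX2LZhHqCWPEzYYWXAii0fyPeNT6U/PbZfSQ
     0/ZL1zE11E/iVKgqCQalVR+om6au/dE4V2fqnw3DMTXrU+Up5dS7N+Xkrm0/FQQ6N4
     LIr06Nq9Neft8ScJvcxsf/9KL+NJY8uhpXZJ6grdE/as+73Qw9fv0MZZ7M33zhcIMs
     WgIy0HtvxPJ0Bha+z2aLTZDGxudmxfhMFjuQtnXhs9xCePX4izVYKx909+oilJ6Dgt
     ppww0Don384fQ=="""

def parse_tags(text):
    """Split a DKIM tag=value list (signature header or DNS TXT record) into a dict."""
    text = re.sub(r"^DKIM-Signature:\s*", "", text, flags=re.I)  # drop header name if present
    text = re.sub(r"\r?\n[ \t]+", " ", text)                       # unfold continuation lines
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)          # b=/p=/h= may span lines
    return tags

def selector_record_name(sig):
    """DNS name that holds the public key: <selector>._domainkey.<signing domain>."""
    return f"{sig['s']}._domainkey.{sig['d']}"

def record_ok(txt):
    """Minimal check of the TXT record: version tag (if present) and a non-empty key."""
    rec = parse_tags(txt)
    return rec.get("v", "DKIM1") == "DKIM1" and bool(rec.get("p"))   # empty p= means revoked

def relaxed_body(body):
    """Relaxed canonicalization: trim trailing WSP, collapse WSP runs, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)

def body_hash(body):
    """The bh= value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest()).decode()

def body_hash_ok(sig, body):
    return sig.get("bh") == body_hash(body)   # True when the body was not altered in transit
```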