0

I am using Plesk (Onyx) in combination with external DNS. I configured mail and everything seems to be ok, but I am not sure if my mail configuration is correct, because sometimes a DMARC-report states, that a SPF / DKIM verification did not pass.

My configs:

DNS-Records for domain - mydomain.com AND mail.mydomain.com (created the same dns entries twice, for mydomain.com and subdomain mail.mydomain.com, except MX-entry, which is only configured for mydomain.com):

  • Reverse DNS: 123.456.1.1 -> mail.mydomain.com

  • MX: mail.mydomain.com

  • SPF: v=spf1 +a +mx -all

  • _dmarc: v=DMARC1; p=none; pct=100; rua=mailto:mailerror@mydomain.com; ruf=mailto:mailerror@mydomain.com; fo=1; adkim=s; aspf=r

  • domainkey: o=-

  • default._domainkey: v=DKIM1; p=SIGNATUREHERE;

PLESK/Server related:

  • Hostname: zeus.mydomain.com
  • Mailname: mail.mydomain.com

Mail-headers of test mail:

Delivered-To: test-email@gmail.com
Received: by 10.31.48.86 with SMTP id w83csp1454833vkw;
        Fri, 6 Oct 2017 01:39:44 -0700 (PDT)
X-Google-Smtp-Source: AOwi7QAKFeawe3fGhxawUkAdVvaqjrBGMTZvJ466CoQNxwFGRk6xInOapHBRt14rI+zpCQmcl4z4
X-Received: by 10.223.184.246 with SMTP id c51mr1352887wrg.250.1507279184077;
        Fri, 06 Oct 2017 01:39:44 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1507279184; cv=none;
        d=google.com; s=arc-20160816;
        b=SignatureHERE
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:subject:to:from:date
         :dkim-signature:message-id:arc-authentication-results;
        bh=4lLj3bndoJBX1fsz99dGcUZLZyWwVlQLXwB3uGl3sKs=;
        b=SignatureHERE
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@mydomain.com header.s=default header.b=RUVEDlBN;
       spf=pass (google.com: domain of info@mydomain.com designates 123.456.1.1 as permitted sender) smtp.mailfrom=info@mydomain.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=mydomain.com
Return-Path: <info@mydomain.com>
Received: from mail.mydomain.com (mail.mydomain.com. [123.456.1.1])
        by mx.google.com with ESMTPS id k10si874730wrg.550.2017.10.06.01.39.43
        for <test-email@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 06 Oct 2017 01:39:44 -0700 (PDT)
Received-SPF: pass (google.com: domain of info@mydomain.com designates 123.456.1.1 as permitted sender) client-ip=123.456.1.1;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@mydomain.com header.s=default header.b=RUVEDlBN;
       spf=pass (google.com: domain of info@mydomain.com designates 123.456.1.1 as permitted sender) smtp.mailfrom=info@mydomain.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=mydomain.com
Message-Id: <59d74150.0ac7df0a.a9cd2.2856SMTPIN_ADDED_MISSING@mx.google.com>
Received: from mydomain.com (unknown [188.93.221.133]) by mail.mydomain.com (Postfix) with ESMTPSA id 6821B3C00CF for <test-email@gmail.com>; Fri,
  6 Oct 2017 10:39:43 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.com; s=default; t=1507279183; bh=4lLj3bndoJBX1fsz99dGcUZLZyWwVlQLXwB3uGl3sKs=; l=26539; h=From:To:Subject; b=RUVEDlBNkO7PgHEEmuAlCSgG+batl5Ple/8O94GKLu7StZJLLa01k4rbjlnKX+3R9
     mWt8+kOAPthM6lro4Z23B7LMk2ueWDpkFJZX3zRnOUC9E7LiIIQXNz83s8N640T6e7
     7a4nFVAWgS9bIu/+TyyInPHOsnbe0/IKZKAyJw9k=
Authentication-Results: zeus.mydomain.com;
        spf=pass (sender IP is 188.93.221.133) smtp.mailfrom=info@mydomain.com smtp.helo=mydomain.com
Received-SPF: pass (zeus.mydomain.com: connection is authenticated)
Date: Fri, 06 Oct 2017 10:39:43 +0200
From: MyDomain <info@mydomain.com>
To: test-email@gmail.com
Subject: mydomain.com: Test Subject
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

What do I have to change, if I want to use f. e. "info@mydomain.com" as from-address/sender address? Do I need to change the mailname to"mydomain.com"? Can I safely delete DNS entries for mail.mydomain.com, if I change mailname to "mydomain.com"? Is there a way to configure the mailname in PLESK/make sure PLESK does not overwrite it, if a new update/upgrade is made?

EDIT: Test of unlocktheinbox: https://www.unlocktheinbox.com/mail-tester/9YBYhi8wpqo=/

koseduhemak
  • 523
  • 2
  • 4
  • 19

2 Answers2

1

@mfuesslin,

You should run your email through this email tester, it's recognized as the #1 email authentication and configuration testing platform. All you have to do is send an email to mailtest@unlocktheinbox.com and it will auto-respond in minutes.

Once you get the results and if you need help fixing any of the items it points you, everyone will be able to help you more because it's more specific.

Henry
  • 2,953
  • 2
  • 21
  • 34
0

mydomain.com is the from domain you're using, right? You should make sure to have SPF, DKIM, and perhaps DMARC with domain alignment with the envelope from.

As a side note, is this all that's in your SPF record? What services do you want to be able to send email out on your behalf? Why not get more specific? v=spf1 +a +mx -all

Neil Anuskiewicz
  • 478
  • 2
  • 12
  • Thank you for your answer. I added the test results for my domain. Just replace "mydomain.com" with "lotsearch.de". – koseduhemak Jan 11 '18 at 11:26
  • I don't think that's a good SPF record. It may technically validate but an SPF record should include specific IP addresses and/or hosts of services you've given permission to send outgoing email through. Do you see what i mean like `ip4:` for an IP address and/or `include:` for a host What's the DKIM record for this as well? If you indicate the hostname it'd be easier to look it up. – Neil Anuskiewicz Jan 12 '18 at 17:10
  • Yes I looked into that and changed my spf accordingly. Thank you. With `domain alignment` you mean that everything should be the same domain ("mydomain.com")? So I need to change the hostname from "zeus.mydomain.com" to "mydomain.com" and the mailname / mail server config to use "mydomain.com" over "mail.mydomain.com"? – koseduhemak Jan 16 '18 at 10:42
  • Yes, alignment means that the domain you establish use as the from, the domain you set up SPF and DKIM all need to be the same domain name. For DKIM it would be the `d=`. It can be example.com or some subdomain such as newsletter.example.com or whatever as long as the email authentication "aligns." DMARC can be confusing so it's worth reading blog posts or articles from some real esperts. Check out the posts about email authentication in Word to the Wise: https://wordtothewise.com/2014/04/brief-dmarc-primer/ – Neil Anuskiewicz Jan 18 '18 at 03:46