• 0

[DKIM] Subdomain Mail Server


Question

SpeedyTheSnail

Hello again, hopefully somebody here can help. I have been trying to set up this mail server for 2 weeks now but cannot send emails to hotmail/live email addresses. Google can receive my mail.

 

I have just set up my SPF1 TXT record and my reverse lookup on my DNS for digital ocean, however I can't get my DKIM to work.

 

I have 2 servers, a mail server with domain mail.domain.com and then a web server with a domain of *.domain.com. My DKIM key is for domain.com and not mail.domain.com, despite coming from my mail server.

 

Do I need to correct my mail server to generate a DKIM key for the domain mail.dishonestpolitics.com? Also, the DKIM record does not show at all when I query it, maybe it has not propagated yet.

 

At this point I may just pay $20 a month for 4 domain emails from Google or Microsoft, but I'd much rather manage it on my own so I can add users for cheaper as my site grows.

 

Thanks all, I've asked a few questions here that nobody's had the answer for but hopefully somebody here can help with this one!

 

Cheers!


Recommended Posts

  • 0
sc302

It would help to have the ndr messages you get or perhaps they are going to junk mail on the hotmail side. You will either get a ndr if it really has been denied/not delivered or it is sitting in the junk mail because there is not enough history with the site or the site isn't 100% yet.


Sent from my iPhone using Tapatalk

  • 0
SpeedyTheSnail

Never have received a non-delivery report, nor does the message go into spam. Here is a copy of a delivery receipt I requested:

Quote

Subject: Successful Mail Delivery Report
From: MAILER-DAEMON@mail.my.domain.com    Date: Today 15:33
Attachments: Delivery report (~477 B)
Message Body
This is the mail system at host mail.my.domain.com.

Your message was successfully delivered to the destination(s)
listed below. If the message was delivered to mailbox you will
receive no further notifications. Otherwise you may still receive
notifications of mail delivery errors from other systems.

                   The mail system

<emailaddresshere@live.com>: delivery via mx1.hotmail.com[65.54.188.126]:25: 250
    <091ed1f205cd0034b3ba17fff91a219c@my.domain.com> Queued mail for
    delivery
Reporting-MTA: dns; mail.my.domain.com
X-Postfix-Queue-ID: 3D63741969
X-Postfix-Sender: rfc822; postmaster@my.domain.com
Arrival-Date: Sat, 14 Jan 2017 20:33:50 +0000 (UTC)

Final-Recipient: rfc822; emailaddresshere@live.com
Original-Recipient: rfc822;emailaddresshere@live.com
Action: relayed
Status: 2.0.0
Remote-MTA: dns; mx1.hotmail.com
Diagnostic-Code: smtp; 250
    <091ed1f205cd0034b3ba17fff91a219c@my.domain.com> Queued mail for
    delivery
Return-Path: <postmaster@my.domain.com>
Received: from mail.my.domain.com (DHP-MAIL-01 [127.0.0.1])
    by mail.my.domain.com (Postfix) with ESMTP id 3D63741969
    for <emailaddresshere@live.com>; Sat, 14 Jan 2017 20:33:50 +0000 (UTC)
Authentication-Results: mail.my.domain.com (amavisd-new); dkim=pass
    reason="pass (just generated, assumed good)"
    header.d=my.domain.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=
    my.domain.com; h=user-agent:message-id:subject:subject
    :to:from:from:date:date:content-transfer-encoding:content-type
    :content-type:mime-version; s=dkim; t=1484426029; x=1485290030;
     bh=34tKkuLKFx3jY7i6C+NsFozk4Iv52R7X4DZEQJ4JAsw=; b=uKNknDpcsp89
    q2aGuDP/qjPtImTCajrV366X9G3Dt3RUSqe7+1nz4JIQVW6zqV6jLqU3eixtvZ24
    0L7molcpEhZMOARm6dwUkNWbZQdwIFYa3giNG1M0jFnp/zze0CckwuA/6bSXz1YI
    dznz3WPku7Pdibpmp0MdIItI56S+5mE=
X-Virus-Scanned: amavisd-new at mail.my.domain.com
Received: from mail.my.domain.com ([127.0.0.1])
    by mail.my.domain.com (mail.my.domain.com [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id W6ZdKQLhWIfi for <emailaddresshere@live.com>;
    Sat, 14 Jan 2017 20:33:49 +0000 (UTC)
Received: from _ (DHP-MAIL-01 [127.0.0.1])
    by mail.my.domain.com (Postfix) with ESMTPSA id AF92C3F2DC
    for <emailaddresshere@live.com>; Sat, 14 Jan 2017 20:33:49 +0000 (UTC)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII;
 format=flowed
Content-Transfer-Encoding: 7bit
Date: Sat, 14 Jan 2017 15:33:49 -0500
From: postmaster@my.domain.com
To: emailaddresshere@live.com
Subject: test 4
X-Priority: 1 (Highest)
Return-Receipt-To: postmaster@my.domain.com
Disposition-Notification-To: postmaster@my.domain.com
Message-ID: <091ed1f205cd0034b3ba17fff91a219c@my.domain.com>
X-Sender: postmaster@my.domain.com
User-Agent: Roundcube Webmail
 

 

  • 0
sc302

Then it is somewhere in hotmail.

TBH, I have never had a problem having outlook/hotmail receive my messages. Going into junk usually but never an issue with them receiving.

The mail server should be defined and not have a wildcard SSL. What happens when you do a reverse lookup for your domain? What is the TTL set at on the DNS level? That is more for you receiving mail than them doing a domain check against you.

  • 0
SpeedyTheSnail
18 minutes ago, sc302 said:

Then it is somewhere in hotmail.

TBH, I have never had a problem having outlook/hotmail receive my messages. Going into junk usually but never an issue with them receiving.

The mail server should be defined and not have a wildcard SSL. What happens when you do a reverse lookup for your domain? What is the TTL set at on the DNS level? That is more for you receiving mail than them doing a domain check against you.

The TTL for the A record is 600 seconds; the largest TTL for the rest of my records is 3600 seconds. My SSL is provided via LetsEncrypt, valid for 90 days at a time, issued yesterday night. Of course the DKIM key was generated yesterday as well and apparently is unrelated to my domain certs from LetsEncrypt. I do know that the key sent via email is different from the keys shown by Amavisd.

  • 0
sc302

You may have to wait another day. 

  • 0
SpeedyTheSnail
14 minutes ago, sc302 said:

You may have to wait another day. 

I'll wait and let you know.

 

I really appreciate the help!

  • 0
SpeedyTheSnail

:blush: 

 

I realized my TXT entry was for domain.com and not dkim._domain_key, which for my host automatically adds the domain after that to the host. 

 

The DNS has updated and validated under one of my DKIM tests; I shall still wait to see if I can send emails soon.

 

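The fix in the post above is the classic one: a DKIM verifier never looks at the bare domain, it queries `<selector>._domainkey.<d= domain>` using the `s=` and `d=` tags from the DKIM-Signature header. The following is an added example (my own code, not from anyone in this thread) that derives that query name from a signature header, checks which of two constructed zone snapshots actually answers it, and sanity-checks the published record offline (v=, k=, base64, and the RSA modulus size parsed out of the DER). The `domain.com` names are the thread's placeholders; the `p=` value is the public key the poster pasted below in the thread, which is public by design.

```python
import base64
import re

# Constructed inputs (placeholder domain, not a real zone): the d= and s= tags
# mirror the DKIM-Signature header quoted in the thread, and the p= value is the
# public key the poster published, which is public by design.
SIGNATURE_HEADER = ("v=1; a=rsa-sha256; c=relaxed/simple; d=domain.com; "
                    "h=from:to:subject:date; s=dkim; bh=elided; b=elided")
PUBLISHED_KEY = (
    "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdSjG7GX/d+zLn7T+xyLrY"
    "/5tHzbV+zeRNA1D+Ox/9HvGEPq52dFrQxoWJ0CXmuxMIG4DI1LAhFmis5HvtkcH0ixVpW7SAijTXApEf"
    "PkvxlyGz+rdeP/gCU1ofPqepxU3S7DDIYKjOdIOBdKSkw7qBGnvvI4NIgbuEjRixeigXWQIDAQAB")

# Two constructed zone snapshots: the record at the bare domain (the poster's
# first attempt, which no verifier queries) and at the selector name it belongs at.
ZONE_WRONG = {"domain.com": [PUBLISHED_KEY]}
ZONE_RIGHT = {"dkim._domainkey.domain.com": [PUBLISHED_KEY]}


def parse_tags(text):
    """Split an RFC 6376 tag=value list; whitespace inside values is insignificant."""
    tags = {}
    for item in text.split(";"):
        if item.strip():
            key, _, value = item.partition("=")
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def record_name(signature_header):
    """The TXT owner name a verifier queries: <s=>._domainkey.<d=>."""
    tags = parse_tags(signature_header)
    return "%s._domainkey.%s" % (tags["s"], tags["d"])


def der_tlv(buf, pos):
    """Read one DER tag/length/value at `pos`; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey -> modulus INTEGER."""
    _, spki, _ = der_tlv(spki_der, 0)
    _, _, after_alg = der_tlv(spki, 0)            # AlgorithmIdentifier, skipped
    _, bit_string, _ = der_tlv(spki, after_alg)
    _, rsa_key, _ = der_tlv(bit_string[1:], 0)    # drop the unused-bits byte
    _, modulus, _ = der_tlv(rsa_key, 0)
    return int.from_bytes(modulus, "big").bit_length()


def check_key_record(txt):
    """Sanity-check a published DKIM TXT record without any network access."""
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        return {"ok": False, "reason": "v= is not DKIM1"}
    if tags.get("k", "rsa") != "rsa":
        return {"ok": False, "reason": "unsupported key type %s" % tags["k"]}
    if not tags.get("p"):
        return {"ok": False, "reason": "empty p= (key revoked)"}
    try:
        der = base64.b64decode(tags["p"], validate=True)
    except ValueError:
        return {"ok": False, "reason": "p= is not valid base64"}
    if der[:1] != b"\x30":
        return {"ok": False, "reason": "p= is not a DER SEQUENCE"}
    return {"ok": True, "modulus_bits": rsa_modulus_bits(der)}


def verify_placement(signature_header, zone):
    """Does the zone answer the query a verifier would make, and is the key sane?"""
    name = record_name(signature_header)
    answers = zone.get(name, [])
    if not answers:
        return {"query": name, "found": False}
    return {"query": name, "found": True, "key": check_key_record(answers[0])}


if __name__ == "__main__":
    for label, zone in (("wrong", ZONE_WRONG), ("right", ZONE_RIGHT)):
        print(label, verify_placement(SIGNATURE_HEADER, zone))
```

Against a live zone the same check is `dig TXT dkim._domainkey.domain.com`; the point of the offline version is that it makes the lookup name explicit, which is where the record in this thread went astray. The modulus size is worth reporting because a verifier that enforces a minimum key length will reject the signature even when the record is in the right place.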
  • 0
SpeedyTheSnail

So I can now receive email from hotmail, still cannot send to it though.  Google emails do not send to my domain, but I can send out to Gmail.

 

My DKIM is for my domain, my spf1 is for my subdomain.

 

If my mail server is on mail.domain.com and my dkim is for domain.com, but my spf1 is for mail.domain.com, is this the source of my issue? Should I have a dkim for mail.domain.com or should I have an spf1 for domain.com?

  • 0
sc302

DNS still propagating, it sounds like. 1/2 communications up in different mail hosts.

 

24 to 48 hours any time you screw with internet dns settings. 

 

Use mxtoolbox.com to verify your settings. 

  • 0
SpeedyTheSnail

The records have propagated completely, however I am wondering if the issue I have is the way my setup is.

 

Web server - domain.com xxx.xxx.xxx.1

TXT record: dkim._domainkey.domain.com
value:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdSjG7GX/d+zLn7T+xyLrY/5tHzbV+zeRNA1D+Ox/9HvGEPq52dFrQxoWJ0CXmuxMIG4DI1LAhFmis5HvtkcH0ixVpW7SAijTXApEfPkvxlyGz+rdeP/gCU1ofPqepxU3S7DDIYKjOdIOBdKSkw7qBGnvvI4NIgbuEjRixeigXWQIDAQAB

Mail server - mail.domain.com xxx.xxx.xxx.2 

TXT Record: mail.domain.com

value:
"v=spf1 mx a a:mail.domain.com ~all"

The mail server hosts a domain and host name of mail.domain.com; however, it is sending emails from @domain.com rather than @mail.domain.com.

 

Should my DKIM be for the mail subdomain?

  • 0
sc302

Get incoming and outgoing lines up the same way. You have two different things there and could be causing issues.  

 

You don't need DKIM or SPF at all. It is recommended but not needed. Hell, I didn't have any of that on my stuff until earlier this year. It was never set and was working for years prior. You have a misconfig; get everything on the same name.

 

Mail.domain.com

  • 0
TheReaperMan

are you sure you have setup the mx records correctly for the domain?

  • 0
SpeedyTheSnail
11 minutes ago, TheReaperMan said:

are you sure you have setup the mx records correctly for the domain?

My MX record for the domain is:

 

MX mail.domain.com mail.domain.com.,

 

I'm fairly certain I probably did that wrong.

  • 0
SpeedyTheSnail

I reconfigured the MX record to be *domain.com, mail.domain.com and now everything works.

 

Appreciate the info all! Thank you!

  • 0
sc302

*.domain.com should not be there.  Only mail hosts. 

  • 0
SpeedyTheSnail
2 hours ago, sc302 said:

*.domain.com should not be there.  Only mail hosts. 

When I had mail.domain.com mail.domain.com, I could not receive or send consistently. Upon changing it to * (or @ rather).domain.com mail.domain.com, it appears my requests are being properly routed to my mail server, mail.domain.com.

 

Still though, my spf record is failing checks:

 

SPF Information:

Using this information that I obtained from the headers


Helo Address = mail.domain.com
From Address = postmaster@domain.com
From IP      = MAIL IP
SPF Record Lookup


Looking up TXT SPF record for domain.com
Found the following namesevers for domain.com: ns1.digitalocean.com ns2.digitalocean.com ns3.digitalocean.com
Retrieved this SPF Record: zone updated 20170116 (TTL = 79313)
using authoritative server (ns1.digitalocean.com) directly for SPF Check
Result: fail (Mechanism '-all' matched)


Result code: fail 
Local Explanation: domain.com: Sender is not authorized by default to use 'postmaster@domain.com' in 'mfrom' identity (mechanism '-all' matched)
Authority Explanation: Please see http://www.openspf.org/Why?s=mfrom;id=postmaster%domain.com;ip=104.236.79.4;r=ip-172-31-3-128.us-west-1.compute.internal
spf_header = Received-SPF: fail (domain.com: Sender is not authorized by default to use 'postmaster@domain.com' in 'mfrom' identity (mechanism '-all' matched)) receiver=ip-172-31-3-128.us-west-1.compute.internal; identity=mailfrom; envelope-from="postmaster@domain.com"; helo=mail.domain.com; client-ip=104.236.79.4

 

  • 0
sc302

Well good that it works, however it still is a misconfiguration. I guess as long as it works.


Sent from my iPhone using Tapatalk

  • 0
SpeedyTheSnail
3 minutes ago, sc302 said:

Well good that it works, however it still is a misconfiguration. I guess as long as it works.


Sent from my iPhone using Tapatalk

I modified the above post though, I still get SPF record check fails.

 

SPF Information:

Using this information that I obtained from the headers


Helo Address = mail.domain.com
From Address = postmaster@domain.com
From IP      = MAIL IP
SPF Record Lookup


Looking up TXT SPF record for domain.com
Found the following namesevers for domain.com: ns1.digitalocean.com ns2.digitalocean.com ns3.digitalocean.com
Retrieved this SPF Record: zone updated 20170116 (TTL = 79313)
using authoritative server (ns1.digitalocean.com) directly for SPF Check
Result: fail (Mechanism '-all' matched)


Result code: fail 
Local Explanation: domain.com: Sender is not authorized by default to use 'postmaster@domain.com' in 'mfrom' identity (mechanism '-all' matched)
Authority Explanation: Please see http://www.openspf.org/Why?s=mfrom;id=postmaster%domain.com;ip=104.236.79.4;r=ip-172-31-3-128.us-west-1.compute.internal
spf_header = Received-SPF: fail (domain.com: Sender is not authorized by default to use 'postmaster@domain.com' in 'mfrom' identity (mechanism '-all' matched)) receiver=ip-172-31-3-128.us-west-1.compute.internal; identity=mailfrom; envelope-from="postmaster@domain.com"; helo=mail.domain.com; client-ip=104.236.79.4

Emails still send though :).

  • 0
TheReaperMan

Change the SPF to

 

v=spf1 mx ~all

 

then try it again

 

  • 0
SpeedyTheSnail
10 hours ago, TheReaperMan said:

Change the SPF to

 

v=spf1 mx ~all

 

then try it again

 

 

4 hours ago, sc302 said:

Just changed it to "v=spf1 mx -all" (instead of ~all). I'll let you know how this goes in a few hours or longer. Thanks all! I wish I could buy you an eBeer.

  • 0
SpeedyTheSnail

So after a few days I still have the error: 

SPF Information:

Using this information that I obtained from the headers


Helo Address = mail.domain.com
From Address = postmaster@domain.com
From IP      = 104.236.79.4
SPF Record Lookup


Looking up TXT SPF record for domain.com
Found the following namesevers for domain.com: ns3.digitalocean.com ns1.digitalocean.com ns2.digitalocean.com
Retrieved this SPF Record: zone updated 20170119 (TTL = 79882)
using authoritative server (ns3.digitalocean.com) directly for SPF Check
Result: fail (Mechanism '-all' matched)


Result code: fail
Local Explanation: domain.com: Sender is not authorized by default to use 'postmaster@domain.com' in 'mfrom' identity (mechanism '-all' matched)
Authority Explanation: Please see http://www.openspf.org/Why?s=mfrom;id=postmaster%40domain.com;ip=104.236.79.4;r=ip-172-31-3-128.us-west-1.compute.internal
spf_header = Received-SPF: fail (domain.com: Sender is not authorized by default to use 'postmaster@domain.com' in 'mfrom' identity (mechanism '-all' matched)) receiver=ip-172-31-3-128.us-west-1.compute.internal; identity=mailfrom; envelope-from="postmaster@domain.com"; helo=mail.domain.com; client-ip=104.236.79.4

On the page it says to go to for an explanation, it says:

Quote

What is SPF?

SPF is an extension to Internet e-mail. It prevents unauthorized people from forging your e-mail address (see the introduction). But for it to work, your own or your e-mail service provider's setup may need to be adjusted. Otherwise, the system may mistake you for an unauthorized sender.

 

Note that there is no central institution that enforces SPF. If a message of yours gets blocked due to SPF, this is because (1) your domain has declared an SPF policy that forbids you to send through the mail server through which you sent the message, and (2) the recipient's mail server detected this and blocked the message.

 

ip-172-31-3-128.us-west-1.compute.internal rejected a message that claimed an envelope sender address of postmaster@domain.com.

ip-172-31-3-128.us-west-1.compute.internal received a message from mail.domain.com (104.236.79.4) that claimed an envelope sender address of postmaster@domain.com.

 

However, the domain domain.com has declared using SPF that it does not send mail through mail.domain.com (104.236.79.4). That is why the message was rejected.

 

If you are postmaster@domain.com:

domain.com should have given you a way to send mail through an authorized server.

If you are using a mail program as opposed to web-mail, you may need to update the "SMTP server" configuration setting according to your ISP's instructions. You may also need to turn on authentication, and enter your username and password in your mail program's options. Please contact your ISP for assistance.

 

If you run your own MTA, you may have to set a "smarthost" or "relayhost". If you are mailing from outside your ISP's network, you may also have to make your MTA use authenticated SMTP. Ideally your server should listen on port 587 as well as port 25.

If your mail was correctly sent, but was rejected because it passed through a forwarding service, as an interim solution you can mail the final destination address directly (it should be shown in the bounce message). See the forwarding best practices (or refer the recipient there) for the discussion of a proper solution.

 

If you need further help, see our support section for free support and professional consulting services.

If you are confident that your message did go through an authorized server:

 

The administrator of the domain domain.com may have incorrectly configured its SPF record. This is a common cause of mistakes.

Here's what you can do: Contact the domain.com postmaster and tell them that they need to change domain.com's SPF record so that it authorizes mail.domain.com. For example, they could change the record to something like

v=spf1 a:mail.domain.com -all

My SPF record as of now:

TXT domain.com "v=spf1 -all"

I have already tried what it recommends; when I set up the SPF record to have a:mail.domain.com it still fails, as it says there is no DNS record for mail.domain.com. I have an A record, of course, for mail.domain.com that points to the IP of my server.

 

:angry:

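The SPF failures in this thread all come down to which domain the receiver evaluates: the check runs against the TXT record of the MAIL FROM (envelope sender) domain, `domain.com` here, so a record published at `mail.domain.com` is never consulted, and a `domain.com` record of `v=spf1 -all` authorises nobody. The following is an added example, my own code rather than anything a poster ran, that implements the SPF evaluation (the `a`, `mx`, `ip4`, `include` and `all` mechanisms with their qualifiers) over a constructed in-memory zone and replays the records from the thread against it. Host names are the thread's placeholders and the IPs are RFC 5737 documentation addresses standing in for the redacted ones.

```python
import ipaddress

# Constructed zone data standing in for live DNS (placeholder names from the
# thread, documentation-range IPs instead of the redacted real ones).
ZONE_OK = {
    ("domain.com", "MX"): ["mail.domain.com"],
    ("domain.com", "A"): ["203.0.113.1"],        # web server, "xxx.xxx.xxx.1" above
    ("mail.domain.com", "A"): ["203.0.113.2"],   # mail server, "xxx.xxx.xxx.2" above
    ("mail.domain.com", "TXT"): ["v=spf1 mx a a:mail.domain.com ~all"],
}
MAIL_IP = "203.0.113.2"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(zone, name, rtype):
    """Minimal resolver over the in-memory zone (owner names compared case-insensitively)."""
    return zone.get((name.lower().rstrip("."), rtype), [])


def check_host(zone, client_ip, mailfrom_domain, depth=0):
    """Evaluate the SPF policy published by `mailfrom_domain` for a connection
    from `client_ip`. Returns (result, explanation) using the RFC 7208 result
    names. Only the mechanisms that appear in this thread (a, mx, ip4, include,
    all) are implemented; anything else yields permerror."""
    if depth > 10:                               # RFC 7208 caps DNS-querying terms at 10
        return "permerror", "too many include levels"
    records = [r for r in lookup(zone, mailfrom_domain, "TXT")
               if r.lower().startswith("v=spf1 ") or r.lower() == "v=spf1"]
    if not records:
        return "none", "no SPF record published at %s" % mailfrom_domain
    client = ipaddress.ip_address(client_ip)

    def ip_matches(names):
        return any(ipaddress.ip_address(a) == client
                   for n in names for a in lookup(zone, n, "A"))

    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = ip_matches([arg or mailfrom_domain])
        elif mech == "mx":
            matched = ip_matches(lookup(zone, arg or mailfrom_domain, "MX"))
        elif mech == "ip4":
            matched = client in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            matched = check_host(zone, client_ip, arg, depth + 1)[0] == "pass"
        else:
            return "permerror", "unsupported term '%s'" % term
        if matched:
            return QUALIFIERS[qual], "mechanism '%s%s' matched" % (qual, term)
    return "neutral", "no mechanism matched (default result)"


def thread_scenarios():
    """Replay the configurations discussed in the thread; returns {label: result}."""
    results = {}
    # 1. SPF only on mail.domain.com while MAIL FROM is postmaster@domain.com:
    #    the receiver queries TXT for domain.com, so that record is never read.
    results["spf_on_subdomain_only"] = check_host(ZONE_OK, MAIL_IP, "domain.com")[0]

    # 2. The record the thread ended up with on domain.com.
    z = dict(ZONE_OK)
    z[("domain.com", "TXT")] = ["v=spf1 -all"]
    results["minus_all_only"] = check_host(z, MAIL_IP, "domain.com")[0]

    # 3. "v=spf1 mx -all": authorises whatever domain.com's MX hosts resolve to.
    z[("domain.com", "TXT")] = ["v=spf1 mx -all"]
    results["mx_minus_all"] = check_host(z, MAIL_IP, "domain.com")[0]

    # 4. The openspf suggestion; it only passes if mail.domain.com's A record resolves.
    z[("domain.com", "TXT")] = ["v=spf1 a:mail.domain.com -all"]
    results["a_mailhost"] = check_host(z, MAIL_IP, "domain.com")[0]
    z_no_a = {k: v for k, v in z.items() if k != ("mail.domain.com", "A")}
    results["a_mailhost_no_a_record"] = check_host(z_no_a, MAIL_IP, "domain.com")[0]

    # 5. A host nobody authorised, which is what -all is there to reject.
    results["unknown_sender"] = check_host(z, "198.51.100.9", "domain.com")[0]
    return results


if __name__ == "__main__":
    for label, result in thread_scenarios().items():
        print("%-26s %s" % (label, result))
```

Scenario 4 reproduces the "no DNS record for mail.domain.com" outcome: with the A record missing from the zone the checker consults, `a:mail.domain.com` cannot match and evaluation falls through to `-all`. When a public checker reports that while your own resolver sees the A record, the practical diagnosis is that the authoritative servers it queried (the nameservers named in the report) are not yet serving the record, not that the SPF syntax is wrong.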
  • 0
sc302

Use an spf generator like the one I gave you before then copy and paste that into your zone txt file. 

  • 0
SpeedyTheSnail
18 minutes ago, sc302 said:

Use an spf generator like the one I gave you before then copy and paste that into your zone txt file. 

I did, I used the one you gave me and still I get these darn errors. I'm about to give up and make it Softfail instead of FAIL because this is getting ridiculous.

