Why is my email failing Gmail's DKIM test?

Question

I have a message that was rejected by Gmail, I don't know why. It passes SPF. We aren't using DKIM. Do I need to set up DKIM?

I am in control of "example.com". Our mail server is "server.example.com" (hosted at bluehost)

Our SPF record is

v=spf1 +a +mx ?include:bluehost.com -all

However Gmail rejected a message with:

550-5.7.1 Unauthenticated email from example.com is not accepted due to 550-5.7.1 domain's DMARC policy. Please contact administrator of example.com ...

The message headers:

Return-path: <sabrina@example.com>
Received: from [99.127.228.246] (port=61813 helo=[192.168.1.66])
    by server.example.com with esmtpsa (TLSv1:AES128-SHA:128)
    (Exim 4.80.1)
    (envelope-from <sabrina@example.com>)
    id 1VMLM8-0007ok-5c; Wed, 18 Sep 2013 17:16:03 +0000
From: Sabrina <sabrina@example.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_2FE0763D-B160-49C4-8202-B8258851AFAD"
Subject: positive self thoughts/talk 
Date: Wed, 18 Sep 2013 10:15:24 -0700
Message-Id: <D85DC2BA-0E8A-4AF6-9C54-203C52E996F2@example.com>
To: Tanja Schulte-Irwin <tanjaschulte@gmail.com>,
Zachary Bloom <zbloom@sffriendsschool.org>
Mime-Version: 1.0 (Apple Message framework v1278)
X-Mailer: Apple Mail (2.1278)

Falcon Momot · Accepted Answer · 2013-09-19T01:35:59.373

13

Your SPF record isn't affecting this.

By the looks of it, you have a DMARC record set up, and you are not signing outgoing mail with DKIM. To remedy the problem, either sign the outgoing mail, or remove the DMARC policy.

The DMARC record is a TXT record like the SPF record, but it is at _dmarc.example.net where example.net is your domain. If you don't think you have one or you don't want to remove it, change it to v=DMARC1; p=none to null it out.

Alternatively, since you are using SPF, I see you may not want to do this. In this case, leave your _dmarc record as it is, but you will have to get rid of or change your _domainkeys record.

DKIM specifies that for a domain example.net, the DKIM record will be queried IN TXT _domainkeys.example.net. You must find this record and either remove it, or add the t=y flag to specify that (as you are ostensibly testing DKIM) the results of DKIM verification should be ignored. Also, ensure your _dmarc record does not contain the adkim tag, and particularly not adkim=s.

edited Sep 19 '13 at 01:35

answered Sep 18 '13 at 20:14

Falcon Momot

24,975
13
61
92

To clarify--DMARC requires DKIM? I turned on DMARC because I wanted SPF rejects to be dropped not returned to me. – nielsbot Sep 18 '13 at 21:57
1

I don't think DMARC does require DKIM, but if you have DMARC and DKIM they can certainly interact. You might be able to set up DKIM and then not use it by specifying the testing mode, though really, just set up DKIM. It would be cool if you posted the _dmarc and _domainkeys records in your domain to the question as well. – Falcon Momot Sep 19 '13 at 01:37
Thanks. If DMARC doesn't require DKIM why would my message be rejected? It passes SPF. Don't I have to modify my mail server configuration? Not sure if I can with bluehost VPS. I will post DMARC record when I get home. – nielsbot Sep 19 '13 at 03:56
3

The DMARC policy is what tells it to reject or spambin the messages. The DKIM validation is separate. – Falcon Momot Sep 19 '13 at 04:06

BillThor · Answer 2 · 2017-09-26T00:18:46.150

6

Your data is obfuscated which makes helping you difficult. I see a number of problems:

If you haven't obfuscated your IP address, your DNS passes rDNS validation but looks very much like a spambot. Try getting server.example.com setup as the PTR for your address and add server.example.com to your DNS. Getting the PTR record setup requires support of your IP address provider (usually your ISP). You need a fixed IP address for this.
Your server doesn't seem to know who it is. It should give server.example.com as its name in the HELO or ELHO request.
You mail isn't DKIM signed. DMARC does not require DKIM, but your policy must match your practice.

Try sending an email to mailercheck-auth@port25.com (reported no longer in service) to see how well your server is configured. Other options are listed in my article on Detecting Email Server Forgery.

edited Sep 26 '17 at 00:18

answered Sep 19 '13 at 00:13

BillThor

27,354
3
35
69

Haha I should have changed the IPs too :) – nielsbot Sep 19 '13 at 03:58
1

No, you shouldn't have. It makes it much harder to troubleshoot (and accomplishes absolutely nothing). – gparent Sep 19 '13 at 04:00
mailercheck-auth@port25.com does not seem to work anymore unfortunatly. (just a note to future visitors) – Delphinator Sep 25 '17 at 20:15

score 3 · Answer 3 · answered Sep 18 '13 at 19:46

If your domain does not have DKIM set, you definitely do not need DKIM set up. Its absence would not cause GMail to throw your e-mail to SPAM. Its presence might increase its SPAM rating so it would not be rejected.

To check your SPF, you need to tell us your domain and IP addresses of your SMTP server. Or, you can use online check tools on http://www.openspf.org/.

To understand DMARC, check this: http://support.google.com/a/bin/answer.py?hl=en&answer=2466580.

Why is my email failing Gmail's DKIM test?

3 Answers3