
I have this problem on my server:

  • A domain example.com for sending email, and I have a web site in PHP
  • The server server.example.com
  • The server example2.com.mx for sending email through a system in PHP

The domains example.com and example2.com.mx are hosted on server.example.com. When I send an email with the account account@example.com to Gmail, it passes and shows as DKIM signed, but when I try to send an email from the PHP form on example2.com.mx with the account account@example.com, DKIM fails and it shows that the account is logged in but not signed.

The system on example2.com.mx uses PHP and the Zend 1 framework, and server.example.com runs WHM on CentOS 6 with cPanel for the domains example.com and example2.com.

And Gmail returns this, for example, for the email sent with PHP:

dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=example.com

I hope you can help me.
Thanks :D

Jorge Omar
    This would be much easier for us on this end to remote diagnose if you are willing to give your actual domains (both the .com and the .com.mx) so we can look up the DKIM, SPF, and DMARC settings from DNS (the way Google is doing it). But at first blush, it looks like you are sending with a from address of @example.com using the server example2.com.mx and you haven't set up the necessary DKIM (& SPF & DMARC) for the cross-domain sending. – Ruscal Jan 04 '18 at 22:18
  • Also, if you don't want to provide the domain names (which shouldn't be an issue, domain names are designed to be looked up by the unknown public, so I'd still recommend just editing the Q to include the real domains) can you at least include all of your SPF, DKIM, and DMARC records for each of the domains in question? We'll need that to see where the breakdown is. – Ruscal Jan 04 '18 at 22:56
  • In my server.example.com my SPF is :"v=spf1 a:example.com.mx +a +mx +ip4:for_four_ips_in_my_server +include:example.com.mx +include :example2.com.mx +include:_spf.google +include:spf.hotmail +include:spf.outlook +include:_spf.yahoo.com -all" – Jorge Omar Jan 05 '18 at 15:54
  • In my server.example.com my DMARC1: "v=DMARC1; sp=none;p=none; adkim=r; rua=mailto:account@example.com ; ruf=mailto:account@example.com ;" – Jorge Omar Jan 05 '18 at 15:55
  • In my *example2.com.mx* the **spf**: **"v=spf1 +a +mx a:server.example.com.mx +ip4:a_ip +ip4:a_ip +ip4:a_ip +include:example2.com.mx +include:server.example.com -all"** – Jorge Omar Jan 05 '18 at 16:00
  • In my server.example.com in the **DKIM1** : **"v=DKIM1; t=s; k=rsa; d=server.example.com.mx; p=my_domain_key** – Jorge Omar Jan 05 '18 at 16:03
  • In my example2.com **DMARC1**: **"v=DMARC1; p=none; sp=none; adkim=r; rua=mailto:account@example.com; ruf=mailto:account@example.com;"** – Jorge Omar Jan 05 '18 at 16:06
  • In my example2.com the *DKIM1* : **"v=DKIM1; d=example2.com.mx; k=rsa; p=my_server_key\;** – Jorge Omar Jan 05 '18 at 16:08
  • and in example.com It is the same configuration as in example2.com – Jorge Omar Jan 05 '18 at 16:11
  • Also, http://tools.wordtothewise.com/dmarc/check responds: "This policy will be ignored, as server.example.com.mx is in the example.com.mx organizational domain". Is this good? – Jorge Omar Jan 06 '18 at 15:28
  • Are you using Outlook/Hotmail or Google or Yahoo as your mail hosting service for example.com and example2.com.mx? If so, then you're only using one, remove the others. If not, remove all of those includes, they aren't helping and could be hurting. Also, your SPF and DKIM records are for a domain, not for a host. So trim the server.example.com records down to just example.com. I'll go over the rest and see what I can see. – Ruscal Jan 08 '18 at 16:41
  • Oh, @Jorge-Omar are we talking about 2 separate mail systems and domains [at]example.com and [at]example2.com.mx or are we trying to have a single mail system that accepts mail from both domains? If a single mail system, which domain is the [primary] sending domain? – Ruscal Jan 08 '18 at 16:43

1 Answer


Let's break this down, since you have a few different components working for you here.

If I am reading this right, all the emails have a from email address of @example.com (regardless of what server is sending them), so my items below are tuned for sending from @example.com.

Also, your real problem looks to be with DKIM (since you are getting the email, just not seeing it as signed). I'm including other things to clean up that'll help you in the long run.


DKIM

Since you note that you sometimes get messages in Gmail that say they are DKIM signed, I am going to assume you have the selector portion correct and that the outbound mail server is properly adding DKIM signatures to your outbound messages. The problem sounds like you don't have the outbound mail server for the PHP web page set up to do DKIM signing. The easiest way would be to have your web server send the email out through the same mail server your mailboxes use; they've already proven they properly sign messages, and that would consolidate your mail flow into a single route.

This is important, because DKIM is the only part of this setup that requires you to modify the mail flow. SPF and DMARC are DNS-based instructions to receiving servers that tell them how to check for and handle fake mail claiming to be from your domain. DKIM actually modifies the mail from your servers so that there is proof it is 100% from you. If there are not DKIM signature headers in the email you send, then you aren't properly signing outbound emails and DMARC will fail later on.

Your current DKIM records in DNS are a little much, in fact, it looks like you are including some elements that are meant for the mail headers and not for DNS; and you have a bad value for testing flag with "t=s". For the purpose of most anything you need DKIM for, the DNS record is super-simple; as in, just 2 or 3 elements, the DKIM version and the public key (and, maybe, the testing flag). Also, the testing flag is set with "t=y" otherwise you'll encounter issues.

Since we are still testing this, I'll include the test flag, but make sure to remove that once everything is working for you.

For testing

com.example._domainkey.selector TXT "v=DKIM1; t=y; p=[public DKIM sign key]"

For production (remove the testing flag)

com.example._domainkey.selector TXT "v=DKIM1; p=[public DKIM sign key]"

Everything else is unnecessary, so let's clean that up a bit. All the DNS entry is doing is giving the whole world a copy of your private key so they can check the signature for themselves (and listing that this domain is still testing DKIM, so don't reject a message just because it fails the DKIM check).

DKIM records are about the domain in the From-line of an email. So if your mail is coming FROM @example.com then that is the DKIM that will be used.


SPF

Sender Policy Framework is about identifying what servers are allowed to send emails that claim to originate from your domain. You have several elements listed in your SPF record that wouldn't normally be used in a strong setup. There is also a general syntax error: you're using too many "+" symbols. You don't need a "+" before each of the elements. In fact, given your records, you don't need a "+" anywhere in your SPF records, so get rid of those.

  • mx : This signifies that any of the servers that can receive mail for the domain (the Mail eXchangers) are also allowed to send mail outbound from your domain. This element is fairly common, especially in smaller mail systems.
  • a : This one bothers me a bit. This element says that "anything with an A-record in my domain is allowed to send email from my domain." That is normally overly-permissive and can let too many things send (literally any host in your DNS). I'd consider removing this element unless you absolutely must have it.
  • ip4 : This one is straight-forward. Allow this IP address to send email for this domain. If you have static IP addresses that shouldn't ever change, then this is a decent way to go. If you list the IP addresses of all the authorized sending services, then you don't need the a or mx elements as they'd be redundant.
  • include : This element means that you want to use the SPF record located at the address attached to the include element. This is only used when you have a good SPF setup somewhere else and you need to add it to additional locations. Most commonly, this is seen when you use a 3rd party email provider (O365/Outlook/Hotmail, Google Apps, Yahoo for Biz, etc) and are setting up your domain to allow their servers to send on behalf of your domain. It is also useful if you use an email marketing company to send mass-mailings on your behalf. I find it extremely unlikely that you have need for includes from 4 different mail hosts; you should probably remove most if not all of these. (If you use one of these hosts, make sure to use the EXACT include they give in their instructions.)
  • -all : This is an important record. It is the special "all" wildcard modified with a "-". That means that anything which doesn't match one of the previous entries should be rejected and blocked. This is a hard-fail indicator and is a good thing to use once you have everything working the way you want. *If you already use this domain for email and you're just now setting up SPF (or DMARC) then you might want to temporarily use the "~" soft-fail indicator. That will get emails delivered (though they may be marked as suspicious, or undergo additional spam detection because of the soft-fail). Once everything is setup and working like you want, go back to the "-" hard fail.*

Not knowing your domains, I can't test your a and mx records via DNS. But since you do have a good number of IPv4 items listed, I'd simplify the SPF records down to something like this.

For testing

com.example. TXT "v=spf1 ip4:[IP of server that is sending emails] ip4:[IP address of server.example2.com.mx] ~all"

For production (rejecting messages not from your servers)

com.example. TXT "v=spf1 ip4:[IP of server that is sending emails] ip4:[IP address of server.example2.com.mx] -all"

You can have multiple ip4: elements if you need additional IP addresses (more servers, or added interfaces on a server).

The important part here is that the TXT record for the SPF is created in DNS for the domain that the mail is from. And the ip4: elements of the SPF indicate the IP of the servers that will be allowed to send mail. They don't have to be servers for the same domain, but they do have to be all the IPs that are allowed to send email for that domain.


DMARC

DMARC is special in that it doesn't do any checking of the validity of an email; it simply tells other servers how to handle emails if they fail SPF or DKIM checks.

It looks like your DMARC record is telling servers to never reject or quarantine messages, even the failures (the "p=none; sp=none" part of the record). That's good for testing as long as you remember to turn it up a notch when you're finished testing.

Also, the DKIM and SPF identifier alignment elements of the record default to "relaxed" (the recommended setting) so you can leave those out to simplify it a bit. Otherwise, this one looks pretty good.

For testing

com.example._dmarc TXT "v=DMARC1; p=none; sp=none; pct=100;"

For production (with hard rejects of failures)

com.example._dmarc TXT "v=DMARC1; p=reject; sp=reject; pct=100;"

Ruscal
  • Something else you could try is 1) going to https://www.mail-tester.com/ and copying the email address on the screen. Then 2) have your PHP server send an email from [at]example.com to the email address you copied in (1). And, 3) wait 1-2 minutes then click "Then Check Your Score" to see a full breakdown of the message you sent. You'll care less about content rating and more about the 3rd section (authentication) which will show SPF, DKIM, and DMARC information. – Ruscal Jan 08 '18 at 18:06
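A small record linter, added here as an example and not code from the question or the answer, that checks for the specific mistakes raised in the question's comments and in the answer's SPF and DKIM sections: redundant "+" qualifiers, a bare "a" mechanism, an include broken by a stray space, signature-header tags such as "d=" pasted into the DNS key record, and a leftover t=y testing flag. The sample records are constructed from the ones quoted above, with placeholder IPs and a placeholder key.

```python
# Constructed sample records modelled on the ones posted in the question;
# the IPs and the key blob are placeholders, not the poster's real values.
SAMPLES = {
    "spf_bad": "v=spf1 a:example.com.mx +a +mx +ip4:192.0.2.10 +include:example.com.mx "
               "+include :example2.com.mx +include:_spf.google +include:spf.hotmail -all",
    "spf_good": "v=spf1 ip4:192.0.2.10 ip4:192.0.2.20 -all",
    "dkim_bad": "v=DKIM1; t=s; k=rsa; d=server.example.com.mx; p=MIIBIjANBg_PLACEHOLDER",
    "dkim_good": "v=DKIM1; p=MIIBIjANBg_PLACEHOLDER",
}
SPF_TERMS = {"a", "mx", "ip4", "ip6", "include", "exists", "redirect", "ptr", "all"}

def parse_tags(record):
    """Split a DKIM or DMARC 'tag=value; tag=value' record into a dict (whitespace tolerated)."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip(): value.strip() for key, value in pairs}

def lint_spf(record):
    """Findings for an SPF record: stray '+', bare 'a', broken includes, final 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    findings = []
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else ""   # '+' is the implicit default
        body = term[len(qualifier):]
        name = body.split(":", 1)[0].split("=", 1)[0].lower()
        if qualifier == "+":
            findings.append(f"redundant '+' on '{body}' ('+' is already the default)")
        if name not in SPF_TERMS:
            findings.append(f"unknown term '{term}'")
        elif body.lower() == "a":
            findings.append("bare 'a' lets every A record in the zone send mail")
        elif name == "include" and ":" not in body:
            findings.append("'include' has no target (stray space before the domain?)")
    if not terms[-1].lower().endswith("all") or terms[-1].lower() in ("all", "+all"):
        findings.append("record should end with -all (or ~all while testing)")
    return findings

def lint_dkim(record):
    """Flag DKIM-Signature header tags that have leaked into the DNS key record."""
    tags, findings = parse_tags(record), []
    if tags.get("v") != "DKIM1" or not tags.get("p"):
        findings.append("DNS key record needs v=DKIM1 and a non-empty p= public key")
    for tag in ("d", "s", "b", "bh", "h"):   # these live in the mail header, not in DNS
        if tag in tags:
            findings.append(f"'{tag}=' belongs in the DKIM-Signature header, not in DNS")
    if "y" in tags.get("t", ""):
        findings.append("t=y testing flag is set; remove it once signing works")
    return findings
```

Run lint_spf and lint_dkim over the TXT values you actually publish (for example, pasted from a dig output) before changing them; an empty list means none of the issues discussed above were found.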