DNS records DKIM problem according to google

Hello,
So here is our configuration:
VPS1 - running mailing list software Dadamail
VPS2 - running MiAB

So VPS2 is doing the actual sending whereby Dadamail on VPS1 is connecting to VPS2 to the MiAB sending account.

The SPF record for the sending domain contains the IP and the hostname of VPS2 to make sure it is allowed to send emails for that domain.
The DKIM and DMARC records are set up correctly according to at least 4 online services where you can test these.

EXCEPT, google on their Admin Toolbox MX checker is claiming DKIM and MTA-STS record is not set up??? So this results in all emails sent to Gmail addresses on our mailing list bouncing with non-delivery errors claiming DKIM is not set up and IP6 PTR record is not set.

HOWEVER, we just migrated back from a new hoster to our old hoster as we noticed that network ip addresses are really bad and complete subnets are blacklisted several times a week due to bad actors in their client base.

So, the system check on MiAB is OK, then WHAT is causing this problem. Could this just be a DNS propagation issue, something silly as that, or WHAT else do we need to check???

NOTE: the old vps’s at our old domains were NOT yet deleted and were working OK for years, so we only reverted DNS back to them, no other changes made in any DNS records.

Please share the exact bounce message.

My initial thought is that MTA-STS is failing due to the MX change. Granted you didn’t change hostnames (or did you?) but you did change IP addresses and rDNS.

I do not know enough about MTA-STS to really give you an educated answer on this though.

What is the nature of your mailing lists? If not marketing related, my SMTP relay should be able to resolve all these issues for you.

Below is the bounce message (we actually receive 3 different errors):
I have removed some links from google etc…because new user accounts are only allowed 2 links in a post.

Error 1:
host gmail 142.250.102.27] said:
550-5.7.26 This mail is unauthenticated, which poses a security risk to the
550-5.7.26 sender and Gmail users, and has been blocked. The sender must
550-5.7.26 authenticate with at least one of SPF or DKIM. For this message,
550-5.7.26 DKIM checks did not pass and SPF check for [cdrbsoft did
not 550-5.7.26 pass with ip: [37.252.124.77]. The sender should visit
550-5.7.26 Prevent mail to Gmail users from being blocked or sent to spam - Gmail Help for
550 5.7.26 instructions on setting up authentication.
r1-20020a1709063d6100b0094f48329ed1si848836ejf.647 - gsmtp (in reply to end
of DATA command)

Error2:

host gmail-smtp-in.l.google.com[142.250.102.27]
said: 550-5.7.25 [37.252.124.77] The IP address sending this message does
not have a 550-5.7.25 PTR record setup, or the corresponding forward DNS
entry does not 550-5.7.25 point to the sending IP. As a policy, Gmail does
not accept messages 550-5.7.25 from IPs with missing PTR records. Please
visit 550-5.7.25 another link for google help and best practices…removed.
for more 550 5.7.25 information.
v13-20020a1709061dcd00b00988d4fb5eb9si811122ejh.567 - gsmtp (in reply to
end of DATA command)

PM me your MiaB hostname as well as current IP address, and the sending domain for the messages that are failing.

Looks like this may be a DNS issue, so let me take a look. It does not appear to be a MTA-STS issue based on the error messages Google is sending. Do you have the third one?

Hello,
We did not change the host names of the vps’s when moving to the new hoster, and moving back again to the old hoster. Only the IP addresses changed during the 2 moves.

hostnames:
xxxxxxxxxx

Error3:
host
“some google link” [2a00:1450:4025:402::1a] said: 550-5.7.1
[2a02:2770:3:0:21a:4aff:fedf:5b34] Our system has detected that this
550-5.7.1 message does not meet IPv6 sending guidelines regarding PTR
records 550-5.7.1 and authentication. Please review 550-5.7.1
“some google link removed” Error for more information 550
5.7.1 . g4-20020a170906198400b00986a60b8bd8si991236ejd.590 - gsmtp (in
reply to end of DATA command)
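
The PTR condition quoted in Error 2 and Error 3 (a PTR record exists and its forward DNS entry points back to the sending IP) can be checked per address as below. This is an added example, not part of the thread or of MiAB; the hostname `box.example.com` and the DNS answers are constructed placeholders, and only the two sending IPs come from the bounces above.

```python
import ipaddress
import socket

def system_ptr(ip):
    """PTR lookup via the system resolver; returns [] when no PTR exists."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except (socket.herror, socket.gaierror):
        return []

def system_forward(host):
    """A and AAAA lookup via the system resolver; returns [] on failure."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(host, None)]
    except socket.gaierror:
        return []

def fcrdns(ip, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Return (ok, reason) for forward-confirmed reverse DNS of one sending IP."""
    target = ipaddress.ip_address(ip)
    names = ptr_lookup(ip)
    if not names:
        return False, "no PTR record"
    for name in names:
        for addr in forward_lookup(name.rstrip(".")):
            # Compare parsed addresses so different IPv6 spellings still match.
            if ipaddress.ip_address(addr.split("%")[0]) == target:
                return True, f"{name} resolves back to {target}"
    return False, f"PTR {names[0]} does not resolve back to {target}"

# Constructed DNS data: the sending IPs are the ones in the bounces above,
# the hostname is a placeholder (the real one is redacted in the thread).
FAKE_PTR = {"37.252.124.77": ["box.example.com."],
            "2a02:2770:3:0:21a:4aff:fedf:5b34": []}
FAKE_FWD = {"box.example.com": ["37.252.124.77",
                                "2a02:2770:3::21a:4aff:fedf:5b34"]}

def check_constructed(ip):
    """Run the check against the constructed records instead of live DNS."""
    return fcrdns(ip, lambda i: FAKE_PTR.get(i, []), lambda h: FAKE_FWD.get(h, []))

if __name__ == "__main__":
    for ip in FAKE_PTR:
        print(ip, check_constructed(ip))
```

Calling `fcrdns(ip)` without the lookup arguments uses the system resolver, so it should be run for both the IPv4 and the IPv6 address the server sends from.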

Can you send me a message via DadaMail? Please send it to testaccount(at)anydomain.email.

(I want to see the headers)

Or, if you have sent a test to mail-tester.com via Dadamail, the results link.

Alternatively, a screen capture of the unedited Error 1.

Hello,
Just did a test message with mailtest, result is a perfect score 10/10

The headers contain so many links, tried to edit them but just impossible due to the max 2 link allowed for new posters.

You can share just the part after https://mail-tester.com/ as I only really need the last part to find the results. :slight_smile:

Hello Alento,
Thank you for your attention and effort to this matter, it is really appreciated.
However, as of now, the current mailing is working correctly and gmail users are receiving the emails also. No settings have been changed on the old vps we are using again.
So, this was definitely some DNS issue where google for some reason did not pick up the DNS propagation as fast as other email services. Because all other online dns record checking services were displaying correct dns records while google was not…but as usual they miss the boat on a lot of things like AI now also :slight_smile:
