MiaB + Amazon SES + Sendy


#1

Hi All,

I would really appreciate if somebody could help me with an issue I am facing with my MiaB setup. Basically I use it to receive and send regular email but also to send out marketing campaigns via another server. The problem is that all emails end up in spam as they are sent out from Sendy which in turn is configured to send emails via Amazon SES. I have used an email testing website and the only thing that it says is that my server fails DMARC verification. I have added the Amazon SES DMARC CNAME records to MiaB custom DNS settings but the problem is that the verification process fails. I know this is a bit more on advanced side but I am curious why does the Amazon SES fail to verify the DMARC records despite them being correct? Is there something that keeps it from verifying?


#2

Can you give us the host name that you set up the DMARC records under?


#3

Hi, basically I have not touched any DMARC and I think the only ones there are are those installed by MiaB by default. Where can I find the info you need?
I think the problem lies in the fact that I have a subdomain that has Sendy installed on it and I have authenticated it with Amazon SES to send emais on behalf of it but there I have verified only the root domain. I know this is a bit complicated, but I’m sure somebody understands it.


#4

You said you had linked to Amazon’s DMARC by setting a CNAME in your DNS? What’s the name of the domain you set that up for? And what’s the host name for the CNAME record?


#5

Basically there are 3 DNS records that I have copied from Amazon SES DKIM section. I have renamed the domain here but they are as follows:

zao4glpeguktqoefv2w2c3lotyhe5tay._domainkey.example.com
amc5h4kgpsrrkk4ceawwsaqsaihkj6gc._domainkey.example.com
2crahfca2qhlhk2v5zd3235mlw5f44jh._domainkey.example.com

Record type: CNAME

Value:

zao4glpeguktqoefv2w2c3lotyhe5tay.dkim.amazonses.com
amc5h4kgpsrrkk4ceawwsaqsaihkj6gc.dkim.amazonses.com
2crahfca2qhlhk2v5zd3235mlw5f44jh.dkim.amazonses.com

I have set it up for the domain example.com, but as I said there is Sendy on marketing.example.com.


#6

You should try to see whether your zao4glpeguktqoefv2w2c3lotyhe5tay._domainkey.example.com settings are visible to the entire internet. You can do that by running this on your mail-in-a-box server:

host zao4glpeguktqoefv2w2c3lotyhe5tay._domainkey.example.com 8.8.8.8
host -t TXT zao4glpeguktqoefv2w2c3lotyhe5tay._domainkey.example.com 8.8.8.8

I am not quite sure how the command handles a CNAME that it has to follow to get to the TXT record so I put both options up in my example.

This will query Google’s public DNS server for its opinion on your domain. If it doesn’t see the CNAME or the resulting TXT record, it means something in your DNS setup is wrong and that is why the validation is failing.

One more thing: Are your mails going to be sent from @example.com or @marketing.example.com?


#7

Did you added th last . (dot) to your custom CNAME(s)?


#8

just4t, I tried that, but the problem is that it then becomes zao4glpeguktqoefv2w2c3lotyhe5tay._domainkey.example.com.example.com
Would that count as a correctly set up DNS entries? I doubt that.


#9

hachre, many thanks for your advice - I will try what you have mentioned. I use Sendy which is installed on marketing.example.com and configured to run with Amazon SES. I would like to send emails from example.com though as this is where my MiaB is installed and I use it as a primary email server.


#10

Make sure that all the IP Address involved with sending email are not black listed.


#11

Hi murgero - IP address is not blacklisted, I checked it online on many websites. The only thing email tester says it fails is DMARC verification.


#12

And you know the funny thing is that these are all default settings and nothing has been changed. Furthermore, the domain itself verifies without any problem within a few minutes but that is TXT record and only for the domain verification. When I try to add either CNAME or TXT records for DKIM then it says on Amazon SES “Pending verification” and within few days an email comes to my mailbox saying that the verification failed.
I would like to continue to use MiaB as it is very straightforward but I just can’t figure this one out.


#13

I’m guessing your domain name you wish to add is:

zao4glpeguktqoefv2w2c3lotyhe5tay_domainkey.example.com

Then, what’s the value for this CNAME you need to add?

The last . (dot) must be added to the value entry not to the domain name one.

Just follow the tip shown when selecting CNAME as the new custom DNS entry:

Miab CNAME tip

Hope this helps.


#14

Hi just4t, I just did as you said. Now all 3 CNAME records are in the same format (of course all different values):

Name: zao4glpeguktqoefv2w2c3lotyhe5tay._domainkey.example.com
Record: CNAME
Value: zao4glpeguktqoefv2w2c3lotyhe5tay.dkim.amazonses.com.

It’s been about 10 minutes and on Amazon SES it shows:

DKIM: waiting on DKIM verification…
DKIM Verification Status: pending verification


#15

DKIM DNS’s propagation takes time (could be 3 hours or up to 24h). On other hand, use this web tool to validate the entry added.


#16

Thanks, tried that without results. It gives me “QUERY STATUS: Unable to extract public key data from DNS TXT record.” But DNS records are there both in CNAME and TXT formats.


#17

Like he said, it can take up to 24 hours for it to properly propagate…


#18

Still nothing, I would pay somebody to sort it out, but not sure if that is allowed here?


#19

I ran both commands and it seems that there are no errors and it can fetch the records. BUT I still can’t pass the verification:

Your message failed the DMARC verification
A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and give instruction if neither of those authentication methods passes. Please be sure you have a DKIM and SPF set before using DMARC.
You are not allowed to send a message with this address

DMARC DNS entry found for the domain _dmarc.example.com:

"v=DMARC1; p=quarantine"
Verification details:

mail-tester.com; dmarc=fail header.from=example.com
mail-tester.com; dkim=pass (1024-bit key; unprotected) header.d=amazonses.com header.i=@amazonses.com header.b=GkymTUKm; dkim-atps=neutral
From Domain: example.com
DKIM Domain: amazonses.com


#20

as long as you do not want to reveal your domain names it will be hard to help you with that and everything will be just a suggestion what you can do or check.