SPF / DKIM / DMARC


#1

Hello. I am running a MIAB on a Linode VPS. I have a domain at Wix. Wix hosts my website and hence the nameservers are Wix's nameservers. I have changed my MX at Wix to point to my MIAB, so that my Mail-in-a-Box deals with all my email.

I can receive mail at my MIAB without any problem, however if I send any mail from my MIAB, it goes into the Spam folder of the recipient. I have looked at the source code of the received email (below) and it seems to be SPF / DMARC that is causing this. I have tried inputting an SPF record at Wix, and also a custom TXT record on my MIAB. I understand the principles of SPF but I am confused as to where I should update the SPF record, and the exact syntax. Should I update the SPF at Wix, or at my MIAB, or even on my Linode server? Does it matter where it is updated? Can I update it in multiple locations? The message source code is below. I am sending from jon@simplydrivers.co.uk to akajonnygee@gmail.com. Any help much appreciated.

Delivered-To: akajonnygee@gmail.com
Received: by 2002:a50:b706:0:0:0:0:0 with SMTP id g6csp11068558ede;
Mon, 31 Dec 2018 07:05:10 -0800 (PST)
X-Google-Smtp-Source: ALg8bN66z6vB/VW8h86Br8Euv5S0CJWXrp3HD+mbjbtfKr2gclG8dYuqnj2O/XEwZWK4QQsKaUSx
X-Received: by 2002:a17:902:a98c:: with SMTP id bh12mr37734894plb.31.1546268710169;
Mon, 31 Dec 2018 07:05:10 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1546268710; cv=none;
d=google.com; s=arc-20160816;
b=Dm77LryUKFc/+p0Gia5J+v6xt8AlR02+JW00XQbIoxM9l1Y1dQq0p/SJJtIjj7EVcE
pcQIwPPE4IIh6ucXX5EWBKdgsOtAdRGGK4dMzfEphdVpe4qurN/N5YQRYy4vyKkFgvnL
UYfu4di9xKojCe7I03QH4n89zVmcr/2zS940InistmbL2hj2f8A9EpOn3uThXDML4xtr
kUMdiwo/hYm11K+8v50qc7yKA051PI66LnABcYBGA/MsFQOKPYA2OrL3xpo7++1awrRe
mNWmDZBQvzjMZ7t3tkJpHX4f37yJcnIfkUho6MyxvEsShrrJMxgXFXMZuOTqmT2UCyb8
7DSg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=content-language:content-transfer-encoding:mime-version:date
:message-id:subject:from:to:dkim-signature;
bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
b=izRb8tRxY/HZoiEHsS4fzgRCWxt5Nf70xb9wimc8SlQaz95FBZppEOZzqvl8CjC8gB
hJWUJFJknAc5Qibxpaw4ReClRbx8M4/dGv+bOLk8Z5G+o9x1C4VojKpQdUpXFN68aNJg
M+hGQIBoy/UosiU65e4rZ389qpQ0tdWKYLp1NMtSwMlCC1I1BPvrIrwsfy5C67ZM5Nrc
c5irfPU5E6KWVs6TV+ULqh7MowcTvMlOU+cDSb5Fh7xYhpB06aYS8/fskEa2cAF+l4b3
cSQRIQjdGVfgZ3cLrI8QVoJjfC5vvg2Y/14bgCOCUKMyKrsD/Z8P7r2DtH7QIK6ptiWI
D8FQ==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=temperror (no key for signature) header.i=@simplydrivers.co.uk header.s=mail header.b=RgVFIiFT;
spf=neutral (google.com: 173.255.255.135 is neither permitted nor denied by best guess record for domain of jon@simplydrivers.co.uk) smtp.mailfrom=jon@simplydrivers.co.uk;
dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=QUARANTINE) header.from=simplydrivers.co.uk
Return-Path: <jon@simplydrivers.co.uk>
Received: from box.jmail.rocks (box.jmail.rocks. [173.255.255.135])
by mx.google.com with ESMTPS id q13si307879pgj.86.2018.12.31.07.05.09
for akajonnygee@gmail.com
(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
Mon, 31 Dec 2018 07:05:09 -0800 (PST)
Received-SPF: neutral (google.com: 173.255.255.135 is neither permitted nor denied by best guess record for domain of jon@simplydrivers.co.uk) client-ip=173.255.255.135;
Authentication-Results: mx.google.com;
dkim=temperror (no key for signature) header.i=@simplydrivers.co.uk header.s=mail header.b=RgVFIiFT;
spf=neutral (google.com: 173.255.255.135 is neither permitted nor denied by best guess record for domain of jon@simplydrivers.co.uk) smtp.mailfrom=jon@simplydrivers.co.uk;
dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=QUARANTINE) header.from=simplydrivers.co.uk
Received: from authenticated-user (box.jmail.rocks [173.255.255.135])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by box.jmail.rocks (Postfix) with ESMTPSA id A8C1343272
for akajonnygee@gmail.com; Mon, 31 Dec 2018 15:05:08 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=simplydrivers.co.uk;
s=mail; t=1546268709;
bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;
h=To:From:Subject:Date:From;
b=RgVFIiFTM7ATpmxUTM5ICoLEM3+C7s0D4skrdSUmLZBdm6uRfE2T0FUiM2k9TA+i/
+BNmIGFFQCZlalNb+Eq9IRiEYsp7miQfttATPIv8Nx3/ffkTNGB5ga+HT5kroF//YV
26IkigMnkpe/xJYICuZgC3H1b15P+qnJP0xl++yZxwnjksPm6OFXl5UeQHxX21ucn7
0/2Q9SRh9/TUfN62jnYbBElsJ4CyOp/IYwsOZp7d3IJmmAvIBkghdkL57QkinthVnv
PSUvQ9e9J0pyvVnwnHzq8i+hico/2P4SF8cG4ZCFSYhxiR7MvRum7es48AnPgT9rLd
ANpFTH9WfLYKg==
To: akajonnygee@gmail.com
From: Jonathan Greenwood <jon@simplydrivers.co.uk>
Subject: 333
Message-ID: <4907b162-99de-3d64-591d-1d3f68f01815@simplydrivers.co.uk>
Date: Mon, 31 Dec 2018 15:05:06 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US


#2

Hi,

Did you add the records that I advised you in your other thread to the DNS at Wix??? If you are only sending email from your MiaB server, then the ones listed in System>External DNS will be correct. If you are also sending email from the web server then the SPF record will need to be modified.

Also, have you signed up for Google Postmaster Tools? I see that you have moved your email to a different domain. A brand new registered domain. This will always be problematic with Google. IMHO, you were better off using the other domain for mail as it was older. Google especially will block email from newly registered domains.


#3

Hi again, thanks for your reply. As you may have guessed, I am new to MIAB and to DNS. I moved to a new mail server (Linode) to test MIAB on Ubuntu 18 and to have a box with a box.jmail.rocks name, so hopefully a more permanent email box. The website does have forms on it that generate emails, so I assume an SPF record will be required to be able to send from the 2 separate sources, although exactly what it will look like and where I enter it is still a mystery to me.

The reason for the email server is to avoid paying a per mailbox fee to Wix and also at the same time to learn as much as poss about email, DNS etc.

I have now entered the DMARC p=none (at Wix) and that has solved my problem; mail is now arriving in the Inbox of the recipient. However, I am yet to understand the consequences of p=none! I am also still confused as to where I enter my DNS records: at Wix or at MIAB, or can it be either? I assume that for this setup (i.e. MX pointing to a separate box) DNS is still updated at Wix, whereas if the NS were pointed to MIAB I would use the custom DNS on MIAB to alter the DNS settings. Once again thanks for your help, and apologies if these are daft questions. Hopefully when I am a bit more DNS savvy I can start to help others on here!


#4

There are two methods that I am aware of for sending email from a website: one is called phpmail (or something similar - I am not overly familiar with this) and the other is using an SMTP relay. If your website is a WordPress based site, I am certain that there is a plug-in for this.
Now, in my opinion, using the SMTP relay method is the best. The reason is that the mail from your website will be sent via your MiaB. How it works is this: the SMTP plug-in logs in to MiaB as one of the users on the box, so the email is sent as though it originates from the box. Hopefully, you can see why I feel that this is the best method.

This depends on WHICH DNS records. If you have not changed things since I helped you the other day, DNS entries pertaining to simplydrivers.co.uk are entered into DNS at Wix. DNS entries for apuppydogstail.co.uk and jmail.rocks are handled by MiaB at box.jmail.rocks, so any custom entries for those domains need to be entered in the admin area under System>Custom DNS. Keep in mind that all DNS entries related to email for those two domains are already created there. The only custom entries that you should need to make would be if there is a website hosted elsewhere.

Yes, but … the determination is not made by the fact that the MX is pointing to a separate box, but rather by the fact that there are issues when dealing with Wix that you encountered originally - namely the inability to change name servers because the website is a Wix hosted page. That is purely a Wix limitation.
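
The first post asks where the SPF record goes and what it should say; the reply above adds that a second sending source (the website) has to be authorised too. What follows is an added example, not code from this thread or from Mail-in-a-Box, of how a receiver actually evaluates SPF: a cut-down check_host() from RFC 7208 run against a constructed in-memory DNS table instead of live lookups. The box IP 173.255.255.135 is taken from the headers in the first post; the include target _spf.webhost.example and its 203.0.113.0/24 range are placeholders for whatever the web host really publishes, which the thread does not give.

```python
"""Toy SPF check_host() over a constructed DNS table (added example, not from the thread)."""
import ipaddress

# Constructed zone data. 173.255.255.135 is the box IP from the posted headers;
# _spf.webhost.example and 203.0.113.0/24 are placeholders for the website host.
DNS = {
    "simplydrivers.co.uk": {
        # One record authorising both senders: the MX host (MiaB) and the web host.
        "TXT": ["v=spf1 mx include:_spf.webhost.example -all"],
        "MX": ["box.jmail.rocks"],
    },
    "box.jmail.rocks": {"A": ["173.255.255.135"]},
    "_spf.webhost.example": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get(name.lower().rstrip("."), {}).get(rtype, [])


def spf_record(domain):
    """Exactly one v=spf1 TXT record is required; none (or duplicates) yields no record."""
    recs = [t for t in lookup(domain, "TXT") if t.lower().split(" ", 1)[0] == "v=spf1"]
    return recs[0] if len(recs) == 1 else None


def ip_in(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def check_host(ip, domain, depth=0):
    """Return the SPF result (pass/fail/softfail/neutral/none/permerror) for a sender IP
    and the MAIL FROM domain, walking the mechanisms left to right as RFC 7208 does."""
    if depth > 10:                       # RFC 7208 caps DNS-querying mechanisms
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"                    # what Gmail saw before any SPF record was published
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip_in(ip, arg)
        elif name == "a":
            matched = any(ip_in(ip, a) for a in lookup(arg or domain, "A"))
        elif name == "mx":
            matched = any(ip_in(ip, a) for mx in lookup(arg or domain, "MX")
                          for a in lookup(mx, "A"))
        elif name == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            continue                     # modifiers (redirect=, exp=) and unknown terms skipped
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # nothing matched and no "all" term


if __name__ == "__main__":
    for sender in ("173.255.255.135", "203.0.113.7", "198.51.100.1"):
        print(sender, check_host(sender, "simplydrivers.co.uk"))
```

The record lives wherever the zone's authoritative servers are (Wix, in this thread); the "mx" term is what lets the MiaB host pass without hard-coding its IP, and the include is the usual way to delegate to a web host's own list. Note that with no record at all the result is "none", which is why Gmail fell back to its "best guess record" and reported neutral.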


#5

Once again, thanks for your reply. I have been gradually changing DNS settings at Wix, but only one at a time, so as to allow propagation and hence identify any problems and understand what's happening.

RE the website emails: I am not sure about the method of sending emails - I will look into it, but yes, I understand the principles here.

RE DNS / MX: So if I understand you correctly, a more 'normal' setup would be to change the name servers at Wix to point to MIAB (box.jmail.rocks) and then use custom DNS on MIAB to point a website back to Wix (or elsewhere), but this is not possible as Wix won't allow editing of NSs?


#6

Ok, because I have never dealt with Wix directly and have no idea how they work when you buy a domain directly through them … (I believe that you had stated this in the other thread … but maybe I am wrong) I cannot really be specific to this situation BUT in general … replace the first instance of ‘Wix’ in what you said with the term ‘the domain registrar’ and you have it.

And to be even more specific …" a more ‘normal’ setup would be to change the name servers at the domain registrar to point to MIAB (ns1.box.jmail.rocks & ns2.box.jmail.rocks) "


#7

You really need to get your DNS records sorted prior to setting your DMARC policy to quarantine. You also need to understand why your mail is being sent to spam.

Most website hosts (including Wix) ask that you point your domain's NS records to their name servers in order to make the web hosting itself relatively painless. You've correctly done that, so any records for your domain need adding at Wix. The records you need for the simplydrivers.co.uk domain can be found by going to your box admin page and choosing the External DNS dropdown.

Because the MIAB server is signing your mail with DKIM - YOU MUST make sure that you’ve at least published the DKIM record using the Wix control panel.

This is because without this the mail server cannot determine if the signature is valid. Because the mail is signed and no DKIM record is published the Gmail server reports a DKIM temperror. This is actually shown in the headers you’ve posted.

dkim=temperror (no key for signature) header.i=@simplydrivers.co.uk header.s=mail header.b=RgVFIiFT;

This isn't the first time I've seen a DMARC fail caused by this. I did look for your DKIM record manually.

C:\Users\timdu>dig txt mail._domainkey.simplydrivers.co.uk

; <<>> DiG 9.10.6-P1 <<>> txt mail._domainkey.simplydrivers.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12580
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;mail._domainkey.simplydrivers.co.uk. IN        TXT

;; AUTHORITY SECTION:
simplydrivers.co.uk.    1799    IN      SOA     ns14.wixdns.net. support.wix.com. 2018080741 10800 3600 604800 3600

;; Query time: 46 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Dec 31 22:59:45 GMT Standard Time 2018
;; MSG SIZE  rcvd: 130

The NXDOMAIN means that no record was found. The dig command does return the SOA record, indicating your authoritative DNS is hosted on Wix's system.

Take out the A record for simplydrivers.co.uk that points to your MIAB IP. It’s not needed and in fact will cause problems for visitors to your site, as the web browsers will sometimes pick that up instead of the Wix IP address.

Changing DNS records one at a time can be fine, but make sure that key records like your DKIM record have been published.
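
The chain this reply describes (no DKIM key published, so dkim=temperror; no SPF record, so spf=neutral; hence dmarc=fail and disposition quarantine) and the question in post #3 about what p=none changes can both be seen by applying DMARC's alignment rule to the header Gmail added. The code below is an added example, not code from the thread or from Mail-in-a-Box: it parses the Authentication-Results value copied from the first post and computes the verdict. The organisational-domain logic assumes only co.uk as a two-label public suffix rather than consulting the real Public Suffix List.

```python
"""DMARC verdict from an Authentication-Results header (added example, not from the thread)."""
import re

# Copied from the headers in the first post (Gmail's evaluation of the original message).
AUTH_RESULTS = (
    "mx.google.com; "
    "dkim=temperror (no key for signature) header.i=@simplydrivers.co.uk header.s=mail header.b=RgVFIiFT; "
    "spf=neutral (google.com: 173.255.255.135 is neither permitted nor denied by best guess record "
    "for domain of jon@simplydrivers.co.uk) smtp.mailfrom=jon@simplydrivers.co.uk; "
    "dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=QUARANTINE) header.from=simplydrivers.co.uk"
)


def parse_auth_results(value):
    """Return {method: (result, {property: value})}; RFC 8601 comments in (...) are dropped.
    Assumes no ';' inside a comment, which holds for the Gmail header above."""
    _authserv_id, _, rest = value.partition(";")
    out = {}
    for stanza in rest.split(";"):
        stanza = re.sub(r"\([^)]*\)", " ", stanza).strip()
        if not stanza:
            continue
        parts = stanza.split()
        method, _, result = parts[0].partition("=")
        props = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        out[method.lower()] = (result.lower(), props)
    return out


def org_domain(domain):
    """Organisational domain for relaxed alignment. Assumption: only co.uk is treated
    as a two-label public suffix here; real code consults the Public Suffix List."""
    labels = domain.lower().split(".")
    keep = 3 if labels[-2:] == ["co", "uk"] else 2
    return ".".join(labels[-keep:])


def aligned(identifier_domain, from_domain, strict=False):
    if not identifier_domain:
        return False
    if strict:
        return identifier_domain.lower() == from_domain.lower()
    return org_domain(identifier_domain) == org_domain(from_domain)


def dmarc_evaluate(from_domain, spf_result, mailfrom_domain, dkim_result, dkim_domain,
                   policy, strict=False):
    """RFC 7489: DMARC passes only on an *aligned* SPF pass or an *aligned* DKIM pass.
    temperror, neutral and none never count; the policy is applied only on failure."""
    spf_ok = spf_result == "pass" and aligned(mailfrom_domain, from_domain, strict)
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, strict)
    passed = spf_ok or dkim_ok
    return {
        "spf_aligned_pass": spf_ok,
        "dkim_aligned_pass": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else policy.lower(),   # none | quarantine | reject
    }


def evaluate_header(value, from_domain, policy):
    """Feed a parsed Authentication-Results header into dmarc_evaluate()."""
    r = parse_auth_results(value)
    spf_result, spf_props = r.get("spf", ("none", {}))
    dkim_result, dkim_props = r.get("dkim", ("none", {}))
    mailfrom_domain = spf_props.get("smtp.mailfrom", "").rpartition("@")[2]
    # Prefer header.d (the d= tag); fall back to header.i, which carries a leading '@'.
    dkim_domain = dkim_props.get("header.d") or dkim_props.get("header.i", "").rpartition("@")[2]
    return dmarc_evaluate(from_domain, spf_result, mailfrom_domain, dkim_result, dkim_domain, policy)


if __name__ == "__main__":
    for p in ("quarantine", "none"):
        print(p, evaluate_header(AUTH_RESULTS, "simplydrivers.co.uk", p))
```

With p=none the verdict is still "fail"; only the disposition changes, which is why the mail started landing in the Inbox without anything about its authentication having improved. Turning dkim into a pass (by publishing the key) or spf into an aligned pass flips the verdict itself, and that is what has to be in place before going back to quarantine.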


#8

Hi again, thanks for your answers, and I have a much clearer understanding of the whole situation now. I am gradually entering the DNS from MIAB into Wix, then leaving it a while to propagate and then testing. However, I am now struggling to enter the DKIM record into Wix. According to MIAB I put in something along the lines of
v=DKIM1; h=sha256; k=rsa; s=email; p=*************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************
However, when I copy and paste into Wix it will only let me enter approx. half of the text, and I cannot even type any more: the field I am entering this into (on Wix) has a character limit on it, and the p= code is more characters than this limit. Am I missing something?


#9

You may need to ask Wix to add the DKIM record for you.

DNS records have a limit of 255 characters. A good system should split larger records into chunks of 255 characters or less. For example here’s mine. (The key is a public key so I don’t need to hide it).

mail._domainkey.timothydutton.co.uk. 1799 IN TXT "v=DKIM1; k=rsa; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3G//NCKj1VgQ8ntGyR5mOJHJ4k1XTEPAPOUCuBgAECu0Ty+pdKIUXMrOdAZC7v/f+VRKIuUiFHzQ69dvXmnB6whk82CdCE1HTWVxLFdCCg/wG2p/l1jxJt49prlYC8rcW2RbHz9nCmbvOqL9yuBhB1By7hIILS+Ahx0K3JIKZl6feZAC2WugHKKz" "5EhglOtp8hoppXaSzKGflYH35FQgW1WQYTsMxHIgpGyOi1anpNqm0GB1KPWW4f4nU/QE0XZ+ZVG4OTn5uM+flIJo7hZfTrvQwnz9OxBE/4BuJZPslEgSWiWRmo/RFSSJeRwGU/T9Y3B/faMHgopY3u9op+rPbwIDAQAB"
Note that the record is broken up into two strings which are stitched together to produce one long string.

Have a look at this page here which sums up Wix’s current position, unless they can add the record manually you’re going to struggle.

It might be possible to generate and use a 1024-bit DKIM key instead (which would mean your record would be less than 255 characters). However, I'm not sure how easy that would be.

Tim
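
The 255 limit discussed in this reply is per character-string inside a TXT record's RDATA, which is why the 2048-bit key above is published as two quoted strings that the verifier concatenates before reading the tags. The following is an added example, not code from this thread or from Mail-in-a-Box: it splits and rejoins a record, encodes the RDATA the way the wire format does (one length octet per string, so a single 419-byte string cannot be encoded at all), reads the key size back out of the p= value, and works out how long a single-string record would be for a 1024-bit versus a 2048-bit key. The sample record is the public key posted above for timothydutton.co.uk, and the "v=DKIM1; h=sha256; k=rsa; s=email; p=" prefix is the tag layout quoted from MiaB in post #8.

```python
"""DKIM TXT record splitting, wire encoding and key-size checks (added example, not from the thread)."""
import base64

# The record posted above for timothydutton.co.uk, exactly as its two quoted strings
# (it is a public key, so nothing secret is reproduced here).
DKIM_TXT_STRINGS = [
    "v=DKIM1; k=rsa; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3G//NCKj1VgQ8ntGyR5mOJHJ4k1XTEPAPOUCuBgAECu0Ty+pdKIUXMrOdAZC7v/f+VRKIuUiFHzQ69dvXmnB6whk82CdCE1HTWVxLFdCCg/wG2p/l1jxJt49prlYC8rcW2RbHz9nCmbvOqL9yuBhB1By7hIILS+Ahx0K3JIKZl6feZAC2WugHKKz",
    "5EhglOtp8hoppXaSzKGflYH35FQgW1WQYTsMxHIgpGyOi1anpNqm0GB1KPWW4f4nU/QE0XZ+ZVG4OTn5uM+flIJo7hZfTrvQwnz9OxBE/4BuJZPslEgSWiWRmo/RFSSJeRwGU/T9Y3B/faMHgopY3u9op+rPbwIDAQAB",
]
MIAB_PREFIX = "v=DKIM1; h=sha256; k=rsa; s=email; p="   # tag layout quoted from MiaB in post #8


def split_txt(value, limit=255):
    """Chop a long TXT value into character-strings no longer than `limit` bytes."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def join_txt(strings):
    """What a DKIM verifier does with a multi-string TXT answer (RFC 6376 3.6.2.2)."""
    return "".join(strings)


def txt_rdata(strings):
    """RFC 1035 TXT RDATA: each character-string is one length octet plus its bytes."""
    out = bytearray()
    for s in strings:
        data = s.encode("ascii")
        if len(data) > 255:
            raise ValueError("character-string exceeds 255 bytes; split it first")
        out += bytes([len(data)]) + data
    return bytes(out)


def parse_dkim(record):
    """Tag=value pairs from a DKIM key record (';'-separated, surrounding whitespace ignored)."""
    tags = {}
    for field in record.split(";"):
        if field.strip():
            k, _, v = field.partition("=")
            tags[k.strip()] = v.strip()
    return tags


def dkim_public_key_der(record):
    """Decode p= into DER SubjectPublicKeyInfo bytes (raises on bad base64)."""
    return base64.b64decode(parse_dkim(record)["p"], validate=True)


def _tlv(buf, off):
    """Read one DER tag-length header at `off`; return (tag, content_offset, content_len)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                                   # long form: count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, length


def rsa_modulus_bits(spki_der):
    """Modulus size of an RSA SubjectPublicKeyInfo, i.e. the key size behind a DKIM p= value."""
    _, off, _ = _tlv(spki_der, 0)                       # SubjectPublicKeyInfo SEQUENCE
    _, alg_off, alg_len = _tlv(spki_der, off)           # AlgorithmIdentifier (skipped)
    _, off, _ = _tlv(spki_der, alg_off + alg_len)       # BIT STRING
    off += 1                                            # "unused bits" octet
    _, off, _ = _tlv(spki_der, off)                     # RSAPublicKey SEQUENCE
    _, off, n = _tlv(spki_der, off)                     # INTEGER modulus
    return int.from_bytes(spki_der[off:off + n], "big").bit_length()


def _der_tlv_len(content_len):
    """Total size of a DER element whose content is `content_len` bytes (content < 65536)."""
    return content_len + (2 if content_len < 0x80 else 3 if content_len < 0x100 else 4)


def rsa_spki_der_len(bits):
    """DER size of an RSA SPKI with public exponent 65537 for a `bits`-bit modulus."""
    modulus = _der_tlv_len(bits // 8 + 1)               # leading 0x00 as the top bit is set
    exponent = _der_tlv_len(3)                          # 65537 = 01 00 01
    rsa_public_key = _der_tlv_len(modulus + exponent)
    bit_string = _der_tlv_len(rsa_public_key + 1)       # plus the unused-bits octet
    return _der_tlv_len(15 + bit_string)                # 15 = rsaEncryption OID + NULL params


def dkim_record_len(bits, prefix=MIAB_PREFIX):
    """Characters in a single-string DKIM record: prefix plus base64 of the SPKI."""
    return len(prefix) + -(-rsa_spki_der_len(bits) // 3) * 4


if __name__ == "__main__":
    record = join_txt(DKIM_TXT_STRINGS)
    print(len(record), "chars;", rsa_modulus_bits(dkim_public_key_der(record)), "bit key")
    print("1024-bit record:", dkim_record_len(1024), "chars; 2048-bit:", dkim_record_len(2048))
```

With MiaB's tag layout a 1024-bit key gives a 253-character record, which is why it would squeeze into a single 255-character field, while the 2048-bit key needs 429 characters and must be split. A DNS provider whose form refuses anything over 255 characters is refusing to write a second character-string, not enforcing a limit on the record as a whole.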


#10

MiaB creates 2048-bit DKIM keys. I do not know if there is a way around this. There has been other discussion of this in the past … /me searches … and is successful. However, the solution is an unsupported modification so I would not propose it to the OP of this thread, but here it is anyway:

The instructions in the linked thread make no sense though. What is the point of running a script with the 1024 commented out? I think that should be just a bit differently worded, no? Another old thread offers this:


#11

@JonnyG thanks to @ravenstar68 posting the link to Wix Support, I was able to find something buried there that you may be interested in:

It is possible to not have to use Wix’s DNS servers, however it may not be quite so simple as I believe you mentioned that the domain was purchased from Wix?

And here we go … instructions on how to transfer a domain away from Wix to another domain registrar.

Now, I have to be completely honest here. It is always recommended to NEVER have domain registration and hosting from the same company. I think perhaps you can see some of the reason why based upon what we have been dealing with here. I personally recommend that you transfer your domain to a different registrar. The decision is, of course, yours. :) (But if you transfer your domain to a different registrar, you will be able to have MiaB control all of your DNS as you originally wanted. Hosting with Wix simply will not allow you to do what you want.)


#12

Great, thanks to you all for your answers. It would seem the easiest (and best) solution is to transfer away from Wix and point the nameservers to my MIAB. Just before I do that, can you tell me how I then use the MIAB custom DNS to point website requests for www.simplydrivers.co.uk back to Wix, as I want my website to remain in place, i.e. hosted by Wix servers? Thanks again.


#13

This link addresses the question … however the specific information is provided within your WIX account, so you will have to follow those instructions to get the A record or CNAME record that will be required. (I would guess that it would be a CNAME record)

Once you know the specific value you would enter it into the admin area within your box at jmail.rocks on the Custom DNS page. Please also remember that you will need to change the nameservers with the new domain registrar to ns1.jmail.rocks and ns2.jmail.rocks.

Unfortunately, due to the way WIX is structured - you are likely to experience a small amount of down time, unless the new registrar allows you to set the nameservers before the transfer (some do, some don’t).


#14

Hi, alento, yes, I was just looking at that. The CNAME entry at Wix is this:

So I assume I just create a CNAME at MIAB and point www.simplydrivers.co.uk back to www23.wixdns.net.

Thanks again


#15

Again, WIX is a strange animal to me … I would not be surprised if that information did not change as you have to remove your domain from WIX’s control panel to transfer it, then add it back in some convoluted manoeuvrings.


#16

@alento It doesn't really matter who the registrar is; the problem is that if he's hosting his website with a particular web host, then they typically request that you point the domain's nameservers to their DNS (I am guessing, but I suspect it avoids having to answer awkward questions about how to set up their DNS records to point to the host's IP address; if you are using the host's DNS then they set the relevant DNS entries up automatically).

So as long as he is hosting on Wix’s system he’ll be in the same boat no matter who his registrar is.

A better solution would be to move web host rather than registrar.


#17

This is exactly the thing – also WIX has set it up that if they are the registrar you CANNOT use outside name servers. Really limiting.

This is not true in this case as he can use outside name servers as long as the domain is NOT registered by WIX. Again, really limiting.

I absolutely agree. However, it is not for me to comment on someone’s choice of hosting.

Being that it is the holiday and things are really slow, I have extensively reviewed the WIX documentation and my answers to the OP are based on that review.