How to configure the DNS TXT records for SPF, DKIM and DMARC, and how to keep business email from being rejected by Gmail – Mail delivery failed

Administrators of private business email servers face many problems and challenges: waves of spam to be blocked by specific filters, the security of correspondence on the local mail server and on remote servers, configuring and monitoring the SMTP, POP and IMAP services, plus many other details of SPF, DKIM and DMARC configuration needed to comply with good practice for secure email delivery.

Many problems with sending or receiving email to and from ISP-hosted mailboxes are caused by an incorrect DNS zone configuration rather than by the email service itself.

For a domain name to be able to send email, it must be hosted on a properly configured mail server, and the domain must have correctly set MX, SPF, DKIM and DMARC records in its DNS manager.

In today's article we look at a fairly common problem on private business mail servers: the inability to send email to Gmail, Yahoo! or iCloud accounts.

Messages sent to @gmail.com addresses are automatically rejected: “Mail delivery failed: returning message to sender”

I recently ran into this problem on a company's mail domain, from which messages are regularly sent to other companies and individuals, some of them with @gmail.com addresses. Every message sent to a Gmail account came straight back to the sender: “Mail delivery failed: returning message to sender”.

The error returned to the mail server (running Exim) looks like this:

1nSeUV-0005zz-De ** [email protected] R=dnslookup T=remote_smtp H=gmail-smtp-in.l.google.com [142.x.x.27] X=TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=yes: SMTP error from remote mail server after pipelined end of data: 550-5.7.26 This message does not have authentication information or fails to\n550-5.7.26 pass authentication checks. To best protect our users from spam, the\n550-5.7.26 message has been blocked. Please visit\n550-5.7.26  https://support.google.com/mail/answer/81126#authentication for more\n550 5.7.26 information. d3-20020adff843000000b001f1d7bdaeb7si6107985wrq.510 - gsmtp

In this scenario there is nothing very serious going on, such as the sending domain name or IP being listed in a global spam blacklist, or a major misconfiguration of the mail services on the server (Exim).
Even though many people who see this message immediately think of spam listings or an SMTP configuration error, the problem is generated by the domain's DNS TXT records. Most of the time DKIM is not configured in the DNS zone at all, or it was not copied correctly into the DNS manager. I often see this problem with those who use Cloudflare as DNS manager and forget to carry over the TXT records: mail._domainkey (DKIM), DMARC and SPF.

As the Gmail rejection message tells us, authentication of the sender failed: “This message does not have authentication information or fails to pass authentication checks.” This means the domain does not have the DNS TXT records that give the recipient's mail server (Gmail, in our scenario) a reason to trust it.

When a domain with an active email service is added in cPanel or VestaCP, the DNS zone records for that domain are created automatically, including those for the email service: MX, SPF, DKIM and DMARC.
If we choose to put the domain on Cloudflare's DNS manager, the DNS zone from the hosting account must be copied into Cloudflare for email to work correctly. That was the problem in the scenario above: in the third-party DNS manager there was no DKIM record, although it existed in the DNS manager of the local server.

What is DKIM, and why is email rejected if a domain does not have it?

DomainKeys Identified Mail (DKIM) is a standard for authenticating an email domain: it adds a digital signature to every message sent. Receiving servers can use DKIM to check that the message really comes from the sender's domain and not from another domain using the sender's identity as a mask. In plain terms, if you own the domain abcdqwerty.com and it has no DKIM, email can be sent from other servers using your domain name. This is identity theft, known in technical terms as email spoofing, a common technique in phishing and spam campaigns.

DKIM also makes it possible to verify that the message content was not changed after it left the sender.

Having DKIM set correctly on the mail server and in the DNS zone makes it far more likely that your messages reach the recipient instead of not arriving at all.

An example of a DKIM record is:

mail._domainkey: "v=DKIM1; k=rsa; p=MIGfMA0GCSqGfdSIb3DQEBAQUAA4GN ... ocqWffd4cwIDAQAB"

Naturally, the DKIM value (an RSA public key) is unique to each domain name and can be regenerated from the mail server hosting the email service.

With DKIM installed and set correctly in the DNS TXT manager, the problem of messages bounced from Gmail accounts is very likely solved, at least for this “Mail delivery failed” error:

“SMTP error from remote mail server after pipelined end of data: 550-5.7.26 This message does not have authentication information or fails to\n550-5.7.26 pass authentication checks. To best protect our users from spam, the\n550-5.7.26 message has been blocked.”

As a brief recap, DKIM adds a digital signature to every message sent, which lets receiving servers verify the sender's authenticity: that the message came from your company and that the address was not used by a third party to impersonate you.

Gmail (Google) may automatically reject all messages coming from domains that have no such DKIM digital signature.

What is SPF and why is it important for safe email delivery?

Like DKIM, SPF aims to prevent phishing and email spoofing; with it in place, your outgoing messages are far less likely to be marked as spam.

Sender Policy Framework (SPF) is a standard method of authenticating the domain from which messages are sent. SPF entries are set as TXT records in your domain's DNS manager, and the entry specifies the domain names and IP addresses that are allowed to send email using your domain or organization name.

A domain without SPF lets spammers send email from other servers using your domain name as a mask. In this way they can spread false information or request sensitive data on behalf of your organization.

Of course, messages can still be sent on your behalf from other servers, but they will be marked as spam or rejected if that server or domain name is not specified in your domain's SPF TXT record.

An SPF value in the DNS manager looks like this:

@ : "v=spf1 a mx ip4:x.x.x.x ?all"

where “ip4:x.x.x.x” is the IPv4 address of your mail server.

How do we set SPF for several domains?

If we want to authorize other domains to send email on behalf of our domain, we specify them with the “include” mechanism in the SPF TXT record:

v=spf1 ip4:x.x.x.x include:example1.com include:example2.com ~all

This means that email can be sent in our domain's name from example1.com and example2.com.
It is a very useful record if, for example, we have an online shop at “example1.com” but want the shop's messages to customers to be sent from the company's domain, “example.com”. In the SPF TXT record for “example.com” we then need to specify our IP plus “include:example1.com”, so that the shop can send messages in the organization's name.

How do we set SPF for IPv4 and IPv6?

If we have a mail server with both an IPv4 and an IPv6 address, it is very important that both IPs are specified in the SPF TXT record.

v=spf1 ip4:196.255.100.26 ip6:2001:db8:8:4::2 ~all

After the “ip” directives, “include” can again be used to add authorized domains.

What do “~all”, “-all” and “+all” mean in SPF?

As I said above, a provider (ISP) can still receive email on behalf of your organization even if it was sent from a domain or IP not specified in the SPF policy. The “all” mechanism tells receiving servers how to treat such messages from unauthorized sources sending in your or your organization's name.

~all : If the message comes from a source not listed in the SPF TXT record, it is accepted by the receiving server but marked as spam or suspicious (softfail). The message is then subject to the recipient's anti-spam filters.

-all : The strictest qualifier for an SPF record. If the source is not listed, the message is marked as unauthorized and rejected by the provider; it is not delivered even to the spam folder.

+all : Very rarely used and not recommended, this qualifier allows anyone to send email on behalf of you or your organization. Most providers automatically reject all email from domains whose SPF TXT record ends in “+all”, precisely because the sender's authenticity cannot be verified without a manual check of the email headers.
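To see how a receiving server applies these mechanisms and qualifiers, here is a small SPF evaluator added for this article (it is not the author's code). It uses a constructed in-memory zone instead of live DNS lookups and supports ip4/ip6 (with optional CIDR), include and all; the a and mx mechanisms are treated as non-matching here.

```python
import ipaddress

# Constructed in-memory zone standing in for live TXT lookups (not a real domain's data).
TXT = {
    "example.com": "v=spf1 ip4:196.255.100.26 ip6:2001:db8:8:4::2 include:example1.com ~all",
    "example1.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "legacy.test": "v=spf1 a mx ?all",
}

# Qualifier prefix -> SPF result; a mechanism without a prefix is "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Evaluate sender_ip against the SPF record published for domain.

    Supports ip4, ip6 (with optional CIDR), include and all. The a and mx
    mechanisms need DNS lookups and are treated as non-matching here.
    """
    if depth > 10:  # RFC 7208 caps the number of DNS-querying terms at 10
        return "permerror"
    record = TXT.get(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return "none"  # no SPF policy published: the receiver cannot decide
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # ~all -> softfail, -all -> fail, +all -> pass
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include: only a "pass" from the referenced domain counts as a match
            if check_spf(arg, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif name not in ("a", "mx"):
            return "permerror"  # unknown mechanism: receivers ignore the record
    return "neutral"  # nothing matched and no explicit "all" term
```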

Summary: what does Sender Policy Framework (SPF) do?

Through the DNS TXT (SPF) record it authorizes the IPs and domain names that may send email from your domain or company, and at the same time it states the consequences for messages sent from unauthorized sources.

What does DMARC mean and why is it important for a mail server?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is closely related to the SPF and DKIM standards.
DMARC is a validation system designed to protect your or your company's email domain name from practices such as email spoofing and phishing scams.

On top of the SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) standards it adds a very important feature: reports.

When a domain owner publishes DMARC in the DNS TXT zone, they obtain information about who is sending email on behalf of the company that owns the domain protected with SPF and DKIM. At the same time, recipients of the messages know whether and how the sending domain's owner monitors these good practices.

A DMARC entry in DNS TXT can be of the form:

v=DMARC1; p=none; sp=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=0

In DMARC you can set several conditions for reporting incidents, as well as the email addresses that should receive the analyses and reports. It is advisable to use dedicated email addresses for DMARC because the volume of messages received can be significant.

DMARC tags can be set according to the policy you or your organization impose:

v – the version of the DMARC protocol in use.
p – the policy to apply when a message fails DMARC checks. It can take the values “none”, “quarantine” or “reject”. “none” is used to obtain reports on the message flow and its sources without affecting delivery.
rua – a list of URIs to which ISPs send aggregate feedback in XML format. If we add an email address here, the entry has the form “rua=mailto:[email protected]”.
ruf – the list of URIs to which ISPs send reports on incidents and abuse committed in your organization's name. The address has the form “ruf=mailto:[email protected]”.
rf – the format of the failure reports. Can be “afrf” or “iodef”.
pct – tells the ISP to apply the DMARC policy only to a certain percentage of failing messages. For example “pct=50” (a whole number, without a % sign) together with the “quarantine” or “reject” policy; it has no effect with “none”.
adkim – the “alignment mode” for DKIM signatures, i.e. how strictly the domain in the DKIM signature must match the sending domain. It can take the values r (relaxed) or s (strict).
aspf – like adkim, the “alignment mode” for SPF; it supports the same values, r (relaxed) or s (strict).
sp – the policy applied to subdomains of the organization's domain, so that they inherit the domain's value; this avoids separate policies for each subdomain. It is practically a “wildcard” for all subdomains.
ri – the interval at which the XML reports for DMARC are received. Most of the time daily reporting is preferable.
fo – options for failure reports (“forensic options”). Value “0” reports an incident only when both SPF and DKIM fail; value “1” reports when either SPF or DKIM is missing or fails.
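To check a record against these tag rules before publishing it, here is a DMARC record parser and validator added for this article (it is not the author's code); it fills in the RFC 7489 defaults for omitted tags and flags common mistakes such as a percent sign in pct. The records and addresses it is exercised with are constructed.

```python
import re

# RFC 7489 defaults for tags that may be omitted from a policy record.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0", "rf": "afrf", "ri": "86400"}
POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record):
    """Split a DMARC TXT record into tags; raise ValueError where a receiver would ignore it."""
    tags = {}
    for item in record.split(";"):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {item!r}")
        tags[name.strip()] = value.strip()
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("a policy record requires the p tag")
    return tags


def validate_dmarc(record):
    """Return (effective_tags, problems): defaults filled in, plus misconfigurations found."""
    tags = parse_dmarc(record)
    eff = {**DEFAULTS, **tags}
    eff.setdefault("sp", eff["p"])  # subdomains inherit p unless sp is given
    problems = []
    for tag in ("p", "sp"):
        if eff[tag].lower() not in POLICIES:
            problems.append(f"{tag}={eff[tag]} is not none/quarantine/reject")
    # pct is a whole number 0..100; "50%" is a common mistake that makes the tag invalid
    if not eff["pct"].isdigit() or not 0 <= int(eff["pct"]) <= 100:
        problems.append(f"pct={eff['pct']} must be a whole number from 0 to 100")
    for tag in ("adkim", "aspf"):
        if eff[tag].lower() not in ("r", "s"):
            problems.append(f"{tag}={eff[tag]} must be r (relaxed) or s (strict)")
    if not set(eff["fo"].split(":")) <= {"0", "1", "d", "s"}:
        problems.append(f"fo={eff['fo']} may only combine 0, 1, d and s")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in eff.get(tag, "").split(","))):
            if not re.fullmatch(r"mailto:[^@\s,]+@[^@\s,]+", uri, re.I):
                problems.append(f"{tag} entry {uri!r} is not a mailto: URI")
    return eff, problems
```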

So, to make sure your or your company's email lands in recipients' inboxes, you need to take into account these three standards of good practice for sending email: DKIM, SPF and DMARC. All three live in DNS TXT records and can be managed from the domain's DNS manager.

Passionate about technology, I have been writing with pleasure on stealthsetts.com since 2006. I have rich experience with operating systems (macOS, Windows and Linux), as well as with programming languages, blogging platforms (WordPress) and online store platforms (WooCommerce, Magento, PrestaShop).
