How to set up the DNS TXT zone for SPF, DKIM, and DMARC and how to prevent business e-mail messages from being rejected by Gmail - Mail delivery failed

Administratorii de severe private email for business it often faces many problems and challenges. From the waves of SPAM which must be blocked by specific filters, correspondence security in the local e-mail server and remote servers, configuration si monitoring SMTP services, POP, IMAP, plus lots and lots of other details SPF, DKIM and DMARC configuration to follow best practices for secure e-mailing.

Many problems send e-mail messages or consignee to / from your providers, appear due to incorrect configuration of the area DNS, what about the e-mail service.

In order for emails to be sent from a domain name, it must be hosted on an email server Properly configured, and domain name to have DNS zones for SPF, MX, DMARC SI DKIM set correctly in the manager DNS TXT of the domain.

In today's article we will focus on a fairly common problem private business email servers. Unable to send email to Gmail, Yahoo! or iCloud.

Messages sent to @ Gmail.com are automatically rejected. “Mail delivery failed: returning message to sender”

I recently encountered a problem on an email domain of a company, from which e-mails are regularly sent to other companies and to individuals, some of whom have addresses @ Gmail.com. All messages sent to Gmail accounts immediately returned to the sender. "Mail delivery failed: returning message to sender".

Error message returned to the e-mail server on EXIM looks like this:

1nSeUV-0005zz-De ** reciver@gmail.com R=dnslookup T=remote_smtp H=gmail-smtp-in.l.google.com [142.x.x.27] X=TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=yes: SMTP error from remote mail server after pipelined end of data: 550-5.7.26 This message does not have authentication information or fails to\n550-5.7.26 pass authentication checks. To best protect our users from spam, the\n550-5.7.26 message has been blocked. Please visit\n550-5.7.26  https://support.google.com/mail/answer/81126#authentication for more\n550 5.7.26 information. d3-20020adff843000000b001f1d7bdaeb7si6107985wrq.510 - gsmtp

In this scenario it is not something very serious, such as include the sending domain name or sending IP in a SPAM list global or o major configuration error of e-mail services on sevrer (EXIM).
Even though many people see this message immediately when they think of SPAM or an SMTP configuration error, the problem is generated by the area. DNS TXT of the domain. Most of the time, DKIM is not configured in the DNS zone or is not passed correctly in the DNS manager of the domain. This problem is often encountered by those who use it CloudFlare as DNS Manager and forget to pass DNS TXT: mail._domainkey (DKIM), DMARC si SPF.

As Gmail's rejection message tells us, the authenticity and authentication of the sender domain has failed. “This message does not have authentication information or fails to \ n550-5.7.26 pass authentication checks. ” This means that the domain does not have DNS TXT configured to ensure credibility for the recipient's e-mail server. Gmail, in our script.

When we add a web domain with an active e-mail service on cPanel or VestaCP, the files in the DNS zone of that domain are automatically created. DNS zone that includes e-mail service configuration: MX, SPF, DKIM, DMARC.
In the situation where we choose the domain to be the manager DNS CloudFlare, the DNS area of ​​the domain's hosting account must be copied to CloudFlare in order for the email domain to work properly. That was the problem in the above scenario. In a third-party DNS manager, DKIM registration does not exist, although it exists on the DNS manager of the local server.

What is DKIM and why are emails rejected if we don't have this feature on an email domain?

DomainKeys Identified Mail (DKIM) is a standard e-mail domain authentication solution that adds a digital signature each message sent. The destination servers can check through DKIM whether the message comes from the sender's domain of law and not from another domain that uses the sender's identity as a mask. By all accounts, if you have the domain a B C Dqwerty.com without DKIM, emails may be sent from other servers using your domain name. It is if you want an identity theft, which in technical terms is called email spoofing.
A common technique when sending e-mail messages Phishing si spam.

It can also be ensured through DKIM that, the content of the message was not changed after it was sent by the sender.

Having DKIM set correctly on the severe host of the e-mail system and in the DNS area eliminates much of the possibility that your messages may reach SPAM to the recipient or not reach at all.

An example of a DKIM is:

mail._domainkey: "v=DKIM1; k=rsa; p=MIGfMA0GCSqGfdSIb3DQEBAQUAA4GN ... ocqWffd4cwIDAQAB"

Of course, the DKIM value obtained by RSA encryption algorithm is unique for each domain name and can be regenerated from the host's e-mail server.

Having DKIM installed and set correctly in DNS TXT manager, it is very possible to resolve the issue of messages returned to Gmail accounts. At least for "Mail delivery failed" error:

“SMTP error from remote mail server after pipelined end of data: 550-5.7.26 This message does not have authentication information or fails to \ n550-5.7.26 pass authentication checks. To best protect our users from spam, the \ n550-5.7.26 message has been blocked. ”

As a brief recap, DKIM adds a digital signature to each message sent, which allows the destination servers to verify the authenticity of the sender. If the message came from your company and the third-party address was not used in order to use your identity.

gmail (Google) maybe automatically rejects all messages coming from domains that do not have such a DKIM digital semantics.

What is SPF and why is it important for secure email sending?

Just like DKIM, and SPF aims to prevent phishing messages si email spoofing. This way, the sent messages will no longer be marked as spam.

Sender Policy Framework (SPF) is a standard method of authenticating the domain from which messages are sent. SPF entries are set to TXT DNS manager of your domain, and this entry will specify the domain name, IP, or domains that are allowed to send e-mail messages using your or your organization's domain name.

An SPF-free domain can allow spammers to send emails from other servers. using your domain name as a mask. In this way they can spread false information or sensitive data may be requested on behalf of your organization

Of course, messages can still be sent on your behalf from other servers, but they will be marked as spam or rejected if that server or domain name is not specified in your domain's SPF TXT entry.

An SPF value in DNS manager looks like this:

@ : "v=spf1 a mx ip4:x.x.x.x ?all"

Where "ip4" is IPv4 on your email server.

How do I set SPF for multiple domains?

If we want to authorize other domains to send e-mail messages on behalf of our domain, we will specify them with the value "include”In SPF TXT:

v=spf1 ip4:x.x.x.x include:example1.com include:example2.com ~all

This means that e-mail messages can also be sent from our domain name to example1.com and example2.com.
It is a very useful record if we have for example one shop On the adress "example1.com", But we want the messages from the online store to customers to leave company domain address, this being "example.com". In SPF TXT for "example.com", as needed to specify along with IP and "include: example1.com". So that messages can be sent on behalf of the organization.

How do I set SPF for IPv4 and IPv6?

We have a mail server with both IPv4 and with IPv6, it is very important that both IPs are specified in the SPF TXT.

v=spf1 ip4:196.255.100.26 ip6:2001:db8:8:4::2 ~all

Next, after the "ip" the directive "include”To add domains authorized for shipping.

What does it mean "~all","-all"And"+allOf the SPF?

As stated above, providers (ISPs) can still receive emails on behalf of your organization even if they are sent from a domain or IP that is not specified in the SPF policy. The "all" tag tells destination servers how to handle these messages from other unauthorized domains and send messages on behalf of you or your organization.

~all : If the message is received from a domain that is not listed in the SPT TXT, the messages will be accepted on the destination server, but they will be marked as spam or suspicious. They will be subject to the best practices of the recipient provider's anti-spam filters.

-all : This is the strictest tag added to an SPF entry. If the domain is not listed, the message will be marked as unauthorized and will be rejected by the provider. It will not be delivered either macin spam.

+all : Very rarely used and not recommended at all, this tag allows others to send e-mails on behalf of you or your organization. Most providers automatically reject all e-mail messages that come from domains with SPF TXT. "+all“. Precisely because the authenticity of the sender cannot be verified, except after an "email header" check.

Summary: What does Sender Policy Framework (SPF) mean?

Authorizes through the TXT / SPF DNS zone, IPs and domain names that can send e-mail messages from your domain or company. It also applies the consequences that apply to messages that are sent from unauthorized domains.

What does DMARC mean and why is it important for your email server?

DMARC (Domain-based Message Authentication Reporting and Conformance) is closely linked to policy standards SPF si DKIM.
DMARC is a validation system designed to protect your or your company's email domain name, practices such as email spoofing and phishing scams.

Using Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM) control standards, DMARC adds a very important feature. reports.

When a domain owner publishes DMARC in the DNS TXT area, he or she will obtain information about who sends e-mail messages on behalf of him or her or the company that owns the domain protected by SPF and DKIM. At the same time, the recipients of the messages will know if and how these good practice policies are monitored by the owner of the sending domain.

A DMARC record in DNS TXT can be:

V=DMARC1; rua=mailto:report-id@rep.example.com; ruf=mailto:account-email@for.example.com; p=none; sp=none; fo=0;

In DMARC you can put more conditions for reporting incidents and e-mail addresses for analysis and reports. It is advisable to use dedicated e-mail addresses for DMARC as the volume of messages received may be significant.

DMARC tags can be set according to the policy imposed by you or your organization:

v - version of the existing DMARC protocol.
p - apply this policy when DMARC cannot be verified for e-mail messages. It can have the value: “none","quarantine"Or"reject“. Is used "none”To get reports on the flow of messages and their status.
rua - It is a list of URLs on which ISPs can send feedback in XML format. If we add the e-mail address here, the link will be:rua=mailto:feedback@example.com".
ruf - The list of URLs on which ISPs can send reports of cyber incidents and crimes committed on behalf of your organization. The address will be:ruf=mailto:account-email@for.example.com".
rf - Cybercrime reporting format. It can be shaped "afrf"Or"iodef".
pct - Instructs the ISP to apply the DMARC policy only for a certain percentage of failed messages. For example, we might have:pct=50%"Or policies"quarantine"And"reject“. It will never be accepted. "none".
adkim - Specifies “Alignment Mode” for DKIM digital signatures. This means that the matching of the digital signature of a DKIM entry with the domain is checked. adkim can have the values: r (Relaxed) or s (Strict).
aspf - In the same way as in the case adkim "Alignment Mode" is specified for SPF and supports the same values. r (Relaxed) or s (Strict).
sp - This policy applies to allow subdomains derived from the organization domain to use the DMARC value of the domain. This avoids the use of separate policies for each area. It is practically a "wildcard" for all subdomains.
ri - This value sets the interval at which XML reports will be received for DMARC. Most of the time, reporting is preferable on a daily basis.
fo - Options for fraud reports. “Forensic options“. They may have values ​​of "0" to report incidents when both the SPF and DKIM verification fail, or the value "1" for the scenario where the SPF or DKIM does not exist or does not pass the verification.

Therefore, to ensure that your or your company's e-mails reach your inbox, you need to consider these three standards. "best practices for sending emails". DKIM, SPF si DMARC. All three of these standards are DNS TXT and can be adminfrom the domain's DNS manager.

Passionate about technology, I like to test and write tutorials about operating systems macOS, Linux, Windows, about WordPress, WooCommerce and configure LEMP web servers (Linux, NGINX, MySQL and PHP). I write on StealthSettings.com since 2006, and a few years later I started writing on iHowTo.Tips tutorials and news about devices in the ecosystem Apple: iPhone, iPad, Apple Watch, HomePod, iMac, MacBook, AirPods and accessories.

Leave a Comment