DKIM signing on outbound mail?

by cyclos » Fri Apr 08, 2016 1:35 pm
I have a domain hosted with Sonic and use Sonic's SMTP server for outgoing mail.

A few days ago, recipients of my mail on Gmail started telling me that my mail was showing up as "unauthenticated", which causes my profile picture to show up with a big question mark on their mail clients.

I am not an expert in this, but it looks like Google may do this for mail that has not been DKIM signed.

Looking around Sonic support, it appears Sonic does not do DKIM signing on outbound mail.

Have I analyzed this correctly?

If so, any chance of Sonic adding DKIM signing to outbound mail?

bg
by neilh » Wed Jul 27, 2016 8:26 am
I'm having a similar issue when I send email with multiple Gmail addresses through TLS/mail.sonic.net.
So far the multiple seems to be 3+ - actually it's my wife doing reply all to email messages.
The return email address is a domain I manage - wLLw.net, which has a good SPF record of
wllw.net. 1800 IN TXT "v=spf1 ip4:198.199.94.20 exists:sonic.net -all"

Talking with support@sonic.net, they referred me to
http://www.openspf.org/

Similarly there is an email verification at
https://www.port25.com/authentication-checker/
and an email from my address at sonic.net is given a lower score than an email from my address at wllw.net

Another way of checking the email is
https://support.google.com/mail/answer/180707?hl=en

I would definitely be interested in having sonic.net provide a DKIM signature.

--------------
The mailer response about sending a message to google is

From: Mail Delivery Subsystem <MAILER-DAEMON@c.mail.sonic.net>
To: <me>


**********************************************
** THIS IS A WARNING MESSAGE ONLY **
** YOU DO NOT NEED TO RESEND YOUR MESSAGE **
**********************************************

The original message was received at Mon, 25 Jul 2016 14:08:53 -0700
from 70-36-XX-XX.dsl.dynamic.fusionbroadband.com [70.36.XX.XX] (I've added XX)

----- Transcript of session follows -----
... while talking to gmail-smtp-in.l.google.com.:
>>> DATA
<<< 421-4.7.0 [64.142.111.80 15] The SPF record of the sending domain has one
<<< 421-4.7.0 or more suspicious entries. To protect our users from spam, mail sent
<<< 421-4.7.0 from your IP address has been temporarily rate limited. Please visit
<<< 421-4.7.0 https://support.google.com/mail/answer/ ... entication for more
<<< 421 4.7.0 information. g2si36242606pfa.278 - gsmtp
... while talking to alt1.gmail-smtp-in.l.google.com.:
by Guest » Wed Jul 27, 2016 8:52 am
I was completely unaware of SPF. Thanks for the tip.
by Guest » Wed Jul 27, 2016 6:15 pm
For your example you could include the Sonic IPs with your 198.199.94.20 like this:
v=spf1 ip4:198.199.94.20 ip4:64.142.111.80 ip4:64.142.111.50 ip4:184.23.168.64/28 -all

Not sure why you have the exists in there. It may not be doing what you intended and may be the reason Google gave you the temporary rate limit. You can check the exists mechanism syntax at http://www.openspf.org/SPF_Record_Syntax, which I pasted below.


The "exists" mechanism

exists:<domain>

Perform an A query on the provided domain. If a result is found, this constitutes a match. It doesn't matter what the lookup result is – it could be 127.0.0.2.

When you use macros with this mechanism, you can perform RBL-style reversed-IP lookups, or set up per-user exceptions.

Examples:

In the following example, the client IP is 1.2.3.4 and the current-domain is example.com.

"v=spf1 exists:example.com -all"
If example.com does not resolve, the result is fail. If it does resolve, this mechanism results in a match.
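An added example, not part of any post in this thread: a small offline evaluator for a subset of SPF (RFC 7208) covering the mechanisms discussed here (`ip4`, `a`, `exists`, `include`, `all`), run over records posted in the thread. The DNS answers in `A` and `TXT` are constructed assumptions, not Sonic's published records, and 203.0.113.9 stands for an unrelated sender.

```python
import ipaddress

# Constructed stand-in for DNS so this runs offline. These answers are
# assumptions for illustration, not Sonic's published records.
A = {"sonic.net": ["192.0.2.10"], "c.mail.sonic.net": ["64.142.111.80"],
     "d.mail.sonic.net": ["64.142.111.50"]}
TXT = {"mail.sonic.net": "v=spf1 ip4:64.142.111.80 -all",
       "spam-proxy.sonic.net": "v=spf1 ip4:192.0.2.25 -all"}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Records as posted in the thread.
RECORDS = {
    "exists":   "v=spf1 ip4:198.199.94.20 exists:sonic.net -all",
    "a":        "v=spf1 a:c.mail.sonic.net a:d.mail.sonic.net ~all",
    "include":  "v=spf1 include:mail.sonic.net -all",
    "explicit": "v=spf1 ip4:137.184.12.104 include:mail.sonic.net include:spam-proxy.sonic.net "
                "ip4:64.142.111.50 ip4:64.142.111.80 ~all",
}

def matches(term, ip, depth):
    name, _, arg = term.partition(":")
    if name == "all":
        return True
    if name == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        return str(ip) in A.get(arg, [])
    if name == "exists":   # any A answer is a match, whoever is connecting
        return bool(A.get(arg))
    if name == "include":  # matches only when the nested record says pass
        if arg not in TXT or depth >= 10:
            raise ValueError(f"permerror: cannot evaluate {term}")
        return check(TXT[arg], str(ip), depth + 1) == "pass"
    raise ValueError(f"permerror: unsupported term {term!r}")

def check(record, client_ip, depth=0):
    """SPF result of `record` for a connecting IPv4 address."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the v=spf1 version tag
        qualifier = term[0] if term[0] in RESULT else "+"
        if matches(term.lstrip("+-~?"), ip, depth):
            return RESULT[qualifier]
    return "neutral"

def results(client_ip):
    return {name: check(rec, client_ip) for name, rec in RECORDS.items()}

if __name__ == "__main__":
    print({ip: results(ip) for ip in ("64.142.111.80", "64.142.111.50", "203.0.113.9")})
```

With these constructed answers, the `exists:sonic.net` record returns pass for the unrelated address as well, because the mechanism matches whenever sonic.net resolves. An `include` only helps for addresses the included record itself lists, which is why an explicit `ip4` term changes the result for 64.142.111.50 here.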
by cyclos » Wed Jul 27, 2016 6:23 pm
I have been experimenting with SPF records this afternoon.

I ended up adding this:

TXT "v=spf1 a:c.mail.sonic.net a:d.mail.sonic.net ~all"

This seemed to put me in Google's good graces. However, if I add many recipients to an email, it still marks me as unauthenticated.
by Guest » Wed Jul 27, 2016 6:27 pm
Or try
"v=spf1 include:mail.sonic.net -all"
by cyclos » Wed Jul 27, 2016 6:46 pm
Guest wrote: Or try
"v=spf1 include:mail.sonic.net -all"
That looks a lot more robust than mine. Thanks.
by neilh » Fri Dec 23, 2016 12:06 pm
Support suggested that I use the following
txt "v=spf1 ip4:<email domain ip> include:mail.sonic.net include:spam-proxy.sonic.net ~all"
which seems to have worked for the last couple of months with no Google rejections.
by neilh » Tue Mar 07, 2023 11:33 am
I've had Google rejecting more emails with

<<< 550-5.7.26 This message does not pass authentication checks (SPF and DKIM both
<<< 550-5.7.26 do not pass). SPF check for [wllw.net] does not pass with ip:
<<< 550-5.7.26 [64.142.111.50].To best protect our users from spam, the message has
<<< 550-5.7.26 been blocked. Please visit
<<< 550-5.7.26 https://support.google.com/mail/answer/ ... entication

This seems to work for me
"v=spf1 ip4:137.184.12.104 include:mail.sonic.net include:spam-proxy.sonic.net ip4:64.142.111.50 ip4:64.142.111.80 ~all"