SPF & DKIM best setup

Hi, OK, here I am in isolation due to having COVID-19; feeling OK, very mild symptoms so far.

As such I have some time on my hands to work on server config, specifically email server setup.

Recently I had an issue sending mail. It seems I blocked myself with CSF, but underlying this was the fact that I was on 3 blacklists: 2 were related to mail server trust, the other was with:

urbl.hostedemail.com; "Your IP has been manually blacklisted"

The first 2 were easy to request removal from, but as an automated trust test I need to ensure the mail server is set up well.

urbl.hostedemail.com is another kettle of fish, and not the first time I have had issues with this one. It is hard to find a method for removal, but in the past I did get the IP removed, only to be manually blacklisted again. This time I went via hover.com mail support, as I have an account there and I believe they are owned by OpenSRS, who own hostedemail.com. Also successfully removed.

So after trying all the mail server testing sites I came up with the following needing attention:

SPF
DKIM/DMARC
HELO response

First some background on my setup:

cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
176.9.39.21 server.lislehost.com server

This was the domain used when setting server up.

The domain lislehost.com was added to the admin account and nameservers set up as:

ns1.lislehost.com
ns2.lislehost.com

When adding an email domain the mail server hostname is shown as

mail.domain.tld (the domain the email is for, i.e. mail.lislehost.com)

All good so far.

An MX check at mxtoolbox.com for mail.lislehost.com showed:

DNS Record Published DNS Record not found
DMARC Policy Not Enabled DMARC Quarantine/Reject policy not enabled
DMARC Record Published DMARC Record found

I have both SPF and DKIM enabled for mail.lislehost.com.

DNS entries:

"v=spf1 a mx ip4:176.9.39.21 ~all"
"v=DMARC1; p=none"

After some checking I edited the DNS entry _dmarc to:

"v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]; adkim=r; aspf=r; rf=afrf"

Reran the test.

The policy-not-found issue is now cured; still left with this issue:

DNS Record Published DNS Record not found

Checking DNS, I have both:

@ MX 10 60 mail.lislehost.com.
mail A 60 176.9.39.21

So I did a test at dkimvalidator.com.

The report contained:

Received: from server.lislehost.com (mail.lislehost.com [176.9.39.21])

SPF

Helo Address = server.lislehost.com
From Address = [email protected]
From IP = 176.9.39.21

I was also getting a high SpamAssassin score, usually around 1 and for some domains up to 1.5.

Looking at this, I thought the HELO address should be mail.lislehost.com regardless of the From address.

So after research I found /etc/exim4/mailhelo.conf:

server.lislehost.com:server.lislehost.com - left this as-is

lislehost.com:server.lislehost.com
was changed to
lislehost.com:mail.lislehost.com

New report from dkimvalidator.com:

Received: from mail.lislehost.com (mail.lislehost.com [176.9.39.21])

DKIM = pass

SPF = pass
Helo Address = mail.lislehost.com
From Address = [email protected]
From IP = 176.9.39.21

SpamAssassin Score: -0.098
Message is NOT marked as spam
Points breakdown:
0.0 URIBL_BLOCKED
0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature

Looking better.

Now a check on Mimecast:

SPF results for domain: mail.lislehost.con

We could not find a SPF record

I take this to be the same as mxtoolbox:

DNS Record Published DNS Record not found

Really not sure why I am still getting this?

So now I have both of the following looking OK:

DKIM/DMARC
HELO response

I still have the SPF DNS entry issue, plus the fact that I need to go through every domain's DNS to amend the DMARC entry to add a policy, and edit /etc/exim4/mailhelo.conf so every domain shows the correct HELO response of:

mail.domain.tld
and not
server.domain.tld (hostname)

So in /etc/exim4/mailhelo.conf it will change from

domain.tld:server.lislehost.com (hostname)
to
domain.tld:mail.domain.tld

Note: I need to disable DKIM and save, then re-enable it after editing the /etc/exim4/mailhelo.conf entry, for it to be seen by dkimvalidator.com.

Now, not being a proper system admin, I may have missed something, especially relating to the host/domain details:

host server.lislehost.com vs domain lislehost.com

But with checks on SMTP becoming tighter, having correct DKIM/SPF/HELO responses is becoming very important; you can get blocked even if you are not sending spam.

Is it possible for HestiaCP to have the choice to add a basic DKIM policy to DNS and have the correct HELO response for each domain?

Bit of a long post, but nothing else to do; now to go through all my email domains on the server.

Thanks

Noticed that some domains have a DKIM DNS entry of

"v=DMARC1; p=quarantine; pct=100"

I wonder if the inconsistencies are left over from importing from VestaCP?
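The SPF and DMARC lookups the checkers above run can be reproduced offline. The following is an added example, not code from this thread, from HestiaCP or from any of the testing sites named; ZONE copies the records quoted for lislehost.com and 176.9.39.21, while the rua= address, the *.example names and the stub lookup() resolver are constructed so it runs without network access.

```python
"""SPF and DMARC checks run against a constructed in-memory DNS table.

Added example: not code from the forum thread, HestiaCP, or the checkers
named in it. ZONE copies the records the thread quotes for lislehost.com
and 176.9.39.21; the rua= address and the *.example names are constructed,
and lookup() is a stub so the example runs offline.
"""
import ipaddress

ZONE = {
    ("lislehost.com", "TXT"): ["v=spf1 a mx ip4:176.9.39.21 ~all"],
    ("lislehost.com", "A"): ["176.9.39.21"],
    ("lislehost.com", "MX"): ["mail.lislehost.com"],
    ("mail.lislehost.com", "A"): ["176.9.39.21"],
    ("_dmarc.lislehost.com", "TXT"): [
        "v=DMARC1; p=quarantine; rua=mailto:reports@example.com; adkim=r; aspf=r; rf=afrf"
    ],
    # nothing under mail.lislehost.com publishes SPF or DMARC: that is why a
    # checker asked about that name, rather than lislehost.com, says "not found"
    ("dup.example", "TXT"): ["v=spf1 -all", "v=spf1 +all"],  # two SPF records
    ("bad.example", "TXT"): ["v=spf1 ip4:not-an-address -all"],
}

def lookup(name, rtype):
    """Stub resolver over ZONE (a real one would query DNS)."""
    return ZONE.get((name.lower().rstrip("."), rtype), [])

def spf_record(domain):
    """The single v=spf1 TXT record: its text, None if absent, or
    "permerror" if more than one is published (RFC 7208 s3.2)."""
    recs = [t for t in lookup(domain, "TXT") if t.lower().split()[:1] == ["v=spf1"]]
    if not recs:
        return None
    return recs[0] if len(recs) == 1 else "permerror"

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, ip, depth=0):
    """check_host(): pass/fail/softfail/neutral/none/permerror for mail
    sent from ip as domain. Covers a, mx, ip4, ip6, include and all;
    modifiers are skipped, unknown mechanisms are a permerror."""
    if depth > 10:                       # RFC 7208 s4.6.4 lookup limit
        return "permerror"
    rec = spf_record(domain)
    if rec is None or rec == "permerror":
        return rec or "none"
    addr = ipaddress.ip_address(ip)
    for term in rec.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if "=" in mech:                  # redirect=, exp= ... not evaluated
            continue
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "a":
            matched = str(addr) in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(str(addr) in lookup(mx, "A")
                          for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            matched = spf_check(arg, ip, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIER[qual]
    return "neutral"                     # nothing matched, s4.7

def parse_dmarc(txt):
    """Tags of a DMARC TXT record, or None unless it carries v=DMARC1."""
    tags = {}
    for part in txt.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip()
    return tags if tags.get("v") == "DMARC1" else None

def dmarc_policy(domain):
    """Policy discovery (RFC 7489 s6.6.3): _dmarc.<domain>, then
    _dmarc.<org domain>; org domain approximated as the last two labels."""
    domain = domain.lower().rstrip(".")
    org = ".".join(domain.split(".")[-2:])
    for name in dict.fromkeys([domain, org]):
        for txt in lookup("_dmarc." + name, "TXT"):
            tags = parse_dmarc(txt)
            if tags:
                return tags
    return None

def audit(domain, ip):
    """Findings a checker would print for mail from ip as <domain>."""
    out = [f"SPF {domain} from {ip}: {spf_check(domain, ip)}"]
    pol = dmarc_policy(domain)
    if pol is None:
        out.append("DMARC: no record")
    else:
        enforced = pol.get("p") in ("quarantine", "reject")
        out.append(f"DMARC: p={pol.get('p', 'none')}" +
                   ("" if enforced else " (monitoring only)"))
    return out
```

Running `audit("mail.lislehost.com", "176.9.39.21")` gives SPF "none" but DMARC p=quarantine: SPF is looked up only at the exact name asked about, while DMARC falls back to the organisational domain. That is the same asymmetry behind the SPF_HELO_NONE line in the SpamAssassin breakdown, which runs the SPF check on the HELO name (mail.lislehost.com) rather than on the From domain.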

What do you have set for rDNS/PTR? It should match your outbound IP DNS.
Haven’t delved deeply into Hestia but you may be able to add some of those TXT records to a default vhost template.

In WHM/cPanel and CWP, I manually add in the relevant TXT records for each user account domain, when setting up their account. A bit of a pain but you get used to the process.

It is a never ending saga to run your own email server, with changing goalposts and conflicting advice on what the rDNS should actually be - hostname or domainname (I use the former).
The alternative is to use an external mail provider, such as mxroute - though I haven’t found time/energy to set one up, yet.

(Don’t confuse DKIM/_DMARC :wink: One is semi-automated, the other manually adjusted. _DMARC of “v=DMARC1; p=none” used to be sufficient but things are becoming silly lately.)


Thanks for the reply,

rDNS/PTR for primary server IP set to mail.lislehost.com

Really don't want to use an external mail provider; additional work and cost.

Changing goalposts are a real pain; just when you think you have a handle on it, it all changes and you have to wade through conflicting information and try to work out what the right method is.

Thanks for the info on DKIM/_DMARC; I really think Hestia should be adding an up-to-date entry in DNS when enabling DKIM, and a better mailhelo.conf entry too.

Thanks

Looking at this setup info, it looks like cPanel has much better Exim configuration options in relation to these issues:

https://www.knownhost.com/wiki/email/troubleshooting/mailserver-configuration

Certainly mxtoolbox/intodns is reporting as I’d expect, though you really shouldn’t have your two nameservers pointing to the same IP. Look to setting up a further nameserver only VPS, or a slave nameserver, such as from ClouDNS/BuddyNS.

Just check that you have…
_DMARC.mail.lislehost.com TXT "v=DMARC1; p=none"
mail.lislehost.com TXT "v=spf1 a mx ip4:176.9.39.21 ~all"
lislehost.com MX 10 mail.lislehost.com
default._domainkey.mail.lislehost.com TXT "v=DKIM…"


Thanks for the reply,

Before I move forward I need some clarification on the host/domain mail server.

So the server was set up with host

server.mydomain1.com

this has its own settings in HestiaCP web/mail/dns

I also added mydomain1.com in HestiaCP;
this has its own settings in HestiaCP web/mail/dns

So now I have two separate entries for the same domain:

server.mydomain1.com
mydomain1.com

both with separate mail/DNS/web settings; there seems a possibility of conflict, especially with my tinkering.

Previous to my tinkering the mail server would report back as

server.mydomain1.com

I did edit the DNS MX for server.mydomain1.com from

mx = server.mydomain1.com
to
mx = mail.mydomain1.com

This of course sets up a conflict with the mydomain1.com DNS settings, which also have

mail.mydomain1.com

So now i have the same mx setting twice?

Possibly I need to revert the server.mydomain1.com MX back to server.mydomain1.com and just edit mailhelo.conf so it reports back as mail.mydomain1.com.

I am definitely a bit confused as to the DNS settings for the mail server, but I do know I want each domain's MX to report back as mail.domain.com.

Any thoughts? Have I tied myself up in a knot?

Thanks

Yup!
If you revert to server. then you’ll also need to ask Hetzner to change the PTR (unless able to do so in their hosting panel).
One is a TLD, the other a sub-domain (the host); bear that in mind. In fact many control panels don’t allow the same TLD to be used for a vhost. Understandable, given the confusion it can cause but a pain, if you do know what you’re doing.
Multi domains can point to the same mail server via MX record - the essence of many shared hosting setups. That is not an issue.


I can change the PTR myself, and have changed it back to

server.mydomain1.com

Edited the MX DNS for server.mydomain1.com to
server.mydomain1.com

Edited mailhelo.conf:
server.mydomain1.com:mail.mydomain1.com

As to the DNS entries for server.mydomain1.com:

mail._domainkey TXT "v=DKIM1; k=rsa; p=mykeyhere"
_dmarc TXT "v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; adkim=r; aspf=r; rf=afrf"
@ MX server.lislehost.com.
@ TXT "v=spf1 a mx ip4:176.9.39.21 ~all"

Thanks for the help

After making the changes, results from dkimvalidator.com sending email from [email protected] all look good.

I signed up for a trial account at ondmarc.com; it passes the checks, though:

The EHLO domain does not match the [PTR record] of A Record of the EHLO domain in both directions.
mail.domain1.com - server.domain1.com
(primary server IP)

mxtoolbox still reports:
DNS Record Published DNS Record not found
Possibly this will change, as the PTR record may have to work its way across the net.

So all looking better, with good trust levels for domains now being reported :slight_smile:
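The ondmarc message above (EHLO name not matching the PTR "in both directions") and the per-domain mailhelo.conf edits from the first post are the same check seen from two sides: forward-confirmed reverse DNS on whatever name Exim announces. The example below is added here and is not code from the thread, from HestiaCP or from Exim. Its DNS tables, MAILHELO_CONF text and SERVER_IP are constructed (names follow the thread's mydomain1.com setup, addresses are documentation ranges) so it runs offline; for a live run the two dicts would be replaced with socket.gethostbyname_ex()/gethostbyaddr() or dnspython queries.

```python
"""HELO name vs PTR consistency (forward-confirmed reverse DNS) for the
names listed in Exim's mailhelo.conf.

Added example, not code from the thread, from HestiaCP or from Exim. The
DNS tables, MAILHELO_CONF and SERVER_IP are constructed (names follow the
thread's mydomain1.com setup, addresses are documentation ranges) so the
check runs offline.
"""
SERVER_IP = "198.51.100.10"   # constructed; stands in for the server's outbound IP

# Forward records: every hosted domain's mail.* name points at the server.
A_RECORDS = {
    "mail.mydomain1.com": ["198.51.100.10"],
    "server.mydomain1.com": ["198.51.100.10"],
    "mail.mydomain2.com": ["198.51.100.10"],
    "mx.example.net": ["203.0.113.5"],
}
# Reverse records: one PTR per address, set at the hosting provider. The
# PTR still names server.mydomain1.com, the mismatch the ondmarc report shows.
PTR_RECORDS = {
    "198.51.100.10": ["server.mydomain1.com"],
    "203.0.113.5": ["mx.example.net"],
}

MAILHELO_CONF = """\
# sending domain : HELO name to announce (mailhelo.conf format)
server.mydomain1.com:mail.mydomain1.com
mydomain1.com:mail.mydomain1.com
mydomain2.com:mail.mydomain2.com
"""

def parse_mailhelo(text):
    """{sending_domain: helo_name} from mailhelo.conf text; comments and
    blank lines are skipped, anything without 'domain:helo' is rejected."""
    out = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        domain, sep, helo = line.partition(":")
        if not sep or not domain.strip() or not helo.strip():
            raise ValueError(f"malformed mailhelo.conf line: {raw!r}")
        out[domain.strip().lower()] = helo.strip().lower().rstrip(".")
    return out

def fcrdns_problems(helo, ip):
    """Problems a receiver doing FCrDNS would find for HELO `helo` from `ip`.
    An empty list means helo -> ip and ip -> name -> ip all agree."""
    problems = []
    if ip not in A_RECORDS.get(helo, []):
        problems.append(f"{helo} has no A record for {ip}")
    ptrs = PTR_RECORDS.get(ip, [])
    if not ptrs:
        problems.append(f"{ip} has no PTR record")
    elif helo not in ptrs:
        problems.append(f"PTR of {ip} is {', '.join(ptrs)}, not {helo}")
    # the reverse name must itself resolve back, or the PTR is worthless
    for name in ptrs:
        if ip not in A_RECORDS.get(name, []):
            problems.append(f"PTR name {name} does not resolve back to {ip}")
    return problems

def check_conf(text, ip):
    """Run the check for every distinct HELO name the server may announce."""
    helos = sorted(set(parse_mailhelo(text).values()))
    return {helo: fcrdns_problems(helo, ip) for helo in helos}

def consistent_helo(ip):
    """The one name that passes in both directions for ip, or None. An
    address normally carries a single PTR, so only one HELO name can ever
    be fully consistent, whichever domain the mail is sent for."""
    for name in PTR_RECORDS.get(ip, []):
        if ip in A_RECORDS.get(name, []):
            return name
    return None

if __name__ == "__main__":
    for helo, problems in check_conf(MAILHELO_CONF, SERVER_IP).items():
        print(helo, "OK" if not problems else "; ".join(problems))
    print("consistent HELO for", SERVER_IP, "is", consistent_helo(SERVER_IP))
```

With these constructed records both mail.* names fail the reverse leg while server.mydomain1.com passes, which is what consistent_helo() reports: because an IP has one PTR, a mail.domain.tld HELO per hosted domain cannot all be forward-confirmed at once, and receivers that score on FCrDNS will see the mismatch for every domain but the one the PTR names.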

You still have a number of issues to sort out:
http://leafdns.com/index.cgi?testid=76009B6B
http://leafdns.com/index.cgi?testid=EA80068D
Looks like you don’t have an A record for mail.
Suggest you use OpenDNS for your server resolver and then you can refresh the cache quicker.

BTW, this forum has a Thanks button. :wink:


Can't see the thanks button; trust me, if I could I would click it a hundred times. Do you mean the heart-shaped button?

I was thinking about using OpenDNS, but it is working through how to get it set up without messing things up.

As far as I can see I have an A record for mail?

I assume that’s the records for your TLD.
I can ping mail.xx.xx so that’s fine.
You have your NS records a bit mixed up:
http://leafdns.com/index.cgi?testid=76009B6B


I was going through the issues your post highlighted; mainly I needed to correct the NS mismatch, which I have done, and all looks OK now, including the mail record.

http://leafdns.com/index.cgi?testid=CDB478AE

Looking at Hetzner, there is the option to use them for a secondary NS:
https://docs.hetzner.com/robot/domain-registration-robot/getting-started/

but dns is a bit of a mind f*$k

Thanks for the help

I actually said as the resolver (/etc/resolv.conf) not as your DNS provider but not to worry.

Yay! Once you raise the TTL, you’ll get 100% on the TLD. :slight_smile: A good starting point.

I have previously played with that when trying to get a local DNS cache working to help with SpamAssassin RBL requests, but no joy there :frowning:

cat /etc/resolv.conf

# Hetzner Online GmbH installimage
# nameserver config
search server.lislehost.com
nameserver 127.0.0.1
#nameserver 1.1.1.1
#nameserver 1.0.0.1
nameserver 213.133.100.100
nameserver 213.133.98.98
nameserver 213.133.99.99
nameserver 2a01:4f8:0:1::add:1010
nameserver 2a01:4f8:0:1::add:9999
nameserver 2a01:4f8:0:1::add:9898

Don’t worry yourself with the resolver, you’ll just have to put up with the current propagation rates, that’s all.
