Just an update. Looks like Apple Mail is broken and does not pass the right DKIM info. I tested Outlook :( and that just shows up correctly.
Remo > On Sep 6, 2019, at 11:30, Remo Mattei <r...@mattei.org> wrote: > > Ok guys question I found this tool > > https://toolbox.googleapps.com/apps/checkmx/check?domain=mattei.org&dkim_selector=DKIM1 > > <https://toolbox.googleapps.com/apps/checkmx/check?domain=mattei.org&dkim_selector=DKIM1> > > Which if I add the DKIM optional as DKIM1 then it does not complain but if I > leave it empty it does and I think that’s what Google is using to check some > of those issues.. What would be the best way to setup this up with going out > with DKIM instead of DKIM just editing the file? > > Thanks > >> On Aug 30, 2019, at 09:18, Eric Broch <ebroch.w...@gmail.com >> <mailto:ebroch.w...@gmail.com>> wrote: >> >> Thanks, Andrew. >> >> I was testing my DKIM record with all my email client interfaces against >> Gmail, all passed except Roundcube sending in text format. Roundcube sending >> in html format passed DKIM check at Gmail. Posted a question about it on the >> Roundcube mailling list and never got back to it. Anyway, strange DKIM >> reject. >> >> Eric >> >> On Fri, Aug 30, 2019 at 10:12 AM Andrew Swartz <awswa...@acsalaska.net >> <mailto:awswa...@acsalaska.net>> wrote: >> I send a lot of email to people with gmail accounts. I can testify that >> gmail will send you a daily DMARC report with pass/fail stats for the >> preceeding 24 hours. This was really cool at first. I turned it off >> (i.e. changed the DMARC record) after about 2-3 wks because it quickly >> became an annoyance. >> >> Gmail definitely follows the rules that you specify. If you specify >> "reject", it will reject any email which fails the spf check or where >> the dkim signature does not verify. Mine has been set to "reject" for a >> couple years. But you should leave it set to "none" for a couple weeks >> and read the reports to make darn sure that everything is working properly. >> >> When I was monitoring this, I was surprised that about 5% of emails end >> up with an invalid DKIM signature for unclear reasons. But it is not a >> problem when the receiving servers check the signature during the smtp >> transaction and reject the mail, because the sending server will just >> try again and it will go through then. But if the receiving server >> accepts the mail and filters it after the transaction, and the dkim >> signature fails to verify, the mail will likely get a bad rating and go >> to a spam folder. >> >> -Andy >> >> >> On 8/30/2019 7:36 AM, Eric Broch wrote: >> > Hi Chandran, >> > >> > This email landed in my spam folder sorry to say (gmail). >> > >> > Never set up a DMARC record...any tutorials you recommend (anyone)? >> > >> > Eric >> > >> > On Wed, Aug 28, 2019 at 10:16 PM ChandranManikandan <kand...@gmail.com <> >> > <mailto:kand...@gmail.com <>>> wrote: >> > >> > Hi Friends, >> > >> > I have updated SPF and DMARC record into my DNS server after that >> > the email is delivered to inbox instead spam/junk folder. >> > >> > Please try to create SPF and DMARC record in your DNS servers >> > >> > On Wed, Aug 28, 2019 at 11:39 AM ChandranManikandan >> > <kand...@gmail.com <>> wrote: >> > >> > Hi Friends, >> > >> > As per Andrew stats, i have checked all those points in my server. >> > I have installed letsencrypt certificate in past two years >> > without any issue and spf record validated and configured on the >> > DNS server. >> > DKIM also installed on my server well. >> > >> > When users send an email to gmail, some emails are going to >> > inbox and some going to spam with the same my domain. >> > >> > I have no clue to setup the dmarc record in the dns server. >> > >> > Could anyone help me for the process of creating dmarc record. >> > Do i need to create my server or dns server. >> > >> > My domain result for the reputation. >> > >> > MEDIUM REPUTATION >> > >> > Not suspicious. We have not seen any direct references to this >> > email address, but the sender domain is highly reputable, and >> > the email is deliverable. We've observed no malicious or >> > suspicious activity from this address. >> > >> > curl emailrep.io/m...@panasiagroup.net <> >> > >> > { >> > >> > "email": "x...@xxx.net <>", >> > >> > "reputation": "medium", >> > >> > "suspicious": false, >> > >> > "references": 0, >> > >> > "details": { >> > >> > "blacklisted": false, >> > >> > "malicious_activity": false, >> > >> > "malicious_activity_recent": false, >> > >> > "credentials_leaked": false, >> > >> > "credentials_leaked_recent": false, >> > >> > "data_breach": false, >> > >> > "first_seen": "never", >> > >> > "last_seen": "never", >> > >> > "domain_exists": true, >> > >> > "domain_reputation": "high", >> > >> > "new_domain": false, >> > >> > "days_since_domain_creation": 5524, >> > >> > "suspicious_tld": false, >> > >> > "spam": false, >> > >> > "free_provider": false, >> > >> > "disposable": false, >> > >> > "deliverable": true, >> > >> > "accept_all": false, >> > >> > "valid_mx": true, >> > >> > "spoofable": true, >> > >> > "spf_strict": true, >> > >> > "dmarc_enforced": false, >> > >> > "profiles": [] >> > >> > } >> > >> > } >> > >> > >> > Appreciate of all your supporting. >> > >> > >> > On Wed, Aug 28, 2019 at 8:49 AM Andrew Swartz >> > <awswa...@acsalaska.net <>> wrote: >> > >> > This seems an issue mostly with server "suspiciousness", of >> > which >> > reputation is a component. >> > >> > Of the factors effecting suspiciousness, only two are local >> > to the smtp >> > server: >> > 1. DKIM signatures >> > 2. TLS certificates >> > >> > To address these, confirm that both are working properly: >> > 1. DKIM: send an email to a "dkim reflector" and then >> > examine the email >> > you get back. This pages discusses: >> > >> > https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118571-technote-esa-00.html >> > <> >> > >> > 2. Use a proper TLS certificate. By proper, I mean one >> > that verifies. >> > Therefore you need to either purchase one or use "Let's >> > Encrypt". I've >> > been using Lets Encrypt certs for the last year without any >> > problems. >> > Setting up the client is not difficult, and it subsequently >> > auto-renews >> > every 60 days. >> > >> > The remaining factors are outside your server, but just as >> > important: >> > 1. Reverse-DNS yields same result as the domain MX record. >> > This is >> > known as FCRDNS (forward-confirmed reverse DNS). >> > Additionally, that >> > result must not resemble a dynamic IP address (i.e. have the >> > IP address >> > in the domain name). >> > 2. SPF is properly set up. >> > 3. DMARC set up and working properly. >> > 4. Age of the domain name. If created recently, that looks >> > bad. >> > 5. Presence of IP on blacklists. That is not hard to >> > check. If you >> > acquired an IP recently, it's former owner may have earned >> > it a place on >> > a blacklist. Easiest fix for that seems to be to get a >> > different IP. >> > >> > I'm curious to hear what others might add to this. >> > >> > A good place for ideas is to browse through the >> > spamdyke.conf file and >> > think about all of the things it checks. Gmail is certainly >> > using >> > similar data points, but with neural network analysis rather >> > than simple >> > pass/fail rules. >> > >> > For those who have set up a second server to test things, >> > there is a >> > good chance something above is not set up or does not >> > support the new >> > server. Gone are the days when you can bring a new parallel >> > server >> > online and start sending mails immediately. There are lots >> > of "i's" to >> > dot and "t's" to cross before other servers will confidently >> > accept your >> > mail. >> > >> > Another thought: >> > https://emailrep.io/ <> will give you a report about an email >> > ADDRESS's >> > reputation. It is interesting. Here is the result for mine >> > (I replaced >> > my email address for posting): >> > >> > curl emailrep.io/first.l...@example.tld <> >> > { >> > "email": "first.l...@example.tld >> > <mailto:first.l...@example.tld>", >> > "reputation": "low", >> > "suspicious": true, >> > "references": 1, >> > "details": { >> > "blacklisted": false, >> > "malicious_activity": false, >> > "malicious_activity_recent": false, >> > "credentials_leaked": false, >> > "credentials_leaked_recent": false, >> > "data_breach": false, >> > "first_seen": "never", >> > "last_seen": "never", >> > "domain_exists": true, >> > "domain_reputation": "low", >> > "new_domain": false, >> > "days_since_domain_creation": 5654, >> > "suspicious_tld": false, >> > "spam": false, >> > "free_provider": false, >> > "disposable": false, >> > "deliverable": false, >> > "accept_all": false, >> > "valid_mx": true, >> > "spoofable": false, >> > "spf_strict": true, >> > "dmarc_enforced": true, >> > "profiles": [] >> > } >> > } >> > >> > >> > Though my domain and address are over 10 years old and never >> > been >> > blacklisted, the address gets a "low" reputation. I'm quite >> > sure that >> > is because it has determined that my email address cannot >> > accept emails. >> > But it is incorrect. After testing it a few times, I'm >> > fairly >> > confident that it decides that mostly because it tries to >> > connect to my >> > server from smtp25a.kickboxio.net <>, whose IP (72.249.58.154) >> > is blocked >> > by Spamdyke due to being on some blacklist. Therefore it >> > concludes that >> > I'm "risky". Also, they feel the risk is increased because >> > my email has >> > never been seen on social media, in credential breaches, >> > etc. But I >> > feel it is a triumph that I've kept my email address off of >> > places where >> > spammers harvest addresses. >> > >> > Gmail is almost certainly considering all these factor and >> > many more in >> > deciding whether an email is rejected, sent to spam folder, >> > or sent to >> > inbox. That said, my wife uses gmail and we send numerous >> > emails back >> > and forth daily without any problem. >> > >> > It used to be that setting up an smtp server was the hard >> > part of >> > running your own server. But times have changed, and now >> > factors >> > external to your network seem far more complicated and >> > consequential >> > than the server itself. >> > >> > Again, I'm curious to hear other people thoughts. >> > >> > >> > -Andy >> > >> > PS: regarding the question of multiple certs, I do not see >> > how that >> > could work on the toaster. And in general, smtp does not >> > work that way. >> > The cert merely needs to be for the domain name pointed >> > to by the MX >> > record of the destination domain. There is no requirement >> > that the >> > destination domain be the name on the server certificate. >> > Thus numerous >> > virtual domains all have MX records which point to the same >> > server; that >> > server's cert merely needs to be for its own domain name, >> > not those of >> > all its virtual domains. For incoming mail, when connecting >> > to a server >> > and upgrading an smtp connection to a STARTTLS session, I >> > don't think >> > that the STARTTLS command has a way to specify the >> > destination address's >> > domain. That would need to happen for a server to know which >> > certificate to use. For outgoing mail, it is theoretically >> > easy to do, >> > but someone would need to write a qmail patch to implement it. >> > >> > DKIM works differently: each virtual domain has it's own >> > dkim signing >> > key. The toaster supports that, but it must be done >> > manually (i.e. it >> > does not occur when creating domains with vqadmin). Adding >> > that >> > functionality into vqadmin might be a good project for someone. >> > >> > I did not intend for this to be so long. It just happened. >> > >> > >> > >> > >> > >> > >> > >> > >> > On 8/26/2019 11:05 PM, Remo Mattei wrote: >> > > Ok guys.. needs some suggestions.. >> > > I found out that the client (apple Mail) does not honor >> > the DKIM since >> > > gmail said failed. I tested with Outlook and web round >> > cube and that >> > > does pass the email DKIM and the message does not go into >> > the spam >> > > folder in fact. >> > > >> > > Any help will be great.. I also wonder if there is a way >> > to setup >> > > multiple certs for the SMTP (per domain). >> > > >> > > Remo >> > > >> > >> On Aug 26, 2019, at 12:03, Tahnan Al Anas >> > <tah...@gmail.com <> >> > >> <mailto:tah...@gmail.com <>>> wrote: >> > >> >> > >> Basically Gmail put mail in spam folder for >> > various reasons, I have >> > >> found after hosing new domain in my qmail server, I need >> > to check spf, >> > >> dkim dmarc settings, even if all are ok, still gmail >> > sent mail to spam >> > >> folder, I need to check reverse forward record and also >> > need to work >> > >> to improve domain reputation, this is not an issue with >> > qmail server, >> > >> rather it is related with gmail's filtering. You have to >> > work to >> > >> improve server and domain's reputation for that. >> > >> >> > >> Sometime I chat with google to get my other domain's >> > mail in inbox by >> > >> sending them to gsuite account. >> > >> >> > >> >> > >> -- >> > >> -- >> > >> >> > >> Best Regards >> > >> Muhammad Tahnan Al Anas >> > >> >> > >> >> > >> On Mon, Aug 26, 2019 at 11:01 PM Eric Broch >> > <ebroch.w...@gmail.com <> >> > >> <mailto:ebroch.w...@gmail.com <>>> wrote: >> > >> >> > >> Create a google (gmail) account if you don't have >> > one. Send an >> > >> email to that account from the postmaster of the >> > problematic >> > >> domain. Open message, go to three vertical dots to >> > the upper right >> > >> of the interface, find 'show original', there you >> > will see why >> > >> gmail spammed your message. >> > >> >> > >> On Mon, Aug 26, 2019 at 10:51 AM Remo Mattei >> > <r...@mattei.org <> >> > >> <mailto:r...@mattei.org <>>> wrote: >> > >> >> > >> I just tested and I built a new qmail box >> > >> >> > >> >> > >> qmail-1.03-3.1.qt.el7.x86_64 >> > >> >> > >> The other two boxes >> > >> With >> > >> qmail-1.03-3.1.qt.el7.x86_64 >> > >> qmail-1.03-3.1.qt.el7.x86_64 >> > >> >> > >> So when sending from the new env which does not >> > have any load >> > >> no production etc.. the gmail gets the message >> > in the inbox >> > >> from the other two I get the msg on the spam >> > folder.. I >> > >> wonder.. how is Google…. Check the messages.. >> > The new box I >> > >> have even a domain called testdomain.com <> >> > >> <http://testdomain.com/ <>> which it’s bogus!! But >> > still in the >> > >> inbox. >> > >> >> > >> Any tips? >> > >> >> > >> Thanks >> > >> >> > >>> On Aug 25, 2019, at 21:10, ChandranManikandan >> > >>> <kand...@gmail.com <> <mailto:kand...@gmail.com >> > <>>> >> > wrote: >> > >>> >> > >>> Hi Folks, >> > >>> >> > >>> Emails are delivering to the spam or junk >> > folder when users >> > >>> send to the recipients. >> > >>> Mostly it's all public domain like gmail,yahoo >> > etc.. >> > >>> How to fix this issue in our server. >> > >>> Am using Centos 6 32 bit with qmailtoaster. >> > >>> Could anyone help me. >> > >>> >> > >>> -- >> > >>> */Regards, >> > >>> Manikandan.C >> > >>> /* >> > >> >> > > >> > >> > >> > --------------------------------------------------------------------- >> > To unsubscribe, e-mail: >> > qmailtoaster-list-unsubscr...@qmailtoaster.com <> >> > For additional commands, e-mail: >> > qmailtoaster-list-h...@qmailtoaster.com <> >> > >> > >> > >> > -- >> > */Regards, >> > Manikandan.C >> > /* >> > >> > >> > >> > -- >> > */Regards, >> > Manikandan.C >> > /* >> > >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com <> >> For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com <> >> >