Re: ot: SPF/DKIM woes
On Sat, Sep 17, 2022 at 10:39:46AM -0400, Viktor Dukhovni wrote:

> If this domain was in fact served by netregistry.net, that could well
> have been the problem. There is an ongoing over 24-hour DNS outage at
> netregistry.net (where, e.g., they seem to be dropping all DNS queries
> from most Google DNS resolvers).
>
> https://status.webcentral.au/
>
> So any domains (mostly Australian) served by netregistry.net (directly,
> or indirectly, when e.g. the A records of nameservers for a domain are
> in turn served by netregistry, ...) fail to resolve from Google's
> perspective.

DNS service at netregistry.net is gradually returning to normal. The
majority of locations (though not yet all) where queries were previously
failing now appear to be working.

--
Viktor.
Re: ot: SPF/DKIM woes
On Sat, Sep 17, 2022 at 01:46:10PM +0200, Benny Pedersen wrote:

> li...@sbt.net.au skrev den 2022-09-17 09:12:
>
> > I have mail server on geko.sbt.net.au serving sbt.net.au as well as
> > several other TLD domains,
>
> https://dmarcian.com/spf-survey/?domain=geko.sbt.net.au
>
> there is no spf there, dmarc will not pass on missing subdomains, spf will
> be none

The logfile message showed that the envelope sender domain was sbt.net.au,
not geko.sbt.net.au. That is just the name of the server sending the email.
So there is no reason to expect an SPF record for it. The expectation is
that the SPF record for sbt.net.au contain the IP address of
geko.sbt.net.au, which it does.

> avoid unneeded google includes in spf

Maybe that's needed when sending emails from gmail. Either way, it
shouldn't have any bearing on the problem. Unless I'm missing something.

cheers,
raf
Re: ot: SPF/DKIM woes
On Sat, Sep 17, 2022 at 11:54:57AM +0200, Matus UHLAR - fantomas wrote:

> On 17.09.22 17:12, li...@sbt.net.au wrote:
> > I have mail server on geko.sbt.net.au serving sbt.net.au as well as
> > several other TLD domains,
> > a while back using help from this list, some write ups and mxtoolbox as
> > means of verifying/testing I've set SPF/DKIM/DMARC (or so I thought...)
> >
> > as it seemed to pass all test I was able to run, I assumed it was set up
> > correctly, just now, noticed I get rejected from my own gmail address with
> > SPF/DKIM (1) (it was working OK in the past)
> >
> > checking with mxtoolbox:
> >
> > I get NO SPF for geko.sbt.net.au, I do get SPF for sbt.net.au
> > do I need SPF record for both mail host as well as domain ?
>
> you only need SPF for geko.sbt.net.au if you want to stop other servers from
> impersonating geko.sbt.net.au (sending it in EHLO/HELO), or if you send
> mail from geko.sbt.net.au.
>
> > what else am I missing or stuffed up ?
>
> > (1)
> > Sep 16 13:04:55 geko postfix/smtp[2651]: BC9EB200534: to=,
> > relay=gmail-smtp-in.l.google.com[172.217.194.26]:25, delay=11,
> > delays=0.01/0.04/2/8.8, dsn=5.7.26, status=bounced (host
> > gmail-smtp-in.l.google.com[172.217.194.26] said: 550-5.7.26 This message
> > does not pass authentication checks (SPF and DKIM both 550-5.7.26 do not
> > pass). SPF check for [sbt.net.au] does not pass with ip: 550-5.7.26
> > [103.106.168.106].To best protect our users from spam, the message
> > 550-5.7.26 has been blocked. Please visit 550-5.7.26
> > https://support.google.com/mail/answer/81126#authentication for more 550
> > 5.7.26 information. p2-20020a170902e74200b00176a0d8780csi2398305plf.285 -
> > gsmtp (in reply to end of DATA command))
>
> your domain is registered to ns1.netregistry.net. nameservers:
>
> Name Server: NS1.NETREGISTRY.NET
> Name Server: NS2.NETREGISTRY.NET
> Name Server: NS3.NETREGISTRY.NET
>
> however, NS records say otherwise:
>
> sbt.net.au. 3600 IN NS ns1.yourdnshost.net.
> sbt.net.au. 3600 IN NS ns2.yourdnshost.net.
> sbt.net.au. 3600 IN NS ns3.yourdnshost.net.
>
> these servers have the same IP addresses, but such discrepancy can cause you
> troubles.
>
> currently 8.8.8.8 (and 1.1.1.1) fail to return response for your domain:
>
> % dig mx sbt.net.au @8.8.8.8
>
> ; <<>> DiG 9.16.27-Debian <<>> mx sbt.net.au @8.8.8.8
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21196
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> also, your nameservers fail to return answer for type ANY:
>
> % dig any geko.sbt.net.au @ns1.yourdnshost.net.
> ;; Connection to 203.209.194.250#53(203.209.194.250) for geko.sbt.net.au
> failed: timed out.
> ;; Connection to 203.209.194.250#53(203.209.194.250) for geko.sbt.net.au
> failed: timed out.
>
> this may or may not cause issues with google DNS.
> however, it indicates something broken with your DNS.
> google is apparently one of those having problems.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> I drive way too fast to worry about cholesterol.

That's weird. I can see lots of DNS records for sbt.net.au:

> host sbt.net.au
sbt.net.au has address 103.106.168.106
sbt.net.au mail is handled by 10 geko.sbt.net.au.

> host -t txt sbt.net.au
sbt.net.au descriptive text "v=spf1 ip4:103.106.168.106 ip4:103.106.168.105 ip4:125.168.124.3 include:_spf.google.com ~all"

> host -t any sbt.net.au
sbt.net.au mail is handled by 10 geko.sbt.net.au.
sbt.net.au has address 103.106.168.106
sbt.net.au descriptive text "v=spf1 ip4:103.106.168.106 ip4:103.106.168.105 ip4:125.168.124.3 include:_spf.google.com ~all"

cheers,
raf
Re: ot: SPF/DKIM woes
It has been my experience that it is beneficial to include SPF and DMARC
records for the mail server's hostname along with the domain name.

Domain example.com with mail server mail.example.com:

    @           IN TXT  "v=spf1 a mx -all"
    mail        IN TXT  "v=spf1 include:example.com -all"
    _dmarc      IN TXT  "v=DMARC1; p=reject;"
    _dmarc.mail IN TXT  "v=DMARC1; p=reject;"

My memory is fuzzy on the exact situation that caused it, and while rare,
I've seen the server try to send out mail using the hostname. I can't
remember if it was a bounce notice or something generated by a script,
etc. Doing so has no downside.

Since I'm here, another SPF tip someone might find interesting, which I
have never seen in any online how-to's. If you have many IP's you want to
include in your SPF record, instead of trying to cram them all into the
text record like:

    @ IN TXT "v=spf1 ip4:192.168.0.1 ip4:192.168.0.2 ip4:192.168.0.3 ip6:2001:db8:85a3:8d3:1319:8a2e:370:7348 ... mx -all"

You can set up a subdomain for all of the IP's like this:

    @   IN TXT  "v=spf1 a:spf.example.com mx -all"
    spf IN A    192.168.0.1
    spf IN A    192.168.0.2
    spf IN A    192.168.0.3
    spf IN AAAA 2001:db8:85a3:8d3:1319:8a2e:370:7348
    spf IN AAAA 2001:db8:85a3:8d3:1319:8a2e:370:7350
    spf IN AAAA 2001:db8:85a3:8d3:1319:8a2e:370:7352
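As an added example (not code from any poster in this thread): a small offline SPF evaluator in Python that walks a record the way a receiving MTA does, covering the ip4:/include:/~all terms of the sbt.net.au record raf quoted earlier in the thread and the a:spf.example.com layout from this post, and also showing that a host with no record (geko.sbt.net.au) yields "none" rather than a failure. The DNS table is constructed for the demo; the _spf.google.com, example.com and spf.example.com entries are hypothetical placeholders, not live data.

```python
import ipaddress

# Constructed stand-in for live DNS (hypothetical values for example.com and
# _spf.google.com; the sbt.net.au TXT is the record quoted in the thread).
DNS = {
    ("sbt.net.au", "TXT"): ["v=spf1 ip4:103.106.168.106 ip4:103.106.168.105 "
                            "ip4:125.168.124.3 include:_spf.google.com ~all"],
    ("_spf.google.com", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],
    ("example.com", "TXT"): ["v=spf1 a:spf.example.com mx -all"],
    ("spf.example.com", "A"): ["192.168.0.1", "192.168.0.2", "192.168.0.3"],
    ("spf.example.com", "AAAA"): ["2001:db8:85a3:8d3:1319:8a2e:370:7348"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.25"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])

def host_matches(ip, name):
    # True if any A (or AAAA, for a v6 client) record of `name` is the client IP.
    rtype = "AAAA" if ip.version == 6 else "A"
    return any(ipaddress.ip_address(a) == ip for a in lookup(name, rtype))

def check_spf(client_ip, domain, depth=0):
    """SPF result (pass/fail/softfail/neutral/none/permerror) for client_ip."""
    ip = ipaddress.ip_address(client_ip)
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1 ")]
    if not records:
        return "none"            # the geko.sbt.net.au case: no record, no result
    if len(records) > 1 or depth > 10:
        return "permerror"       # RFC 7208: one record only, include depth bounded
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)  # False across v4/v6
        elif mech == "a":
            matched = host_matches(ip, arg or domain)
        elif mech == "mx":
            matched = any(host_matches(ip, mx) for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            matched = check_spf(client_ip, arg, depth + 1) == "pass"
        else:
            continue             # modifiers (redirect=, exp=), ptr and exists not handled
        if matched:
            return QUALIFIERS[qual]
    return "neutral"             # fell off the end of the record
```

Swap the DNS table for real lookups (e.g. dnspython) to turn this into a quick check of why a given sending IP passes or fails for an envelope domain.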
Re: ot: SPF/DKIM woes
On Sat, Sep 17, 2022 at 11:54:57AM +0200, Matus UHLAR - fantomas wrote:

> your domain is registered to ns1.netregistry.net. nameservers:
>
> Name Server: NS1.NETREGISTRY.NET
> Name Server: NS2.NETREGISTRY.NET
> Name Server: NS3.NETREGISTRY.NET
>
> however, NS records say otherwise:
>
> sbt.net.au. 3600 IN NS ns1.yourdnshost.net.
> sbt.net.au. 3600 IN NS ns2.yourdnshost.net.
> sbt.net.au. 3600 IN NS ns3.yourdnshost.net.
>
> these servers have the same IP addresses, but such discrepancy can cause you
> troubles.

1. Google DNS is *parent-centric*. What matters are the NS records
published by .net.au, presently (perhaps changed recently):

    sbt.net.au. NS ns1.partnerconsole.net.
    sbt.net.au. NS ns2.partnerconsole.net.
    sbt.net.au. NS ns3.partnerconsole.net.

> currently 8.8.8.8 (and 1.1.1.1) fail to return response for your domain:
>
> % dig mx sbt.net.au @8.8.8.8

If this domain was in fact served by netregistry.net, that could well
have been the problem. There is an ongoing over 24-hour DNS outage at
netregistry.net (where, e.g., they seem to be dropping all DNS queries
from most Google DNS resolvers).

https://status.webcentral.au/

So any domains (mostly Australian) served by netregistry.net (directly,
or indirectly, when e.g. the A records of nameservers for a domain are
in turn served by netregistry, ...) fail to resolve from Google's
perspective.

--
Viktor.
Re: ot: SPF/DKIM woes
On Sat, September 17, 2022 7:54 pm, Matus UHLAR - fantomas wrote:

> your domain is registered to ns1.netregistry.net. nameservers:
>
> Name Server: NS1.NETREGISTRY.NET
> Name Server: NS2.NETREGISTRY.NET
> Name Server: NS3.NETREGISTRY.NET
>
> however, NS records say otherwise:
>
> sbt.net.au. 3600 IN NS ns1.yourdnshost.net.
> sbt.net.au. 3600 IN NS ns2.yourdnshost.net.
> sbt.net.au. 3600 IN NS ns3.yourdnshost.net.
>
> these servers have the same IP addresses, but such discrepancy can cause
> you troubles.
>
> currently 8.8.8.8 (and 1.1.1.1) fail to return response for your domain:
>
> % dig mx sbt.net.au @8.8.8.8

Matus, Benny, Raf,

thanks for helping out, thanks for all suggestions.

the domain registrar told me to use nsX.partnerconsole.net instead of
netregistry/yourdnshost original default, I've now updated and can see some
improvement, I'll retest tomorrow, thanks again

Voytek
Re: ot: SPF/DKIM woes
Matus UHLAR - fantomas skrev den 2022-09-17 11:54:

> % dig any geko.sbt.net.au @ns1.yourdnshost.net.
> ;; Connection to 203.209.194.250#53(203.209.194.250) for geko.sbt.net.au
> failed: timed out.
> ;; Connection to 203.209.194.250#53(203.209.194.250) for geko.sbt.net.au
> failed: timed out.

https://multirbl.valli.org/lookup/geko.sbt.net.au.html
https://multirbl.valli.org/lookup/203.209.194.250.html

oh, dns server on dynamic ip, it's basically unstable so
Re: ot: SPF/DKIM woes
li...@sbt.net.au skrev den 2022-09-17 09:12:

> I have mail server on geko.sbt.net.au serving sbt.net.au as well as
> several other TLD domains,

https://dmarcian.com/spf-survey/?domain=geko.sbt.net.au

there is no spf there, dmarc will not pass on missing subdomains, spf will
be none

avoid unneeded google includes in spf
Re: ot: SPF/DKIM woes
raf skrev den 2022-09-17 11:30:

> "v=spf1 ip4:103.106.168.106 ip4:103.106.168.105 ip4:125.168.124.3
> include:_spf.google.com ~all"

include _spf.google.com is unneeded

https://dmarcian.com/spf-survey/?domain=sbt.net.au

sbt.net.au will pass without, if the ip that sends email to google is listed
in sbt.net.au, was the envelope sender a subdomain of sbt.net.au ?
Re: ot: SPF/DKIM woes
li...@sbt.net.au skrev den 2022-09-17 09:12:

> I get NO SPF for geko.sbt.net.au, I do get SPF for sbt.net.au

you need spf rr per envelope sender domain, and that includes subdomains,
only dmarc doesn't need subdomain dmarc, confused ?, yes but it is imho
very simple, and lastly remember envelope sender does change on nexthop, so
if nexthop tries to avoid this, this maillist is time to leave from then
since it's broken, have you ever seen your own mail address on postfix
maillist as envelope sender, don't use SRS ever, and check postfix maps
don't map it to get this error
Re: ot: SPF/DKIM woes
On 17.09.22 17:12, li...@sbt.net.au wrote:
> I have mail server on geko.sbt.net.au serving sbt.net.au as well as
> several other TLD domains,
> a while back using help from this list, some write ups and mxtoolbox as
> means of verifying/testing I've set SPF/DKIM/DMARC (or so I thought...)
>
> as it seemed to pass all test I was able to run, I assumed it was set up
> correctly, just now, noticed I get rejected from my own gmail address with
> SPF/DKIM (1) (it was working OK in the past)
>
> checking with mxtoolbox:
>
> I get NO SPF for geko.sbt.net.au, I do get SPF for sbt.net.au
> do I need SPF record for both mail host as well as domain ?

you only need SPF for geko.sbt.net.au if you want to stop other servers from
impersonating geko.sbt.net.au (sending it in EHLO/HELO), or if you send
mail from geko.sbt.net.au.

> what else am I missing or stuffed up ?

> (1)
> Sep 16 13:04:55 geko postfix/smtp[2651]: BC9EB200534: to=,
> relay=gmail-smtp-in.l.google.com[172.217.194.26]:25, delay=11,
> delays=0.01/0.04/2/8.8, dsn=5.7.26, status=bounced (host
> gmail-smtp-in.l.google.com[172.217.194.26] said: 550-5.7.26 This message
> does not pass authentication checks (SPF and DKIM both 550-5.7.26 do not
> pass). SPF check for [sbt.net.au] does not pass with ip: 550-5.7.26
> [103.106.168.106].To best protect our users from spam, the message
> 550-5.7.26 has been blocked. Please visit 550-5.7.26
> https://support.google.com/mail/answer/81126#authentication for more 550
> 5.7.26 information. p2-20020a170902e74200b00176a0d8780csi2398305plf.285 -
> gsmtp (in reply to end of DATA command))

your domain is registered to ns1.netregistry.net. nameservers:

Name Server: NS1.NETREGISTRY.NET
Name Server: NS2.NETREGISTRY.NET
Name Server: NS3.NETREGISTRY.NET

however, NS records say otherwise:

sbt.net.au. 3600 IN NS ns1.yourdnshost.net.
sbt.net.au. 3600 IN NS ns2.yourdnshost.net.
sbt.net.au. 3600 IN NS ns3.yourdnshost.net.

these servers have the same IP addresses, but such discrepancy can cause you
troubles.

currently 8.8.8.8 (and 1.1.1.1) fail to return response for your domain:

% dig mx sbt.net.au @8.8.8.8

; <<>> DiG 9.16.27-Debian <<>> mx sbt.net.au @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21196
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

also, your nameservers fail to return answer for type ANY:

% dig any geko.sbt.net.au @ns1.yourdnshost.net.
;; Connection to 203.209.194.250#53(203.209.194.250) for geko.sbt.net.au
failed: timed out.
;; Connection to 203.209.194.250#53(203.209.194.250) for geko.sbt.net.au
failed: timed out.

this may or may not cause issues with google DNS.
however, it indicates something broken with your DNS.
google is apparently one of those having problems.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I drive way too fast to worry about cholesterol.
Re: ot: SPF/DKIM woes
On Sat, Sep 17, 2022 at 05:12:40PM +1000, li...@sbt.net.au wrote:

> I have mail server on geko.sbt.net.au serving sbt.net.au as well as
> several other TLD domains,
> a while back using help from this list, some write ups and mxtoolbox as
> means of verifying/testing I've set SPF/DKIM/DMARC (or so I thought...)
>
> as it seemed to pass all test I was able to run, I assumed it was set up
> correctly, just now, noticed I get rejected from my own gmail address with
> SPF/DKIM (1) (it was working OK in the past)
>
> checking with mxtoolbox:
>
> I get NO SPF for geko.sbt.net.au, I do get SPF for sbt.net.au
>
> what tools/website should I use to test/verify SPF/DKIM/DMARC ?
> do I need SPF record for both mail host as well as domain ?
> what else am I missing or stuffed up ?
>
> thanks for any pointers, hope I'm not too far off topic
>
> Voytek
>
>
> (1)
> Sep 16 13:04:55 geko postfix/smtp[2651]: BC9EB200534: to=,
> relay=gmail-smtp-in.l.google.com[172.217.194.26]:25, delay=11,
> delays=0.01/0.04/2/8.8, dsn=5.7.26, status=bounced (host
> gmail-smtp-in.l.google.com[172.217.194.26] said: 550-5.7.26 This message
> does not pass authentication checks (SPF and DKIM both 550-5.7.26 do not
> pass). SPF check for [sbt.net.au] does not pass with ip: 550-5.7.26
> [103.106.168.106].To best protect our users from spam, the message
> 550-5.7.26 has been blocked. Please visit 550-5.7.26
> https://support.google.com/mail/answer/81126#authentication for more 550
> 5.7.26 information. p2-20020a170902e74200b00176a0d8780csi2398305plf.285 -
> gsmtp (in reply to end of DATA command))

I can't see what's wrong. The IP address of the sending mail server is
103.106.168.106 which is listed in the SPF record for sbt.net.au.

  "v=spf1 ip4:103.106.168.106 ip4:103.106.168.105 ip4:125.168.124.3 include:_spf.google.com ~all"

So unless you added ip4:103.106.168.106 to the SPF record after the
bounce, I can't see what's wrong. Maybe someone else will.

The sending server doesn't require its own SPF record.
That's just for the domain used in the envelope address (sbt.net.au).

There are lots of mail testing sites, e.g.:

  https://mail-tester.com
  https://mailtester.com
  https://www.mailgenius.com
  https://www.mailreach.co/mail-tester-alternative

I've only used the first one.

cheers,
raf
ot: SPF/DKIM woes
I have mail server on geko.sbt.net.au serving sbt.net.au as well as
several other TLD domains,
a while back using help from this list, some write ups and mxtoolbox as
means of verifying/testing I've set SPF/DKIM/DMARC (or so I thought...)

as it seemed to pass all test I was able to run, I assumed it was set up
correctly, just now, noticed I get rejected from my own gmail address with
SPF/DKIM (1) (it was working OK in the past)

checking with mxtoolbox:

I get NO SPF for geko.sbt.net.au, I do get SPF for sbt.net.au

what tools/website should I use to test/verify SPF/DKIM/DMARC ?
do I need SPF record for both mail host as well as domain ?
what else am I missing or stuffed up ?

thanks for any pointers, hope I'm not too far off topic

Voytek


(1)
Sep 16 13:04:55 geko postfix/smtp[2651]: BC9EB200534: to=,
relay=gmail-smtp-in.l.google.com[172.217.194.26]:25, delay=11,
delays=0.01/0.04/2/8.8, dsn=5.7.26, status=bounced (host
gmail-smtp-in.l.google.com[172.217.194.26] said: 550-5.7.26 This message
does not pass authentication checks (SPF and DKIM both 550-5.7.26 do not
pass). SPF check for [sbt.net.au] does not pass with ip: 550-5.7.26
[103.106.168.106].To best protect our users from spam, the message
550-5.7.26 has been blocked. Please visit 550-5.7.26
https://support.google.com/mail/answer/81126#authentication for more 550
5.7.26 information. p2-20020a170902e74200b00176a0d8780csi2398305plf.285 -
gsmtp (in reply to end of DATA command))