When selecting the option to enable DMARC in DNS Options, the entry is added for example.tld, but not mail.example.tld.
Apparently this runs afoul of how some companies want it to be set up. They want the DMARC entry applied to the mail server itself.
The manual fix is simple: Just enable DMARC for the domain, and then copy the entire DMARC entry, inserting .mail between _dmarc and .example.tld, and paste it into the record.
So…
Once you have
_dmarc.example.tld [directives]
copy, edit, and paste the whole line into the record as
_dmarc.mail.example.tld [directives]
I can’t think of a good reason not to do this anyway, however, whenever DMARC is enabled.
DMARC applies to the domain which is sending email, not the mail server.
So if your domain is example.com you’d create a DMARC record at _dmarc.example.com
Virtualmin sets things up correctly.
The only record related to DMARC which relates to the mail server itself is the SPF record which is a whitelist of servers or IPs which are permitted to send mail on behalf of your domain.
Yeah, we know that. But tell it to Microsoft Deliverability Support. They’re the ones who told me I had to add the entry to get off their blacklist. Their bots pick its absence up as a violation of their policies, and their humans are even more stupid than their bots.
It’s kind of ironic that the company that moves half the spam sent in the world makes those demands. They must have balls the size of grapefruits. But arguing with idiots is pointless. I’d rather add the line.
Honestly, this could just be some bullshit they came up with so they could blame me for their own stupidity. That IP never should have been on their list, anyway. But they have to make it seem like you’re some sort of ogre and they’re being compassionate by removing you from a list you never belonged on in the first place.
The server in question has two mail users: myself, and my octogenarian father who wouldn’t know how to send spam if he wanted to. He barely knows how to check his mail, much less send spam.
So fine. If a superfluous DNS entry is what they want to make it right, so be it.
Well they are not the only ones, Mozzila went out with a statement that everyone who didnt mark mx server correctly with dmarc, dkim, spf would get returned. I can see it from their side as well its easy to spoof a email if it isn’t validated. No matter who few users they have on it. But a spf, dmarc and simple ptr is all they want which is pretty much standard for everyone these days. I think apple is worse I have a backup mail for private things there, and not much comes trough and they put the sender on a blacklist for nothing, cant remember the name of the firm they use.
I don’t really see it from their side unless the MX is on a different IP, in which case it would need PTR, SPF, DKIM, and DMARC. I don’t understand what practical benefit there is to adding a second DMARC entry to a mail server on the same IP and domain as the Web server, which already has PTR, SPF, DKIM, and DMARC.
But I decided that pasting a line into the record was easier than arguing with them. And if more providers are going to insist upon it, I’m ahead of the game.
I have a mail account on Apple. I forget what it is offhand because I only use it to log into iCloud, which has it saved. But it’s written down somewhere, I’m sure. I should check whether there’s any mail there… once I remember what the address is.
So your ex domain.ltd is both web and mail in/out for here ? Yeah then your right that dont make any sense. But as I mention google is applying it from august I think because of a idea Mozilla had. Apple with their mail has been doing it for a year now. I got one ip blacklisted because I forgot to put a ptr on in and I got a letter from the German Federal It something about if I did it to help people abuse it or if it was a fault. Nuts. But yeah so im putting ptr on everything these days just to be sure, when they all start and they use different washing companies it isn’t so easy to get off them. But you didnt do anything wrong then no if it was set for the domain. You need to specify a email on the spf for quarantine and if you dont have a real SSL/TLS it is also goodbye according to Mozilla. Openssl is shutting down, none of the big data think they are trustworthy anymore. I got digicert wildcard ev it isn’t exactly so cheap… Soon ill go over to use pigeons
I would love to see some documentation on why you need to have a DMARC record attached to your mail server’s domain.
Frankly this doesn’t make any sense, since DMARC is domain based and simply tells receiving servers what policy should apply to the sending domain, regardless of the server which sends it.
Again, if evidence of an actual standard being rolled out can be provided I’d be interested in reading about it.
It’s not a standard as far as I know, Peter. It’s something Microsoft insisted on in between telling me to join the JMRP and SNDS (which I’ve belonged to for years and have NEVER received a complaint through), and pitches to buy a paid “certification” through Validity Return Path (complete with an obfuscated compensated link that Thunderbird picked up on).
In other words, it’s a scam.
I’ll look through the emails tomorrow. There are hundreds of them that went back and forth between Microsoft and myself. But one of the last ones was kind of eye-opening. They sent me a link to the DMARC test on MX Toolbox. I went there to humor them; but when I plugged in the IP, it returned a fail for DMARC because the “subdomain” mail.example.tld didn’t had a DMARC entry.
So I agree, it makes no sense. But MX Toolbox agrees with Microsoft that it should be there. Personally, I think they’re both wrong. But at least MX Toolbox isn’t trying to shake me down for an expensive and meaningless “certification.”
By the way, the only way I was able to get past the form-letter folks was to block the entire IP range (40.92.0.0/14) that Microsoft uses for Hotmail, Outlook, and the rest of their shitty mail services from all my servers. After a few days, I got a removal request from Microsoft, and I referred them back to the one I’d submitted to their Deliverability Support department. That’s when I started seeing some action.
After I refuted all the other bullshit they threw at me (for example, sending them screenshots of my pristine JMRP and SNDS pages to prove that there had been no complaints against the IP), they told me it was because I didn’t have DMARC on the mail server. I added it, and they removed my IP from their list. And I removed theirs from my list.
In the end, I think they just had to find some way they could blame me so they could say that I’d resolved the problem, and I’d disproved everything else they threw at me. I can’t explain why MX Toolbox also flagged the lack of a DMARC entry on “mail.” as a fail, though. They’re usually pretty accurate.
So how would this work out for domains that don’t have/host their own email servers?
I have one email server that runs zimbra for our community with about 100 accounts.
All the DMARC entries in DNS for the domains hosted on zimbra server are the respective names of the clients domain name.
How would they be able to enter a DMARC pointing to the zimbra email server?
Running a mail server these days isn’t for everyone. We do it, but that’s because we deal with mailing lists, and millions of messages each month. DMARC, DKIM, SPF “oh my!”… You definitely have to invest lots of time into maintaining a good mail server, otherwise those standards along with RBLs will have your mail going nowhere fast.
We deal with the big players like Google, Microsoft, Verizon, and many others… It can be fun at times but generally a real pain in the ass since many of the top players don’t operate on a level playing field… You get on their bad side, and good luck getting mail into their network along with any of the hundreds or thousands of domains under their management (both private and public ones).
So yes, if you aren’t up for dealing with nearly daily challenges and otherwise have better things to do with your time, outsource to someone who makes a living dealing with the insanity.
I still have found no actual evidence to the claim that a DMARC record needs to be setup on the mail server’s hostname. It doesn’t align with the actual purpose of a DMARC record, so anyone claiming this really just doesn’t know what they’re talking about. Bring me evidence that things are changing in this area, and I’ll be happy to re-evaluate.
*** I deal with lots of poorly run IT departments for organizations like law firms, fortune 500 companies, and reputable organizations who simply, sadly don’t have a clue what they’re doing. At least some of their team doesn’t to be fair. ***
I’m certainly no expert on EVERY topic, and open to learning new things when the opportunity presents itself.
All I can tell you is that after I made the entry that Microsoft wanted, I checked the rest of the domains on MX Toolbox, and they all failed DMARC for not having an entry for _demarc.mail.domain.tld. MX Toolbox considers mail.domain.tld to be a “subdomain” of domain.tld and wants it to have DMARC.
Of course, it’s wrong. But that’s beside the point. If Microsoft and other providers are going to use the same flawed logic, should I fly to Redmond to educate them and change their minds? Or should I just add another line of superfluous text to a zone file and not have to deal with them?
So I went through the domains and added the line to each zone file, and they all passed. Problem solved as far as I’m concerned. I’m too old to care about anything more than that.
Running a mail server is easy. I’ve been doing it since 1998. If anything, it’s easier today than it’s ever been, especially with a panel. Everything is automated. Just … Well, just use it. It’s already configured.
The only thing that makes it hard is dealing with idiots.
I’m no genius. But when I wrote my blocklist scripts, even I had the good sense to know that IP addresses aren’t moral beings with immutable souls predestined by divine fiat. They’re just numbers. They change hands. The person who abuses them today is not the person who may own them tomorrow. So my blocklists are self-rehabilitating. If an IP behaves itself for a few days, it’s stricken from the list and given another chance.
So if an idiot like me can figure that out, why can’t Microsoft? Or even worse, Verizon? At least Microsoft responds to tickets. The responses are bullshit, but at least they answer. Verizon doesn’t even do that. If an IP gets on Verizon’s list, it’s there for eternity.
(Actually, there’s one way to get off their list: but I only share that method in private lest it disappear.)
You know who did it well? AOL. When you contacted their postmaster, they actually read your mail. I have one client who sends out thousands of invoices every month; and invariably, a few idiot AOL users would tag them as spam. I’d show the postmaster that the emails were legit invoices, and they’d immediately delist the server. Eventually they whitelisted the domain, and that was the end of my problems with AOL.
On that we agree. Nowadays, companies want to use dumb bots and even dumber humans to run their companies. That’s the hard part of email. Not running the server, and not even filtering the spam. Those things are easy. Dealing with idiots is hard.
Hell, Spamassin with default settings catches about 90 percent of the spam. With minimal skill and a bit of monitoring of what gets through, you can make a few tweaks to local.cf that can boost the catch rate to better than 95 percent. With scripts gathering data from multiple servers and dozens of honeypots and sharing it in real-time, you can get it close to 98 percent.
I get almost no spam anymore – at least not on my own servers.
It’s not that hard to run a mail server. I’ve been doing it for 23 years. But dealing with idiots… that’s hard.
My point of it being “hard” is that yes, the human element and sometimes the way their AI or automated filtering is setup can be silly. Well, not silly in the sense it has a purpose, but because it creates often a lot of false positives along the way which then requires “humans” to deal with… and well… we know what that means… Heh heh
Oh and on the human front, sadly it’s the fact that the wrong tier of agent is often in charge of dealing with us, not the folks who actually could solve the problem – because their not accessible to us.
