DNS + DKIM + SPF

hi,

this is the setup:

on my provider's server control panel I have (for my main domain, the one that will act as nameserver, which I will call “MYdomain” below):

  • ns1 IN A IP
  • ns2 IN A IP

and obviously the other needed records…

then, about Virtualmin:

I have some domains with DNS administration hosted somewhere else BUT I want to administer the nameserver myself, so I set in the provider's control panel that I manage it myself, and now I will wait…

SPF in those domains is

domain.com. IN TXT “v=spf1 +all”

DNS Records

$ttl 38400
domain.com. IN SOA ns1.MYdomain.com. root.hostname.MYdomain.com. (
    1416867554
    10800
    3600
    604800
    38400 )
domain.com. IN A IP
www.domain.com. IN A IP
ftp.domain.com. IN A IP
m.domain.com. IN A IP
localhost.domain.com. IN A 127.0.0.1
domain.com. IN MX 5 mail.domain.com.
domain.com. IN NS ns1.MYdomain.com.
domain.com. IN NS ns2.MYdomain.com.
smtp.domain.com. IN A IP
pop.domain.com. IN A IP
imap.domain.com. IN A IP
mail.domain.com. IN A IP
domain.com. IN TXT "v=spf1 +all"
2014._domainkey.domain.com. IN TXT ( "v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuruY6eByciHDU"
    "zer1HDk6zdEmQCHK/f72iz8lBWoYM9sVnDa2RkXfSuA30hdQe9o//iz1uqkoiHv/FJOE+3F4ml4LZsQ5"
    "xvF1HX6F031nVqL57b7ssse5ox0XgtpbhbKDx8aDbUK+42bMb+u1ksrPcFKgbwIFmT0V6K3VsM5TyUK+"
    "pX82SKU+OyH/M6VyVZJU7X/aeMTj/KZDk4/OFXhYuY0DEHA99H7uv+5mnm1nJ1q+E43zosoZUTiIkIhS"
    "lWEDaBZuxDpOfkicj6NBTJtp9Bg1QNIOlntV6kUp1CK1HKSMDNmlB/zAR1qRAzTp02A1YaWZ/D9Da8CO"
    "9uWobDrEwIDAQAB" )

Our system has detected that this 550-5.7.1 message is likely unsolicited mail. ???
  • one of my domains is receiving that kind of “Undelivered Mail Returned to Sender” from Gmail and didn't do any spamming at all; the user just tried to send himself some test messages from the email address set up in his domain TO his Gmail account.
    Now I’ve set up DKIM. How many days can it take for Gmail to accept the messages again? Is there a cache? A set amount of time?

  • could the problem be related to inet_protocols = all in Postfix, which I have now changed to ipv4 only?
    are there other things to do in order to be safe?

thank you
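An added example, not part of the original post or of Virtualmin: a small offline SPF evaluator and DKIM record parser, useful for seeing what the records posted above actually tell a receiver. The DNS data is a constructed in-memory table (`FAKE_DNS`); only the `v=spf1 +all` record is taken from the post, and `example.net`, `_spf.example.org` and the truncated DKIM key are invented. Note that `+all` means every host on the Internet passes SPF for the domain, which is why `audit_spf` flags it.

```python
import base64
import ipaddress

# Constructed stand-in for DNS so the example runs offline; not a real resolver.
# "domain.com" carries the "v=spf1 +all" record from the post; everything else is
# invented, and the DKIM key is deliberately truncated to its DER header.
FAKE_DNS = {
    ("domain.com", "TXT"): ["v=spf1 +all"],
    ("example.net", "TXT"): ["v=spf1 mx ip4:192.0.2.0/24 include:_spf.example.org -all"],
    ("example.net", "MX"): ["mail.example.net"],          # names only, priorities dropped
    ("mail.example.net", "A"): ["192.0.2.25"],
    ("_spf.example.org", "TXT"): ["v=spf1 ip6:2001:db8::/32 ~all"],
    ("2014._domainkey.example.net", "TXT"):
        ["v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, dns=FAKE_DNS):
    return dns.get((name.lower().rstrip("."), rtype), [])


def spf_record(domain, dns=FAKE_DNS):
    """RFC 7208: a domain has exactly one v=spf1 TXT record, otherwise effectively none."""
    recs = [r for r in lookup(domain, "TXT", dns) if r.lower().split(" ", 1)[0] == "v=spf1"]
    return recs[0] if len(recs) == 1 else None


def addresses_of(name, version, dns=FAKE_DNS):
    return {ipaddress.ip_address(a) for a in lookup(name, "A" if version == 4 else "AAAA", dns)}


def check_host(ip_str, domain, dns=FAKE_DNS, depth=0):
    """Simplified SPF check_host(): the first matching mechanism decides and its
    qualifier is the result. Not implemented: a/mx CIDR suffixes, exists, ptr,
    redirect= and the 10-DNS-lookup limit of the real algorithm."""
    if depth > 10:
        return "permerror"
    record = spf_record(domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(ip_str)
    for term in record.split()[1:]:
        qual = "+"                                  # no qualifier means "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif mech == "a":
            matched = ip in addresses_of(arg or domain, ip.version, dns)
        elif mech == "mx":
            matched = any(ip in addresses_of(mx, ip.version, dns)
                          for mx in lookup(arg or domain, "MX", dns))
        elif mech == "include":
            matched = check_host(ip_str, arg, dns, depth + 1) == "pass"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                                # fell off the end of the record


def audit_spf(domain, dns=FAKE_DNS):
    """Findings a reviewer would raise about a domain's SPF record."""
    record = spf_record(domain, dns)
    if record is None:
        return ["no single v=spf1 TXT record"]
    terms = [t.lower() for t in record.split()[1:]]
    findings = []
    if not terms or terms[-1].lstrip("+-~?") != "all":
        findings.append("record does not end in an 'all' term, so unlisted hosts get 'neutral'")
    if any(t in ("all", "+all") for t in terms):
        findings.append("'+all' makes every host on the Internet pass SPF; use '-all' or '~all'")
    return findings


def parse_dkim_record(txt):
    """Split a DKIM TXT record into tags and sanity-check the published key."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("not a DKIM1 record")
    key = base64.b64decode(tags.get("p", ""), validate=True)
    if not key:
        raise ValueError("empty p= means the selector's key is revoked")
    if key[0] != 0x30:                              # DER SEQUENCE of SubjectPublicKeyInfo
        raise ValueError("p= is not a DER-encoded public key")
    # t=s: the signature's i= domain must equal d= exactly, no subdomains allowed
    tags["strict_domain"] = "s" in tags.get("t", "").split(":")
    return tags


if __name__ == "__main__":
    print("198.51.100.7 as domain.com:", check_host("198.51.100.7", "domain.com"))
    print(audit_spf("domain.com"))
    print(parse_dkim_record(lookup("2014._domainkey.example.net", "TXT")[0]))
```

Against the posted record any random address gets `pass`, so the record tells Gmail nothing about who is allowed to send; a record ending in `-all` (or `~all` while rolling out) plus a valid DKIM signature is what receivers actually use.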

Howdy,

in this example, is it a problem if hostname.MYdomain.com (that is my FQDN) is equal to ns1.MYdomain.com?

No, that should be fine.

why does Virtualmin add that root.hostname.MYdomain.com. in the SOA?

Virtualmin always adds an SOA record of “root.YOURHOSTNAME” by default. While that should be fine in your case, you can configure the name used for the SOA record by going into System Settings -> Server Templates -> Default -> BIND DNS Domain, and there you can configure “Master DNS server hostname”.

can this combination of DKIM+SPF avoid such a message from Gmail?

It’s not necessary to use SPF or DKIM to prevent that message, though I’m told it can help in some cases.

You would want to review this information on “Why has Google Blocked My Email Messages”:

https://support.google.com/mail/answer/188131?hl=en

And this here lists a lot of things that can be done to prevent email from being marked as spam:

https://support.google.com/mail/answer/81126?hl=en

Additionally, I’d recommend making sure that you have reverse DNS set up with your ISP for your primary IP address. Also, you may want to verify that you aren’t listed on any RBLs:

http://www.anti-abuse.org/multi-rbl-check/

Now I’ve set up DKIM. How many days can it take for Gmail to accept the messages again?

DKIM won’t necessarily fix that problem… though it may. It can be tough to tell why Google considers it spam. I’m not sure how long it’ll take to be removed from such a list though…

could the problem be related to inet_protocols = all in Postfix, which I have now changed to ipv4 only? are there other things to do in order to be safe?

I’d start by going through the above documents at Google, and making sure that you’ve implemented as much in them as possible. And also configuring reverse DNS (which I think those documents mention), and making sure you aren’t on an RBL. Those would be excellent first steps into getting all that resolved.

There are other people in the Forums who ran into those same issues with Gmail – a few of those are linked below, some of the discussions here may help you out:

http://www.virtualmin.com/node/33298

http://www.virtualmin.com/node/32507

https://www.virtualmin.com/node/32255

-Eric

I'd recommend making sure that you have reverse DNS setup with your ISP for your primary IP address.

yes, that was already correctly set…

the problem about

550-5.7.1 [myIPV6] Our system has detected that this 550-5.7.1 message is likely unsolicited mail.

was indeed that my IPv6 address had no correct reverse record, so I solved it by changing inet_protocols = all to inet_protocols = ipv4 in the Postfix config and restarting Postfix…
maybe you could make this the default in Postfix instead of “all”, so IF the user really needs IPv6 too, then he can decide…

ok, thank you :wink:
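An added example, not from the thread or from Virtualmin, of the check behind the fix described above: forward-confirmed reverse DNS (PTR exists, and the name it points to resolves back to the sending address) for each address Postfix would send from, and the `inet_protocols` value that follows from it. The DNS table is constructed so it runs offline; the IPv6 address of the made-up `mail.example.net` intentionally has no PTR. `system_lookup` is the same interface against the real resolver and is only there for live use.

```python
import ipaddress
import socket

# Constructed stand-in for DNS so the example runs offline. 2001:db8:1::25 has no
# PTR at all (the situation in the thread); 2001:db8:2::25 has a PTR whose forward
# record does not confirm it, which receivers treat the same way.
FAKE_DNS = {
    ("192.0.2.25", "PTR"): ["mail.example.net"],
    ("mail.example.net", "A"): ["192.0.2.25"],
    ("mail.example.net", "AAAA"): ["2001:db8:1::25"],
    ("2001:db8:2::25", "PTR"): ["other.example.org"],
    ("other.example.org", "AAAA"): ["2001:db8:2::99"],
}


def fake_lookup(name, rtype):
    return FAKE_DNS.get((name, rtype), [])


def system_lookup(name, rtype):
    """Same (name, rtype) interface against the system resolver; not used offline."""
    try:
        if rtype == "PTR":
            return [socket.gethostbyaddr(name)[0]]
        family = socket.AF_INET if rtype == "A" else socket.AF_INET6
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None, family)})
    except (socket.herror, socket.gaierror):
        return []


def fcrdns(ip_str, lookup=fake_lookup):
    """Forward-confirmed reverse DNS: returns ("ok", name), ("no-ptr", None)
    or ("mismatch", first_ptr_name)."""
    ip = ipaddress.ip_address(ip_str)
    ptrs = lookup(ip_str, "PTR")
    if not ptrs:
        return ("no-ptr", None)
    rtype = "A" if ip.version == 4 else "AAAA"
    for name in ptrs:
        forward = {ipaddress.ip_address(a) for a in lookup(name, rtype)}
        if ip in forward:                      # the PTR name resolves back to us
            return ("ok", name)
    return ("mismatch", ptrs[0])


def inet_protocols(addresses, lookup=fake_lookup):
    """Postfix inet_protocols value covering only the address families whose
    outbound address passes FCrDNS; None when neither family is usable."""
    good = frozenset(ipaddress.ip_address(a).version
                     for a in addresses if fcrdns(a, lookup)[0] == "ok")
    return {frozenset({4, 6}): "all", frozenset({4}): "ipv4", frozenset({6}): "ipv6"}.get(good)


if __name__ == "__main__":
    # Constructed outbound addresses of the hypothetical mail host.
    outbound = ["192.0.2.25", "2001:db8:1::25"]
    for addr in outbound:
        print(addr, fcrdns(addr))
    print("inet_protocols =", inet_protocols(outbound))
```

On a real host pass `system_lookup` instead of `fake_lookup`, and apply the result with `postconf -e 'inet_protocols = ipv4'` followed by a Postfix restart. Restricting to IPv4 is the quick fix; the complete one is getting a matching PTR for the IPv6 address as well and then returning to `all`.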

is this correct?

[root@myhost ~]# netstat -an | grep ":53 "
tcp 0 0 MY_IP_ADDRESS:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp6 0 0 :::53 :::* LISTEN
udp 0 0 MY_IP_ADDRESS:53 0.0.0.0:*
udp 0 0 127.0.0.1:53 0.0.0.0:*
udp6 0 0 :::53 :::*

em is * … 0.0.0.0:*

Yup, your netstat command looks good! That shows BIND listening on your IP address, localhost, and listening for IPv6 connections.

-Eric

then,
I also had to change “DNS Client Options” in Webmin

there was still a bad hostname, which comes from the CentOS 7 minimal install… so I put my correct hostname there

  • under DNS servers I put my public server IP first, then those from my server's ISP… and 127.0.0.1

  • I’m not sure about “Search domains”; at the moment that field contains a domain name from my ISP…

then I did

[root@hostname ~]# dig domain.com

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> domain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62643
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;domain.com. IN A

;; ANSWER SECTION:
domain.com. 38400 IN A MY_IP_ADDRESS

;; AUTHORITY SECTION:
domain.com. 38400 IN NS ns2.MYdomain.com.
domain.com. 38400 IN NS ns1.MYdomain.com.

;; ADDITIONAL SECTION:
ns1.MYdomain.com. 38400 IN A MY_IP_ADDRESS
ns2.MYdomain.com. 38400 IN A MY_IP_ADDRESS

;; Query time: 0 msec
;; SERVER: MY_IP_ADDRESS#53(MY_IP_ADDRESS)
;; WHEN: Thu Nov 27 15:55:06 CET 2014
;; MSG SIZE rcvd: 139

  • my domain provider had a TTL of 24h, so now I just have to wait and it will propagate without issues?

  • finally, I didn’t perfectly understand the difference between “recursion = yes” and “= no”… in BIND.

With recursion = yes, which is the default now, will the root nameservers and the others… be informed about my hosted domain, OR does recursion = yes only serve to “ask the others and do caching”?

my domain provider had a TTL of 24h, so now I just have to wait and it will propagate without issues?

Well, it’s hard to say for sure without having detailed knowledge of your entire setup, but if you run into any problems after 24 hours, let us know and we can look into it deeper :slight_smile:

finally, I didn’t perfectly understand the difference between “recursion = yes” and “= no”… in BIND.

If recursion is enabled, that means remote users can use your DNS server to look up any IP address on the Internet (that is, it will act as a general DNS server for all users).

If recursion is disabled, that means remote users can only use your DNS server to look up IP addresses hosted in your DNS server.

-Eric
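An added configuration example, not from the thread or from Virtualmin's templates, showing the two settings side by side in named.conf syntax. A server that hosts zones for the public and also answers recursive queries for anyone is an open resolver, which gets abused for DNS amplification and exposes its cache to poisoning; the authoritative role and the recursive role should be separated, or recursion limited to the machine itself. The ACL names below are the BIND built-ins; the network in the comment is an assumed placeholder.

```conf
options {
    // ... directory, listen-on and the other existing options unchanged ...

    // Weak: this answers recursive queries from the whole Internet (open resolver).
    //
    //   recursion yes;
    //   allow-query { any; };

    // Hardened: stay authoritative for hosted zones for everyone, but only recurse
    // (and hand out cached answers) for the server itself. Add a trusted network,
    // e.g. 192.0.2.0/24, to allow-recursion only if local clients really need it.
    recursion yes;
    allow-query { any; };
    allow-recursion { localhost; };
    allow-query-cache { localhost; };

    // Or, if nothing on this box needs it to resolve for them at all:
    //   recursion no;
};
```

Check the file with `named-checkconf`, reload, and from an outside host run `dig @YOUR_IP www.google.com`: the answer should come back without the `ra` flag or with status REFUSED, while `dig @YOUR_IP domain.com` still answers with the `aa` flag as in the output above.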

In search of a solution for my problem (Gmail suddenly started bouncing back my emails when I shifted to a new box having IPv6), I found this thread and it solved my issue. :slight_smile:

I forced Postfix to send through IPv4 only and it works like a charm.

Thanks a lot.

In search of a solution for my problem (Gmail suddenly started bouncing back my emails when I shifted to a new box having IPv6), I found this thread and it solved my issue. :slight_smile:

This is probably an issue with your provider. When receiving e-mail via IPv6, Google considers the /64 the IPv6 address is part of the “end point address” (equivalent to a single IPv4). This is how IPv6 was designed. If you share a /64 with a lot of other people, as is common with most VPS providers, you’re going to have a hard time sending e-mail via IPv6. Not just to Google, but to other providers as well.

You should ask your provider for a /64 just for yourself, as that’s the real solution to the problem.

Thank you very much for a more specific reply.

Thanks again.