Koozali.org: home of the SME Server

SPF records

Offline ReetP

Re: SPF records
« Reply #15 on: February 15, 2019, 11:45:02 AM »
I must have got something wrong, it's now lower

Que ????

Quote
We were not able to retrieve your public key.
Please ensure that you inserted your DKIM TXT DNS record on your domain thesecurityinstaller.co.uk using the selector default.
If you recently modified your DNS, please be patient and test again your Newsletter in 12 hours, it may take some time for the DNS to be propagated

Yup - something is amiss

Is this your domain?

thesecurityinstaller.co.uk

https://mxtoolbox.com/SuperTool.aspx?action=mx%3athesecurityinstaller.co.uk&run=toolpage

https://mxtoolbox.com/domain/thesecurityinstaller.co.uk/

Go back and start looking at your DNS records.

You can post here what you have currently got set.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline jameswilson

Re: SPF records
« Reply #16 on: February 20, 2019, 03:25:46 PM »
Quote
Que ????

Yup - something is amiss

Is this your domain?

thesecurityinstaller.co.uk

https://mxtoolbox.com/SuperTool.aspx?action=mx%3athesecurityinstaller.co.uk&run=toolpage

https://mxtoolbox.com/domain/thesecurityinstaller.co.uk/

Go back and start looking at your DNS records.

You can post here what you have currently got set.

Great, thanks. I never know what should and shouldn't be posted.

Offline jameswilson

Re: SPF records
« Reply #17 on: February 20, 2019, 03:31:13 PM »
I have just added
Quote
"v=DMARC1; p=none; sp=none; rua=mailto:james.wilson@thesecurityinstaller.co.uk; ruf=mailto:james.wilson@thesecurityinstaller.co.uk; rf=afrf; pct=100; ri=86400"

Offline ReetP

Re: SPF records
« Reply #18 on: February 20, 2019, 03:50:28 PM »
Not sure it is right to have 2 MX records like that. Check the mxtoolbox and you can see it isn't happy.

I *think* you should have

A comms.thesecurityinstaller.co.uk

MX comms.thesecurityinstaller.co.uk

I don't think you need the MX record for '@'

Have a look on mx toolbox using links above for my work domain impamark.co.uk to see the differences.

I have an A for mail and then an MX for mail.

I don't have MX @ because @ is not a single host / A record.

Note if you had MX backup you would add A records for each host, then a MX for each A with a priority.


Offline warren

Re: SPF records
« Reply #19 on: February 20, 2019, 04:15:07 PM »
Just on the DNS entry for DKIM (I have followed the wiki as above) but had to scratch around for the formatting of the DNS entry:

This is what I found works:

Type : TXT
Host name :  default_.domainkey.thesecurityinstaller.co.uk
Value : ""v=DKIM1\;p............;t=y"

where value is the DKIM value you get from:
Code:
qpsmtpd-print-dns

You might have to exclude the " at beginning and end (depends on the DNS provider - some strip it out)
« Last Edit: February 20, 2019, 04:18:36 PM by warren »

Offline jameswilson

Re: SPF records
« Reply #20 on: February 20, 2019, 04:28:41 PM »
Quote
Just on the DNS entry for DKIM (I have followed the wiki as above) but had to scratch around for the formatting of the DNS entry:

This is what I found works:

Type : TXT
Host name :  default_.domainkey.thesecurityinstaller.co.uk
Value : ""v=DKIM1\;p............;t=y"

where value is the DKIM value you get from:
Code:
qpsmtpd-print-dns

You might have to exclude the " at beginning and end (depends on the DNS provider - some strip it out)

I have added the attached to the 1and1 dns entry


but now get this on mail-tester.com
Quote
DomainKeys Identified Mail (DKIM) is a method for associating a domain name to an email message, thereby allowing a person, role, or organization to claim some responsibility for the message.

The DKIM signature of your message is:

   v=1;
   a=rsa-sha256;
   c=relaxed;
   d=thesecurityinstaller.co.uk;
   h=to:from:subject:message-id:date:mime-version:content-type:content-transfer-encoding;
   s=default;
   bh=iLwiFZNUfdJrkW/1bs6DSZAArywjUi3Vr9qKRmodS5o=;
   b=aQxVMpJbPyY9frs0LKLMS7tgOQpVUSnd5JKpjrmKEKuqoPEqR/hqMR862lrQg2rlhDZMEOAdjOIVodqhFtJCxkZ444H9ObrD1917w4PW/HS2oDx+/+b19bmDzKdYrBPbheMAiytPQ+hl5+87vlX4Aeyd/W2yhzdSP8KSf+RLASg1YAEjL1zxwAjWlUx374LavnMyjzpSM47OFX5ajHFTPaPlsK0CZbokCuyT429h68isdKmmFtYLAPgFr4wPNZr0ayrXLVFZNps2T5ct08eqxJaLijd+e++hIYzZXbxC9UOt6Wi3IJf3Zs07UEQhC49Iu1iPM9mRpigNmfGLpYsSgA==

We were not able to retrieve your public key.
Please ensure that you inserted your DKIM TXT DNS record on your domain thesecurityinstaller.co.uk using the selector default.
If you recently modified your DNS, please be patient and test again your Newsletter in 12 hours, it may take some time for the DNS to be propagated

Offline jameswilson

Re: SPF records
« Reply #21 on: February 20, 2019, 04:29:09 PM »
Quote
Not sure it is right to have 2 MX records like that. Check the mxtoolbox and you can see it isn't happy.

I *think* you should have

A comms.thesecurityinstaller.co.uk

MX comms.thesecurityinstaller.co.uk

I don't think you need the MX record for '@'

Have a look on mx toolbox using links above for my work domain impamark.co.uk to see the differences.

I have an A for mail and then an MX for mail.

I don't have MX @ because @ is not a single host / A record.

Note if you had MX backup you would add A records for each host, then a MX for each A with a priority.

I have removed the comms entries as I don't know what they were for.

Offline warren

Re: SPF records
« Reply #22 on: February 20, 2019, 04:51:20 PM »
Quote
I have added the attached to the 1and1 dns entry


but now get this on mail-tester.com

The host name must be : default_.domainkey.thesecurityinstaller.co.uk

The value field must only contain : "v=DKIM1\;p............;t=y"

When finished it should look like the part below:
Code:
Type HostName                           Value
TXT default_.domainkey.thesecurityinstaller.co.uk       "v=DKIM1\;p............;t=y"



At the moment nslookup shows no record (neither does MXtoolbox):
Code:
dig -t txt default_.domainkey.thesecurityinstaller.co.uk

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> -t txt default_.domainkey.thesecurityinstaller.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 5689
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;default_.domainkey.thesecurityinstaller.co.uk. IN TXT

;; Query time: 2141 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Feb 20 17:31:19 2019
;; MSG SIZE  rcvd: 63


Once you have the format correct you will get the following from dig (using ReetP's domain as an example):

Code:
dig -t txt  default._domainkey.impamark.co.uk

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> -t txt default._domainkey.impamark.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35998
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;default._domainkey.impamark.co.uk. IN  TXT

;; ANSWER SECTION:
default._domainkey.impamark.co.uk. 3600 IN TXT  "v=DKIM1\;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpPAb1A/itvbbFdKbMywrSxP5myVnfiIHwdOdtCxt/jsJBQ5DlFD0VXQ3JWLZ4aaOc2QQFVhjoZWTnwTZ35m/DjATpydexaC9cvg8TzoZ3VHvQ4VEXBhWlwaRET7oK8NUQHoe56EZILGb60kRjV5tuDygka4i/J0C5ulqkO2JfQQIDAQAB\;"

;; Query time: 903 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Feb 20 17:50:43 2019
;; MSG SIZE  rcvd: 291


Offline ReetP

Re: SPF records
« Reply #23 on: February 20, 2019, 05:00:38 PM »
Quote
If you recently modified your DNS, please be patient and test again your Newsletter in 12 hours

So you may need to wait for changes to propagate.

I still believe you would also be better off having a specific mail host and not relying on @, just the same as you have an A record for www.

So like I said before, an A record for mail 'host' and a MX record for it as well. Eg:

A mail.thesecurityinstaller.co.uk

MX mail.thesecurityinstaller.co.uk

That way you can move your mail host as you require.

Offline warren

Re: SPF records
« Reply #24 on: February 20, 2019, 07:19:15 PM »
Your DNS record is entered incorrectly.
This is how it's showing:
Code:
dig -t txt thesecurityinstaller.co.uk
;; Warning: Message parser reports malformed message packet.
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> -t txt thesecurityinstaller.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62769
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;thesecurityinstaller.co.uk.    IN      TXT

;; ANSWER SECTION:
thesecurityinstaller.co.uk. 3600 IN     TXT     "v=spf1 include:_spf.perfora.net include:_spf.kundenserver.de ip4:81.143.33.108 ~all"
thesecurityinstaller.co.uk. 3600 IN     TXT     "v=DMARC1\; p=none\; sp=none\; rua=mailto:james.wilson@thesecurityinstaller.co.uk\; ruf=mailto:james.wilson@thesecurityinstaller.co.uk\; rf=afrf\; pct=100\; ri=86400"
thesecurityinstaller.co.uk. 3600 IN     TXT     "default._domainkey IN TXT v=DKIM1\;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw9vP9oXU3IcKu8yOu0cXeCuFK+ZqM/L4EIa9+9yByi7R0ErB/uFLeclmHn0CPsV2REJk97jogL5P2sfT+I7WcRApGVD2Xv4v5krT5YrjKBMgO2u2bBF3yLTqs3e1pgOleI4BuemMaaz702ymmQgVCaIaP4ytoZylKY6ueDr5/XcWD7V" "btk0HO8iebJraimGF9PDs3Q/5izd+g2qxrpxyRatfBtgZL5mPnO7HzCIbmkTcSlAEUuY2HxSj/TTKpMA/LYZJlnaq9VzPuu5XLbPCRCKW43AJ9r3pEvZ6YfAuh2fuEmDpsZnqHX3BBIWMZloFB6hCI37M2X68rAeD3FeOCQIDAQAB\;t=y @ IN SPF v=spf1 mx a -all @ IN TXT v=spf1 mx a -all _dmarc IN TXT v=DMARC1\; p" "=none\; adkim=s\; aspf=r\; rua=mailto:dmarc-feedback@thesecurityinstaller.co.uk\; pct=100"




It should look like:

Code:
default_.domainkey.thesecurityinstaller.co.uk.  3600 IN     TXT   " v=DKIM1\;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw9vP9oXU3IcKu8yOu0cXeCuFK+ZqM/L4EIa9+9yByi7R0ErB/uFLeclmHn0CPsV2REJk97jogL5P2sfT+I7WcRApGVD2Xv4v5krT5YrjKBMgO2u2bBF3yLTqs3e1pgOleI4BuemMaaz702ymmQgVCaIaP4ytoZylKY6ueDr5/XcWD7V" "btk0HO8iebJraimGF9PDs3Q/5izd+g2qxrpxyRatfBtgZL5mPnO7HzCIbmkTcSlAEUuY2HxSj/TTKpMA/LYZJlnaq9VzPuu5XLbPCRCKW43AJ9r3pEvZ6YfAuh2fuEmDpsZnqHX3BBIWMZloFB6hCI37M2X68rAeD3FeOCQIDAQAB\;t=y"
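
Added example, not part of the post above or of SME Server: a small Python audit of `dig` TXT answer lines that checks each SPF, DKIM and DMARC record sits at the name a receiver actually queries, taking the DKIM name as `<s=>._domainkey.<d=>` from the signature tags mail-tester displayed (`s=default`, `d=thesecurityinstaller.co.uk`). The function names are illustrative, and the sample lines are constructed from the dig output in this thread with the key shortened to a placeholder; the last sample line is a constructed answer, not one observed in the thread.

```python
import re

def expected_owner(kind, domain, selector):
    """Name a receiver queries: SPF at the domain, DKIM at
    <selector>._domainkey.<domain>, DMARC at _dmarc.<domain>."""
    return {"spf": domain,
            "dkim": f"{selector}._domainkey.{domain}",
            "dmarc": f"_dmarc.{domain}"}[kind]

def parse_answer(line):
    """Split one dig ANSWER line into (owner, joined TXT value)."""
    owner, _ttl, _cls, rtype, rest = line.split(None, 4)
    if rtype != "TXT":
        raise ValueError(f"not a TXT answer: {line!r}")
    # A TXT value may arrive as several quoted chunks; concatenate them.
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', rest)
    return owner.rstrip(".").lower(), "".join(chunks).replace("\\;", ";")

def audit(lines, domain, selector):
    """Return (owner, finding) for each TXT answer line."""
    kinds = {"spf1": "spf", "DKIM1": "dkim", "DMARC1": "dmarc"}
    findings = []
    for line in lines:
        owner, value = parse_answer(line)
        m = re.match(r"\s*v=(spf1|DKIM1|DMARC1)\b", value)
        if m is None:
            # Zone-file syntax ("name IN TXT ...") inside the value means a
            # whole zone snippet was pasted into one record's value field.
            pasted = re.search(r"\bIN\s+(TXT|SPF)\b", value)
            findings.append((owner, "zone-file text in value" if pasted
                             else "no v= tag at start"))
            continue
        kind = kinds[m.group(1)]
        want = expected_owner(kind, domain, selector)
        findings.append((owner, f"{kind} ok" if owner == want
                         else f"{kind} at wrong name, expected {want}"))
    return findings

# Constructed sample modelled on the dig output above; key is a placeholder.
D = "thesecurityinstaller.co.uk"
SAMPLE = [
    D + '. 3600 IN TXT "v=spf1 include:_spf.perfora.net ip4:81.143.33.108 ~all"',
    D + '. 3600 IN TXT "v=DMARC1\\; p=none\\; sp=none"',
    D + '. 3600 IN TXT "default._domainkey IN TXT v=DKIM1\\;p=PLACE" '
        '"HOLDER\\;t=y @ IN TXT v=spf1 mx a -all"',
    'default._domainkey.' + D + '. 3600 IN TXT "v=DKIM1\\;p=PLACE" "HOLDER\\;t=y"',
]

if __name__ == "__main__":
    for owner, finding in audit(SAMPLE, D, "default"):
        print(f"{owner}: {finding}")
```
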

Offline jameswilson

Re: SPF records
« Reply #25 on: February 20, 2019, 07:51:43 PM »
I have tried adding as both a txt entry and a subdomain

default_.domainkey.thesecurityinstaller.co.uk

but I get this error

The subdomain contains invalid characters.
Allowed: Letters from a-z, numerics from 0-9 and hyphens.

It seems I can't use _ in either?

Thanks

Offline warren

Re: SPF records
« Reply #26 on: February 20, 2019, 08:27:10 PM »
Quote
I have tried adding as both a txt entry and a subdomain

default_.domainkey.thesecurityinstaller.co.uk

but I get this error

The subdomain contains invalid characters.
Allowed: Letters from a-z, numerics from 0-9 and hyphens.

It seems I can't use _ in either?

Thanks

Never used 1&1....
Check if this helps (from 4:38 onwards): https://www.youtube.com/watch?v=Bj1Xq-Hvh24