postfix dkim spf correct - recommended setup

2 posts / 0 new
Last post
#1 Tue, 07/16/2019 - 16:29
miltosc

postfix dkim spf correct - recommended setup

Hello.

I send message to check-auth@verifier.port25.com and the results are following ubuntu bionic 18.10 LTS Webmin version 1.900 Usermin version 1.751 Virtualmin version 6.06-2

DKIM DMARC SPF enabled and automatically put dns records

Please suggest setup corrections to pass all or any of the tests. Thanks in advance!

This message is an automatic response from Port25's authentication verifier service at verifier.port25.com. The service allows email senders to perform a simple check of various sender authentication mechanisms. It is provided free of charge, in the hope that it is useful to the email community. While it is not officially supported, we welcome any feedback you may have at verifier-feedback@port25.com.

Thank you for using the verifier,

The Port25 Solutions, Inc. team

==========================================================

Summary of Results

SPF check: permerror "iprev" check: fail DKIM check: none SpamAssassin check: ham

==========================================================

Details:

HELO hostname: ns1.hostname.com Source IP: 2a01:4f8:.... (IPv6)333 mail-from: info@mydomain.com

SPF check details:

Result: permerror (DNS void lookup limit exceeded) ID(s) verified: smtp.mailfrom=info@mydomain.com

DNS record(s): mydomain.com. 60 IN TXT "v=spf1 a mx a:mydomain.com ip4:1. ... (IPv4) ip4:1. ... (IPv4) ip6:2a01:4f8:.... (IPv6) ?all" mydomain.com. AAAA (no records) mydomain.com. 60 IN MX 5 mail.mydomain.com. mail.mydomain.com. AAAA (no records) mydomain.com. AAAA (no records)

"iprev" check details:

Result: fail (reverse lookup failed (NXDOMAIN)) ID(s) verified: policy.iprev="2a01:4f8:.... (IPv6)"

DNS record(s): 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.d.blah blah.a.2.ip6.arpa. PTR (NXDOMAIN)

DKIM check details:

Result: none (message not signed) ID(s) verified:

NOTE: DKIM checking has been performed based on the latest DKIM specs (RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for older versions. If you are using Port25's PowerMTA, you need to use version 3.2r11 or later to get a compatible version of DKIM.

SpamAssassin check details:

SpamAssassin v3.4.0 (2014-02-07)

Result: ham (0.8 points, 5.0 required)

pts rule name description

0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% [score: 0.4981] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 HTML_MESSAGE BODY: HTML included in message

==============================================================

Explanation of the possible results (based on RFCs 7601, 7208) DKIM Results

none: The message was not signed.

pass: The message was signed, the signature or signatures were acceptable to the ADMD, and the signature(s) passed verification tests.

fail: The message was signed and the signature or signatures were acceptable to the ADMD, but they failed the verification test(s).

policy: The message was signed, but some aspect of the signature or signatures was not acceptable to the ADMD.

neutral: The message was signed, but the signature or signatures contained syntax errors or were not otherwise able to be processed. This result is also used for other failures not covered elsewhere in this list.

temperror: The message could not be verified due to some error that is likely transient in nature, such as a temporary inability to retrieve a public key. A later attempt may produce a final result.

permerror: The message could not be verified due to some error that is unrecoverable, such as a required header field being absent. A later attempt is unlikely to produce a final result.

SPF Results

none: Either (a) no syntactically valid DNS domain name was extracted from the SMTP session that could be used as the one to be authorized, or (b) no SPF records were retrieved from the DNS.

neutral: The ADMD has explicitly stated that it is not asserting whether the IP address is authorized.

pass: An explicit statement that the client is authorized to inject mail with the given identity.

fail: An explicit statement that the client is not authorized to use the domain in the given identity.

softfail: A weak statement by the publishing ADMD that the host is probably not authorized. It has not published a stronger, more definitive policy that results in a "fail".

temperror: The SPF verifier encountered a transient (generally DNS) error while performing the check. A later retry may succeed without further DNS operator action.

permerror: The domain's published records could not be correctly interpreted. This signals an error condition that definitely requires DNS operator intervention to be resolved.

"iprev" Results

pass: The DNS evaluation succeeded, i.e., the "reverse" and "forward" lookup results were returned and were in agreement.

fail: The DNS evaluation failed. In particular, the "reverse" and "forward" lookups each produced results, but they were not in agreement, or the "forward" query completed but produced no result, e.g., a DNS RCODE of 3, commonly known as NXDOMAIN, or an RCODE of 0 (NOERROR) in a reply containing no answers, was returned.

temperror: The DNS evaluation could not be completed due to some error that is likely transient in nature, such as a temporary DNS error, e.g., a DNS RCODE of 2, commonly known as SERVFAIL, or other error condition resulted. A later attempt may produce a final result.

permerror: The DNS evaluation could not be completed because no PTR data are published for the connecting IP address, e.g., a DNS RCODE of 3, commonly known as NXDOMAIN, or an RCODE of 0 (NOERROR) in a reply containing no answers, was returned. This prevented completion of the evaluation. A later attempt is unlikely to produce a final result.

==========================================================

Original Email

Return-Path: info@mydomain.com Received: from ns1.mydomain.com (2a01:4f8:.... (IPv6)) by verifier.port25.com id h5j66m2e8s4d for check-auth@verifier.port25.com; Mon, 15 Jul 2019 18:56:43 +0000 (envelope-from info@mydomain.com) Authentication-Results: verifier.port25.com; spf=permerror reason="DNS void lookup limit exceeded" smtp.mailfrom=info@mydomain.com; iprev=fail reason="reverse lookup failed (NXDOMAIN)" policy.iprev="2a01:4f8:.... (IPv6)"; dkim=none reason="message not signed" Received: from [192.168.1.3] (77.49.247.26.dsl.dyn.forthnet.gr [77.49.247.26]) by ns1.mydomain.com (Postfix) with ESMTPA id 2E46A6D82C9A for check-auth@verifier.port25.com; Mon, 15 Jul 2019 21:56:40 +0300 (EEST) To: check-auth@verifier.port25.com From: "info@mydomain.com" info@mydomain.com Subject: test Message-ID: a34d4142-f8e0-7b8e-1abc-768d556384e3@mydomain.com Date: Mon, 15 Jul 2019 21:56:40 +0300 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.7.2 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="------------F983DD6D13EB78053333854A" Content-Language: en-US

This is a multi-part message in MIME format. --------------F983DD6D13EB78053333854A Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit

test

-- Best Regards Your mydomain.com Team

--------------F983DD6D13EB78053333854A Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 7bit

<meta http-equiv="content-type" content="text/html; charset=UTF-8">

test

-- Best Regards Your mydomain.com Team

--------------F983DD6D13EB78053333854A--

Sun, 07/21/2019 - 04:12
Jfro

First 100% solve dns and also reverse for ipv4 and ipv6 for mailhost and domains i think.