mail-sor-xxx.google.com fails DKIM / SPF check - email

I got a DMARC report for my domain as xyz.xml where it showed me domains & their corresponding checks (either SPF / DKIM) that failed. My problem is I have one entry as follows:
<source_ip></source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
209.85.220.41 points to mail-sor-xxx.google.com .
My SPF & DKIM :
"v=spf1 include:_spf.google.com ~all"
"v=DKIM1; k=rsa; p=xfdf+sadasfsa+sacsc+""
Why does DKIM pass & SPF fail? What am I doing wrong?
Thanks in advance

I also had the same problem, and saw this thread, which says "Safe to ignore it":
https://support.google.com/mail/thread/19303899?hl=en

Related

SPF, DKIM and DMARC all set but dmarc-reports keep saying the opposite

I'm losing my mind (again) on something about e-mails.
I have a Kimsufi/OVH (Debian Wheezy 7.10) server. I have postfix and dovecot all set.
My main domain/hostname is mywebsite.fr, and I'm using mywebsite.fr set on mywebsite.fr.
I set SPF, DKIM and DMARC entries in DNS zones for both domains. From contact[at]mywebsite[dot]fr and no-reply[at]mywebsite[dot]fr, all the tests I ran are good:
1) auth-resultats#verifier.port25.com
The Port25 Solutions, Inc. team
==========================================================
Summary of Results
==========================================================
SPF check: pass
DomainKeys check: neutral
DKIM check: pass
SpamAssassin check: ham
==========================================================
Details:
==========================================================
HELO hostname: mywebsite.fr
Source IP: 91.121.166.194
mail-from: contact#mywebsite.fr
----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result: pass
ID(s) verified: smtp.mailfrom=contact#mywebsite.fr
DNS record(s):
mywebsite.fr. SPF (no records)
mywebsite.fr. 6055 IN TXT "v=spf1 a mx include:mx.ovh.com ~all"
mywebsite.fr. 6054 IN A 91.121.166.194
----------------------------------------------------------
DomainKeys check details:
----------------------------------------------------------
Result: neutral (message not signed)
ID(s) verified: header.From=contact#mywebsite.fr
DNS record(s):
----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result: pass (matches From: contact#mywebsite.fr)
ID(s) verified: header.d=mywebsite.fr
2) dmarcian.com
https://dmarcian.com/dmarc-inspector/mywebsite.fr
All seems good
3) dkimvalidator.com
DKIM Information:
DKIM Signature
Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mywebsite.fr;
s=mail; t=1491673268;
bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=;
h=Date:From:To:Subject:From;
b=CScyX9ZvWCDL6FGLroXZi/8dFiWmgPbKwcTuSZqPuCHBOR4tv4QdGzxgZ3acWf6AP
AwAt3Y2h+9IHeayu8mT2rl2Bz3E3XbMC6waEHoc645sAOq1nV9l8hAuw73hm6YsvXU
QEAgcDIaD8b5fAXoX99rGkSfD6Rx5ygeuJOs0MzZcxnOzaJM+6mvOzusep4PRv0XvG
eEJYYwL2sNd0qEJSLJ666fhvE781qtwnWaUewlceSgek5bnJ1DVEOsLkcl3uwTabau
PsLZm9SPuqsc+aDRTTNNRKuI2noO1/w3M6XWfZxpYPIeoxwNnflWxP0s9O6+UbhsCJ
PJbZeYVATVFKYKjFJlbwAqPMMmJAiqSWzsXvT06/P/Qw70nT5Q9qK1FI8Uu9NRFhWe
g+35wx03zNG5OMgKzKsv9qH06qccBsbfhHXKm63YkxLDhO+2AtdicdWqrMlZQap7V0
CC4VyTCNLZdOASWdLJdh8JDsY2TXNU/Pcpxw0uSf0BigY/0q3qj5O7GRzzSLG1rKz0
+HpvDql/PpsscXt16URaOtO7/rZ6H3EsS1ZkutO5udiwJvoZulraMbI8sQQghR3Yyw
OZqDardodYdVo1tHzTPQ4MJTEKI+2IO4ulCj7/kJ109xpTYo8+8x3I7Z5Bhmnyui7j
TIxRT8MCD1sRUOoP7mD/7Pb0=
Signature Information:
v= Version: 1
a= Algorithm: rsa-sha256
c= Method: relaxed/relaxed
d= Domain: mywebsite.fr
s= Selector: mail
q= Protocol:
bh= g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=
h= Signed Headers: Date:From:To:Subject:From
Public Key DNS Lookup
Building DNS Query for mail._domainkey.mywebsite.fr
Retrieved this publickey from DNS: v=DKIM1; k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAomnPCDLufwn5YnIxZ+4veAqdQiTNyk3OsqxTXddGXstKjYefjeJZ/Wgd4vFRheS9DSRjtqLvc66KyM3Ubk37G3S2tXU6dpIPh/poiQuDhdZMWlp829YyR47sYtSSJqFrzd+dKDGfPwrlJb6iIeYksfXOXSHej6s9z1mDobl+fDhORKaB5JySZyPhh/FqCIVMHJffr8tod0Q55MAfRpl38WIJjRjjTXHS2OTNUSQq53kIqSZkx3iFdlxxZh5Tj1DU1bzIGfB4tQaJAGqGhSz4pyzkdc+uVuvXr6NbIrEQ/YnueDHWrbbPoMq77QcToMGqfypgB2CcEU2rlcDYq9aPqYAalv22zY6S0M5FUjlpiHDIR3Hb/ID2ZC2Q/XtCKgaOxr2C4T7Ad0CdcjjQMLnFkOY337U7/P0FgaSQaykiUvSkXDvURgunBv0GLqXfjfwK2Ge8fl+dhYN5bZ/59/GFPcyB/sLHB/cMFWEUyp63RXHBRm+q+c6PMdGIgmoTHYH/0FbYI+/9NHhYOLWhBrgds3x54vStQk0jqYKAipd2494v2dr3p5XlhXU4NEOSEH4FnBfiqoHiYDgjPEIm0ddqH2kBEiuymIoGtWPuBCmY993/1wevOMVjrQlysw2Gf1DZnlbnaytgcSAR0fHgIlLPPoRqGXodvgtW6Zj8ocy71qsCAwEAAQ==
Validating Signature
result = pass
Details:
SPF Information:
Using this information that I obtained from the headers
Helo Address = mywebsite.fr
From Address = contact#mywebsite.fr
From IP = 91.121.166.194
SPF Record Lookup
Looking up TXT SPF record for mywebsite.fr
Found the following namesevers for mywebsite.fr: ns.kimsufi.com nsXXXXXX.ip-91-XXX-166.eu
Retrieved this SPF Record: zone updated 20170408 (TTL = 46739)
using authoritative server (ns.kimsufi.com) directly for SPF Check
Result: pass (Mechanism 'a' matched)
Result code: pass
Local Explanation: mywebsite.fr: 91.121.166.194 is authorized to use 'contact#mywebsite.fr' in 'mfrom' identity (mechanism 'a' matched)
spf_header = Received-SPF: pass (mywebsite.fr: 91.121.166.194 is authorized to use 'contact#mywebsite.fr' in 'mfrom' identity (mechanism 'a' matched)) receiver=ip-172-31-3-128.us-west-1.compute.internal; identity=mailfrom; envelope-from="contact#mywebsite.fr"; helo=mywebsite.fr; client-ip=91.121.166.194
Etc, etc, etc.
All seems good, and all the mail testers I'm sending e-mails to are saying "10/10, you're good to go buddy".
The problem is, I receive dmarc-reports and they are not good.
For example, last in date from yahoo :
<?xml version="1.0"?>
<feedback>
<report_metadata>
<org_name>Yahoo! Inc.</org_name>
<email>postmaster#dmarc.yahoo.com</email>
<report_id>1491615950.716847</report_id>
<date_range>
<begin>1491523200</begin>
<end>1491609599 </end>
</date_range>
</report_metadata>
<policy_published>
<domain>mywebsite.fr</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>none</p>
<pct>100</pct>
</policy_published>
<record>
<row>
<source_ip>91.121.166.194</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>mywebsite.fr</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>mywebsite.fr</domain>
<result>permerror</result>
</dkim>
<spf>
<domain>mywebsite.fr</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
</feedback>
And last in date from google.com :
<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
<report_metadata>
<org_name>google.com</org_name>
<email>noreply-dmarc-support#google.com</email>
<extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
<report_id>14868783784049997701</report_id>
<date_range>
<begin>1491523200</begin>
<end>1491609599</end>
</date_range>
</report_metadata>
<policy_published>
<domain>mywebsite.fr</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>none</p>
<sp>none</sp>
<pct>100</pct>
</policy_published>
<record>
<row>
<source_ip>2001:41d0:1:e7c2::1</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>mywebsite.fr</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>mywebsite.fr</domain>
<result>fail</result>
<selector>mail</selector>
</dkim>
<spf>
<domain>mywebsite.fr</domain>
<result>softfail</result>
</spf>
</auth_results>
</record>
<record>
<row>
<source_ip>2001:41d0:1:e7c2::1</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>mywebsite.fr</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>mywebsite.fr</domain>
<result>pass</result>
<selector>mail</selector>
</dkim>
<spf>
<domain>mywebsite.fr</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
</feedback>
I'm lost, I don't know what to do more than is already set. Don't hesitate to ask me for more information, if it can help. Thx...
Anyway, looking over your results from those other testers, it looks like you're using a 4096 DKIM, which produces key sizes over 512 bytes. Drop your DKIM size back down to 2048 and I think your issues will go away with the DKIM failures. I've seen numerous instances where large key sizes cause DKIM failures.
Also, the results from Google show an IPv6 address as the source IP. I have a feeling Google might be bugged, that is, it might not be doing the SPF lookup correctly concerning a and aaaa records. You should add ip6:2001:41d0:1:e7c2::1 to your SPF and see if that resolves the SPF failures at Google.
In theory, when an ESP receives an IPv6 IP they should look up the aaaa record for SPF if a is specified as a mechanism, and a if IPv4 is specified.
The SPF problem you're seeing is an alignment problem. SPF only counts for DMARC when the Return-Path domain and the Header From domain are on the same organizational domain. In somewhat oversimplified terms, they need to be the same or have a common parent domain that isn't a TLD.
From the reports, you can see that your Return-Path domain (used for SPF) is vaeserveur.fr while the header from domain is calendridel.fr. In this case, it doesn't matter that SPF yields a pass - that pass value won't be used for DMARC. See the discussion here - https://www.rfc-editor.org/rfc/rfc7489#section-3.1
As for DKIM, the other answer is on point. Verifiers don't generally support 4096 bit keys, and they don't actually have to according to the RFC - https://www.rfc-editor.org/rfc/rfc6376#section-3.3.3
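Added example (not code from any poster in this thread): a Python recomputation of the DMARC verdict for each record of an aggregate report, showing how a raw SPF `pass` in `auth_results` turns into `spf` `fail` in `policy_evaluated` when the authenticated domain is not aligned with `header_from`; the same check applies to a row like the one in the first question. The sample report is constructed with documentation domains, and `org_domain` is a simplifying assumption (last two labels) standing in for a Public Suffix List lookup.

```python
import xml.etree.ElementTree as ET

# Constructed sample report (documentation domains/IPs, not taken from the page).
SAMPLE = """<?xml version="1.0"?>
<feedback>
 <policy_published><domain>example.fr</domain><adkim>r</adkim><aspf>r</aspf><p>none</p></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>1</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.fr</header_from></identifiers>
  <auth_results>
   <dkim><domain>example.fr</domain><result>pass</result><selector>mail</selector></dkim>
   <spf><domain>bounces.example.net</domain><result>pass</result></spf>
  </auth_results>
 </record>
 <record>
  <row><source_ip>192.0.2.11</source_ip><count>1</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>news.example.fr</header_from></identifiers>
  <auth_results>
   <dkim><domain>example.fr</domain><result>permerror</result></dkim>
   <spf><domain>example.fr</domain><result>pass</result></spf>
  </auth_results>
 </record>
</feedback>"""


def org_domain(name):
    # ASSUMPTION: the organizational domain is the last two labels. Real
    # evaluators use the Public Suffix List, so this is wrong for e.g. co.uk.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, header_from, mode):
    """Mode 's' (strict) needs an exact match; 'r' (relaxed) the same org domain."""
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == h if mode == "s" else org_domain(a) == org_domain(h)


def evaluate(record, adkim, aspf):
    """Recompute the DMARC view of one <record> from its raw auth_results."""
    header_from = record.findtext("identifiers/header_from", "").strip()
    out = {"header_from": header_from, "notes": []}
    for mech, mode in (("dkim", adkim), ("spf", aspf)):
        out[mech] = "fail"
        for res in record.findall(f"auth_results/{mech}"):
            domain = res.findtext("domain", "").strip()
            result = res.findtext("result", "").strip()
            if result != "pass":
                out["notes"].append(f"{mech} {result} for {domain}")
            elif aligned(domain, header_from, mode):
                out[mech] = "pass"
            else:
                out["notes"].append(f"{mech} pass for {domain} is not aligned with {header_from}")
        reported = record.findtext(f"row/policy_evaluated/{mech}", "").strip()
        if reported != out[mech]:
            out["notes"].append(f"report says {mech}={reported}, recomputed {out[mech]}")
    # DMARC passes when at least one mechanism passes AND is aligned.
    out["dmarc"] = "pass" if "pass" in (out["dkim"], out["spf"]) else "fail"
    return out


def analyze(xml_text):
    # Reports arrive by e-mail from third parties: refuse DTDs/entities before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD or entity declaration in DMARC report")
    root = ET.fromstring(xml_text)
    adkim = (root.findtext("policy_published/adkim") or "r").strip()
    aspf = (root.findtext("policy_published/aspf") or "r").strip()
    return [evaluate(rec, adkim, aspf) for rec in root.findall("record")]


if __name__ == "__main__":
    for row in analyze(SAMPLE):
        print(row)
```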

Mail goes into spam box (included isnotspam log)

When I try to send mail from my server, it goes into the spam box of Gmail. I checked with the Isnotspam website. Everything looks good except the DomainKeys check. Can you verify my log and tell me how to solve this problem?
==========================================================
Summary of Results
==========================================================
SPF Check : pass
Sender-ID Check : pass
DomainKeys Check : neutral
DKIM Check : pass
SpamAssassin Check : ham (non-spam)
==========================================================
Details:
==========================================================
HELO hostname: mail.cybapps.com
Source IP: xxx.xxx.xxx.xxx
mail-from: mailme#cybapps.com
Anonymous To: ins-ywhteogz#isnotspam.com
---------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result: pass
ID(s) verified: smtp.mail=mailme#cybapps.com
DNS record(s):
cybapps.com. 300 IN TXT "v=spf1 a mx ip4:xxx.xxx.xxx.xxx ~all"
----------------------------------------------------------
Sender-ID check details:
----------------------------------------------------------
Result: pass
ID(s) verified: smtp.mail=mailme#cybapps.com
DNS record(s):
cybapps.com. 300 IN TXT "v=spf1 a mx ip4:xxx.xxx.xxx.xxx ~all"
----------------------------------------------------------
DomainKeys check details:
----------------------------------------------------------
Result: neutral (message not signed)
ID(s) verified: header.From=mailme#cybapps.com
Selector=
domain=
DomainKeys DNS Record=
----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result: pass
ID(s) verified: header.From=mailme#cybapps.com
Selector=mail
domain=cybapps.com
DomainKeys DNS Record=mail._domainkey.cybapps.com
----------------------------------------------------------
SpamAssassin check details:
----------------------------------------------------------
SpamAssassin 3.4.1 (2015-04-28)
Result: ham (non-spam) (03.6points, 10.0 required)
pts rule name description
---- ---------------------- -------------------------------
* 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
* [score: 1.0000]
* -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay
* domain
* -0.0 SPF_PASS SPF: sender matches SPF record
* 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
* [score: 1.0000]
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
* domain
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
* valid
X-Spam-Status: Yes, hits=3.6 required=-20.0 tests=BAYES_99,BAYES_999,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,SPF_PASS,T_RP_MATCHES_RCVD autolearn=no
autolearn_force=no version=3.4.1
X-Spam-Score: 3.6
To learn more about the terms used in the SpamAssassin report, please search
here: http://wiki.apache.org/spamassassin/
==========================================================
Explanation of the possible results (adapted from
draft-kucherawy-sender-auth-header-04.txt):
==========================================================
I did a DNS lookup to your domain and found it:
$ host -t txt cybapps.com
cybapps.com descriptive text "google-site-verification=r3eFsCxzevI8CjwQsDi21PbKILrMc-EQjfQsSe301Wk"
cybapps.com descriptive text "v=spf1 a mx ptr ip4:172.110.8.33 mx:cybapps.com ~all"
So, you're adding a Google verification TXT, which conflicts with SPF. Can you do Google verification via a file instead and try again? Note you'll need to wait until TTL expires.
Also note: a fail or neutral result on DKIM or DomainKey results does not turn your mail into SPAM. It's more likely that your MX server is/was on some blacklist. Also note your PTR record for given mail IP does not point to your mail server, but to your plain domain (it should be mail.cybapps.com instead):
$ host mail.cybapps.com
mail.cybapps.com has address 172.110.8.33
$ host 172.110.8.33
33.8.110.172.in-addr.arpa domain name pointer cybapps.com.
EDIT:
I usually use mxtoolbox to check my mail installation:
http://mxtoolbox.com/domain/cybapps.com/
Hope it helps!

Mails from my website goes to spam folder

This is a result from isnotspam.com
==========================================================
Summary of Results
SPF Check : softfail
Sender-ID Check : neutral
DomainKeys Check : neutral
DKIM Check : neutral
SpamAssassin Check : ham (non-spam)
==========================================================
Details:
HELO hostname: in6.hostgator.in
Source IP: 119.18.60.5
mail-from: info#propertyfirst.in
Anonymous To: ins-kgqo0hhz#isnotspam.com
---------------------------------------------------------
SPF check details:
Result: softfail
ID(s) verified: smtp.mail=info#propertyfirst.in
DNS record(s):
propertyfirst.in. 14394 IN TXT "v=spf1 a mx include:websitewelcome.com ~all"
----------------------------------------------------------
Sender-ID check details:
Result: neutral
ID(s) verified: smtp.mail=info#propertyfirst.in
DNS record(s):
propertyfirst.in. 14394 IN TXT "v=spf1 a mx include:websitewelcome.com ~all"
----------------------------------------------------------
DomainKeys check details:
Result: neutral (message not signed)
ID(s) verified: header.From=info#propertyfirst.in
Selector=
domain=
DomainKeys DNS Record=
----------------------------------------------------------
DKIM check details:
Result: neutral (message not signed)
ID(s) verified: header.From=info#propertyfirst.in
Selector=
domain=
DomainKeys DNS Record=
----------------------------------------------------------
SpamAssassin check details:
----------------------------------------------------------
SpamAssassin v3.3.1 (2010-03-19)
Result: ham (non-spam) (05.9points, 10.0 required)
pts rule name description
Can someone please tell me what the issue is here, what SPF is, and how I set it up?
Will setting up an SPF help me in any way?
Indeed, an SPF SoftFail can cause your email to be classified as spam.
Judging from the current state of the TXT record for propertyfirst.in, you have already figured it out on your own, but for future reference, SPF is a way for the domain administrator to designate hosts as legitimate senders for the domain in question. The policy is published in DNS using a TXT or SPF RR.
In this particular case, the SPF policy of propertyfirst.in did not designate your web server 119.18.60.5 as a permitted sender. Consequently, emails from your web server were considered to be forged and marked as spam.
Your current SPF policy is v=spf1 +a +mx +ip4:119.18.60.5 +include:propertyfirst.in ~all, which explicitly permits 119.18.60.5 to send emails in the name of propertyfirst.in.
By the way you can lose the "+" PASS qualifiers, SPF mechanisms default to that.

DKIM DNS TXT Record Error

I am testing my mail server DKIM and SPF settings with Port25 auth test.
SPF is perfect, but my DKIM doesn't work. Here is the error:
----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result: permerror (key "default._domainkey.pokesharp.com" doesn't exist)
ID(s) verified:
Canonicalized Headers:
message-id:<4b811ef394a3840c888aaf70e625190c#pokesharp.com>'0D''0A'
subject:123'0D''0A'
to:check-auth#verifier.port25.com'0D''0A'
from:admin#pokesharp.com'0D''0A'
date:Mon,'20'12'20'Aug'20'2013'20'10:38:04'20'-0400'0D''0A'
mime-version:1.0'0D''0A'
dkim-signature:v=1;'20'a=rsa-sha256;'20'q=dns/txt;'20'c=relaxed/relaxed;'20'd=pokesharp.com;'20's=default;'20'h=Message-ID:Subject:To:From:Date:MIME-Version;'20'bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;'20'b=;
Canonicalized Body:
DNS record(s):
default._domainkey.pokesharp.com. TXT (NXDOMAIN)
NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions. If you are using Port25's PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.
Although, in my DNS, I do have "default._domainkey" IN TXT 14400 with value:
"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCjUEWGRzEyKE0GcoICtp4bAKhrIjG8zubaDBV8MJSEO49nJHPk8zTJNFYmFBaMX0GVwxstam3C231TedkiRBk5RQ32lOqiaHW/PGpYqGrdE95arh8floBinkcVCqwnodUMBizDLh0rZvdOf+lElQAf0nBFL0X2EhGDC4IlEYpu7QIDAQAB;"
I don't quite understand why it doesn't see it. (I'm using cPanel/WHM)
Thank you very much!
Is it possible that it was just propagation delays? If I query your DNS now, I get your DKIM public key (see below). Are you still getting the same results from the port25 verifier?
mti2935#basement:~$ nslookup -q=TXT default._domainkey.pokesharp.com
Server: 75.75.75.75
Address: 75.75.75.75#53
Non-authoritative answer:
default._domainkey.pokesharp.com text = "v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCjUEWGRzEyKE0GcoICtp4bAKhrIjG8zubaDBV8MJSEO49nJHPk8zTJNFYmFBaMX0GVwxstam3C231TedkiRBk5RQ32lOqiaHW/PGpYqGrdE95arh8floBinkcVCqwnodUMBizDLh0rZvdOf+lElQAf0nBFL0X2EhGDC4IlEYpu7QIDAQAB\;"
Authoritative answers can be found from:
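Added example, not from the answer above and not from cPanel or Port25: a Python check that takes a DKIM TXT value as nslookup prints it (with `\;` escapes), reads the RSA modulus size out of the `p=` key, and warns when the key exceeds the 2048 bits that RFC 6376 section 3.3.3 requires verifiers to support, the key-size issue raised in the DMARC thread earlier on this page. The sample records are built in the code with placeholder (non-real) keys; `sample_record` and `check_dkim_record` are names made up for this example.

```python
import base64


def tlv(tag, body):
    """DER-encode one element; only used to build the constructed sample keys."""
    n = len(body)
    if n < 0x80:
        head = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        head = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body


def sample_record(bits):
    """Constructed DKIM TXT value: structurally valid, but NOT a real RSA key."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00
    rsa_key = tlv(0x30, tlv(0x02, modulus) + tlv(0x02, b"\x01\x00\x01"))
    algo = tlv(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption, NULL
    spki = tlv(0x30, algo + tlv(0x03, b"\x00" + rsa_key))
    return "v=DKIM1\\; k=rsa\\; p=" + base64.b64encode(spki).decode() + "\\;"


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element (record cut off in DNS?)")
    return tag, buf[pos:pos + length], pos + length


def parse_tags(txt):
    # nslookup escapes ';' as '\;' in its output; undo that before splitting.
    items = txt.replace("\\;", ";").split(";")
    return {k.strip(): v.strip() for k, v in (i.split("=", 1) for i in items if "=" in i)}


def check_dkim_record(txt):
    """Return (modulus_bits, warnings) for the TXT value of a DKIM key record."""
    tags, warnings = parse_tags(txt), []
    if tags.get("v", "DKIM1") != "DKIM1":
        warnings.append("v= tag is not DKIM1")
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("only RSA keys are handled in this example")
    p = "".join(tags.get("p", "").split())  # multi-string TXT values may contain spaces
    if not p:
        raise ValueError("empty p= tag (revoked key or truncated record)")
    der = base64.b64decode(p, validate=True)
    _, spki, _ = read_tlv(der, 0)                # SubjectPublicKeyInfo SEQUENCE
    _, _, after_algo = read_tlv(spki, 0)         # skip AlgorithmIdentifier
    tag, bitstr, _ = read_tlv(spki, after_algo)  # BIT STRING holding RSAPublicKey
    if tag != 0x03:
        raise ValueError("p= is not a SubjectPublicKeyInfo structure")
    _, rsa_key, _ = read_tlv(bitstr, 1)          # byte 0 is the unused-bits count
    tag, modulus, _ = read_tlv(rsa_key, 0)       # first INTEGER is the modulus
    if tag != 0x02:
        raise ValueError("RSA modulus not found")
    bits = int.from_bytes(modulus, "big").bit_length()
    if bits < 1024:
        warnings.append(f"{bits}-bit key is too short to be trusted")
    if bits > 2048:
        warnings.append(f"{bits}-bit key: verifiers are only required to support up to 2048 bits")
    if len(txt.replace("\\;", ";")) > 255:
        warnings.append("value exceeds 255 bytes and must be split into several TXT strings")
    return bits, warnings


if __name__ == "__main__":
    for size in (1024, 4096):
        print(size, check_dkim_record(sample_record(size)))
```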

Gmail rejects emails. Openspf.net fails the tests.

I've got a problem with Gmail.
It started after one of our trojan infected PCs sent spam for one day from our IP address.
We've fixed the problem, but we got into 3 black lists. We've fixed that, too. But still every time we send an email to Gmail the message is rejected:
So I've checked Google Bulk Sender's guide once again and found an error in our SPF record and fixed it. Google says everything should become fine after some time, but this doesn't happen. 3 weeks already passed but we still can't send emails to Gmail.
Our mail setup is a bit complex, but not too much. We have a domain name delo-company.com, it has its own mail #delo-company.com (this one is fine, but the problems are with sub-domain name corp.delo-company.com).
Delo-company.com domain has several DNS records for its subdomain:
corp A 82.209.198.147
corp MX 20 corp.delo-company.com
corp.delo-company.com TXT "v=spf1 ip4:82.209.198.147 ~all"
(I set ~all for testing purposes only, it was -all before that)
These records are for our corporate Exchange 2003 server at 82.209.198.147. Its LAN name is s2.corp.delo-company.com so its HELO/EHLO greetings are also s2.corp.delo-company.com.
To pass EHLO check we've also created some records in delo-company.com's DNS:
s2.corp A 82.209.198.147
s2.corp.delo-company.com TXT "v=spf1 ip4:82.209.198.147 ~all"
As I understand SPF verifications should be passed in this way:
Our server s2 connects to MX of the recipient (Rcp.MX): EHLO s2.corp.delo-company.com
Rcp.MX says Ok, and makes SPF check of HELO/EHLO. It does NSlookup for s2.corp.delo-company.com and gets the above DNS-records. TXT records says that s2.corp.delo-company.com should be only from IP 82.209.198.147. So it should be passed.
Then our s2 server says RCPT FROM: <supruniuk-p#corp.delo-company.com>
Rcp.MX server checks it, too. The values are the same so they should also be positive.
Maybe there is also a rDNS check, but I'm not sure what is checked HELO or RCPT FROM.
Our PTR record for 82.209.198.147 is:
147.198.209.82.in-addr.arpa. 86400 IN PTR s2.corp.delo-company.com.
To me everything looks fine, but anyway all emails are rejected by Gmail.
So, I've checked MXtoolbox.com - it says everything is fine, I passed http://www.kitterman.com/spf/validate.html Python check, I did 25port.com email test. It's fine, too:
Return-Path: <supruniuk-p#corp.delo-company.com>
Received: from s2.corp.delo-company.com (82.209.198.147) by verifier.port25.com id ha45na11u9cs for <check-auth#verifier.port25.com>; Fri, 2 Mar 2012 13:03:21 -0500 (envelope-from <supruniuk-p#corp.delo-company.com>)
Authentication-Results: verifier.port25.com; spf=pass smtp.mailfrom=supruniuk-p#corp.delo-company.com
Authentication-Results: verifier.port25.com; domainkeys=neutral (message not signed) header.From=supruniuk-p#corp.delo-company.com
Authentication-Results: verifier.port25.com; dkim=neutral (message not signed)
Authentication-Results: verifier.port25.com; sender-id=pass header.From=supruniuk-p#corp.delo-company.com
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01CCF89E.BE02A069"
Subject: test
Date: Fri, 2 Mar 2012 21:03:15 +0300
X-MimeOLE: Produced By Microsoft Exchange V6.5
Message-ID: <4C9EB1DB67831A428B2E14052F4A418707E1FF#s2.corp.delo-company.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: test
Thread-Index: Acz4jS34oznvbyFQR4S5rXsNQFvTdg==
From: =?koi8-r?B?89XQ0tXOwMsg8MHXxcw=?= <supruniuk-p#corp.delo-company.com>
To: <check-auth#verifier.port25.com>
I also checked with spf-test#openspf.net, but it FAILs all the time, no matter which SPF records I make:
<s2.corp.delo-company.com #5.7.1 smtp;550 5.7.1 <spf-test#openspf.net>: Recipient address rejected: SPF Tests: Mail-From Result="softfail": Mail From="supruniuk-p#corp.delo-company.com" HELO name="s2.corp.delo-company.com" HELO Result="softfail" Remote IP="82.209.198.147">
I've filled Gmail form twice, but nothing happens.
We do not send spam, only emails for our clients. 2 or 3 times we did mass emails (like New Year Greetings and sales promos) from corp.delo-company.com addresses, but they were all complying with Gmail Bulk Sender's Guide (I mean SPF, Open Relays, Precedence: Bulk and Unsubscribe tags). So, this should not be a problem.
Please, help me. What am I doing wrong?
I've been having serious problems with gmail rejecting legitimate mail. Somewhere I read a suggestion to delete URLs from your signature file. To my amazement, this worked. (My mail client is Eudora, which some of you may dimly remember.)
Hope it helps.
Gmail now has a postmaster tool where you can check your domain/IP reputation and spam rate, and in the "Authentication" area you can check that DKIM/SPF/DMARC work correctly.
https://gmail.com/postmaster/
I recommend using the CNAME record for authentication; if you are using the default TXT record, this entry is also returned on an SPF query.