We've configured SPF, DKIM and DMARC records for our domain and they're working fine. Our DMARC reports from Gmail, Hotmail, Yahoo also confirm the same.
However, just last week, one of our (Gmail) users brought to our attention a fraudulent email sent from a spoofed email address on our domain.
After looking at the email headers, we realised Gmail didn't initiate a DMARC check at all and the email landed in the user's inbox. Gmail had only performed an SPF check, which had passed because the check was performed on the envelope FROM header domain.
The email header (with identifying details redacted) looked like the following:
Delivered-To: redacted#gmail.com
Received: by 10.28.167.23 with SMTP id q23csp326872wme;
Mon, 20 Feb 2017 23:53:04 -0800 (PST)
X-Received: by 10.36.147.1 with SMTP id y1mr22192213itd.34.1487663583976;
Mon, 20 Feb 2017 23:53:03 -0800 (PST)
Return-Path: <redacted#fraudulentdomain.net>
Received: from server2.fraudulentdomain.net (server2.fraudulentdomain.net. [144.X.Y.Z])
by mx.google.com with ESMTP id i196si19658513ioi.78.2017.02.20.23.53.03
for <redacted#gmail.com>;
Mon, 20 Feb 2017 23:53:03 -0800 (PST)
Received-SPF: pass (google.com: domain of redacted#fraudulentdomain.net designates 144.X.Y.Z as permitted sender) client-ip=144.X.Y.Z;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of redacted#fraudulentdomain.net designates 144.X.Y.Z as permitted sender) smtp.mailfrom=redacted#fraudulentdomain.net
Received: by server2.fraudulentdomain.net (Postfix, from userid 330)
id 385716C165; Tue, 21 Feb 2017 08:53:03 +0100 (CET)
To: redacted#gmail.com
Subject: Some Subject
From: My Service <spoofed#mydomain.com>,
"MIME-Version:1.0"#server2.fraudulentdomain.net
Content-type: text/html; charset=iso-8859-1
Message-Id: <20170221075303.385716C165#server2.fraudulentdomain.net>
Date: Tue, 21 Feb 2017 08:53:03 +0100 (CET)
Why did Gmail not initiate a DMARC check and just perform an SPF check? Does it have something to do with the Display FROM header having 2 values?
That's a bug, I reported it to Google, they have fixed it now.
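The condition discussed in this thread can be checked on the receiving side. The following is an added example, not part of the original posts: it reads a message's From and Authentication-Results headers and flags an SPF pass that comes with no DMARC verdict, a From header carrying more than one address, and any From domain the SPF-authenticated domain does not align with. The sample message is constructed with reserved example domains, and the alignment test is a simplification that does not consult the Public Suffix List.

```python
import re
from email import message_from_string

# Constructed sample modelled on the headers quoted above ('@' restored,
# reserved example domains and a documentation IP substituted).
SAMPLE = """\
Return-Path: <bounce@fraudulent.example>
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of bounce@fraudulent.example designates 192.0.2.10 as permitted sender) smtp.mailfrom=bounce@fraudulent.example
To: user@gmail.com
Subject: Some Subject
From: My Service <spoofed@mydomain.example>,
 "MIME-Version:1.0"@server2.fraudulent.example
Content-type: text/html; charset=iso-8859-1

body
"""


def domain_of(value):
    """Lower-cased domain of an address or a bare domain token."""
    return value.strip("<>;,").rsplit("@", 1)[-1].lower()


def aligned(a, b):
    # Simplification (assumption): equal, or one a subdomain of the other.
    # Real relaxed alignment compares organizational domains via the PSL.
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def triage(raw):
    """Return the authentication picture of one message plus findings."""
    msg = message_from_string(raw)
    from_headers = msg.get_all("From", [])
    # Every domain that appears after an '@' in the From header(s).
    from_domains = sorted({d.lower() for h in from_headers
                           for d in re.findall(r"@([A-Za-z0-9.-]+)", h)})
    results, mailfrom = {}, None
    for ar in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar):
            results.setdefault(method, verdict)
        m = re.search(r"smtp\.mail(?:from)?=(\S+)", ar)
        if m and mailfrom is None:
            mailfrom = domain_of(m.group(1))
    unaligned = [d for d in from_domains
                 if mailfrom and not aligned(mailfrom, d)]
    findings = []
    if len(from_headers) != 1 or len(from_domains) != 1:
        findings.append("ambiguous-from")       # DMARC needs one From domain
    if "dmarc" not in results:
        findings.append("no-dmarc-result")      # receiver recorded no verdict
    if results.get("spf") == "pass" and unaligned:
        findings.append("spf-pass-unaligned")   # SPF vouches for another domain
    return {"from_domains": from_domains, "mailfrom": mailfrom,
            "results": results, "unaligned": unaligned, "findings": findings}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the sample, the SPF-authenticated domain lines up with the second From address only, so the address a reader would recognise is the one left unaligned.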
We have a small company and we sometimes send a few emails.
All these emails are considered safe by all email providers except HOTMAIL.
How can I find out why HOTMAIL considers our emails SPAM?
Understand our Outlook / Hotmail / Office365 Deliverability Issues with X-Forefront-Antispam-Report?
You can find below an example of an email classified by HOTMAIL as SPAM:
Received: from HE1EUR04HT080.eop-eur04.prod.protection.outlook.com
(2603:10b6:a03:100::41) by BYAPR17MB2341.namprd17.prod.outlook.com with HTTPS
via BYAPR08CA0028.NAMPRD08.PROD.OUTLOOK.COM; Wed, 5 Dec 2018 10:35:04 +0000
Received: from HE1EUR04FT013.eop-eur04.prod.protection.outlook.com
(10.152.26.59) by HE1EUR04HT080.eop-eur04.prod.protection.outlook.com
(10.152.26.72) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1404.13; Wed, 5 Dec
2018 10:35:03 +0000
Authentication-Results: spf=pass (sender IP is xx.xxx.xx.xx)
smtp.mailfrom=xxxxxxxxxx.com; hotmail.com; dkim=pass (signature was verified)
header.d=xxxxxxxxxx.com;hotmail.com; dmarc=temperror action=none
header.from=xxxxxxxxxx.com;
Received-SPF: Pass (protection.outlook.com: domain of xxxxxxxxxx.com designates
xx.xxx.xx.xx as permitted sender) receiver=protection.outlook.com;
client-ip=xx.xxx.xx.xx; helo=xxxxxxxxxx.com;
Received: from xxxxxxxxxx.com (xx.xxx.xx.xx) by
HE1EUR04FT013.mail.protection.outlook.com (10.152.26.126) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.1404.13 via Frontend Transport; Wed, 5 Dec 2018 10:35:01 +0000
X-IncomingTopHeaderMarker: OriginalChecksum:AB1002FDAF6A587890EE7D690A8B7C0533694AA27CC8CD5DD9887E9B10F6A6AA;UpperCasedChecksum:2C9C5779BC7CA07579C2ABCCDCC6DC4EF6E1F5707AEA3F3E3B8FB9DB8A5964FE;SizeAsReceived:1060;Count:12
Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP])
by xxxxxxxxxx.com (Postfix) with ESMTPA id 3042C13B6
for <prenom.nom#hotmail.com>; Wed, 5 Dec 2018 10:35:01 +0000 (UTC)
Date: Wed, 05 Dec 2018 10:35:00 +0000
Content-Type: multipart/alternative;
boundary="--=_RainLoop_184_159261189.1544006100"
From: xxxx.xxxx#xxxxxxxxxx.com
Message-ID: <1d5dbc12b0ad9f393b60bdcf281453d4#xxxxxxxxxx.com>
Reply-To: xxxx.xxxx#yahoo.fr
Subject: Mail de test
To: "prenom nom" <prenom.nom#hotmail.com>
X-Spamd-Bar: /
Authentication-Results-Original: auth=pass smtp.auth=xxxx.xxxx#xxxxxxxxxx.com
smtp.mailfrom=xxxx.xxxx#xxxxxxxxxx.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=xxxxxxxxxx.com;
s=dkim; t=1544006101;
h=from:reply-to:subject:date:message-id:to:mime-version:content-type;
bh=rUWyfwQa5tHrCBIwEq0ehhhrOAC/x3JYLLdxQgyDPyI=;
b=fevC4RxDsG9+KynrDFzJZtm/NreksALp7vHODFCUspUglru5PsIM0ta0JUCaNpAldMCbpo
Fp7dWa84dYFBnh85l9oV9HFpzHTgCzk/v63Hjw5ggxJJq41e46mlgr3wbdJjb8gDNcE4gc
AV9BATZpIZH8OKpXgtOk53N+laqJRZg=
X-IncomingHeaderCount: 12
Return-Path: xxxx.xxxx#xxxxxxxxxx.com
X-MS-Exchange-Organization-ExpirationStartTime: 05 Dec 2018 10:35:01.9575
(UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 2:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id: 4730759b-0399-41af-5552-08d65a9d5017
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-Microsoft-Exchange-Diagnostics: 1;HE1EUR04FT013;1:f6d7toPjHds79kfjb8F8a92RxuOXFF60QrueiBIAci0rI6sqqY48Bzu8uaNPzyL+FT+X9g/kG7bzmFi2V3HyDeZeMuGeuUuP9oSB16V/YB9PGJWjCgb0fJhRv68sm8lk
X-Forefront-Antispam-Report: EFV:NLI;
X-MS-Exchange-Organization-AuthSource:
HE1EUR04FT013.eop-eur04.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-PublicTrafficType: Email
X-MS-UserLastLogonTime: 12/5/2018 10:31:45 AM
X-MS-Office365-Filtering-Correlation-Id: 4730759b-0399-41af-5552-08d65a9d5017
X-Microsoft-Antispam:
BCL:0;PCL:0;RULEID:(2390098)(5000110)(711020)(4605076)(610169)(650170)(651021)(8291501071);SRVR:HE1EUR04HT080;
X-Microsoft-Exchange-Diagnostics:
1;HE1EUR04HT080;3:DybF6SUpFveGAxx8na3Ize3Nkt11joOtHTmP4K19riue2nfmCDbAyWtEYCFb39NFLsV0PICKRCZizik1veZYKZZAcyTwiQmwBg5eXjW0fGglhIgvt9/rQ5isFDOhdIvBHmH3ibQzaj7ZwH7Iir5xLlUh6KuQjK4wqbZ70xNx7L9xtCkl1KIZn9nyqt1CvAT8C1eCok0fU+ox4kGY8NzL87N2fRqer12pTDSEatEWoGcBosOnaKKbfJQZ8xn3738k09JlzAajuEghTgVNfAM3qpJyVk3ZD4FWpYcStFs23qSty17srM/Tayf11c8uB46uix5Y7KnAXa9rNRUfMONZBA==;25:/SJAdxq4u4Qs1hsqopWz0P0KJHrriehmS29nQXtMgNdyC/cclr2pHh4viLne8HpxsTcz6FrSKBu+mJqB84LON4ctSh+BHbxE3WmdWSndOZn+1S4dDARLgb+uzcn/JbOCCaYuIG98V+QZ8fbqqyYkamo9JsOmiGCMTQIDAQD/cJrgvbrRUfSu6gkYhzYAn4vP2SwFf5pxMZ4WrWMmc0bNrPEUOSvG6VFM5JlGO2Os6dlpTbb6TTRv2l7y9BfvANVnXEwB53LOCclUNVKFf6+2fz9bKKw+VIy5/swsy2z+h8n/WPKoqM92Mpdnoq6LFItoTKRqWwQDqvv2F3nO0OKQmA==;31:dOrm256zuEt/hE/ekHqoTmIFEXc3zHxEZayzOO42bqB36gH75boqRurWRKHauLRLvCYkTvXymjaXQsUJKVXs80ws5rCMaT7QiwMplBdg0VWdDFZvwjh/tt2Nex/4a7uaO8g5M9D8rS0CXCrpSVzTp+Jga6sxIzEMgtq3OlmJIhulvmOsoSld1HvPcOGpXMeRZZD2PsotmP2Tn9ElHF5AmGU4ViCtza4/J9FB+E4A2W0=
X-MS-TrafficTypeDiagnostic: HE1EUR04HT080:
X-MS-Exchange-EOPDirect: true
X-Sender-IP: xx.xxx.xx.xx
X-SID-PRA: xxxx.xxxx#xxxxxxxxxx.COM
X-SID-Result: PASS
X-MS-Exchange-Organization-PCL: 2
X-Exchange-Antispam-Report-CFA-Test:
BCL:0;PCL:0;RULEID:(444111751)(6300000075)(1201097)(52401380)(52601095)(52505095)(52406095)(52305095)(52206095)(88860335)(82015058);SRVR:HE1EUR04HT080;BCL:0;PCL:0;RULEID:;SRVR:HE1EUR04HT080;
X-Microsoft-Exchange-Diagnostics:
1;HE1EUR04HT080;4:bokg6rTSYvxEH9tWbCTyUYr0q5d15BPnt3b/6NKV1aU47utLwxgQ3Uen6CF95MioWJ7vvtnrkzk/fZP/MnWwvPlt2LRJsAvjCcM+DhRB4Xe2oCPUZzR/2mfZz5VsEfraEDaZ8s4GsoKPIKsJ4B6Y9xz+xUec4kc3cmIHh5SEfv+AXcHtdM1TKdA4usesZy47wEFH2rlFaKJEJxViqyBx/+26SDBbLD9PQP2hUUDWn8YbKAzJz7kR23nsBU5mvnQitvIfh5Bt3+zV2wg1zwahMA==;6:l6ijCjczte/M+2grONf/7pGyIkA1XNf4ID15Esb3yess1e9qhWDPeZwXlbH4hdWZK9DAagKkup3nQoQmaHFWM1UyZrK/yXBDWwbu2CYkI0LYD0/x2bGkNcnFXUuZvjEwhBI276G4Q9s1niDBXrLyCy6nrroKStX+XVdwQJRN+SOmn1nRBk4ve83RRKErll45NODrJ1gs+ohoPuPKKE+WsiHVqPqXc8/tAYQ2+6rDDDuSe1JW8tbwG6GPQTgmTB4VCZCmDHE+OYv/AwUI9E5/tvjDaR+AUGfmxkNEfAGy5FaGIpPyc5ooj2Ccoc78uJ1uSJSG0PaRkC9BpBqzDAyDCUMtNiYKxkmT/BX7G7izvr4YSz3/2IjYroc3BRaBgR1ysgDdJaNQxMdgvdSLf+QT7GAjoPlzHjg5kdbhboJ21LA7FUbD38w9sCeLL/quipitUon1NWPG86s5Sqvk2Dlp0A==;5:Swo0LieNeMdG7TItYBICIBs0+ruylDAdbXBR0mvw8RBGaL8cuIubr/SDBiw8BowyZ1QpMwH8zEyR1DPU0K18Po7sIcdApik4BOkjw3sVVlUr8Q0i6hFhkjWbbhCTcJLzQ2vHbiB9TubWWw5v9b1bNTvzvsYSCsmct8RLj7klb+Y=
X-Microsoft-Exchange-Diagnostics:
1;HE1EUR04HT080;7:/enTEOqI+9/YUuE8ZQ9zGk1y/OeSFzGo3DLWTFNT1Df2M9R68+jdV3s+KWz8wPKd8cpou9+NhTU/Ly60rQh2wB1nSL9Z+W+mqZLXhdfPmN+sIfwIAOXAY74iQZfUMqyY5fDb4d5X13fGQzKO8ZFERQ==
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 05 Dec 2018 10:35:01.8638
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 4730759b-0399-41af-5552-08d65a9d5017
X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg:
c001924d-3e68-4f40-89c2-901a49278da7
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1EUR04HT080
X-MS-Exchange-Transport-EndToEndLatency: 00:00:02.1382293
X-MS-Exchange-Processed-By-BccFoldering: 15.20.1404.009
X-Microsoft-Antispam-Mailbox-Delivery:
abwl:0;wl:0;pcwl:0;kl:0;iwl:0;dwl:0;dkl:0;rwl:0;ucf:0;jmr:0;ex:0;auth:1;dest:J;OFR:SpamFilterAuthJ;ENG:(5062000261)(5061607266)(5061608174)(4900095)(4920089)(6375004)(4950130)(4990090)(9140004);RF:JunkEmail;
X-Message-Info:
qoGN4b5S4yog6nY042nLw3cqoJY/BsdeIdvpFyeEToIfBWdMiTy9ohwkOjOHX/mmYDuIIXAZuntJB/jcvsI8N12HJabUBoRzEX6xvbe2KE26SyeTZwImTZfxGqX28h5yd+X+vl4xYK4JrDiB4OS5lY4EIUJKI6TMjc2520XsSe62AVW/zBal1X8WxWxQRjLLJ2OD1DdMGUwrpwctIvbXmA==
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtHRD0yO1NDTD02
Blacklisting of a sending IP or your sending domain could be a probable reason. And it is that only the Hotmail SMTP server has blacklisted your domain/IP. Try changing your sending IP or the domain and see if it lands in spam or not.
I would start with something like checking my domain's send reputation on a site like Sender Score. That will tell you if you've been blacklisted. Then I would reach out to the Outlook postmaster to see what I can do to fix my errors. I would also really double-check how my emails look in Hotmail; user engagement counts in many spam scores, and if the content doesn't look good, users could be deleting it or marking it as spam.
I have configured DKIM, SPF and DMARC correctly and from the email headers it seems to be working fine, but the emails I send from my SMTP server are marked as spam. Here are my email headers:
Received: from SG2APC01HT253.eop-APC01.prod.protection.outlook.com
(10.163.105.24) by SG2PR03MB1582.apcprd03.prod.outlook.com with HTTPS via
SG2PR06CA0014.APCPRD06.PROD.OUTLOOK.COM; Tue, 7 Feb 2017 02:03:11 +0000
Received: from SG2APC01FT015.eop-APC01.prod.protection.outlook.com
(10.152.250.60) by SG2APC01HT253.eop-APC01.prod.protection.outlook.com
(10.152.251.100) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.874.2; Tue, 7 Feb
2017 02:03:09 +0000
Authentication-Results: spf=pass (sender IP is 191.101.230.42)
smtp.mailfrom=ezpc.com.my; hotmail.com; dkim=pass (signature was verified)
header.d=ezpc.com.my;hotmail.com; dmarc=bestguesspass action=none
header.from=ezpc.com.my;
Received-SPF: Pass (protection.outlook.com: domain of ezpc.com.my designates
191.101.230.42 as permitted sender) receiver=protection.outlook.com;
client-ip=191.101.230.42; helo= mail.ezpc.com.my;
Received: from BAY004-MC1F48.hotmail.com (10.152.250.55) by
SG2APC01FT015.mail.protection.outlook.com (10.152.250.181) with Microsoft
SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.874.2 via Frontend
Transport; Tue, 7 Feb 2017 02:03:06 +0000
X-IncomingTopHeaderMarker: OriginalChecksum:B3C91582F4E1A8BEB3081753A75091AB6E10F9554C8EB64EF3F4DBAEBFBBCCAD;UpperCasedChecksum:FDA1A8FF432113AA359CED44F62CC1B29335E24D01725A791958063140028963;SizeAsReceived:1267;Count:16
Received: from mail.ezpc.com.my ([191.101.230.42]) by BAY004-MC1F48.hotmail.com with Microsoft SMTPSVC(7.5.7601.23143);
Mon, 6 Feb 2017 18:03:04 -0800
Received: by mail.ezpc.com.my (Postfix, from userid 48)
id AB46E2213CB; Mon, 6 Feb 2017 21:03:03 -0500 (EST)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.ezpc.com.my AB46E2213CB
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ezpc.com.my;
s=default; t=1486432983;
bh=9v0acwudeB20jRA3DCLi3/n8gPxEJUSqP+DRE97Rs/8=;
h=To:Subject:From:Date:From;
b=Pr71KmBKnlBDX6KEY3PNzaRVqj1njANZe4fVyDI/3a+uNDCqE933329nhyoaeyS2U
c5pbo1szpI2lI5Io9AV5q33w/HeIYnsGvstpM9e/mtpBUeNoYk7ajIeJldSyI1kbGv
AtYp7oGy2ltmDcO4nkwqEBRpkPJr3jwcKhY6Ucys=
Any idea on fixing the problem?
Your ip reputation is neutral (which is good but can be improved)
http://www.senderbase.org/lookup/?search_string=191.101.230.42
As long as all those settings are configured correctly, you should use this form from Microsoft!
https://support.microsoft.com/en-us/getsupport?oaspworkflow=start_1.0.0.0&wfname=capsub&productkey=edfsmsbl3&locale=en-us&ccsid=636225696037961710
My website, all written in PHP, has an automatic system to notify users via email. Everything worked perfectly until I moved everything to a new, less expensive dedicated server (new IP, also). Now, from the new server, all the emails are sent to the spam folder. Why? What happened? Gmail says it's marked as spam because it violates these guidelines about the sender. Here is the message header of one of the emails:
Delivered-To: fontanavideostudios#gmail.com
Received: by 10.64.224.200 with SMTP id re8csp1701580iec;
Sun, 1 Feb 2015 07:30:19 -0800 (PST)
X-Received: by 10.140.22.5 with SMTP id 5mr1380826qgm.72.1422804619177;
Sun, 01 Feb 2015 07:30:19 -0800 (PST)
Return-Path: <noreply#racebooking.net>
Received: from ns362512.ip-91-121-174.eu ([2001:41d0:1:ef28::1])
by mx.google.com with ESMTP id e3si21772874qaf.113.2015.02.01.07.30.18
for <fontanavideostudios#gmail.com>;
Sun, 01 Feb 2015 07:30:19 -0800 (PST)
Received-SPF: none (google.com: noreply#racebooking.net does not designate permitted sender hosts) client-ip=2001:41d0:1:ef28::1;
Authentication-Results: mx.google.com;
spf=none (google.com: noreply#racebooking.net does not designate permitted sender hosts) smtp.mail=noreply#racebooking.net
Received: by ns362512.ip-91-121-174.eu (Postfix, from userid 504)
id DFE0916074; Sun, 1 Feb 2015 16:28:52 +0100 (CET)
To: fontanavideostudios#gmail.com
Subject: Qualcuno ha commentato il tuo post
X-PHP-Originating-Script: 504:new_notification.php
From: Racebooking <noreply#racebooking.net>
Reply-To: no-reply
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Message-Id: <20150201152852.DFE0916074#ns362512.ip-91-121-174.eu>
Date: Sun, 1 Feb 2015 16:28:52 +0100 (CET)
The domain, racebooking.net, has a good reputation and MX, mail, smtp point to the same ip: 91.121.174.40 which is the same IP of racebooking.net (here is a test)
Any idea?
Check this line in the header:
Received-SPF: none (google.com: noreply#racebooking.net does not designate permitted sender hosts) client-ip=2001:41d0:1:ef28::1;
Authentication-Results: mx.google.com;
spf=none (google.com: noreply#racebooking.net does not designate permitted sender hosts) smtp.mail=noreply#racebooking.net
I think you have not correctly configured the SPF entries in your DNS.
See this Google Products thread about this: https://productforums.google.com/forum/#!topic/apps/nvGcYDjONfc
I can see that you have no SPF entries defined for "racebooking.net":
$ dig +short racebooking.net txt
"1|www.racebooking.net"
You need to define an SPF entry like:
"v=spf1 mx a:mail0.racebooking.net -all"
You also need to include any other host from which you might be sending email (i.e. web applications sending email from #racebooking.net).
More info about what SPF is: http://en.wikipedia.org/wiki/Sender_Policy_Framework
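An added example, not part of the original answer: a small offline SPF evaluator showing why the headers above report spf=none and what a record of the suggested shape has to cover. Gmail saw the connection come from an IPv6 address (client-ip=2001:41d0:1:ef28::1), so the record only helps if one of its mechanisms resolves to that address family too. The zone data is constructed (reserved example names and documentation addresses stand in for the real domain and IPs), and the evaluator handles only the all, ip4, ip6, a and mx mechanisms.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed DNS data (assumption, not the real zone): reserved example names
# and documentation addresses stand in for the domain and IPs in the question.
BASE_ZONE = {
    ("racebooking.example", "MX"): ["mail0.racebooking.example"],
    ("racebooking.example", "A"): ["192.0.2.40"],
    ("mail0.racebooking.example", "A"): ["192.0.2.40"],
}

# Same shape as the record suggested in the answer, on the example domain.
ANSWER_RECORD = "v=spf1 mx a:mail0.racebooking.example -all"


def zone_with(txt_records, extra=None):
    """Copy BASE_ZONE with the given TXT records and optional extra records."""
    zone = dict(BASE_ZONE)
    zone[("racebooking.example", "TXT")] = list(txt_records)
    zone.update(extra or {})
    return zone


def host_matches(zone, host, ip):
    """True if host has an A/AAAA record (in ip's address family) equal to ip."""
    rtype = "A" if ip.version == 4 else "AAAA"
    return any(ipaddress.ip_address(a) == ip
               for a in zone.get((host.lower(), rtype), []))


def spf_check(zone, domain, client_ip):
    """Evaluate all, ip4, ip6, a and mx only; other terms give 'unsupported'."""
    ip = ipaddress.ip_address(client_ip)
    records = [t for t in zone.get((domain, "TXT"), [])
               if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"          # TXT records exist, but none is an SPF record
    if len(records) > 1:
        return "permerror"     # more than one SPF record is an error
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            hit = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            hit = net.version == ip.version and ip in net
        elif name == "a":
            hit = host_matches(zone, arg or domain, ip)
        elif name == "mx":
            hit = any(host_matches(zone, mx, ip)
                      for mx in zone.get(((arg or domain).lower(), "MX"), []))
        else:
            return "unsupported"   # include, redirect, exists, ptr, a/24 ...
        if hit:
            return QUALIFIERS[qualifier]
    return "neutral"           # no mechanism matched and no "all" term
```

With only A records behind `mx` and `a:`, a delivery over IPv6 ends at `-all`; publishing an AAAA record for the mail host or adding an `ip6:` mechanism closes that gap.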
The mails that I send from my VPS keep going to the spam folder of Google Mail (Gmail), only Gmail; all other receivers get the mail!
I've been struggling with the following problem for a couple of hours now.
First of all, the mail went straight to spam, with a soft fail on the SPF records. After some googling and adjusting the DNS, everything is correct on all the tests I do on the internet.
What am I doing wrong? See the email headers below:
Delivered-To: info#MYWEBSITE.nl
Received: by 10.140.49.2 with SMTP id p2csp254884qga;
Wed, 18 Dec 2013 05:09:01 -0800 (PST)
X-Received: by 10.180.103.193 with SMTP id fy1mr8266239wib.10.1387372141146;
Wed, 18 Dec 2013 05:09:01 -0800 (PST)
Return-Path: <info#SENDINGWEBSITE.nl>
Received: from www.SENDINGVPS.nl ([2a02:1234::777:3eff:fed6:7ef6])
by mx.google.com with ESMTPS id s9si717710wiw.41.2013.12.18.05.09.00
for <info#MYWEBSITE.nl>
(version=TLSv1 cipher=RC4-SHA bits=128/128);
Wed, 18 Dec 2013 05:09:01 -0800 (PST)
Received-SPF: pass (google.com: domain of info#SENDINGWEBSITE.nl designates 2a02:1234::777:3eff:fed6:7ef6 as permitted sender) client-ip=2a02:1234::777:3eff:fed6:7ef6;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of info#SENDINGWEBSITE.nl designates 2a02:1234::777:3eff:fed6:7ef6 as permitted sender) smtp.mail=info#SENDINGWEBSITE.nl
Received: from i12345.upc-i.chello.nl ([62.195.XX.XXX] helo=[192.168.1.12])
by www.SENDINGVPS.nl with esmtpsa (TLSv1:AES128-SHA:128)
(Exim 4.76)
(envelope-from <info#SENDINGWEBSITE.nl>)
id 1VtGrz-0004Rq-8k; Wed, 18 Dec 2013 14:08:59 +0100
Subject: Mail gmail hotmail
Mime-Version: 1.0 (1.0)
From: "info#SENDINGWEBSITE.nl" <info#SENDINGWEBSITE.nl>
Content-Type: text/plain;
charset=us-ascii
X-Mailer: iPhone Mail (11B554a)
Message-Id: <62D8B201-8243-43A5-B15D-6371DD208D23#SENDINGWEBSITE.nl>
Date: Wed, 18 Dec 2013 14:08:58 +0100
Content-Transfer-Encoding: 7bit
To: "info#MYWEBSITE.nl" <info#MYWEBSITE.nl>
Hi
Verstuurd vanaf mijn iPhone
Everyone knows that changing the mail address in the address bar and pretending to send mail from someone else's account is easy.
So I looked up "find out where email came from" on Google.
Some of the links suggest:
1. Log into your account and open the email in question.
2. Click on the down arrow that's to the right of the Reply link. Choose Show Original from the list.
3. Now here's the technical part that I was telling you about earlier! You need to look for the lines of text that start with "Received: from".
I did all the above steps but found out that Gmail uses the mail client IP as the sender IP and not the IP of that particular PC (for security purposes, they say...). It has the sender's IP as mr.google.com and some private network IP (10.43.103.195).
So now my problem is: is there any damn way in the world to trace where the hell this mail came from?! (At least the IP of the sender?)
This is the header I got when I followed the above 3 steps, which is of no use:
Delivered-To: xxxxxxxx#gmail.com
Received: by 10.204.40.79 with SMTP id j15csp110512bke;
Fri, 22 Mar 2013 01:55:20 -0700 (PDT)
Return-Path: <xxxxxxxxxxx#gmail.com>
Received-SPF: pass (google.com: domain of xxxxxxxxxxx#gmail.com designates 10.43.103.195 as permitted sender) client-ip=10.43.103.195
Authentication-Results: mr.google.com;
spf=pass (google.com: domain of xxxxxxxxxxxx#gmail.com designates 10.43.103.195 as permitted sender) smtp.mail=xxxxxxxxxxxx#gmail.com;
dkim=pass header.i=#gmail.com
X-Received: from mr.google.com ([10.43.103.195])
by 10.43.103.195 with SMTP id dj3mr548753icc.3.1363942518977 (num_hops = 1);
Fri, 22 Mar 2013 01:55:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=x-received:mime-version:from:date:message-id:subject:to
:content-type;
bh=Vi/MI39WKoec07maKoVjz5/ZzUxhO1k+BoeRUkBbWOc=;
b=kZ/EniFvV15mZ9iBeKNiKsJsQvWHL5N8zqrazVxeKmAARQLotyAAIDU7Or9Xc1OBwY
cwuPqSKmVX1RV7tX5wwcdYyzEA/gmskzgGteimv0BInTzVO7dwgi4gU5cZYdm6Qj/GMo
rJfGs5ty6VjidYMFwyn0K5Z0frh2NX2e7RXP0R6da6U5WMU2bQ9epOD4ZhKF+bSdUvb9
WGu3/HWJNTgwrFivspsA6q0M6JkQWYFM6J83h62kIgU897gsXkRlwPacn63tHySC6CNm
DJZGzRJryQZEJTI4owOImP6XDrK+uxPDFAiTnIG5xFR8PBXsQp+FP+XcsqIHqXSjCtl1
xXdQ==
X-Received: by 10.43.103.195 with SMTP id dj3mr548753icc.3.1363942518971; Fri,
22 Mar 2013 01:55:18 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.134.164 with HTTP; Fri, 22 Mar 2013 01:54:58 -0700 (PDT)
From: xxxxxxxxxxxx#gmail.com
Date: Fri, 22 Mar 2013 14:24:58 +0530
Message-ID: <CACD4ahHmkbNCj9G5taUkXYC=K=n4qVvxY75SSSv3hUG00r6dkQ#mail.gmail.com>
Subject:
To: xxxxxxxx#gmail.com
Content-Type: multipart/alternative; boundary=bcaec5171a235666e504d87f9dd8
--bcaec5171a235666e504d87f9dd8
Content-Type: text/plain; charset=ISO-8859-1
If the sender uses Gmail/Yahoo/Hotmail etc. to send an email (i.e. if they don't use third-party software like Outlook or Thunderbird), there is no way to find out the "PC IP address" because it's hidden for 'privacy reasons.' Probably the only legitimate way (other than through legal means) is to ask the sender to reveal their IP address (using tools such as https://verifyyourip.com).