DNS Token mismatch; email DNS setup Failure; what should be fixed? - email

I'm trying to set up DNS for an email service that is hosted by a third party, and my DNS is hosted by DigitalOcean.
The propagation as checked by https://www.whatsmydns.net is returning "Error: Token mismatch" for all record types for the_domain.com.
This is the domain file, what should I explore to fix it?
$ORIGIN the_domain.com.
$TTL 1800
the_domain.com. IN SOA ns1.digitalocean.com. hostmaster.the_domain.com. 1477796005 10800 3600 604800 1800
the_domain.com. 1800 IN NS ns1.digitalocean.com.
the_domain.com. 1800 IN NS ns2.digitalocean.com.
the_domain.com. 1800 IN NS ns3.digitalocean.com.
the_domain.com. 1800 IN A 104.131.137.128
the_domain.com. 1800 IN MX 100 us2.mx3.mailhostbox.com.
the_domain.com. 1800 IN MX 100 us2.mx1.mailhostbox.com.
the_domain.com. 1800 IN MX 100 us2.mx2.mailhostbox.com.
pop.the_domain.com. 1800 IN CNAME us2.pop.mailhostbox.com.
smtp.the_domain.com. 1800 IN CNAME us2.smtp.mailhostbox.com.
dav.the_domain.com. 1800 IN CNAME us2.dav.mailhostbox.com.
webmail.the_domain.com. 1800 IN CNAME us3.webmail.mailhostbox.com.
imap.the_domain.com. 1800 IN CNAME us2.imap.mailhostbox.com.
the_domain.com.the_domain.com. 1800 IN TXT "v=spf1 redirect=_spf.mailhostbox.com"
20150311._domainkey.the_domain.com.the_domain.com. 1800 IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCDl+v04ZOpA1ZvAhP1lqugRETH4pSEvoQVyt9dPZ8IlhUNKGROC/tJqcbC+rSv/dbC4tCUA1tcoLL8AzuS41Gmp4ZwzHSmAa5i/iHCFzubPFWxPXUmWGYZayyRdzIdUTD3IEQaClNEAhDWcTm1kSUA1vr7VJTyKzfbnDWs+10WwwIDAQAB"

This is not an error with your DNS records. It is due to your browser visit being so long that the token the site initially sent to you times out. If you refresh the page, that should fix the issue and you can continue to use it as before.
So just be wary that if you leave this website in an open tab for a while, you will need to refresh the page. This fixed the problem for me when I had this appear due to leaving it open for a few hours.
This problem is also mentioned in https://serverfault.com/a/769330/396271
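Separately from the token error the answer addresses, the zone file in the question publishes its SPF and DKIM TXT records at owner names that end in the origin twice (the_domain.com.the_domain.com.), which are not the names a receiving server queries. The check below is an added example, not part of the original question or answer; it runs on a constructed excerpt of that zone, and the function names are hypothetical.

```python
import re

# Constructed excerpt in the shape of the zone file in the question
# (placeholder domain as posted; the DKIM public key is omitted).
ZONE = """\
$ORIGIN the_domain.com.
$TTL 1800
the_domain.com. 1800 IN MX 100 us2.mx1.mailhostbox.com.
pop.the_domain.com. 1800 IN CNAME us2.pop.mailhostbox.com.
the_domain.com.the_domain.com. 1800 IN TXT "v=spf1 redirect=_spf.mailhostbox.com"
20150311._domainkey.the_domain.com.the_domain.com. 1800 IN TXT "v=DKIM1; k=rsa; p=<key omitted>"
"""

RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(\S+)\s+(.*)$")

def parse_zone(text):
    """Return (origin, [(absolute_owner, type, rdata), ...]) for one-line records."""
    origin, records = "", []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        m = RECORD.match(line)
        if not m:
            continue
        owner, rtype, rdata = m.group(1).lower(), m.group(2).upper(), m.group(3)
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):      # relative name: the origin is appended
            owner = f"{owner}.{origin}"
        records.append((owner, rtype, rdata))
    return origin, records

def lint_mail_txt(text):
    """Flag owners that carry the origin twice and report whether SPF sits at the apex."""
    origin, records = parse_zone(text)
    doubled = origin + origin
    misplaced = [(owner, owner[:-len(origin)])          # (published at, intended name)
                 for owner, _, _ in records
                 if owner == doubled or owner.endswith("." + doubled)]
    spf_at_apex = any(owner == origin and rtype == "TXT"
                      and rdata.strip('"').lower().startswith("v=spf1")
                      for owner, rtype, rdata in records)
    return {"misplaced": misplaced, "spf_at_apex": spf_at_apex}

if __name__ == "__main__":
    print(lint_mail_txt(ZONE))
```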

Related

server can't find IP address NXDOMAIN

I am trying to set up SMTP mail on CentOS / WHM, so far without success. Each message gets frozen in the mail queue with the error '#Diagnostic-Code: smtp; 550-Sender has no A, AAAA, or MX DNS records.' The problem appears to be with my hostname.
I understand from other answers that I need to configure reverse DNS for SMTP to work, because the receiving mail server will reject mail if it comes from an IP without a reverse DNS - so I've added a reverse DNS zone for my hostname. But this has not helped (and I don't see why having no reverse DNS would cause the 550 error I am getting anyway).
In named.conf:
controls {
    inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};
options {
    /* make named use port 53 for the source of all queries, to allow
     * firewalls to block all ports except 53:
     */
    // query-source port 53;
    recursion no;
    /* We no longer enable this by default as the dns posion exploit
       has forced many providers to open up their firewalls a bit */
    // Put files that named is allowed to write in the data/ directory:
    directory "/var/named"; // the default
    pid-file "/var/run/named/named.pid";
    dump-file "data/cache_dump.db";
    statistics-file "data/named_stats.txt";
    /* memstatistics-file "data/named_mem_stats.txt"; */
    allow-transfer { "none"; };
};
zone "whm.nantinet-c36.co.uk" {
    type master;
    file "/var/named/whm.nantinet-c36.co.uk.db";
};
zone "8.68.77.in-addr.arpa" {
    type master;
    file "/var/named/8.68.77.in-addr.arpa.db";
};
This is the zone file for nantinet-c36.co.uk:
whm.nantinet-c36.co.uk. 86400 IN SOA ns1.livedns.co.uk. my.email.co.uk. (
2017012706 ;Serial Number
3600 ;refresh
7200 ;retry
1209600 ;expire
86400 ;minimum
)
whm.nantinet-c36.co.uk. 86400 IN NS ns1.livedns.co.uk.
whm.nantinet-c36.co.uk. 86400 IN NS ns2.livedns.co.uk.
whm.nantinet-c36.co.uk. 14400 IN A 77.68.8.55
whm.nantinet-c36.co.uk. 14400 IN MX 0 whm.nantinet-c36.co.uk.
mail 14400 IN CNAME whm.nantinet-c36.co.uk.
www 14400 IN CNAME whm.nantinet-c36.co.uk.
ftp 14400 IN CNAME whm.nantinet-c36.co.uk.
This is the zone file for the reverse dns entry:
8.68.77.in-addr.arpa. 86400 IN SOA ns1.livedns.co.uk. my.email.co.uk. (
2017020204 ;Serial Number
3600 ;refresh
7200 ;retry
1209600 ;expire
86400 ;minimum
)
8.68.77.in-addr.arpa. 86400 IN NS ns1.livedns.co.uk.
8.68.77.in-addr.arpa. 86400 IN NS ns2.livedns.co.uk.
8.68.77.in-addr.arpa. 14400 IN A 77.68.8.55
8.68.77.in-addr.arpa. 14400 IN MX 0 8.68.77.in-addr.arpa.
8.68.77.in-addr.arpa. 14400 IN PTR nantinet-c36.co.uk.
8.68.77.in-addr.arpa. 14400 IN PTR whm.nantinet-c36.co.uk.
The nameservers work, I have an accessible web site running on the server. I am puzzled by this: if I dig +nssearch 8.68.77.in-addr.arpa, I get the error 'no servers could be reached'
Is there an error in my dns setup, or am I doing something else wrong here?
Thanks.
Yes, there is a problem with your DNS setup. The parent of whm.nantinet-c36.co.uk does not know about it, so it can't delegate to it, so nobody can look up any information about it. You can see a test of this here.

Why is EXIM not able to verify sender?

Puzzling problem sending emails from one server to another.
Sending from Server-01 pr#example.camp TO Server-02 eman#example.edu.au
Server 02 bounces with sender verify fail for <pr#example.camp>: Unrouteable address
On Server-02 running dig MX example.camp resolves fine with:
;; ANSWER SECTION:
mus.camp. 2869 IN MX 10 server01-aus.emanwebdesign.com.
mus.camp. 2869 IN MX 0 server01-aus.emanwebdesign.com.
;; AUTHORITY SECTION:
mus.camp. 2869 IN NS ns10.domaincontrol.com.
mus.camp. 2869 IN NS ns09.domaincontrol.com.
Also from Server-02 I can telnet into port 25 of mus.camp and verify the existence of the email address (pr#...).
Any clues as to why Exim's sender verify is failing?
Edit
exim -bvs pr#example.camp returns
pr#example.camp failed to verify: Unrouteable address
Worked out the problem was that the mus.camp domain was originally hosted on Server-02 but then moved to Server-01. Server-02 however was still trying to look up the email address within itself instead of going to Server-01.
To solve the problem I deleted the mail and dns records from Server-02. (using VestaCP).

How to Fix DMARC configuration. Email dropping spam folder Google Apps

I have a domain set up on AWS Route53 and I use Google Apps for the administration of email accounts. I'm having trouble sending invites (Google Calendar/Hangout) to other domains. These invites are going to the spam folder.
My DNS Configuration
$ dig -t any matheuscarino.com.br
;; ANSWER SECTION:
matheuscarino.com.br. 27 IN A 54.88.183.99
matheuscarino.com.br. 27 IN A 54.86.206.71
matheuscarino.com.br. 21567 IN NS ns-1324.awsdns-37.org.
matheuscarino.com.br. 21567 IN NS ns-1966.awsdns-53.co.uk.
matheuscarino.com.br. 21567 IN NS ns-691.awsdns-22.net.
matheuscarino.com.br. 21567 IN NS ns-7.awsdns-00.com.
matheuscarino.com.br. 867 IN SOA ns-1966.awsdns-53.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
matheuscarino.com.br. 267 IN MX 1 aspmx.l.google.com.
matheuscarino.com.br. 267 IN MX 10 alt3.aspmx.l.google.com.
matheuscarino.com.br. 267 IN MX 10 alt4.aspmx.l.google.com.
matheuscarino.com.br. 267 IN MX 5 alt1.aspmx.l.google.com.
matheuscarino.com.br. 267 IN MX 5 alt2.aspmx.l.google.com.
matheuscarino.com.br. 267 IN TXT "v=spf1 include:_spf.google.com ~all"
$ dig -t TXT _dmarc.matheuscarino.com.br
;; ANSWER SECTION:
_dmarc.matheuscarino.com.br. 299 IN TXT "v=DMARC1\; p=quarantine\; pct=100\; rua=mailto:webmaster#matheuscarino.com.br"
See how the messages are delivered.
spf=pass (google.com: domain of 3J4q7VQIUDdwCSK8RFCSQA8PGLM.AMK.9PK8RFCSQ.P8KMQL8RSC.AMK.9P#calendar-server.bounces.google.com designates 2607:f8b0:4002:c07::24a as permitted sender) smtp.mail=3J4q7VQIUDdwCSK8RFCSQA8PGLM.AMK.9PK8RFCSQ.P8KMQL8RSC.AMK.9P#calendar-server.bounces.google.com;
dkim=pass header.i=#google.com;
dmarc=fail (p=QUARANTINE dis=QUARANTINE) header.from=matheuscarino.com.br
Received: by ykdv124 with SMTP id v124so3562561ykd.1
for <matheus#XXXXX.com.br>; Fri, 31 Jul 2015 07:46:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=google.com; s=20120113;
Thanks in advance.
So getting a Google Apps email system to be DMARC compliant requires that you enable domain-specific DKIM. Right now your email is being DKIM signed with a google.com signature, but the FROM header is a matheuscarino.com.br address. So the DKIM signature cannot be used for DMARC authentication, because the domains are not the same.
For most emails sent from your Google Apps account, this isn't a problem, because SPF authentication matches the FROM header domain. These emails have a Return Path address with a domain of matheuscarino.com.br, and your SPF record above authenticates them.
BUT, Calendar and Hangout messages use a different Return Path domain. So for these messages to authenticate you must enable DKIM for your Google Apps account. You can find instructions here - https://support.google.com/a/answer/174124?hl=en
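The alignment rule this answer describes, as an added example that is not part of the original answer: DMARC passes only when SPF or DKIM both passes and uses a domain aligned with the From header. The header strings are constructed in the shape of the ones in the question, the two-entry suffix set stands in for the Public Suffix List, and the function names are hypothetical.

```python
import re

# Assumption: a two-entry stand-in for the Public Suffix List, enough for these
# samples; real evaluators use the full list to find the organizational domain.
PUBLIC_SUFFIXES = {"com", "com.br"}

def org_domain(domain):
    """Registrable domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def dmarc_verdict(auth_results):
    """Apply relaxed DMARC alignment to one Authentication-Results style string."""
    from_dom = re.search(r"header\.from=([\w.-]+)", auth_results).group(1)
    spf = re.search(r"\bspf=(\w+)[^;]*smtp\.mail(?:from)?=[^;\s]*@([\w.-]+)", auth_results)
    dkims = re.findall(r"\bdkim=(\w+)[^;]*header\.(?:d=|i=[^;\s]*@)([\w.-]+)", auth_results)
    want = org_domain(from_dom)
    # A passing check counts for DMARC only if its domain aligns with From.
    spf_ok = bool(spf) and spf.group(1) == "pass" and org_domain(spf.group(2)) == want
    dkim_ok = any(res == "pass" and org_domain(d) == want for res, d in dkims)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed samples (local parts shortened to "abc" / "user").
CALENDAR_INVITE = ("spf=pass (google.com: domain of abc@calendar-server.bounces.google.com "
                   "designates 2607:f8b0:4002:c07::24a as permitted sender) "
                   "smtp.mail=abc@calendar-server.bounces.google.com; "
                   "dkim=pass header.i=@google.com; header.from=matheuscarino.com.br")
ORDINARY_MAIL = ("spf=pass smtp.mail=user@matheuscarino.com.br; "
                 "dkim=pass header.i=@google.com; header.from=matheuscarino.com.br")
INVITE_WITH_DOMAIN_DKIM = ("spf=pass smtp.mail=abc@calendar-server.bounces.google.com; "
                           "dkim=pass header.i=@matheuscarino.com.br; "
                           "header.from=matheuscarino.com.br")

if __name__ == "__main__":
    for name in ("CALENDAR_INVITE", "ORDINARY_MAIL", "INVITE_WITH_DOMAIN_DKIM"):
        print(name, dmarc_verdict(globals()[name]))
```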

Site not loading,DNS not working

I am trying to open my site (posting.ly) but it's not working; rather, it shows a blank page for a while and then the error "could not load posting.ly".
I have updated the namespace and tested it, and updated the A record, but cannot figure out the problem. I have already worked with DNS and I know this should work; plus it's been more than 24 hrs, so this should work or show me a proper error.
Hosting is Rackspace and I have added an A record for the IP address.
This appears to be fine now. No www or wildcard, but main domain resolves.
$ checksoa posting.ly
Serial # RTT(ms) Nameservers (name, IP, SOA mname field) for posting.ly
1403808455 50 dns1.stabletransit.com 69.20.95.4 SOA: ns.rackspace.com
1403808455 80 dns2.stabletransit.com 65.61.188.4 SOA: ns.rackspace.com
$ dig +noall +answer +authority posting.ly
posting.ly. 300 IN A 162.13.143.172
$ dig +noall +answer +authority www.posting.ly
posting.ly. 300 IN SOA ns.rackspace.com. azm.dar.gmail.com. 1403808455 21600 3600 1814400 300

Gmail rejects emails. Openspf.net fails the tests.

I've got a problem with Gmail.
It started after one of our trojan infected PCs sent spam for one day from our IP address.
We've fixed the problem, but we got into 3 black lists. We've fixed that, too. But still every time we send an email to Gmail the message is rejected:
So I've checked Google Bulk Sender's guide once again and found an error in our SPF record and fixed it. Google says everything should become fine after some time, but this doesn't happen. 3 weeks already passed but we still can't send emails to Gmail.
Our mail setup is a bit complex, but not too much. We have a domain name delo-company.com, it has its own mail #delo-company.com (this one is fine, but the problems are with sub-domain name corp.delo-company.com).
The delo-company.com domain has several DNS records for its subdomain:
corp A 82.209.198.147
corp MX 20 corp.delo-company.com
corp.delo-company.com TXT "v=spf1 ip4:82.209.198.147 ~all"
(I set ~all for testing purposes only, it was -all before that)
These records are for our corporate Exchange 2003 server at 82.209.198.147. Its LAN name is s2.corp.delo-company.com so its HELO/EHLO greetings are also s2.corp.delo-company.com.
To pass EHLO check we've also created some records in delo-company.com's DNS:
s2.corp A 82.209.198.147
s2.corp.delo-company.com TXT "v=spf1 ip4:82.209.198.147 ~all"
As I understand SPF verifications should be passed in this way:
Our server s2 connects to the MX of the recipient (Rcp.MX): EHLO s2.corp.delo-company.com
Rcp.MX says OK, and makes an SPF check of HELO/EHLO. It does an nslookup for s2.corp.delo-company.com and gets the above DNS records. The TXT record says that s2.corp.delo-company.com should be only from IP 82.209.198.147. So it should be passed.
Then our s2 server says RCPT FROM: <supruniuk-p#corp.delo-company.com>
The Rcp.MX server checks it, too. The values are the same so they should also be positive.
Maybe there is also an rDNS check, but I'm not sure what is checked: HELO or RCPT FROM.
Our PTR record for 82.209.198.147 is:
147.198.209.82.in-addr.arpa. 86400 IN PTR s2.corp.delo-company.com.
To me everything looks fine, but anyway all emails are rejected by Gmail.
So, I've checked MXtoolbox.com - it says everything is fine, I passed http://www.kitterman.com/spf/validate.html Python check, I did 25port.com email test. It's fine, too:
Return-Path: <supruniuk-p#corp.delo-company.com>
Received: from s2.corp.delo-company.com (82.209.198.147) by verifier.port25.com id ha45na11u9cs for <check-auth#verifier.port25.com>; Fri, 2 Mar 2012 13:03:21 -0500 (envelope-from <supruniuk-p#corp.delo-company.com>)
Authentication-Results: verifier.port25.com; spf=pass smtp.mailfrom=supruniuk-p#corp.delo-company.com
Authentication-Results: verifier.port25.com; domainkeys=neutral (message not signed) header.From=supruniuk-p#corp.delo-company.com
Authentication-Results: verifier.port25.com; dkim=neutral (message not signed)
Authentication-Results: verifier.port25.com; sender-id=pass header.From=supruniuk-p#corp.delo-company.com
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01CCF89E.BE02A069"
Subject: test
Date: Fri, 2 Mar 2012 21:03:15 +0300
X-MimeOLE: Produced By Microsoft Exchange V6.5
Message-ID: <4C9EB1DB67831A428B2E14052F4A418707E1FF#s2.corp.delo-company.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: test
Thread-Index: Acz4jS34oznvbyFQR4S5rXsNQFvTdg==
From: =?koi8-r?B?89XQ0tXOwMsg8MHXxcw=?= <supruniuk-p#corp.delo-company.com>
To: <check-auth#verifier.port25.com>
I also checked with spf-test#openspf.net, but it FAILs all the time, no matter which SPF records I make:
<s2.corp.delo-company.com #5.7.1 smtp;550 5.7.1 <spf-test#openspf.net>: Recipient address rejected: SPF Tests: Mail-From Result="softfail": Mail From="supruniuk-p#corp.delo-company.com" HELO name="s2.corp.delo-company.com" HELO Result="softfail" Remote IP="82.209.198.147">
I've filled Gmail form twice, but nothing happens.
We do not send spam, only emails for our clients. 2 or 3 times we did mass emails (like New Year Greetings and sales promos) from corp.delo-company.com addresses, but they were all complying with Gmail Bulk Sender's Guide (I mean SPF, Open Relays, Precedence: Bulk and Unsubscribe tags). So, this should be not a problem.
Please, help me. What am I doing wrong?
I've been having serious problems with gmail rejecting legitimate mail. Somewhere I read a suggestion to delete URLs from your signature file. To my amazement, this worked. (My mail client is Eudora, which some of you may dimly remember.)
Hope it helps.
Gmail now has a postmaster tool where you can check your domain/IP reputation and spam rate, and in the "Authentication" area you can check that DKIM/SPF/DMARC work correctly.
https://gmail.com/postmaster/
I recommend using the CNAME record for authentication; if you are using the default TXT record, this entry is also returned on an SPF query.