Hi,

Can you send a mail from your account to check-auth@verifier.port25.com ?

Hi Sébastien,

thanks for your quick reply. The only issue is de DKIM check, might this be the cause of the problems? I thought this check was optional? I have also a bank that rejects my messages...

Thanks for your reply

Serge

This message is an automatic response from Port25's authentication verifier service at verifier.port25.com.  The service allows email senders to perform a simple check of various sender authentication mechanisms.  It is provided free of charge, in the hope that it is useful to the email community.  While it is not officially supported, we welcome any feedback you may have at <verifier-feedback@port25.com>.

 

Thank you for using the verifier,

 

The Port25 Solutions, Inc. team

 

==========================================================

Summary of Results

==========================================================

SPF check:          pass

"iprev" check:      pass

DKIM check:         permerror

 

==========================================================

Details:

==========================================================

 

HELO hostname:  mail.actilus.com

Source IP:      84.247.10.228

mail-from:      serge@settels.com

 

----------------------------------------------------------

SPF check details:

----------------------------------------------------------

Result:         pass

ID(s) verified: smtp.mailfrom=serge@settels.com

 

DNS record(s):

    settels.com. 300 IN TXT "MS=ms75982630"

    settels.com. 300 IN TXT "v=spf1 mx include:actilus.nl include:actilus.com ip4:84.247.10.228 ~all"

    settels.com. 300 IN MX 10 mail.settels.com.

    mail.settels.com. 300 IN A 84.247.10.228

 

 

----------------------------------------------------------

"iprev" check details:

----------------------------------------------------------

Result:         pass (matches 84-247-10-228.colo.transip.net)

ID(s) verified: policy.iprev=84.247.10.228

 

DNS record(s):

    228.10.247.84.in-addr.arpa. 300 IN PTR 84-247-10-228.colo.transip.net.

    84-247-10-228.colo.transip.net. 300 IN A 84.247.10.228

 

 

----------------------------------------------------------

DKIM check details:

----------------------------------------------------------

Result:         permerror (no usable key records)

ID(s) verified:

 

Canonicalized Headers:

    x-mailer:iPhone'20'Mail'20'(18C66)'0D''0A'

    to:check-auth@verifier.port25.com'0D''0A'

    message-id:<C394B821-C827-4125-BD66-308AD4811E86@settels.com>'0D''0A'

    subject:Test'0D''0A'

    date:Thu,'20'4'20'Feb'20'2021'20'20:16:42'20'+0100'0D''0A'

    mime-version:1.0'20'(1.0)'0D''0A'

    from:Serge'20'Settels'20'<serge@settels.com>'0D''0A'

    content-transfer-encoding:7bit'0D''0A'

    content-type:text/plain;'20'charset=us-ascii'0D''0A'

    dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/relaxed;'20'd=settels.com;'20's=actilus.com;'20'h=x-mailer:to:message-id:subject:date:mime-version:from'20':content-transfer-encoding:content-type;'20'bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;'20'b=

 

Canonicalized Body:

 

DNS record(s):

    actilus.com._domainkey.settels.com. TXT (no records)

 

NOTE: DKIM checking has been performed based on the latest DKIM specs (RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for older versions.  If you are using Port25's PowerMTA, you need to use version 3.2r11 or later to get a compatible version of DKIM.

 

==============================================================

Explanation of the possible results (based on RFCs 7601, 7208) ==============================================================

 

 

DKIM Results

============

 

none:  The message was not signed.

 

pass:  The message was signed, the signature or signatures were

    acceptable to the ADMD, and the signature(s) passed verification

    tests.

 

fail:  The message was signed and the signature or signatures were

    acceptable to the ADMD, but they failed the verification test(s).

 

policy:  The message was signed, but some aspect of the signature or

    signatures was not acceptable to the ADMD.

 

neutral:  The message was signed, but the signature or signatures

    contained syntax errors or were not otherwise able to be

    processed.  This result is also used for other failures not

    covered elsewhere in this list.

 

temperror:  The message could not be verified due to some error that

    is likely transient in nature, such as a temporary inability to

    retrieve a public key.  A later attempt may produce a final

    result.

 

permerror:  The message could not be verified due to some error that

    is unrecoverable, such as a required header field being absent.  A

    later attempt is unlikely to produce a final result.

 

 

SPF Results

===========

 

none:  Either (a) no syntactically valid DNS domain name was extracted from

    the SMTP session that could be used as the one to be authorized, or

    (b) no SPF records were retrieved from the DNS.

 

neutral:  The ADMD has explicitly stated that it is not asserting whether

    the IP address is authorized.

 

pass:  An explicit statement that the client is authorized to inject mail

    with the given identity.

 

fail:  An explicit statement that the client is not authorized to use the

    domain in the given identity.

 

softfail:  A weak statement by the publishing ADMD that the host is probably

    not authorized.  It has not published a stronger, more definitive policy

    that results in a "fail".

 

temperror:  The SPF verifier encountered a transient (generally DNS) error

    while performing the check.  A later retry may succeed without further

    DNS operator action.

 

permerror: The domain's published records could not be correctly interpreted.

    This signals an error condition that definitely requires DNS operator

    intervention to be resolved.

 

 

"iprev" Results

===============

 

pass:  The DNS evaluation succeeded, i.e., the "reverse" and

    "forward" lookup results were returned and were in agreement.

 

fail:  The DNS evaluation failed.  In particular, the "reverse" and

    "forward" lookups each produced results, but they were not in

    agreement, or the "forward" query completed but produced no

    result, e.g., a DNS RCODE of 3, commonly known as NXDOMAIN, or an

    RCODE of 0 (NOERROR) in a reply containing no answers, was

    returned.

 

temperror:  The DNS evaluation could not be completed due to some

    error that is likely transient in nature, such as a temporary DNS

    error, e.g., a DNS RCODE of 2, commonly known as SERVFAIL, or

    other error condition resulted.  A later attempt may produce a

    final result.

 

permerror:  The DNS evaluation could not be completed because no PTR

    data are published for the connecting IP address, e.g., a DNS

    RCODE of 3, commonly known as NXDOMAIN, or an RCODE of 0 (NOERROR)

    in a reply containing no answers, was returned.  This prevented

    completion of the evaluation.  A later attempt is unlikely to

    produce a final result.

 

 

 

 

==========================================================

Original Email

==========================================================

 

Return-Path: <serge@settels.com>

Received: from mail.actilus.com (84.247.10.228) by verifier.port25.com id h3h42c2p2tol for <check-auth@verifier.port25.com>; Thu, 4 Feb 2021 19:16:54 +0000 (envelope-from <serge@settels.com>)

Authentication-Results: verifier.port25.com; spf=pass  smtp.mailfrom=serge@settels.com;  iprev=pass (matches 84-247-10-228.colo.transip.net)  policy.iprev=84.247.10.228;  dkim=permerror reason="no usable key records"  

X-SmarterMail-Authenticated-As: serge@settels.com

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

        d=settels.com; s=actilus.com;

        h=x-mailer:to:message-id:subject:date:mime-version:from

          :content-transfer-encoding:content-type;

        bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;

        b=PBH2YXBgswkG4uXzlBFGfTA+nggekXjXgqGkitXJgOd/f71XFHPR2yK7hofHv1j6z

          7O1y32bMizjUaFhpJKmTT1JNtG+hhfFW4uwdQ9UTPgoVYINhwC3Nh6sZqufGm2HYV

          GtTlxCdmp/b9ZIKImANSIWiNoayPVX3R/dfn/+R/0=

Received: from [192.168.178.59] (84-104-144-243.cable.dynamic.v4.ziggo.nl [84.104.144.243]) by mail.actilus.com with SMTP

              (version=Tls12

              cipher=Aes256 bits=256);

   Thu, 4 Feb 2021 20:16:43 +0100

Content-Type: text/plain; charset=us-ascii

Content-Transfer-Encoding: 7bit

From: Serge Settels <serge@settels.com>

Mime-Version: 1.0 (1.0)

Date: Thu, 4 Feb 2021 20:16:42 +0100

Subject: Test

Message-Id: <C394B821-C827-4125-BD66-308AD4811E86@settels.com>

To: check-auth@verifier.port25.com

X-Mailer: iPhone Mail (18C66)

X-Exim-Id: C394B821-C827-4125-BD66-308AD4811E86

 

 

 

 

Hi,

Okay I would say I see two possible issues here:

1) Your mail server IP has a reverse DNS that doesn't match the server HELO and MX record.

You should change it from 84-247-10-228.colo.transip.net to mail.actilus.com. Probably your hoster/ISP have an option to change this.

Also the MX for settels.com is mail.settels.com. I would suggest to change it to the main name of your mail server which is mail.actilus.com I guess.

2) You seems to have DKIM enabled in SmarterMail because the mail is signed but you don't publish the DKIM record in the sender domain.

Two possibilities here, disable DKIM or set the DNS record in your domain. For better deliverability I would suggest you to add the corresponding DKIM record to your domain.

Also I would suggest you to add to your DNS a TXT record:

 _dmarc.settels.com

  with the value

v=DMARC1; p=none; sp=none; rua=mailto:dmarc@settels.com; ruf=mailto:dmarc@settels.com;

dmarc@settels.com should be a mailbox where you can receive dmarc reports about received mails originating from the domain that failed the auth verifications.

Dmarc is an additional mechanism that requires SPF and DKIM.

This should help a bit increasing the deliverability of the domain mails.

Dear Sébastien,

thank you for your recommendations. I have implemented most of them, the DKIM check is passed. Only the DNS name I cannot change (without support). The ipref check says it is OK so hopefully it is sufficient, otherwise I will have to change more. I have asked the customer to test the new settings.

Kind regards

Serge

Hello. Okay, but I would still go ahead with changing the iprev because having matching increases the chance do be delivered.

They especially don't like when the reverse looks like just the ip address with a domain name as usually it's the style used for reverse DNS gy ISPs for home links.

There are several pattern matching that detects this and lower the core of your mail.

(click on SMTP test)

For example this check is showing a warning about the reverse name mismatch.

Also it shows you did not enable TLS on your SMTP ports. You should enable it (and also for outgoing mails).

This checker shows another issue: The DNS checker uses too much includes and it generates too much DNS queries to verify it. So some receiver will skip your SPF record and can assume it as failed.

More info about this here:

After fixing all this you should be in the best conditions to deliver mails

Dear Sébastien,

thanks again, today I have used your links to optimize my TLS settings and the SPF issue! You have tought me a lot!

Kind regards

Serge

Thanks for the feedback. Happy to help :)

Kind regards