Re: report from google relate to failed dkim

2017-12-29 Thread Dominic Raferd
You are still top-posting please don't... See bottom for my reply...

On 29 December 2017 at 06:21, Poliman - Serwis  wrote:
> But "signing domain" and domain in "From" will never be matched. Server has
> own domain s1.domain.net. On this server are hosted few websites. These have
> another domains than the server fqdn. In report from google I see fail in
> dkim row but for IP of the server. I don't know why there is IP not fqdn.
>
> 2017-12-28 8:44 GMT+01:00 Dominic Raferd :
>>
>> Please bottom post on this list (and see below)
>>
>> On 28 December 2017 at 07:05, Poliman - Serwis  wrote:
>> > For particular domain from report dkim works well. I checked it here
>> > http://dkimcore.org/c/keycheck. Mails from this domain are sent by
>> > s1.domain.net server. Should be dkim configured for domain name of the
>> > server which corresponds to IP mentioned earlier?
>> >
>> > 2017-12-28 7:46 GMT+01:00 Poliman - Serwis :
>> >>
>> >> All is clear but how setup dmarc per IP address of the server if dmarc
>> >> is
>> >> based on spf and dkim which are based on particular domain?
>> >>
>> >> 2017-12-27 10:37 GMT+01:00 Dominic Raferd :
>> >>>
>> >>> On 27 December 2017 at 07:22, Poliman - Serwis 
>> >>> wrote:
>> >>> > I configured yesterday spf, dkim, dmarc for example.com. Today I got
>> >>> > report
>> >>> > in xml on my mailbox. Attached. One from addresses has dkim failed -
>> >>> > marked
>> >>> > in orange...
>>
>> Setting spf should not be necessary if you are setting a dkim header
>> correctly in all the outgoing emails for the domain in question.
>> Indeed I would go further and say that setting an spf DNS record for
>> your domain is inadvisable when testing dmarc because it can mask
>> underlying dkim problems.
>>
>> In order to pass dmarc alignment testing, opendkim needs to insert
>> into the outgoing email a dkim header with a signing domain (d=)
>> matching the domain in the internal 'From:' header. The server name or
>> ip that it has come from is irrelevant for dkim.
>>
>> If your mail passes dkim check-summing and dkim alignment when tested
>> at its destination for dmarc, it will pass overall regardless of any
>> spf (and vice versa).

There is no connection between ip/fqdn of the server and the signing
domain for DKIM - see man opendkim. You set all the domains for which
you want emails signed rather than verified in the 'Domain' setting in
/etc/opendkim.conf e.g.

Domain mydomain1.tld,mydomain2.tld,mydomain3.tld

Use KeyFile to give the location of the file containing the private
key to be used with all domains - and the matching public key must be
published in their DNS.

If you want to have different keys for different domains, use
KeyTable/SigningTable rather than Domain/KeyFile - I haven't tried
this. Refer to man opendkim.conf for more information.

(Apologies to anyone who feels that the postfix mailing list is not
the appropriate place to try to answer (or ask) these questions, there
doesn't seem to be an opendkim mailing list...)


Re: report from google relate to failed dkim

2017-12-28 Thread Poliman - Serwis
But "signing domain" and domain in "From" will never be matched. Server has
own domain s1.domain.net. On this server are hosted few websites. These
have another domains than the server fqdn. In report from google I see fail
in dkim row but for IP of the server. I don't know why there is IP not fqdn.

2017-12-28 8:44 GMT+01:00 Dominic Raferd :

> Please bottom post on this list (and see below)
>
> On 28 December 2017 at 07:05, Poliman - Serwis  wrote:
> > For particular domain from report dkim works well. I checked it here
> > http://dkimcore.org/c/keycheck. Mails from this domain are sent by
> > s1.domain.net server. Should be dkim configured for domain name of the
> > server which corresponds to IP mentioned earlier?
> >
> > 2017-12-28 7:46 GMT+01:00 Poliman - Serwis :
> >>
> >> All is clear but how setup dmarc per IP address of the server if dmarc
> is
> >> based on spf and dkim which are based on particular domain?
> >>
> >> 2017-12-27 10:37 GMT+01:00 Dominic Raferd :
> >>>
> >>> On 27 December 2017 at 07:22, Poliman - Serwis 
> wrote:
> >>> > I configured yesterday spf, dkim, dmarc for example.com. Today I got
> >>> > report
> >>> > in xml on my mailbox. Attached. One from addresses has dkim failed -
> >>> > marked
> >>> > in orange...
>
> Setting spf should not be necessary if you are setting a dkim header
> correctly in all the outgoing emails for the domain in question.
> Indeed I would go further and say that setting an spf DNS record for
> your domain is inadvisable when testing dmarc because it can mask
> underlying dkim problems.
>
> In order to pass dmarc alignment testing, opendkim needs to insert
> into the outgoing email a dkim header with a signing domain (d=)
> matching the domain in the internal 'From:' header. The server name or
> ip that it has come from is irrelevant for dkim.
>
> If your mail passes dkim check-summing and dkim alignment when tested
> at its destination for dmarc, it will pass overall regardless of any
> spf (and vice versa).
>



-- 

*Pozdrawiam / Best Regards*
*Piotr Bracha*


Re: report from google relate to failed dkim

2017-12-27 Thread Dominic Raferd
Please bottom post on this list (and see below)

On 28 December 2017 at 07:05, Poliman - Serwis  wrote:
> For particular domain from report dkim works well. I checked it here
> http://dkimcore.org/c/keycheck. Mails from this domain are sent by
> s1.domain.net server. Should be dkim configured for domain name of the
> server which corresponds to IP mentioned earlier?
>
> 2017-12-28 7:46 GMT+01:00 Poliman - Serwis :
>>
>> All is clear but how setup dmarc per IP address of the server if dmarc is
>> based on spf and dkim which are based on particular domain?
>>
>> 2017-12-27 10:37 GMT+01:00 Dominic Raferd :
>>>
>>> On 27 December 2017 at 07:22, Poliman - Serwis  wrote:
>>> > I configured yesterday spf, dkim, dmarc for example.com. Today I got
>>> > report
>>> > in xml on my mailbox. Attached. One from addresses has dkim failed -
>>> > marked
>>> > in orange...

Setting spf should not be necessary if you are setting a dkim header
correctly in all the outgoing emails for the domain in question.
Indeed I would go further and say that setting an spf DNS record for
your domain is inadvisable when testing dmarc because it can mask
underlying dkim problems.

In order to pass dmarc alignment testing, opendkim needs to insert
into the outgoing email a dkim header with a signing domain (d=)
matching the domain in the internal 'From:' header. The server name or
ip that it has come from is irrelevant for dkim.

If your mail passes dkim check-summing and dkim alignment when tested
at its destination for dmarc, it will pass overall regardless of any
spf (and vice versa).


Re: report from google relate to failed dkim

2017-12-27 Thread Poliman - Serwis
For particular domain from report dkim works well. I checked it here
http://dkimcore.org/c/keycheck. Mails from this domain are sent by
s1.domain.net server. Should be dkim configured for domain name of the
server which corresponds to IP mentioned earlier?

2017-12-28 7:46 GMT+01:00 Poliman - Serwis :

> All is clear but how setup dmarc per IP address of the server if dmarc is
> based on spf and dkim which are based on particular domain?
>
> 2017-12-27 10:37 GMT+01:00 Dominic Raferd :
>
>> On 27 December 2017 at 07:22, Poliman - Serwis  wrote:
>> > I configured yesterday spf, dkim, dmarc for example.com. Today I got
>> report
>> > in xml on my mailbox. Attached. One from addresses has dkim failed -
>> marked
>> > in orange...
>>
>> This is a DMARC report from Gmail and so a more appropriate place to
>> ask about it is the opendmarc mailing list
>> http://www.trusteddomain.org/mailman/listinfo/opendmarc-users. The
>> google link within the report that you attached gives a bit more
>> information. The report says that Gmail received one email purporting
>> to be from your domain, it passed the spf test and failed the dkim
>> test. If you are confident that this was a legitimate email (it came
>> from or via 200.150.100.50, unless you obfuscated this), then either
>> there is a problem with your dkim setup or this email bypassed it
>> entirely.
>>
>> DMARC reports from mail providers are very useful in checking for
>> problems with spf/dkim/dmarc before one moves to p=reject. Consider
>> using one of the services that receive and collate these reports for
>> you, it makes them easier to understand.
>>
>
>
>
> --
>
> *Pozdrawiam / Best Regards*
> *Piotr Bracha*
>



-- 

*Pozdrawiam / Best Regards*
*Piotr Bracha*


Re: report from google relate to failed dkim

2017-12-27 Thread Poliman - Serwis
All is clear but how setup dmarc per IP address of the server if dmarc is
based on spf and dkim which are based on particular domain?

2017-12-27 10:37 GMT+01:00 Dominic Raferd :

> On 27 December 2017 at 07:22, Poliman - Serwis  wrote:
> > I configured yesterday spf, dkim, dmarc for example.com. Today I got
> report
> > in xml on my mailbox. Attached. One from addresses has dkim failed -
> marked
> > in orange...
>
> This is a DMARC report from Gmail and so a more appropriate place to
> ask about it is the opendmarc mailing list
> http://www.trusteddomain.org/mailman/listinfo/opendmarc-users. The
> google link within the report that you attached gives a bit more
> information. The report says that Gmail received one email purporting
> to be from your domain, it passed the spf test and failed the dkim
> test. If you are confident that this was a legitimate email (it came
> from or via 200.150.100.50, unless you obfuscated this), then either
> there is a problem with your dkim setup or this email bypassed it
> entirely.
>
> DMARC reports from mail providers are very useful in checking for
> problems with spf/dkim/dmarc before one moves to p=reject. Consider
> using one of the services that receive and collate these reports for
> you, it makes them easier to understand.
>



-- 

*Pozdrawiam / Best Regards*
*Piotr Bracha*


Re: report from google relate to failed dkim

2017-12-27 Thread Dominic Raferd
On 27 December 2017 at 10:06, li...@lazygranch.com  wrote:
> On Wed, 27 Dec 2017 09:37:24 +
> Dominic Raferd  wrote:
>> ... DMARC reports from mail providers are very useful in checking for
>> problems with spf/dkim/dmarc before one moves to p=reject. Consider
>> using one of the services that receive and collate these reports for
>> you, it makes them easier to understand.
>
> I decided not to set up DMARC on my new server since the logs are
> pretty overwhelming. What service would you suggest?

I currently use http://dmarc.postmarkapp.com/ - you receive weekly
emails summarising the data, and it's free.


Re: report from google relate to failed dkim

2017-12-27 Thread Juri Haberland
On 27.12.2017 08:22, Poliman - Serwis wrote:
> I configured yesterday spf, dkim, dmarc for example.com. Today I got report
> in xml on my mailbox. Attached. One from addresses has dkim failed - marked
> in orange. What that means and how to fix it? I use ubuntu 16.04 lts and
> postfix:

Judging from the Google DMARC report I'd say that the server at
200.150.100.50 does not add a DKIM signature to the outgoing mails - you need
to fix this.


 Juri


Re: report from google relate to failed dkim

2017-12-27 Thread li...@lazygranch.com
On Wed, 27 Dec 2017 09:37:24 +
Dominic Raferd  wrote:

> On 27 December 2017 at 07:22, Poliman - Serwis 
> wrote:
> > I configured yesterday spf, dkim, dmarc for example.com. Today I
> > got report in xml on my mailbox. Attached. One from addresses has
> > dkim failed - marked in orange...  
> 
> This is a DMARC report from Gmail and so a more appropriate place to
> ask about it is the opendmarc mailing list
> http://www.trusteddomain.org/mailman/listinfo/opendmarc-users. The
> google link within the report that you attached gives a bit more
> information. The report says that Gmail received one email purporting
> to be from your domain, it passed the spf test and failed the dkim
> test. If you are confident that this was a legitimate email (it came
> from or via 200.150.100.50, unless you obfuscated this), then either
> there is a problem with your dkim setup or this email bypassed it
> entirely.
> 
> DMARC reports from mail providers are very useful in checking for
> problems with spf/dkim/dmarc before one moves to p=reject. Consider
> using one of the services that receive and collate these reports for
> you, it makes them easier to understand.

I decided not to set up DMARC on my new server since the logs are
pretty overwhelming. What service would you suggest? 

BTW the OP should use this to verify the setup:
http://dkimvalidator.com/

There are a bunch of similar services, but I like the output on this
one.

I had some spammer try to spoof my email address and got a bounced
message because they used my email address in the return. That was
an SPF rejection, but still nice to see the system working.
 



Re: report from google relate to failed dkim

2017-12-27 Thread Dominic Raferd
On 27 December 2017 at 07:22, Poliman - Serwis  wrote:
> I configured yesterday spf, dkim, dmarc for example.com. Today I got report
> in xml on my mailbox. Attached. One from addresses has dkim failed - marked
> in orange...

This is a DMARC report from Gmail and so a more appropriate place to
ask about it is the opendmarc mailing list
http://www.trusteddomain.org/mailman/listinfo/opendmarc-users. The
google link within the report that you attached gives a bit more
information. The report says that Gmail received one email purporting
to be from your domain, it passed the spf test and failed the dkim
test. If you are confident that this was a legitimate email (it came
from or via 200.150.100.50, unless you obfuscated this), then either
there is a problem with your dkim setup or this email bypassed it
entirely.

DMARC reports from mail providers are very useful in checking for
problems with spf/dkim/dmarc before one moves to p=reject. Consider
using one of the services that receive and collate these reports for
you, it makes them easier to understand.


report from google relate to failed dkim

2017-12-26 Thread Poliman - Serwis
I configured yesterday spf, dkim, dmarc for example.com. Today I got report
in xml on my mailbox. Attached. One from addresses has dkim failed - marked
in orange. What that means and how to fix it? I use ubuntu 16.04 lts and
postfix:

root@s1:~# postconf | grep version
disable_mime_output_conversion = no
mail_version = 3.1.0

-- 

*Pozdrawiam / Best Regards*
*Piotr Bracha*


  
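<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>noreply-dmarc-supp...@google.com</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>4940630445217488767</report_id>
    <date_range>
      <begin>1513987200</begin>
      <end>1514073599</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
    <sp>none</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>200.150.100.50</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>example.com</header_from>
    </identifiers>
    <auth_results>
      <spf>
        <domain>example.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>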
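
Added example, not part of any message in this thread: a small Python triage of a DMARC aggregate report that separates "no DKIM signature at all" from "valid signature whose d= does not align with the From: domain", the two cases the replies above distinguish. The first record uses the values quoted in the thread; the second record, the function names and the simplified relaxed-alignment rule are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Record 1: values quoted in the thread. Record 2: invented,
# showing mail signed with the server's own domain instead of the From: domain.
SAMPLE = """<feedback>
<policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p></policy_published>
<record><row><source_ip>200.150.100.50</source_ip><count>1</count>
 <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
 <identifiers><header_from>example.com</header_from></identifiers>
 <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>192.0.2.10</source_ip><count>3</count>
 <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <identifiers><header_from>example.com</header_from></identifiers>
 <auth_results><dkim><domain>s1.domain.net</domain><result>pass</result></dkim>
  <spf><domain>s1.domain.net</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

def aligned(signing_domain, from_domain, mode):
    """Strict ('s') needs an exact match. Relaxed ('r') is simplified here to
    'same domain or parent/subdomain'; real DMARC compares organizational domains."""
    a, b = signing_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def diagnose_dkim(report_xml):
    """Return one finding per <record>, explaining why the DKIM row failed."""
    root = ET.fromstring(report_xml)
    adkim = root.findtext("policy_published/adkim", default="r")
    findings = []
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        from_dom = rec.findtext("identifiers/header_from")
        sigs = [(d.findtext("domain"), d.findtext("result"))
                for d in rec.findall("auth_results/dkim")]
        passing = [d for d, r in sigs if r == "pass"]
        if ev.findtext("dkim") == "pass":
            why = "ok"
        elif not sigs:
            why = "no DKIM signature seen"
        elif passing and not any(aligned(d, from_dom, adkim) for d in passing):
            why = "valid signature, but d= not aligned with From"
        else:
            why = "signature did not verify"
        findings.append({"source_ip": rec.findtext("row/source_ip"),
                         "count": int(rec.findtext("row/count")),
                         "dmarc_pass": "pass" in (ev.findtext("dkim"), ev.findtext("spf")),
                         "dkim": why})
    return findings
```
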