Vacation Autoresponses: recipients shown warning: "failing its domain's authentication requirements"

Discussion in 'Installation/Configuration' started by Esbeeb, Feb 27, 2019.

  1. Esbeeb

    Esbeeb New Member

    I'm running ISPConfig 3.1.13, in the latest Debian 9.
    Despite me setting up SPF (the TXT record is "v=spf1 mx a ~all" which merely warns on errors), DKIM and DNSSEC the very best I could on my DNS servers, when vacation autoresponses get sent by my ISPconfig-controlled email server, then recipients will get a warning shown as follows:
    [​IMG]
    Note: My vacation autoresponses are set up within the ISPConfig Web Admin interface, not from the Roundcube plugin for Vacation autoresponses.

    I think I know why these Warnings get shown. The headers on outgoing email are a little different for normal outgoing mail, and vacation autoresponses, underlined in red here in this comparison of the headers using "meld":
    [​IMG]
    Note that on proper outgoing mail (shown on the left), the header says: "Authenticated Sender:", but in the Vacation Autoresponses (shown on the right), which get flagged, it instead merely says: "from userid 5000".
    This makes SPF's fur stand on end, as it were. How do I get the vacation autoresponses on the right to have headers just like on the left hand side, saying "Authenticated Sender:"?
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer ISPConfig Developer

    SPF has nothing to do with authenticated sending nor what is in Received headers, the difference as it relates to SPF is in the Return-Path. On a normal email, the Return-Path is set to your sender's address, and the SPF check is performed on the domain from that address (sampledomain.com above). In the vacation example there is a null sender, so the SPF check would be performed on the helo hostname (mail.sampledomain.com above). Checking SPF for the helo hostname is normally done anyways, so I would expect it to pass, but do see what the mail.sampledomain.com SPF record is. If it is passing, there's something more than just SPF involved (eg. a DMARC policy could require SPF alignment, which would fail). If you post unredacted headers, other folks could take a look at what's actually going on, save time and provide better answers.
     
    Esbeeb and till like this.
  3. Esbeeb

    Esbeeb New Member

    What an awesome response, thanks.
    Here's what I needed to do, to fix my problem. First of all, my MX record needed to be for "mail.sampledomain.com", not just "sampledomain.com". Note that I already had an "A" record for mail.sampledomain.com, with the same IP address for sampledomain.com (both are the same server).

    Secondly, my SPF record had to look like:
    mail.sampledomain.com. 86400 IN TXT "v=spf1 mx a ~all"
    ...and not:
    sampledomain.com. 86400 IN TXT "v=spf1 mx a ~all"

    Thirdly, my DMARC record had to look like:
    _dmarc.mail.sampledomain.com. 86400 IN TXT "v=DMARC1; p=none;"
    ...and not:
    _dmarc.sampledomain.com. 86400 IN TXT "v=DMARC1; p=none;"
     
  4. Jesse Norell

    Jesse Norell ISPConfig Developer ISPConfig Developer

    Glad you got things setup to work there. One note, you should have an SPF record for both your domain itself as well as each hostname/subdomain in it; for DMARC records, each subdomain will inherit a policy from the domain (see sp= ), and you can specify additional DMARC records for a hostname/subdomain as needed if the policy is different.
     
  5. Esbeeb

    Esbeeb New Member

    After learning more about how "sp=" works, I finally grokked that the subdomain inheritance (for a DMARC policy) happens automatically (which you said, but I didn't get it right away). Therefore I don't need to specify any "sp=" argument. The "sp=" is for when you want something other than straightforward inheritance for the subdomains.

    But none the less, I appreciate you pointing out that my DMARC record needs to be done for:
    _dmarc.sampledomain.com. 86400 IN TXT "v=DMARC1; p=none;"
    ...rather than:
    _dmarc.mail.sampledomain.com. 86400 IN TXT "v=DMARC1; p=none;"
    ...only.
     
    Last edited: Mar 10, 2019
  6. Esbeeb

    Esbeeb New Member

    @Jesse Norell, you were right, I just needed to use mxtoolbox.com several times until everything passed in the green.

    In the end, here is what my 2 SPF TXT records looked like:
    mail.sampledomain.com. 86400 IN TXT "v=spf1 a -all"
    sampledomain.com. 86400 IN TXT "v=spf1 mx a -all"

    ...and here is what my DMARC TXT record looked like:
    _dmarc.sampledomain.com. 86400 IN TXT "v=DMARC1; p=quarantine;"
     
    Last edited: Mar 10, 2019

Share This Page