Vacation Autoresponses: recipients shown warning: "failing its domain's authentication requirements"

Discussion in 'Installation/Configuration' started by Esbeeb, Feb 27, 2019.

  1. Esbeeb

    Esbeeb New Member

    I'm running ISPConfig 3.1.13, in the latest Debian 9.
    Despite me setting up SPF (the TXT record is "v=spf1 mx a ~all" which merely warns on errors), DKIM and DNSSEC the very best I could on my DNS servers, when vacation autoresponses get sent by my ISPconfig-controlled email server, then recipients will get a warning shown as follows:
    [​IMG]
    Note: My vacation autoresponses are set up within the ISPConfig Web Admin interface, not from the Roundcube plugin for Vacation autoresponses.

    I think I know why these Warnings get shown. The headers on outgoing email are a little different for normal outgoing mail, and vacation autoresponses, underlined in red here in this comparison of the headers using "meld":
    [​IMG]
    Note that on proper outgoing mail (shown on the left), the header says: "Authenticated Sender:", but in the Vacation Autoresponses (shown on the right), which get flagged, it instead merely says: "from userid 5000".
    This makes SPF's fur stand on end, as it were. How do I get the vacation autoresponses on the right to have headers just like on the left hand side, saying "Authenticated Sender:"?
     
  2. Jesse Norell

    Jesse Norell Well-Known Member

    SPF has nothing to do with authenticated sending nor what is in Received headers, the difference as it relates to SPF is in the Return-Path. On a normal email, the Return-Path is set to your sender's address, and the SPF check is performed on the domain from that address (sampledomain.com above). In the vacation example there is a null sender, so the SPF check would be performed on the helo hostname (mail.sampledomain.com above). Checking SPF for the helo hostname is normally done anyways, so I would expect it to pass, but do see what the mail.sampledomain.com SPF record is. If it is passing, there's something more than just SPF involved (eg. a DMARC policy could require SPF alignment, which would fail). If you post unredacted headers, other folks could take a look at what's actually going on, save time and provide better answers.
     
    Esbeeb and till like this.
  3. Esbeeb

    Esbeeb New Member

    What an awesome response, thanks.
    Here's what I needed to do, to fix my problem. First of all, my MX record needed to be for "mail.sampledomain.com", not just "sampledomain.com". Note that I already had an "A" record for mail.sampledomain.com, with the same IP address for sampledomain.com (both are the same server).

    Secondly, my SPF record had to look like:
    mail.sampledomain.com. 86400 IN TXT "v=spf1 mx a ~all"
    ...and not:
    sampledomain.com. 86400 IN TXT "v=spf1 mx a ~all"

    Thirdly, my DMARC record had to look like:
    _dmarc.mail.sampledomain.com. 86400 IN TXT "v=DMARC1; p=none;"
    ...and not:
    _dmarc.sampledomain.com. 86400 IN TXT "v=DMARC1; p=none;"
     
  4. Jesse Norell

    Jesse Norell Well-Known Member

    Glad you got things setup to work there. One note, you should have an SPF record for both your domain itself as well as each hostname/subdomain in it; for DMARC records, each subdomain will inherit a policy from the domain (see sp= ), and you can specify additional DMARC records for a hostname/subdomain as needed if the policy is different.
     
  5. Esbeeb

    Esbeeb New Member

    After learning more about how "sp=" works, I finally grokked that the subdomain inheritance (for a DMARC policy) happens automatically (which you said, but I didn't get it right away). Therefore I don't need to specify any "sp=" argument. The "sp=" is for when you want something other than straightforward inheritance for the subdomains.

    But none the less, I appreciate you pointing out that my DMARC record needs to be done for:
    _dmarc.sampledomain.com. 86400 IN TXT "v=DMARC1; p=none;"
    ...rather than:
    _dmarc.mail.sampledomain.com. 86400 IN TXT "v=DMARC1; p=none;"
    ...only.
     
    Last edited: Mar 10, 2019
  6. Esbeeb

    Esbeeb New Member

    @Jesse Norell, you were right, I just needed to use mxtoolbox.com several times until everything passed in the green.

    In the end, here is what my 2 SPF TXT records looked like:
    mail.sampledomain.com. 86400 IN TXT "v=spf1 a -all"
    sampledomain.com. 86400 IN TXT "v=spf1 mx a -all"

    ...and here is what my DMARC TXT record looked like:
    _dmarc.sampledomain.com. 86400 IN TXT "v=DMARC1; p=quarantine;"
     
    Last edited: Mar 10, 2019

Share This Page