DKIM and canonicalization

Discussion in 'General' started by Pedro A., Mar 20, 2025.

  1. Pedro A.

    Pedro A. Member

    Hi.
    Recently I noticed my emails were refused by Google.
    Damn Google and its restrictions!!
    The message I received is: Your email has been blocked because DKIM authentication didn't pass 550-5.7.30 for this message. Gmail requires all email bulk senders to 550-5.7.30 authenticate their email with DKIM. 550-5.7.30 550-5.7.30 Authentication results: 550-5.7.30 DKIM = did not pass 550-5.7.30 To set up DKIM for your sending domains, visit 550-5.7.30...
    I've checked SPF, DKIM, DMARC... all is ok, but a certain tool (Red Sift) said: The Canonicalization for the body is set to "simple". This can lead to problems when verifying the email signature. We recommend setting it to "relaxed" for header and body.
    Then, how do I set up this parameter?? I believe this must be set up on the DKIM record but I can't modify it in ISPConfig (but I can where I've configured the domain DNS records. Note: I don't use ISPConfig as a DNS server).
    Thanks.
     
  2. remkoh

    remkoh Active Member HowtoForge Supporter

    It doesn't matter what dns server you use, as long as the records are correct.

    I always test SPF, DKIM and DMARC using mail-tester.com
    If all dns records are ok then I will score 10/10 or very close to that (high 9) and I never had any problems with Google afterwards.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    There is no need to alter that parameter, the tool you used for testing led you in a wrong direction. What Google complains about is that either DKIM or SPF is not set in DNS for this domain.
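
Added example (not part of the original thread): the canonicalization setting the testing tool reported is the c= tag of the DKIM-Signature header written by the signing software, and it decides how much whitespace change a message body can absorb before the bh= body hash stops matching (RFC 6376, sections 3.4.3 and 3.4.4). The signature header and both message bodies below are constructed samples.

```python
import base64
import hashlib
import re

# Constructed DKIM-Signature value; d=, s=, bh= and b= are placeholders.
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; "
              "s=default; h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=")

def canon_from_signature(sig: str) -> tuple[str, str]:
    """Return (header, body) canonicalization from the c= tag."""
    tags = {}
    for item in sig.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = value.strip()
    header, _, body = tags.get("c", "simple/simple").partition("/")
    return header, body or "simple"   # "c=relaxed" alone means relaxed/simple

def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: only empty lines at the end of the body are ignored."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"

def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: also collapse whitespace runs and strip line ends."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, mode: str) -> str:
    """Value the signer puts in bh= and the verifier recomputes (SHA-256)."""
    canon = canon_body_relaxed if mode == "relaxed" else canon_body_simple
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()

# Constructed bodies: as signed, and as delivered after a relay re-wrapped
# whitespace (trailing space added, a double space introduced).
SENT = b"Hello Pedro,\r\nyour invoice is attached.\r\n"
DELIVERED = b"Hello Pedro, \r\nyour  invoice is attached.\r\n\r\n"

if __name__ == "__main__":
    print("c= tag:", canon_from_signature(SAMPLE_SIG))
    for mode in ("simple", "relaxed"):
        same = body_hash(SENT, mode) == body_hash(DELIVERED, mode)
        print(f"{mode:8} body hash survives the change: {same}")
```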
     
  4. Pedro A.

    Pedro A. Member

    I've used mail-tester.com and I obtain 9.5 score.
    I've used Mxtoolbox and other tools to check SPF and DKIM and all is ok.
    This is frustrating. I'm turning crazy.
    While Microsoft or Yahoo have contact support, Google doesn't.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    You could try to add an SPF record for the server's hostname (not the email-sending domain) in addition to what you have already.
     
  6. Pedro A.

    Pedro A. Member

    Sorry about my ignorance.
    What do you mean about SPF for the hostname? Where do I have to add it and what is the syntax??
    My only SPF record is configured where I've my DNS records, this is my hosting provider.
    The syntax is:
    Code:
    v=spf1 mx a ip4:xxx.xxx.xxx.xxx/32 ~all
    Thanks.
     
  7. remkoh

    remkoh Active Member HowtoForge Supporter

    If ip4: contains the public ip your server is using to send mail from you should be ok.
    Though /32 is obsolete. It's only useful for larger subnets, not single IPs.

    Your mx record resolves to the same hostname as your server is using to talk to other mailservers?
    Then mx and ip4: is double (but shouldn't matter in any way).
     
  8. Pedro A.

    Pedro A. Member

    Yes, ip4: contains my server public ip and the mx record resolves the hostname of my server (I've configured MX10 pointing to mail.mydomain.com and mail.mydomain.com with A register pointing to the public ip)
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Your server has a hostname. You can see the server hostname by running the command:

    hostname -f

    You must then create an SPF record for that hostname on the DNS server that is authoritative for this hostname. The syntax is the same as that of any other SPF record. The difference is that you create the SPF record for the server's hostname and not the email address's domain.
     
  10. Pedro A.

    Pedro A. Member

    Then I'll have two SPF records like these:
    mydomain v=spf1 mx a ip4:xxx.xxx.xxx.xxx/32 ~all
    myhostname v=spf1 mx a ip4:xxx.xxx.xxx.xxx/32 ~all
    This is ok?
     
  11. remkoh

    remkoh Active Member HowtoForge Supporter

    Care to explain?
    Things like domains, dns, spf etc is my almost daily work.
    I don't see the purpose of the 2nd spf record. It's only useful when the sender is misterx@hostname
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    I can only say that Google likes it; it does not make much sense at first sight, but it has been proven beneficial. I have seen this on several systems in the past. I can only guess that Google might also verify all hostnames in the received headers against spf.
     
  13. remkoh

    remkoh Active Member HowtoForge Supporter

    Google being Google :rolleyes:
    Did some checking and all my mailserver's hostnames have spf records too. Forgot all about it :oops:
    It should read
    Code:
    myhostname v=spf1 a -all
     
  14. MarvinFreeman

    MarvinFreeman New Member

    I am afraid I don't know how to add an spf record to host.server.com. If I try to add it to the DNS zone for host.server.com using the ispconfig interface, the record ends up in the server.com zone. If I add it as a text record to the host.server.com zone, the record is not recognized as existing by outside tools or by the ispconfig tool when I attempt to add a dmarc record.
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    All you do is to add a SPF (TXT) record for host.server.com in the DNS zone server.com on the DNS server that is authoritative for the zone server.com. Do not add a new zone for host.server.com, if you have done that, delete it. Also, your ISPConfig server is not necessarily the right server to add the TXT record, you must do that on the DNS server that is the primary DNS server for the zone server.com.
     
  16. Jim Locke

    Jim Locke Member

    so on godaddy i put as a second spf record
    Type Name Value
    TXT MX1 v=spf1 a -all

    Correct?
     
  17. remkoh

    remkoh Active Member HowtoForge Supporter

    Seems good.
     
  18. Jim Locke

    Jim Locke Member

    sending outbound to gmail (google)
    turns out to be a negative with a second spf at godaddy: (spf info from header)
    spf=none (google.com: [email protected] does not designate permitted sender hosts) [email protected]
    then with a combined spf at godaddy: (TXT @ v=spf1 a mx ip4:xxx.xxx.xxx.xxx include:mx1.mycompanya.net ~all)
    Received-SPF: pass (google.com: domain of [email protected] designates xxx.xxx.xxx.xxx as permitted sender) client-ip=xxx.xxx.xxx.xxx;
     
    Last edited: Nov 17, 2025
  19. remkoh

    remkoh Active Member HowtoForge Supporter

    "TXT MX1 v=spf1 a -all" is not for @mycompanya.net addresses.
    For that is record "TXT @ v=spf1 xxx -all" (or "TXT mycompanya.net. v=spf1 xxx -all" which is the same).
    Where "xxx" can be a, mx, ip4:xxx, ip6:xxx, include:xxx (and more parameters).
    All depending on which server(s) you want to permit to send mail from @mycompanya.net.

    Btw, don't you have tripled the same server in your spf now?
    If mx, ip4:xxx and include:xxx are all the same server then just one of them is enough.
    You should keep the number of record types and includes as low as possible since there is a limit of 10 dns lookups in a spf record.
    (ip4 and ip6 are not dns lookups so they don't count)
     
    Last edited: Nov 18, 2025
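
Added example (not part of the original thread): a counter for the 10-lookup limit mentioned above, which follows include/redirect targets through an offline dictionary that stands in for DNS. The two records are the ones quoted in the thread, assumed here to be published side by side, with 192.0.2.10 as a constructed stand-in for the masked address; the function names are hypothetical.

```python
import re

# Terms that cost one DNS lookup during evaluation (RFC 7208 section 4.6.4).
# ip4, ip6 and all are answered from the record itself and cost nothing.
LOOKUP_TERMS = {"a", "mx", "ptr", "exists", "include", "redirect"}
LIMIT = 10

def parse_terms(record: str) -> list[tuple[str, str]]:
    """Split an SPF record into (name, domain-argument) pairs."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    terms = []
    for raw in parts[1:]:
        # optional qualifier, term name, optional :arg or =arg up to a /cidr
        m = re.match(r"[+\-~?]?([A-Za-z0-9]+)(?:[:=]([^/\s]*))?", raw)
        if m:
            terms.append((m.group(1).lower(), (m.group(2) or "").lower()))
    return terms

def count_lookups(domain: str, zone: dict, seen=None) -> int:
    """Count lookup-costing terms for domain, following include/redirect.

    zone is an offline stand-in for DNS: {name: SPF TXT value}.
    """
    seen = set() if seen is None else seen
    if domain in seen or domain not in zone:
        return 0                      # loop guard, or target not in sample data
    seen.add(domain)
    total = 0
    for name, arg in parse_terms(zone[domain]):
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(arg, zone, seen)
    return total

# Constructed zone data built from the records quoted in the thread.
ZONE = {
    "mycompanya.net": "v=spf1 a mx ip4:192.0.2.10 include:mx1.mycompanya.net ~all",
    "mx1.mycompanya.net": "v=spf1 a -all",
}

if __name__ == "__main__":
    for name in ZONE:
        n = count_lookups(name, ZONE)
        print(f"{name}: {n} of {LIMIT} lookups", "OK" if n <= LIMIT else "PERMERROR")
```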
  20. Jim Locke

    Jim Locke Member

    it was a strange thing, and yes it looks tripled, the mx & ip and hostname are all the same but google likes it and i only need 1 spf record
     
