ElasticEmail dns record problem... i guess?

DanTheMan

Hi everyone,

Can somebody point me into the right direction, to solve my last error i get when i check my mail-score at mail-tester.com.
The score gives me a big 10, so i should be happy with that, but....

When i look at the Dmarc-test details i discovered the line that says:
"mail-tester.com; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=example.com header.i=@example.com header.b=PbG0+owL; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=elasticemail.com header.i=@elasticemail.com header.b=WSscCazF; dkim-atps=neutral"

For dns setup i used the following records:

SPF: "v=spf1 a:my.example.com a mx include:_spf.elasticemail.com ~all" ( I edited this record)

DKIM: TXT record for api._domainkey.example.com with value: k=rsa;t=s;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbmGbQMzYeMvxwtNQoXN0waGYaciuKx8mtMh5czguT4EZlJXuCt6V+l56mmt3t68FEX5JJ0q4ijG71BGoFRkl87uJi7LrQt1ZZmZCvrEII0YO4mp8sDLXC8g1aUAoi8TJgxq2MJqCaMyj5kAm3Fdy2tzftPCV/lbdiJqmBnWKjtwIDAQAB

Tracking: CNAME record for tracking.example.com to api.elasticemail.com

Bounces: CNAME record for bounces.example.com to bounces.elasticemail.net

DMARC: TXT record for _dmarc with "v=DMARC1;p=none;rua=mailto:webmaster@domain.com;pct=100;ruf=mailto:webmaster@domain.com;fo=0:d:s;aspf=r;adkim=r;"

MX: MX record for my.example.com (this was already in place)

Where example.com is my actual domain, removed it for privacy reasons.

Do i overlook something or is it a dns-resolving problem somewhere, or maybe it's mail-tester.com that shows a problem that i don't have?
This thing keeps me busy now for days and normally i solve things on my own, but this time i can't

marcusquinn

@dantheman Odd, if you've followed everything with EE instructions, it should all be good.

One caveat, don't use Cloudflare DNS proxy on the bounces and tracking CNAME records.

You could try wrapping the DKIM TXT value with quotes, so:

"k=rsa;t=s;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbmGbQMzYeMvxwtNQoXN0waGYaciuKx8mtMh5czguT4EZlJXuCt6V+l56mmt3t68FEX5JJ0q4ijG71BGoFRkl87uJi7LrQt1ZZmZCvrEII0YO4mp8sDLXC8g1aUAoi8TJgxq2MJqCaMyj5kAm3Fdy2tzftPCV/lbdiJqmBnWKjtwIDAQAB"

Here's my related working Cloudflare records on one domain using EE for reference:

DanTheMan

@marcusquinn said in ElasticEmail dns record problem... i guess?:

"

Thanks for helping me out and sharing your config..

I did tried it the first time, wrapping the DKIM TXT with quotes .. but that doesn't seem to change it also...
I just rolled it back now just to be sure, so it's wrapped with double quotes again at this point.

I did another test at appmaildev.com to see what they are saying about my records...
funny
Because now the output of every record passed the test with a full green text "Passed" and no Fails at all...

this is the output of that test:
_dmarc.example.com: v=DMARC1;p=none;rua=mailto:webmaster@domain.com;pct=100;ruf=mailto:webmaster@domain.com;fo=0:d:s;aspf=r;adkim=r;
Received-SPF: pass (appmaildev.com: domain of my-name=example.com@bounces.example.com designates 54.36.22.222 as permitted sender) client-ip=54.36.22.222
Authentication-Results: appmaildev.com;
dkim=pass header.d=example.com;
spf=pass (appmaildev.com: domain of my-name=example.com@bounces.example.com designates 54.36.22.222 as permitted sender) client-ip=54.36.22.222;
dmarc=pass (adkim=r aspf=r p=none) header.from=example.com;

Where "example.com" is my actual domain redacted for privacy

SPF: Pass
DKIM: pass
DMARC: pass
DomainKey-Result: none (no signature)
If DKIM result is passed, you can ignore DomainKey result: none
Notice: DomainKey is obsoleted standard, the new standard is DKIM.

PTR: ExistsRecord
RBL: NotListed

marcusquinn

@dantheman Strange, sounds like you're doing all the right things.

I guess the real test is just straight-up real user delivery tests.

Maybe more relevant reading in this thread:

https://forum.cloudron.io/topic/2851/seeking-recommendations-based-on-experience-for-sendmail-relays/24?_=1613154358418

girish

@dantheman Your second result atleast shows that the DKIM signing is working fine. Maybe try again with mail-tester in a week or so to check if they fixed some bug on their side?

DanTheMan

@girish @marcusquinn
Thanks a lot guys for the input. This is exactly why i just love Cloudron so much!!
Helpfull community and Staff, you guys helped me so much already, just by reading the forums and mostly finding my answers over there, normally... but this time i had to ask about this one, and the help again was there really quickly, really appreciate it!!

I'll wait for another week, to throw out another test @mail-tester.com.
In the meantime i also got some Dmarc_reports delivered to my mailbox and everything is evaluated with <check>passed<, so i also think it has to be some kind of bug at the mail-tester end.
I also keep an eye open on my Dmarc_reports in the meantime.....

marcusquinn

@dantheman https://mxtoolbox.com/emailhealth is another good one.