• Authenticating Email Address

    #2563529

    Hi Helpers,

    Google (which I continue to dislike) is refusing to let emails from one of our addresses go through recipients’ Gmail accounts. Here is the message:

    This mail is unauthenticated, which poses a security risk to the sender and Gmail users, and has been blocked. The sender must authenticate with at least one of SPF or DKIM. For this message, DKIM checks did not pass and SPF check for [tworg.com] did not pass with ip: [not shared but I have it]. The sender should visit https://support.google.com/mail/answer/81126#authentication for instructions on setting up authentication.

    Our email is run through Cloudflare so I checked there first. Found a way to activate DMARC on the accounts and noted that DKIM was “in use”. However, that did not solve the issue.

    I then checked the instructions Google linked me to, above, but cannot get into the admin account I set up for the tworg.com email address. I set that up by “adding account”, but the site just keeps sending me in a never ending loop back to the page in the screenshot below and never gets me to the promised page where I can get a code to authenticate the tworg.com addresses. AGH!

    I hope this is enough information  for someone who understands this to lend a hand. Obviously I’m doing something wrong but after 2 mornings trying to figure out just what, I’m turning to you for assistance.

    Our mygoforthegreen.com addresses work just fine with Gmail, but we are considering dropping that domain in the next year so I’m trying to prepare for that time.

    Cloudflare email record is attached for tworg.com. mygoforthegreen.com’s is the same except DMARC is marked  “None” and SPF is “Soft Fail”.

    Thanks as always for any help or suggestions you can offer!

    Linda

    Moderator note: Edit to remove email address. Please do not post personal information on the Forum.

    • This topic was modified 4 months ago by PKCano.
    • This topic was modified 4 months ago by IreneLinda.
    • #2563552

      I used https://mxtoolbox.com/spf.aspx to check the SPF record for tworg.com and it appears it’s set up improperly.

      It’s currently using these IP addresses:

      v=spf1 ip4:38.113.1.0/24 ip4:38.113.20.0/24 ip4:65.254.224.0/19 ?all

      When it “should” use your domain name instead (which will work for all IP addresses assigned to that domain name):

      v=spf1 include:tworg.com ~all

      It’s also using ?all at the end when it should be ~all.

    • #2563636

      Your SPF entry is fine AFAICT.
      Using Tilde (~) is a “softfail” and is used for debugging / initial testing. It should be replaced by a minus (-) when you have finished testing – all other sources should fail.

      The IPs in your SPF do not seem to match the cloudflare IPs – your other domain does. This would explain the issue.

      cheers, Paul

      • #2563659

        Using Tilde (~) is a “softfail” and is used for debugging / initial testing. It should be replaced by a minus (-) when you have finished testing – all other sources should fail.

        While that’s “supposed” to be how it’s used, in reality using the - fail option “can” cause legitimate e-mails to be rejected, especially if the receiving MTA doesn’t support DMARC verification, so it’s recommended to use ~ softfail instead to avoid that possibility.

          What is the difference between SPF ~all and -all?

        Regardless, her tworg.com SPF shouldn’t be using the ? neutral option; which basically returns “unknown” to validation requests.

    • #2563662

      add a SPF record that included our mail server domain name

      That won’t work if you use cloudflare for sending mail – your MX is not a cloudflare IP.

      cheers, Paul

    • #2563707

      Wow, thank you both for all this information. It’s a little more technical than I am, but I can figure it out if I proceed slowly. Appreciate all the researching alejr did and the clarifications provided by Paul.

      I now understand why the silly Google page didn’t work…thank you so much alejr. It was driving me mad.

      I’m going to tackle this very slowly early one morning with a clear head. As soon as I do, I’ll post back with either success or more questions!

      Thanks again for your help and suggestions…and for getting back to me so quickly!

      Linda

    • #2563658

      Cloudflare email record is attached for tworg.com. mygoforthegreen.com’s is the same except DMARC is marked “None” and SPF is “Soft Fail”.

      Ran a SPF record check on your mygoforthegreen.com domain and its SPF record isn’t close to being the same as tworg.com:

      v=spf1 +mx +a +ip4:198.46.81.47 +include:smtp.servconfig.com ~all

      Note how, in addition to mx, a and ip4, it includes the outgoing mail server domain where the tworg.com SPF record doesn’t include any of those.

        FYI, I ran a MX record check on tworg.com and its mail server is mail.tworg.com

      I also ran a DKIM record check for tworg.com and, despite what your attachment shows, the results were No DKIM Record found!

      Finally, as pointed out by Paul T, the IP addresses in the SPF record for tworg.com do not match what a DNS record check shows:

      104.21.60.216 and 172.67.201.204.

      So it’s pretty clear the problem is the SPF record for tworg.org isn’t set up correctly which is what’s causing your problem.

      BTW, I ran into the same issue where Gmail wouldn’t accept e-mail from my Uncle’s web site and the fix was to add a SPF record that included our mail server domain name.

      That link you keep trying to use at Google is for domains “hosted” by Google which is why it’s not working (BTDT!)

    • #2564036

      Hi again,

      Okay, I’ve reread and assimilated (mostly!) what you’ve both said. When it comes to DNS records, I’m not terribly conversant. 🙁

      I found TXT records for each domain, clicked “edit” beside each and saw the attached. I can see they definitely have different IP addresses. The 198 is the correct one.

      Can I just copy the content from gftg to tworg? Or …?

      Thanks for your further direction!

      Linda

    • #2564052

      Only if they both use the exact same mail server!

        The easiest way to check that is to have a user from each domain send you a message and then check the “header info” to see if both messages originated from the same mail server.

      If they don’t, the header for the message from the tworg.com user “should” have the info you need to update its SPF record.

      • #2564116

        That’s great, alejr! You’ve explained it so clearly that I can understand exactly what to do… except for one dumb question: where do I find the “header info” in an email? I’m using Thunderbird for email.

        Many thanks!

    • #2564133

      1- Open Thunderbird

      2- Open the e-mail message

      3- In the menu bar select View > Headers > All

      You’ll see multiple Received: From entries but the one you need will be the last entry immediately before the From: address.

      The relevant info will be:

      Received: from domain name ([ IP address ])

      If they’re the same for both the gftg & tworg e-mails, then copying the settings from gftg to tworg should work.

      If the entry for the tworg e-mail is different, then use that domain name and IP address for its SPF record instead.
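
The header comparison described above, as an added example that is not part of the original post: it lists every `Received: from host ([IP])` hop in two raw messages and reports the hops that differ. Both sample messages are constructed, and every host name and IP address in them is a placeholder from the documentation ranges.

```python
import re
from email import message_from_string

# Matches "from <host> (... [<ip>])" inside one Received header value.
HOP = re.compile(r"from\s+(\S+)\s+\(.*?\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")

# Constructed sample headers (placeholder hosts and IPs, not real mail).
RAW_A = (
    "Received: from out1.mailhost.example (out1.mailhost.example [198.51.100.25])\n"
    "\tby mx.receiver.example with ESMTPS id abc123;\n"
    "\tMon, 01 Jan 2024 10:00:02 +0000\n"
    "Received: from [192.0.2.44] (client.isp.example [192.0.2.44])\n"
    "\tby out1.mailhost.example with ESMTPSA id def456;\n"
    "\tMon, 01 Jan 2024 10:00:01 +0000\n"
    "From: user@domain-one.example\n"
    "Subject: test A\n\nbody\n"
)
RAW_B = RAW_A.replace("out1.mailhost.example", "out2.mailhost.example") \
             .replace("198.51.100.25", "203.0.113.9") \
             .replace("domain-one", "domain-two")


def received_hops(raw):
    """Return (host, ip) for each Received header, in header order.

    Each server prepends its own Received line, so the list reads
    newest hop first and oldest hop last.
    """
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        # Headers are folded across lines; collapse the whitespace first.
        match = HOP.search(" ".join(value.split()))
        if match:
            hops.append((match.group(1), match.group(2)))
    return hops


def differing_hops(raw_a, raw_b):
    """Return (only_in_a, only_in_b): hops that appear in just one message."""
    a, b = set(received_hops(raw_a)), set(received_hops(raw_b))
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    for label, raw in (("A", RAW_A), ("B", RAW_B)):
        print(label, received_hops(raw))
    print("differences:", differing_hops(RAW_A, RAW_B))
```
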

    • #2564154

      Wonderful! Thank you so much, alejr. Back to you soon with results…and, hopefully, success!

      Linda

    • #2564285

      Well, phooey! I’m sorry, alejr, but I don’t seem to find the correct line in the header. I may be doing something wrong.

      Couple of questions:

      • Can I send to and from our own email addresses (i.e., send a test from my partner’s gftg to my tworg)? They don’t have your “Received: from IP address” line.
      • Should I use one of the “from tworg” emails that failed to go through in Gmail? I can’t find the line like yours anywhere in the header info. The emails “pass” from our host server but fail at Gmail’s, according to all the header info.
      • Would it help to send one of the emails to you via Private Message? I assume there is too much personal info in them to post here.

      Or maybe the copy and paste idea needs to be replaced with just correcting the data at the Cloudflare end? If so – and if you haven’t run out of patience – how would I do that?

      Apologies for all the time I’m taking up!

      Linda

      P.S. The content for tworg and gftg in TXT are sure different! When you say “exact same server” is that at my end or the sender’s? All our emails are on our host’s server.

    • #2564318

      When you say “exact same server” is that at my end or the sender’s?

      It means the mail servers that actually “send” the e-mails are the same (specifically, the outgoing SMTP server’s domain name & IP address.)

      Can I send to and from our own email addresses (i.e., send a test from my partner’s gftg to my tworg)? They don’t have your “Received: from IP address” line.

      That “most likely” means you’re both using the same mail server as there won’t be a Received: From entry if a message is sent from one user to another user on the same server.

      Anyway, I used another link to a site that generates an SPF record for the input domain (using the existing DNS A and MX records for that domain) and here’s what it created for your tworg.com domain.

      v=spf1 a mx -all

      Which will allow the following IP addresses to send e-mail (4 Cloudflare and 1 InMotion Hosting.)

      [Image: tworg]
      Note: InMotion Hosting also owns the IP address specified in your mygoforthegreen.com SPF record.

      I’d suggest you update the SPF record for tworg.com with these new settings and see if it fixes your gmail problem. If it doesn’t work, you can always put it back like it was; although we already know that’s not the correct settings.

      ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
      I also ran the same check on the SPF record for your mygoforthegreen.com site and discovered there are 2 major problems with it!

        1- the +include:smtp.servconfig.com entry allows 158 different IP addresses to “send” email thru your server.

        2- the ?all at the end wasn’t an acceptable setting.

      The suggested fix was:

      v=spf1 a mx ip4:198.46.81.47 -all

      Which limits the allowed IP addresses to only 6 (4 Cloudflare & 2 InMotion Hosting – 199.250.194.198 being the same as the tworg.com) and changing ?all (neutral) to -all (fail)

      BTW, you’ll notice none of the suggestions include the + qualifier in front of the items like your existing records do.

      That’s because + (Pass) is the default qualifier for all items and, unless overridden with ~ (SoftFail), - (Fail) or ? (Neutral), doesn’t “need” to be specified.

      IMPORTANT


      It’ll take 24-48 hrs for any changes you make to your SPF record to propagate out to the whole internet.

      You can check to see if your local DNS has received the changes by running the following command from a cmd prompt.

      nslookup -q=TXT tworg.com

      Replace “tworg.com” with “mygoforthegreen.com” to check your other domain.

    • #2564518

      Hi again, alejr, and HUGE thanks (sorry for yelling, but your response is so fantastically helpful and instructive)!!

      I read through each step and your excellent explanations. I’ve now changed both TXT content fields by copying and pasting what you gave me. Checking with the cmd prompt, I received “Non-authoritative answers” to both txt entries with the new edited content listed.

      So that looks like my local DNS (Comcast, it seems) has received both edits. Am I correct?

      Last question: on both domain DNS records I have a notice:

      [Image: Cloudflare-Setup-Note]

      The A record that’s incorrect is the same for both:

      [Image: A-Record-tworg]

      However, when I turn on proxy for both, email no longer works.

      Is this tied to what we’ve been working on? Should I just ignore Cloudflare’s notice?

      Thanks again so much for all your help. It is such a relief to be able to follow a step by step fix complete with explanations of the rationale behind each one. I’ll report back on outcome once it all takes effect. Sometimes it happens faster so I’ll check in tonight and tomorrow as well.

    • #2564531

      Just checked my own local DNS and it also shows the changes for both domains so it looks like it’s propagating pretty quickly.

      FYI, that 24-48 hr estimate is because “some” DNS servers ignore the default 15 min TTL sent when you change a record that’s “supposed” to force a quick update, and instead keep the older version for the longer period before updating it!

      BTW, I actually wondered why the site that generated those SPF records included the A record because that’s not typical!

      SPF records are used to validate “mail servers” while A records are used to validate “domain names” so I’d expect the SPF record to only reference MX records (which define a site’s mail server) and possibly a specific mail server IP address (like your mygoforthegreen.com record) or an include:???? for a specific mail server like your mygoforthegreen.com record used to (but it wasn’t set correctly since it validated way too many different mail server IPs.)

      I’d suggest either removing A record from both SPF records like this (ensuring your mail still works after doing so):

      v=spf1 mx -all
      v=spf1 mx ip4:198.46.81.47 -all

      Or simply ignore the error.

    • #2564540

      Wow, thanks for the fast response! I can’t figure out where to add your code. Does it go beneath the other in the TXT content box? There is nowhere to put it in the A record Edit drop down screen.

      My current plan (for now) is:

      • send an email to a Gmail address that caused the issue and see what happens; then, post results.

      After that:

      • add your code to see what happens (once I know where it should go)
      • remove the A record from Cloudflare’s DNS records and see what happens (once I figure out how to put it back if mail stops working!)

      However, if you think the A record issue isn’t a major one, maybe I should just ignore the Cloudflare message and stop fiddling with things I’m not terribly knowledgeable about!!

      Thanks so much again, alejr. Back soon with results.

    • #2564562

      Update: well, heck, the test email was refused by Gmail. Here’s what they said:

      “The MAIL FROM domain [tworg.com] has an SPF record with a hard fail policy (-all) but it fails to pass SPF checks with the ip: [144.208.77.49]. To best protect our users from spam and phishing, the message has been blocked.”

      I checked and that 144 IP address is InMotion Hosting. Don’t understand why it is blocking the SPF check. It doesn’t appear on the list of okay IPs you provided in post 2564318.

      Not quite sure where to go from here. Should I add it to the TXT content kind of like “+include:ip.144.208.77.49”? Or…?
      Sorry to bug you again. Really thought we had this licked!

      P.S. More info: sending gmail test via gftg worked; sending it to recipient’s Comcast email from tworg also worked. Weirder and weirder!

    • #2564574

      Does it go beneath the other in the TXT content box? There is nowhere to put it in the A record Edit drop down screen.

      The update I suggested was not to remove the “A record” for your site (doing that would cause the whole site to stop working) but to remove the a reference from the “SPF record” (which causes it to use the A record’s info as part of the mail server verification process.)

      Note: I found “numerous” references on the Cloudflare support forum that indicate Cloudflare SPF records should never reference their A records as it can cause problems with mail delivery!

      “The MAIL FROM domain [tworg.com] has an SPF record with a hard fail policy (-all) but it fails to pass SPF checks with the ip: [144.208.77.49]. To best protect our users from spam and phishing, the message has been blocked.”

      Ok, I went back and checked the 158 IP addresses the include:smtp.servconfig.com entry allowed and found:

        Four of those IP’s belong to Cloudflare and are the same IP’s listed in your Cloudflare A record so, removing the a reference in the SPF, will remove them from the pool of IP’s that get used for mail verification.

        The other 154 IP’s all belong to InMotion Hosting and 144.208.77.49 is one of those addresses.

        Strangely, even though it’s also an Inmotion Hosting IP, the 198.46.81.47 specified in your gftg SPF record isn’t one of those 154 IP’s??

      To get to the bottom of why your original gftg SPF record had that include:smtp.servconfig.com entry, I googled it and discovered it’s Inmotion Hosting’s SpamExperts checker used to detect/block spam and should always be in your SPF records if you use Inmotion Hosting.

      So, your SPF records need to be changed as follows to account for those two things:

      For tworg.com:

      v=spf1 mx include:smtp.servconfig.com -all

      For mygoforthegreen.com:

      v=spf1 mx ip4:198.46.81.47 include:smtp.servconfig.com -all

      ⇒ Still don’t understand why there’s a reference to that Inmotion IP when it’s not one of the 154 listed in smtp.servconfig.com.

      Anyway…

      Maybe these changes will fix your gmail rejection problem.

      BTW, I never encountered this much trouble getting an SPF record set up and working before. It’s usually as simple as just adding a reference to the MX record for the domain (and possibly the outgoing mail server’s domain name) and it works.

      Strange thing is, doing that for your tworg.com domain did work… except gmail still refused to accept mail from tworg.
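
The three tworg.com SPF records that appear in this thread, evaluated against the IP Gmail reported, as an added example that is not part of any post. It is a simplified evaluator (only `ip4`, `a`, `mx`, `include` and `all`) running over a constructed DNS table: the A, MX and 144.208.77.49 values are taken from the posts above, while the content of the `smtp.servconfig.com` record and the 192.0.2.0/24 and 203.0.113.7 addresses are placeholder assumptions.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed stand-in for DNS (no live lookups). Addresses are the ones
# quoted in the thread; the include target's record is an assumption.
A = {
    "tworg.com": ["104.21.60.216", "172.67.201.204"],
    "mail.tworg.com": ["199.250.194.198"],
}
MX = {"tworg.com": ["mail.tworg.com"]}
TXT = {"smtp.servconfig.com": "v=spf1 ip4:144.208.77.49 ip4:192.0.2.0/24 ~all"}

# The successive tworg.com records posted in the thread.
RECORDS = {
    "original": "v=spf1 ip4:38.113.1.0/24 ip4:38.113.20.0/24 ip4:65.254.224.0/19 ?all",
    "generated": "v=spf1 a mx -all",
    "final": "v=spf1 mx include:smtp.servconfig.com -all",
}


def check_host(ip, domain, record=None, depth=0):
    """Return the SPF result for ip under domain's record (simplified)."""
    if depth > 10:  # guard against include loops
        return "permerror"
    record = record or TXT.get(domain)
    if not record or record.split()[0] != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # "+" is the default when no qualifier is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in A.get(arg or domain, [])
        elif name == "mx":
            hosts = MX.get(arg or domain, [])
            matched = any(ip in A.get(host, []) for host in hosts)
        elif name == "include":
            # An include matches only when the included record returns pass.
            matched = check_host(ip, arg, depth=depth + 1) == "pass"
        else:
            return "permerror"  # mechanisms outside this simplified subset
        if matched:  # first matching mechanism decides the result
            return QUALIFIERS[qualifier]
    return "neutral"


def evaluate_all(ip, domain="tworg.com"):
    """Result of each record from the thread for one sending IP."""
    return {k: check_host(ip, domain, rec) for k, rec in RECORDS.items()}


if __name__ == "__main__":
    for ip in ("144.208.77.49", "199.250.194.198", "203.0.113.7"):
        print(ip, evaluate_all(ip))
```
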

      • #2564755

        Love your emojis…and appreciate your plowing through despite the numerous twists and turns this issue is providing you!

        Strangely, even though it’s also an Inmotion Hosting IP, the 198.46.81.47 specified in your gftg SPF record isn’t one of those 154 IP’s??

        That truly is strange. It is the IP for our site so you’d think it would be in the InMotion Hosting list. If things work with the new code I’ve just copied we just won’t worry about it!

        The update I suggested was not to remove the “A record” for your site (doing that would cause the whole site to stop working) but to remove the a reference from the “SPF record” (which causes it to use the A record’s info as part of the mail server verification process.)

        Thanks for clarifying this. More proof that “a little knowledge is a dangerous thing”! I hadn’t done anything to that record so no problem.

        Appreciate your researching that “include” issue and discovering it’s an InMotion thing and so should be included after all.

        I’ve now added your edited code to both DNS records and will send test emails. Once I have, I’ll post back results.

        Many thanks, alejr, for all the research and time you have put into getting this fixed for me. I hope it’s been a learning experience (albeit a rather dragged out one) for you … it sure has been for me!

        Back soon…

    • #2564801

      I think you’ve done it! My original Gmail tester hasn’t replied yet, but a second Gmail tester just did. My tworg email went through to her and none have come back as rejected!

      Until the original tester replies I won’t feel 100% certain, but that’s just me. If none of the test emails came back I think we’re there. Wonderful!!

      You have been so patient and so helpful, alejr, I just can’t thank you enough. All the testing you did and additional research to find out what was causing the problem and how to fix it was way above and beyond and I sure appreciate it…and you for doing it all.

      Thanks so much. I’ll post back again when I hear back from the original tester…a final proof! 😉

      Linda

    • #2564807

      Always willing to help where I can and glad to hear things appear to have finally been resolved!

    • #2564819

      Am waiting until tomorrow to be sure final testers have replied (but I’m feeling pretty good about its having been fixed). And I’m really glad you are (and were) willing to help! 🙂

    • #2564930

      It’s half way through tomorrow now…all tester gmail emails went out and were replied to from both gftg and tworg addresses.

      The problem is resolved (at last, given all the time and effort you put into it, alejr). Thanks again and thank goodness for this Lounge and all you generous Loungers! 🙂

      Now to reread all the posts for more learning…

      Linda

    • #2564932

      P.S. Forgot to click “resolved” so am doing so now.
