Why is my email failing Gmail's DKIM test?
I have a message that was rejected by Gmail, and I don't know why. It passes SPF. We aren't using DKIM. Do I need to set up DKIM?
I am in control of "example.com". Our mail server is "server.example.com" (hosted at Bluehost).
Our SPF record is
v=spf1 +a +mx ?include:bluehost.com -all
However, Gmail rejected a message with:
550-5.7.1 Unauthenticated email from example.com is not accepted due to 550-5.7.1 domain's DMARC policy. Please contact administrator of example.com ...
The message headers:
Return-path: <[email protected]>
Received: from [99.127.228.246] (port=61813 helo=[192.168.1.66])
    by server.example.com with esmtpsa (TLSv1:AES128-SHA:128)
    (Exim 4.80.1)
    (envelope-from <[email protected]>)
    id 1VMLM8-0007ok-5c; Wed, 18 Sep 2013 17:16:03 +0000
From: Sabrina <[email protected]>
Content-Type: multipart/alternative; boundary="Apple-Mail=_2FE0763D-B160-49C4-8202-B8258851AFAD"
Subject: positive self thoughts/talk
Date: Wed, 18 Sep 2013 10:15:24 -0700
Message-Id: <[email protected]>
To: Tanja Schulte-Irwin <[email protected]>,
    Zachary Bloom <[email protected]>
Mime-Version: 1.0 (Apple Message framework v1278)
X-Mailer: Apple Mail (2.1278)
Solution 1:
Your SPF record isn't affecting this.
By the looks of it, you have a DMARC record set up, and you are not signing outgoing mail with DKIM. To remedy the problem, either sign the outgoing mail, or remove the DMARC policy.
The DMARC record is a TXT record like the SPF record, but it is at _dmarc.example.net, where example.net is your domain. If you don't think you have one or you don't want to remove it, change it to v=DMARC1; p=none to null it out.
Alternatively, since you are using SPF, I see you may not want to do this. In this case, leave your _dmarc record as it is, but you will have to get rid of or change your _domainkeys record.
DKIM specifies that for a domain example.net, the DKIM record will be queried IN TXT _domainkeys.example.net. You must find this record and either remove it, or add the t=y flag to specify that (as you are ostensibly testing DKIM) the results of DKIM verification should be ignored. Also, ensure your _dmarc record does not contain the adkim tag, and particularly not adkim=s.
Solution 2:
Your data is obfuscated which makes helping you difficult. I see a number of problems:
- If you haven't obfuscated your IP address, your DNS passes rDNS validation but looks very much like a spambot. Try getting server.example.com set up as the PTR for your address and add server.example.com to your DNS. Getting the PTR record set up requires support of your IP address provider (usually your ISP). You need a fixed IP address for this.
- Your server doesn't seem to know who it is. It should give server.example.com as its name in the HELO or EHLO request.
- Your mail isn't DKIM signed. DMARC does not require DKIM, but your policy must match your practice.
Try sending an email to [email protected] (reported no longer in service) to see how well your server is configured. Other options are listed in my article on Detecting Email Server Forgery.
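An added example, not part of any answer on this page: a simplified sketch of the DMARC check a receiver performs under RFC 7489, where a message passes if SPF or DKIM passes for a domain aligned with the From: header domain, and the p= policy applies otherwise. The function names and test cases are constructed for illustration; the organizational-domain rule is a two-label shortcut (real receivers use the Public Suffix List), and the pct= and sp= tags are ignored.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # Simplified validity check: version tag and a policy must be present.
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return tags

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers
    # use the Public Suffix List (needed for suffixes such as co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(record, from_domain, spf, dkim):
    """spf: (envelope-from domain, result); dkim: list of (d= domain, result).
    Returns (dmarc_result, disposition)."""
    tags = parse_dmarc(record)
    spf_ok = spf[1] == "pass" and aligned(spf[0], from_domain, tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for d, res in dkim)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]

# Constructed inputs; the domains are the placeholders used on this page.
CASES = [
    ("v=DMARC1; p=reject", "example.com", ("example.com", "pass"), []),
    ("v=DMARC1; p=reject", "example.com", ("bluehost.com", "pass"), []),
    ("v=DMARC1; p=reject; aspf=s", "example.com", ("server.example.com", "pass"), []),
    ("v=DMARC1; p=none", "example.com", ("bluehost.com", "pass"), []),
    ("v=DMARC1; p=reject; adkim=s", "example.com", ("bluehost.com", "pass"),
     [("example.com", "pass")]),
]

if __name__ == "__main__":
    for case in CASES:
        print(case[0], "|", case[2], "|", case[3], "->", evaluate(*case))
```

The second case shows how an SPF pass can still end in a DMARC rejection: SPF passed for an envelope-from domain that is not aligned with the From: domain, and there is no DKIM signature to fall back on.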
Solution 3:
If your domain does not have DKIM set, you definitely do not need DKIM set up. Its absence would not cause GMail to throw your e-mail to SPAM. Its presence might increase its SPAM rating so it would not be rejected.
To check your SPF, you need to tell us your domain and IP addresses of your SMTP server. Or, you can use online check tools on http://www.openspf.org/.
To understand DMARC, check this: http://support.google.com/a/bin/answer.py?hl=en&answer=2466580.