You're Not Fully Authenticated DKIM issue

fullfatdesigns

• May 05, 2018 04:21

Hi I've got client who's emails we think are getting lost in peoples SPAM folder, so I asked her to send it to mail-tester.com to test it. It scored a 9/10 with the message; You're not fully authenticated We were not able to check your DKIM signature So I added the following to domain zone; _dmarc TXT and I thought (v=DMARC1; p=reject; sp=none; rf=afrf; pct=100; ri=86400), but just re-checking now, it just has the v=DMARC1 part) After re-checking on mail-tester it scored 6.7/10, with the message; You're not fully authenticated Your message failed the DMARC verification A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and give instruction if neither of those authentication methods passes. Please be sure you have a DKIM and SPF set before using DMARC. You are not allowed to send a message with this address DMARC DNS entry found for the domain _dmarc.example.co.uk: "v=DMARC1" Verification details: mail-tester.com; dkim=pass (2048-bit key; unprotected) header.d=example.co.uk header.i=@example.co.uk header.b=kywEEQrq; dkim-atps=neutral mail-tester.com; dmarc=permerror header.from=example.co.uk mail-tester.com; dkim=pass (2048-bit key; unprotected) header.d=example.co.uk header.i=@example.co.uk header.b=kywEEQrq; dkim-atps=neutral From Domain: example.co.uk DKIM Domain: example.co.uk I noticed other TXT records where is speech marks, should I have entered; "v=DMARC1; p=reject; sp=none; rf=afrf; pct=100; ri=86400" Or something else? Or am I doing this incorrectly? Regards Wayne

• 

  24x7server

  • May 05, 2018 16:00

  Hi, You have problem in DKIM record. Try resetting the DKIM record for the domain through the modify account section.

  0
• 

  fullfatdesigns

  • May 05, 2018 19:29

  Hi Thanks for the reply. I resaved in the modify account section and re-added the original DKIM record in speech marks and on re-testing, the score was 9.7. I'm getting the message; SpamAssassin thinks you can improve -0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid This negative score will become positive if the signature is validated. See immediately below. 0.1 DKIM_VALID Message has at least one valid DKIM or DK signature Great! Your signature is valid 0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain Great! Your signature is valid and it's coming from your domain name -0.001 HTML_MESSAGE HTML included in message No worry, that's expected if you send HTML emails -0.363 RDNS_DYNAMIC Delivered to internal network by host with dynamic-looking rDNS 0.001 SPF_PASS SPF: sender matches SPF record Great! Your SPF is valid -0.01 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
  I think if I get these final bits sorted I should get a 10/10. But I'm not sure what to change to achieve these. Does anyone have any suggestions? Regards Wayne

  0
• 

  cPanelLauren

  • May 07, 2018 14:53

  Looking at the score report from mail-tester it doesn't appear any of the issues are related to DKIM: The negative score here:

  -0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid This negative score will become positive if the signature is validated. See immediately below.

  
  Is canceled out by the positives here as indicated in the message:

  .1 DKIM_VALID Message has at least one valid DKIM or DK signature Great! Your signature is valid 0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain Great! Your signature is valid and it's coming from your domain name

  
  The only negative you're getting is because of the following:

  -0.001 HTML_MESSAGE HTML included in message No worry, that's expected if you send HTML emails -0.363 RDNS_DYNAMIC Delivered to internal network by host with dynamic-looking rDNS 0.001 SPF_PASS SPF: sender matches SPF record Great! Your SPF is valid -0.01 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information

  
  

  0
• 

  fullfatdesigns

  • May 07, 2018 18:20

  Yes, thank you. The rDNS is the biggest down score. I will contact my host to see if they can assist. Thank you for your reply.

  0
• 

  cPanelLauren

  • May 07, 2018 18:24

  Hi @fullfatdesigns You're right and this is because it appears that the rDNS is dynamic - an explanation of SpamAssassin's RDNS_DYNAMIC rule is here: Rules/RDNS_DYNAMIC - Spamassassin Wiki It is expecting a static allocation (meaning the IP doesn't change) - Your provider would most likely be the one that can address this. Thanks!

  0
• 

  Rich Banton

  • November 14, 2019 11:31

  I'm having a similar issue show up on mail-tester, any ideas? I'm sending from Mailwhizz via elastic email, this error is costing me 3 points according to Mail-tester. A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and give instruction if neither of those authentication methods passes. Please be sure you have a DKIM and SPF set before using DMARC. You are not allowed to send a message with this address DMARC DNS entry found for the domain _dmarc.opportunities.domain.co.uk: "v=DMARC1;p=quarantine;sp=reject;adkim=s;aspf=s;pct=100;fo=1;rf=afrf;ri=86400;rua=mailto:reply@opportunities.domain.co.uk;ruf=mailto:forensic@opportunities.domain.co.uk" Verification details:

  • mail-tester.com; dkim=temperror (0-bit key; unprotected) header.d=opportunities.domain.co.uk header.i=@opportunities.domain.co.uk header.b=NnCHuer/; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=elasticemail.com header.i=@elasticemail.com header.b=CRAw2JsM; dkim-atps=neutral
  • mail-tester.com; dmarc=fail header.from=opportunities.domain.co.uk
  • mail-tester.com; dkim=temperror (0-bit key; unprotected) header.d=opportunities.domain.co.uk header.i=@opportunities.domain.co.uk header.b=NnCHuer/; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=elasticemail.com header.i=@elasticemail.com header.b=CRAw2JsM; dkim-atps=neutral
  • From Domain: opportunities.domain.co.uk
  • DKIM Domain: opportunities.domain.co.uk

  Whats confusing is it has passed the DKIM Signature and the SPF record I look forward to your suggestions.

  0
• 

  cPanelLauren

  • November 14, 2019 18:26

  Does the domain opportunities.domain.co.uk have its own DKIM signature? Based on this output it doesn't seem to be seeing it: mail-tester.com; dkim=temperror (0-bit key; unprotected) header.d=opportunities.domain.co.uk header.i=@opportunities.domain.co.uk header.b=NnCHuer/; dkim=fail reason="signature verification failed"
  What's the output of the following? If you used the auto-generated DKIM from cPanel the selector should be default so you'd run: dig txt default._domainkey.opportunities.domain.co.uk
  

  0
• 

  Rich Banton

  • November 15, 2019 09:10

  Yeah there is a default._domainkey.opportunities.domain.co.uk key for that domain it seems to be the same domain key for the parent domain. should they be set to the same as api.domainkey.opportunities.domain.co.uk supplied by elastic email? or it there another issue, we're missing?

  0
• 

  cPanelLauren

  • November 15, 2019 16:33

  Hello @Rich Banton Based on their configuration and discussions in their forums I believe you'll need to add their DKIM to your domain's DNS What tracking and sending domains actually are? - MailWizz KB

  0
• 

  Rich Banton

  • November 19, 2019 10:40

  Thank you all for your help, turns out it was a conflict between there bounce servers and the dns, they are currently working on a fix, as we have temporarily had to disable the their bounce servers

  0

Please sign in to leave a comment.