DMARC Logo

Preventing Rejected Emails with DMARC

Posted on by

Gmail accounts have begun rejecting Emails without DMARC

The Problem

Gmail accounts have begun rejecting emails from hosts that do not have a DMARC authentication mechanism. It may just be the beginning, as other mail servers may follow suit. DMARC (Domain-based Message Authentication Reporting & Conformance) shows that that mail server is allowed to send emails on behalf of the domain. There are two types of mechanisms, SPF and DKIM. On IONOS shared accounts only SPF is supported which is sufficient.

In this post we will walkthrough how to fix this on IONOS hosting site, but the general idea can be used at any hosting provider.

What does a rejected email look like?

Below is a sample email you can expect to receive from google explaining why your email was rejected. In this case we don't have DMARC set up with an SPF or DKIM record on our domain.

FROM: Mail Delivery System mailer-daemon@perfora.net

BODY:

This message was created automatically by mail delivery software.


A message that you sent could not be delivered to one or more of

its recipients. This is a permanent error.


The following address failed:


   example@gmail.com:

    SMTP error from remote server for TEXT command, host: gmail-smtp-in.l.google.com (142.250.112.27) reason: 550-5.7.26 This message does not pass authentication checks (SPF and DKIM

both

550-5.7.26 do not pass). SPF check for [wassam.com] does not pass w

ith

550-5.7.26 ip: [74.208.4.194].To best protect our users from spam, the mes

sage

550-5.7.26 has been blocked. Please visit

550-5.7.26  https://support.google.com/mail/answer/81126#authentication fo

r more

550 5.7.26 information. m2-20020a056870194200b001726951d683si12281173oak.3

13 - gsmtp

How to fix it on IONOS
  1. Login and go to https://my.ionos.com/domains
  2. Select the Domain you are sending emails under
  3. Select DNS
  4. Add Record and select IONOS SPF (TXT)
Add DNS Record at IONOS.com

5 . Select Save

This will use the default server.

Add SPF record

6 . For good measure you can change this and add other IONOS mail servers

v=spf1 include:_spf.perfora.net include:_spf-us.ionos.com include:_spf.kundenserver.de ~all

If you are adding a custom mail server and not IONOS, change the include: <mailer domain> with the mail server you allow to send messages.

7 . Now add a DMARC record by select TXT

Add DNS Record at IONOS.com

8 . Set the values as follows:

host: @

value: v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-reports@yourdomain.com; fo=1:s;


Change the email address to appropriate account you need.

Here is some information on what these settings mean:

v= DMARC version

p= policy to use

rua= Where to send the DMARC aggregate reports

ruf= Where to send the DMARC failure reports


For more details on how DMARC works and other parameters available, visit the following site.

What does a DMARC Report Email Report Look like?

<?xml version="1.0" encoding="UTF-8" ?>

<feedback>

 <report_metadata>

   <org_name>google.com</org_name>

   <email>noreply-dmarc-support@google.com</email>

   <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>

   <report_id>17590210846965541147</report_id>

   <date_range>

     <begin>1679961600</begin>

     <end>1680047999</end>

   </date_range>

 </report_metadata>

 <policy_published>

   <domain>wassam.com</domain>

   <adkim>r</adkim>

   <aspf>r</aspf>

   <p>quarantine</p>

   <sp>quarantine</sp>

   <pct>100</pct>

 </policy_published>

 <record>

   <row>

     <source_ip>74.208.4.197</source_ip>

     <count>1</count>

     <policy_evaluated>

       <disposition>none</disposition>

       <dkim>fail</dkim>

       <spf>pass</spf>

     </policy_evaluated>

   </row>

   <identifiers>

     <header_from>wassam.com</header_from>

   </identifiers>

   <auth_results>

     <spf>

       <domain>wassam.com</domain>

       <result>pass</result>

     </spf>

   </auth_results>

 </record>

 <record>

   <row>

     <source_ip>74.208.4.196</source_ip>

     <count>2</count>

     <policy_evaluated>

       <disposition>none</disposition>

       <dkim>fail</dkim>

       <spf>pass</spf>

     </policy_evaluated>

   </row>

   <identifiers>

     <header_from>wassam.com</header_from>

   </identifiers>

   <auth_results>

     <spf>

       <domain>wassam.com</domain>

       <result>pass</result>

     </spf>

   </auth_results>

 </record>

</feedback>


What does the report tell us?

  • Source IP is the IONOS mail server
  • DKIM test fails
  • SPF test passes
  • Google even provides helpful information on how to address the issue

DKIM Failing is not an issue. You can only install a DKIM private key on a server hosted account with IONOS. The SPF is allowed for shared IONOS servers, and is sufficient to prevent email blocking.

Conclusion

Although IONOS shared server accounts do not support DKIM, these instructions walk you through adding an SPF record. A similar solution can be used at other hosting providers outside of IONOS.