Preventing Rejected Emails with DMARC

Posted on by

Gmail accounts have begun rejecting Emails without DMARC

Gmail accounts have begun rejecting emails from hosts that do not have a DMARC authentication mechanism. It may just be the beginning, as other mail servers may follow suit. DMARC (Domain-based Message Authentication Reporting & Conformance) shows that that mail server is allowed to send emails on behalf of the domain. There are two types of mechanisms, SPF and DKIM. On IONOS shared accounts only SPF is supported which is sufficient.

In this post we will walkthrough how to fix this on IONOS hosting site, but the general idea can be used at any hosting provider.

What does a rejected email look like?

FROM: Mail Delivery System mailer-daemon@perfora.net
BODY: 
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error.

The following address failed:

   example@gmail.com:

    SMTP error from remote server for TEXT command, host: gmail-smtp-in.l.google.com (142.250.112.27) reason: 550-5.7.26 This message does not pass authentication checks (SPF and DKIM both 550-5.7.26 do not pass). SPF check for [wassam.com] does not pass with 550-5.7.26 ip: [74.208.4.194].To best protect our users from spam, the message 550-5.7.26 has been blocked. Please visit https://support.google.com/mail/answer/81126#authentication for more information. m2-20020a056870194200b001726951d683si12281173oak.313 - gsmtp

The Fix

These instructions are for IONOS hosting, however the strategy is the same for others.

  1. Login and go to https://my.ionos.com/domains
  2. Select the Domain you are sending emails under
  3. Select DNS
  4. Add Record and select IONOS SPF (TXT)
Add a SPF Record

5 . Select Save

This will use the default server.

6 . For good measure you can change this and add other IONOS mail servers

v=spf1 include:_spf.perfora.net include:_spf-us.ionos.com include:_spf.kundenserver.de ~all

If you are adding a custom mail server and not IONOS, change the include: <mailer domain> with the mail server you allow to send messages.

7 . Now add a DMARC record by select TXT

Add a DMARC Record

8 . Set the values as follows:

host: @

value: v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-reports@yourdomain.com; fo=1:s;

Change the email address to appropriate account you need.

Here is some information on what these settings mean:

v= DMARC version
p= policy to use
rua= Where to send the DMARC aggregate reports
ruf= Where to send the DMARC failure reports

For more details on how DMARC works and other parameters available, visit the following site.

What does a DMARC Report Email Report Look like?

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
 <report_metadata>
   <org_name>google.com</org_name>
   <email>noreply-dmarc-support@google.com</email>

<extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
   <report_id>17590210846965541147</report_id>
   <date_range>
     <begin>1679961600</begin>
     <end>1680047999</end>
   </date_range>
 </report_metadata>
 <policy_published>
   <domain>wassam.com</domain>
   <adkim>r</adkim>
   <aspf>r</aspf>
   <p>quarantine</p>
   <sp>quarantine</sp>
   <pct>100</pct>
 </policy_published>
 <record>
   <row>
     <source_ip>74.208.4.197</source_ip>
     <count>1</count>
     <policy_evaluated>
       <disposition>none</disposition>
       <dkim>fail</dkim>
       <spf>pass</spf>
     </policy_evaluated>
   </row>
   <identifiers>
     <header_from>wassam.com</header_from>
   </identifiers>
   <auth_results>
     <spf>
       <domain>wassam.com</domain>
       <result>pass</result>
     </spf>
   </auth_results>
 </record>
 <record>
   <row>
     <source_ip>74.208.4.196</source_ip>
     <count>2</count>
     <policy_evaluated>
       <disposition>none</disposition>
       <dkim>fail</dkim>
       <spf>pass</spf>
     </policy_evaluated>
   </row>
   <identifiers>
     <header_from>wassam.com</header_from>
   </identifiers>
   <auth_results>
     <spf>
       <domain>wassam.com</domain>
       <result>pass</result>
     </spf>
   </auth_results>
 </record>
</feedback>

What does the report tell us?

  • Source IP is the IONOS mail server
  • DKIM test fails
  • SPF test passes
  • Google even provides helpful information on how to address the issue

DKIM Failing is not an issue. You can only install a DKIM private key on a server hosted account with IONOS. The SPF is allowed for shared IONOS servers, and is sufficient to prevent email blocking.

Conclusion

Although IONOS shared server accounts do not support DKIM, these instructions walk you through adding an SPF record. A similar solution can be used at other hosting providers outside of IONOS.