My emails blocked for gmail recipients, need help with SPF etc
I have a DNS on linode: adonax.com. I have been using a Postfix/Dovecot email server for two years. I use a Thunderbird client for email management. At some point, gmail emails started being blocked.
I'm trying to go through the instructions provided by google, but their explanations are proving difficult to navigate.
Maybe before getting into specifics, I'll just ask if others with linode-based email servers have had this problem and can provide something of a roadmap on how they fixed the situation.
✓ Best Answer
To recap, the main solution to reducing bounces appears to start with implementing some protections that are being more commonly required: SPF, DKIM, DMARC. Doing so appears to be necessary but may not be sufficient for eliminating the bounces.
Some good resources for learning more about these services are posted in the thread. I particularly recommend the wikipedia link on SPF, the diagnostics at mailhardener.com and the tutorial by linuxbabe.
The tools provided by Google, which one might link to if one follows links on the bounce replies, appear to not be germane. Rather, they are for admins of sites that employ Gmail.
This might help you out:
Mine is as follows:
v=spf1 +a +mx ~all
It works with Gmail just fine… This page:
will aid you in evaluating it.
Important points to remember:
- An SPF record cannot exceed the 255-character limit.
- An SPF record cannot exceed 10 DNS lookup queries.
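An offline check of the two limits listed above, as an added example that is not part of the original post: it counts the terms in a single SPF record that cost a DNS lookup under RFC 7208 and measures the record's length. The 255-octet limit applies to each quoted string of the TXT record, so a longer policy is published as several strings. The function name `lint_spf` and the `.test` domains are this example's own.

```python
# Added example: offline lint of one SPF record (no DNS queries are made).
import re

# Terms that cost a DNS lookup during evaluation (RFC 7208, section 4.6.4).
LOOKUP_MECHANISMS = {"a", "mx", "include", "exists", "ptr"}
MAX_LOOKUPS = 10
MAX_TXT_STRING = 255  # octets allowed in one DNS TXT character-string


def lint_spf(record):
    """Return the lookup count, the qualifier on 'all', and any findings."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"lookups": 0, "all": None,
                "findings": ["record does not start with v=spf1"]}
    lookups, all_qualifier, has_redirect, findings = 0, None, False, []
    for term in terms[1:]:
        low = term.lower()
        if re.match(r"[a-z][a-z0-9_.-]*=", low):      # modifier (name=value)
            if low.startswith("redirect="):
                lookups += 1
                has_redirect = True
            continue
        qualifier = low[0] if low[0] in "+-~?" else "+"
        name = re.split(r"[:/]", low.lstrip("+-~?"), maxsplit=1)[0]
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        elif name == "all":
            all_qualifier = qualifier
    # Only this record is counted; each include/redirect target adds its own.
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} lookup terms, limit is {MAX_LOOKUPS}")
    if all_qualifier is None and not has_redirect:
        findings.append("no 'all' mechanism or redirect= modifier")
    if all_qualifier == "+":
        findings.append("+all authorises every sender")
    if len(record.encode()) > MAX_TXT_STRING:
        findings.append("longer than 255 octets: publish as several quoted strings")
    return {"lookups": lookups, "all": all_qualifier, "findings": findings}


if __name__ == "__main__":
    print(lint_spf("v=spf1 +a +mx ~all"))  # the record quoted in the post
    # Constructed record with eleven includes (placeholder .test domains).
    many = " ".join(f"include:s{i}.test" for i in range(11))
    print(lint_spf(f"v=spf1 {many} -all"))
```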
I've tried using the above suggested SPF settings, and am getting unclear results. I've sent emails to my wife's gmail address, a destination address which sometimes bounces. On the latest test, of two emails sent a couple days ago, neither bounced, but only one made it to her inbox. (Yes we checked the spam folder.)
Google has the following site to check MX and SPF records. https://toolbox.googleapps.com/apps/checkmx/check
For the suggested SPF, I get the following response:
SPF must allow Google servers to send email on behalf of your domain
I also have warnings that "DKIM is not set up" and "DMARC is not set up".
I will have to research to understand more about SPF, DKIM and DMARC. As far as this message about SPF, it seems to me to suggest that somehow Google servers can be involved in the delivery of email, even though I am not using Google servers at my end.
I am hesitant about implementing their request to add specific allowances for their servers on the SPF record. I do not understand the why nor what exactly I am "unlocking" for them. So, the path forward at this point requires getting more background info on SPF, (and then with DKIM and DMARC). The links you (@stevewi) provided about SPF should be helpful, thank you!
I'll make an effort to follow up here with what I learn.
The Google check utility you posted is designed for companies that are using google as their mail server infrastructure. This is why you got the error message from them. When you use google to send email for you, you have to use their SPF entries in your DNS, but when you are sending your own email that is not relevant. Here is a better set of tools for you to use to test your configuration. https://www.mailhardener.com/tools/
Thank you! In the last few hours I was finally coming to that conclusion. Nice to have it confirmed. I was attempting to follow links from google on the bounced email, and ended up at that site.
I will check out your link tomorrow. Am currently pretty far along on the following tutorial: "How to Set up SPF and DKIM with Postfix on Ubuntu Server". Have to take a break. Will report soon on how things work out.
The wikipedia entry on spf is quite helpful for background info, I'll add.
The tutorial from linuxbabe is impressive. It's well written, with lots of timely explanation. There are still places that amount to incantations (for my knowledge level), but I think some of that is inevitable.
Testing SPF with the MailHardener tool shows success.
Testing the DKIM record with the MailHardener DKIM Validator tool shows success.
The "view source" of an email received from my service now indicates both SPF and DKIM checks are being performed and are passing!
For a while in the process, I was getting the same error with the service as users in the post "Failed to start OpenDKIM DomainKeys Identified Mail". The service would fail to start, giving error diagnostics such as
opendkim.service: Start request repeated too quickly.
My error turned out to be that I had inadvertently deleted the very first "#" of the /etc/opendkim.conf file, turning the first line comment into gibberish to be executed. It was embarrassingly hard to figure this out. The error became apparent via a meaningful error message from a test given in the linuxbabe tutorial.
sudo opendkim-testkey -d adonax.com -s default -vvv
The error message received pointed directly to line 1 of opendkim.conf.
I've not tested my success rate with sending to gmail yet. There may be more to do. Also, I see that it's advised to implement DMARC. But I do feel the initial problems which prompted this thread are solved. Thanks to all for the help!
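The "view source" check described in the post above can be scripted. This added example, not part of the original thread, reads the SPF, DKIM and DMARC verdicts from a message's `Authentication-Results` headers and reports which are not passing. The sample message is constructed, `mx.example.net` is an assumed name for the receiving server, and the function names are this example's own.

```python
# Added example: read SPF/DKIM/DMARC verdicts from a message's headers.
import re
from email import message_from_string

# Constructed sample message. mx.example.net stands in for the receiving
# server; the second header imitates one injected by a sender.
SAMPLE_MESSAGE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@adonax.com header.s=default;
 spf=pass (sender IP is 192.0.2.10; checked) smtp.mailfrom=user@adonax.com
Authentication-Results: forged.example.org; dmarc=pass
From: user@adonax.com
To: someone@example.net
Subject: test

body
"""


def auth_results(raw_message, trusted_authserv):
    """Return {method: result} from headers stamped by trusted_authserv only."""
    msg = message_from_string(raw_message)
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        unfolded = " ".join(header.split())             # undo header folding
        unfolded = re.sub(r"\([^()]*\)", "", unfolded)  # drop (comments)
        parts = unfolded.split(";")
        ident = parts[0].split()
        # Anyone can add this header; trust only our own receiver's copy.
        if not ident or ident[0].lower() != trusted_authserv.lower():
            continue
        for clause in parts[1:]:
            m = re.match(r"\s*([a-z0-9-]+)\s*=\s*([a-z]+)", clause, re.I)
            if m:
                results.setdefault(m.group(1).lower(), m.group(2).lower())
    return results


def not_passing(results, required=("spf", "dkim", "dmarc")):
    """List the required methods that are absent or did not report 'pass'."""
    return [method for method in required if results.get(method) != "pass"]


if __name__ == "__main__":
    verdicts = auth_results(SAMPLE_MESSAGE, "mx.example.net")
    print(verdicts, "not passing:", not_passing(verdicts))
```

On the constructed message this reports SPF and DKIM as passing and DMARC as not yet present, which matches the state described at the end of the thread.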