Issue DKIM and DMARC issue, emails not sending

[andrejkona]

Please help me. I red all articles, tried ChatGPT 4 and Copilot Pro. But I had no luck.
My issue is with sending emails. They are not sending.


But reality is different


All settings are just as knowledge base and threats with this topic are showing us to be.


The output from the

dig +trace +nocmd _dmarc.rashori.com TXT @a.root-servers.net

command (Plesk is running on Plesk Obsidian v18.0.59_build1800240229.10 os_Ubuntu 22.04) provided shows the recursive path your query takes through the DNS infrastructure, starting from the root servers down to the authoritative nameservers for rashori.com, which are managed by Forpsi (ns.forpsi.net, ns.forpsi.cz, ns.forpsi.it).

This is how Forpsi (they host my domain) DNS is setup:


Here is DNS setting for all of my domains managed by Plesk under IP (194.182.91.54):


DNS setup for Rashori.com domain managed by Plesk


I am using Plesk Email Security, and when I run Config check, result is:


Please help me. I cannot sent emails.

The mail system error:
<asdf>: host gmail-smtp-in.l.google.com[173.194.69.27] said:
550-5.7.26 This mail has been blocked because the sender is
unauthenticated. 550-5.7.26 Gmail requires all senders to authenticate with
either SPF or DKIM. 550-5.7.26 550-5.7.26 Authentication results:
550-5.7.26 DKIM = did not pass 550-5.7.26 SPF [rashori.com] with ip:
[194.182.91.54] = did not pass 550-5.7.26 550-5.7.26 For instructions on
setting up authentication, go to 550 5.7.26
Email sender guidelines - Google Workspace Admin Help
d18-20020a17090648d200b00a46634571dbsi1962727ejt.111 - gsmtp (in reply to
end of DATA command)
Reporting-MTA: dns; rashori.com
X-Postfix-Queue-ID: 809C113C4CB
X-Postfix-Sender: rfc822; [email protected]
Arrival-Date: Fri, 15 Mar 2024 19:57:28 +0000 (UTC)

Final-Recipient: rfc822; asdf
Original-Recipient: rfc822;asdf
Action: failed
Status: 5.7.26
Remote-MTA: dns; gmail-smtp-in.l.google.com
Diagnostic-Code: smtp; 550-5.7.26 This mail has been blocked because the sender
is unauthenticated. 550-5.7.26 Gmail requires all senders to authenticate
with either SPF or DKIM. 550-5.7.26 550-5.7.26 Authentication results:
550-5.7.26 DKIM = did not pass 550-5.7.26 SPF [rashori.com] with ip:
[194.182.91.54] = did not pass 550-5.7.26 550-5.7.26 For instructions on
setting up authentication, go to 550 5.7.26
Email sender guidelines - Google Workspace Admin Help
d18-20020a17090648d200b00a46634571dbsi1962727ejt.111 - gsmtp

 

[Peter Debik]

You say emails are not sending. But your content shows that they are sent but GMail does not accept them for delivery due to this error:

Gmail requires all senders to authenticate with either SPF or DKIM.

Your hostname from where you send mails needs at least an SPF record in the nameserver. DKIM is optional, but SPF is a requirement.

 

[andrejkona]

Thank you @Peter Debik, that mail for gmail is only one from many.
By this https://support.plesk.com/hc/en-us/...SPF-and-how-to-configure-it-on-a-Plesk-server I have same setup (MX for all, tick for SPF in Settings).

But mails are not sending. Here is mail qeue

And for non gmail I have this error:

Received: from rashori.com (localhost.localdomain [127.0.0.1])
    by rashori.com (Postfix) with ESMTP id 97B6813C87E
    for <[email protected]>; Sun, 17 Mar 2024 06:37:49 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rashori.com;
    s=default; t=1710657469;
    bh=RHI91NDg1Go8f6isolS2HCe2tXiflhd+gsgHAECfFTU=;
    h=Received:Received:From:To:Subject;
    b=OzO9WqhdeVjl4P0a3lHevnooIJSqSjcL8FNWSgyg9FM/Ck5WBp4hfccPjB154ZI5i
     tDCSE5bKfqykWKJjui2tiMuf8QdfAzmIoRR6F8575qGv3OY+Vj+8N3AgC6qtA7HkcU
     QvPdjNilO5BLymQyTq+5VVGh9bBouSRNbTP9JU+gMqjmMjAMy/0cjKrmfwt1yZV2Xf
     buak+DvoniIBcLlDYPGezstWoveO+ppSJb4zg6sPPoGmUF1j2HP2h27JNSnW0F3Iz5
     QwjjODHb3fjKfIrBKBVlkrU6vhWBUGi02YyHAl3s31hn99SDiBycmazFQINCwZkRnf
     sSj4nBBY16OFQ==
Authentication-Results: rashori.com;
    spf=pass (sender IP is 127.0.0.1) [email protected] smtp.helo=rashori.com
Received-SPF: pass (rashori.com: localhost is always allowed.) client-ip=127.0.0.1; [email protected]; helo=rashori.com;
X-Spam-Flag: NO
X-Spam-Score: -2.708
X-Spam-Level:
X-Spam-Status: No, score=-2.708 tagged_above=-9999 required=5
    tests=[ALL_TRUSTED=-1, BAYES_00=-1.9, DKIM_INVALID=0.1,
    DKIM_SIGNED=0.1, SCC_BODY_SINGLE_WORD=0.001, SPF_PASS=-0.001,
    SURBL_BLOCKED=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001]
    autolearn=no autolearn_force=no
Authentication-Results: rashori.com (amavisd-new); dkim=neutral
    reason="invalid (public key: unsupported version)"
    header.d=rashori.com
Received: from rashori.com ([127.0.0.1])
    by rashori.com (rashori.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 6IieHAjtxmcp for <[email protected]>;
    Sun, 17 Mar 2024 06:37:49 +0000 (UTC)
Received: from webmail.rashori.com (localhost.localdomain [127.0.0.1])
    by rashori.com (Postfix) with ESMTPSA id 19BBE13C462
    for <[email protected]>; Sun, 17 Mar 2024 06:37:49 +0000 (UTC)
Received-SPF: pass (rashori.com: connection is authenticated)
MIME-Version: 1.0
Date: Sun, 17 Mar 2024 07:37:49 +0100
From: "Rashori.com" <[email protected]>
To: Andrej <[email protected]>
Subject: hi
Message-ID: <[email protected]>
X-Sender: [email protected]
Content-Type: text/plain; charset=US-ASCII;
 format=flowed
Content-Transfer-Encoding: 7bit

 

[Peter Debik]

Regarding SPF: I don't see what a screenshot of a mail queue proofs. Did you check that the SPF record is set correctly? You could for example use mail-tester.com to verify it. Also check the DNS record of your hostname (that is the main domain of your server that you use to login into Plesk). It must have a valid SPF record and so should the sending domain.

Regarding the "public key: unsupported version": I have no information on that. It could be an issue with the Warden Anti Spam extension. While you should definitely check though is that "myhostname" in /etc/postfix/main.cf is set to the hostname of your server.

 

[danami]

I also recommend using DMARC Domain Checker - dmarcian to test that all your DNS records are added properly and have no errors.