
Issue EXTREMELY frustrating, emails keep being kicked back, DKIM, DMARC, and SPF setup

jayplesk2015

Basic Pleskian
Server operating system version
Linux Ubuntu 20.04 (64 Bit)
Plesk version and microupdate number
Obsidian 18.0.51 Web Admin Edition
Hey everyone,

According to my username, it's been some time since I have been here.

I have my email domains hosted on a server that is NOT serving the website, and those reside on Plesk.

I have created all records, and on my domain registrar I have also put in the proper records, but EVERY email sent to anything public (Gmail, etc.) gets kicked back automatically.

I will provide a screenshot of the DNS settings. The domain in question is whynotgus.info, but keep in mind this is happening to ALL domains on the server.

Any help would be greatly appreciated by those more knowledgeable. I know the almighty G controls the universe, but sometimes I think they overreach in these things.

thanks again!
[Attached screenshots: 2023-03-21_20-34-24.jpg, 2023-03-21_20-36-01.jpg]
 
You don't have any TXT records in your current DNS settings. Since you're using name.com's DNS for the name servers and not the Plesk web server, the records you have in Plesk will not work since the records will not come back. Here's the proof:

Code:
PS> dig -t txt whynotgus.info

; <<>> DiG 9.16.28 <<>> -t txt whynotgus.info
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62128
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;whynotgus.info.                        IN      TXT

;; AUTHORITY SECTION:
whynotgus.info.         3600    IN      SOA     ns1.name.com. hostmaster.nsone.net. 1679007811 43200 7200 1209600 3600

;; Query time: 106 msec
;; SERVER: 192.168.2.51#53(192.168.2.51)
;; WHEN: Wed Mar 22 00:12:26 US Mountain Standard Time 2023
;; MSG SIZE  rcvd: 111

PS> dig -t ns whynotgus.info

; <<>> DiG 9.16.28 <<>> -t ns whynotgus.info
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43003
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;whynotgus.info.                        IN      NS

;; ANSWER SECTION:
whynotgus.info.         300     IN      NS      ns1qsy.name.com.
whynotgus.info.         300     IN      NS      ns2glx.name.com.
whynotgus.info.         300     IN      NS      ns3jkl.name.com.
whynotgus.info.         300     IN      NS      ns4bfy.name.com.

;; Query time: 308 msec
;; SERVER: 192.168.2.51#53(192.168.2.51)
;; WHEN: Wed Mar 22 00:12:41 US Mountain Standard Time 2023
;; MSG SIZE  rcvd: 135

This is basically showing me what the records are currently set to.

Since you're using name.com for the name server, you're going to need to create those same TXT records on the name.com side.
 
Alternatively you can update the name server on your registrar to point to the Plesk server instead so you can use the DNS server built into Plesk. This usually involves making glue records.
 
You the man, I must confess in all my years of IT, this stuff always confuses me the most. I suspected the SOA probably came from name.com.

To be clear, if I continue using name.com's name servers, I am to add the identical DKIM, DMARC, and SPF TXT records? Won't the DKIM key be different on the different server?

Again, thanks, and I do remember glue records, sorta.

Full disclosure: in IT school maaaaaany years ago I totally failed the DNS exams twice. Again, I can learn it, I just never understood it.

I appreciate the help and I’m truly looking for the path of least resistance here.

If I copy the records as is, do I delete the ones in Plesk?
 
> To be clear, if I continue using name.com's name servers, I am to add the identical DKIM, DMARC, and SPF TXT records? Won't the DKIM key be different on the different server?

Just copy and paste the entries you see from Plesk into name.com and it'll work just fine since it's the web server itself that's going to be including the DKIM info and the other email server will be looking at the DNS record to see if it matches.

> If I copy the records as is, do I delete the ones in Plesk?

Nah, you can keep the records there in Plesk if you want, it won't hurt anything. If you want, you can disable the DNS for the domain once you've copied the records to name.com, but keeping it running won't harm anything either.

I use Cloudflare for my DNS, so I have the DNS server turned off on a few domains that use Cloudflare, but I also have a good number with it still running with no issues.
 
And I know it’s redundant to ask, but it’s just the DKIM, DMARC, and SPF records I’m duplicating, not EVERY entry?
 
Like this?

[Attached screenshot: 2023-03-22_3-06-29.jpg]
 
Only copy over the records you need, which would primarily be the TXT records for:

whynotgus.info
_dmarc.whynotgus.info
default_domainkey.whynotgus.info
_domainkey.whynotgus.info

You would only need webmail.whynotgus.info if you're sending emails that's, say, [email protected], but otherwise that record is not needed.

And I'm pretty sure the remaining records are primarily used for auto discovery, but those should be SRV records and not TXT records. If you don't plan on using auto discovery then you can safely delete those remaining entries; otherwise you'll need to change them to be SRV records.
 
You have been so helpful.

Now stay with me here, this part is going to be the tough one. BTW, the emails are landing in GMAIL now!!!!! But they are in SPAM; guess that is the almighty G's way of saying that if we do not want to pay for their service they will make our life a living (well, you know). Incidentally, we also got kicked off Google My Business despite having a legit company and doing everything right, and after they did it they REFUSED to tell us what we had done wrong.

I digress.

So Why Not Gus (Digital Marketing Agency) Phoenix Arizona - Home is also registered with name.com. Now whynotgus.agency, the WEBSITE, is pointed (using A and CNAME records) to the HOST, which for the time being is a company called SNAPPS; however, the EMAIL is on the Plesk server. Would I just have to add the same records from the Plesk server into the name.com DNS, or would there be additional steps because the actual site's files are not on the Plesk server? I would think that HTTP and MX are two separate entities (if my failed college courses serve me right).

We ideally want to be able to use the .agency for the @emails, but we had a heckuva time just getting .info to work (which has no hosted site, it's just an extra TLD we bought).
 
> Now stay with me here, this part is going to be the tough one. BTW, the emails are landing in GMAIL now!!!!! But they are in SPAM; guess that is the almighty G's way of saying that if we do not want to pay for their service they will make our life a living (well, you know). Incidentally, we also got kicked off Google My Business despite having a legit company and doing everything right, and after they did it they REFUSED to tell us what we had done wrong.

GMail is a weird beast where your headers and whatnot can all pass and Google will still route the email to spam, but that's usually because Gmail doesn't know the IP address of the address in question and would stop doing that over time, but that's the catch, it takes time. This is also the reason why I decided to use Microsoft 365 for my emails lol

> So Why Not Gus (Digital Marketing Agency) Phoenix Arizona - Home is also registered with name.com. Now whynotgus.agency, the WEBSITE, is pointed (using A and CNAME records) to the HOST, which for the time being is a company called SNAPPS; however, the EMAIL is on the Plesk server. Would I just have to add the same records from the Plesk server into the name.com DNS, or would there be additional steps because the actual site's files are not on the Plesk server? I would think that HTTP and MX are two separate entities (if my failed college courses serve me right).

You can have the web hosting done by one server and email by another. You just need to make sure your MX and A records are configured properly.

For example, let's say you're hosting with a host that has your server's IP address at 127.15.5.69. Now let's say you have your email server (the one with Plesk) hosted with another host at IP 69.5.15.127. So with that said, you would have something like this (note that a standard @ simply means the host name, so in your example it would be whynotgus.agency).

Code:
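; web server (example address)
@    IN A  127.15.5.69
; mail server running Plesk (example address)
mail IN A  69.5.15.127
; an MX record needs a preference value and a fully qualified target
@    IN MX 10 mail.whynotgus.agency.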

Of course you'll want to make sure the TXT record that holds your SPF record is configured to accept the MX record entry, which would be 69.5.15.127.

> We ideally want to be able to use the .agency for the @emails, but we had a heckuva time just getting .info to work (which has no hosted site, it's just an extra TLD we bought).

Not sure what you mean by getting the .info to work, but it's just a matter of making sure that the domain is added in the server so you can make the mailboxes.
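
The split setup described in this reply (website on one host, mail on the Plesk host, DNS at the registrar) can be sanity-checked before any mail is sent. The following is an added example, not part of the thread and not Plesk code: it audits a constructed copy of the public zone for the MX, SPF, DMARC and DKIM records and evaluates a subset of SPF mechanisms against the sending IP. The `default` DKIM selector, the dictionary layout and the function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample zone; example addresses from the thread, placeholder DKIM key.
ZONE = {
    ("whynotgus.agency", "A"): ["127.15.5.69"],
    ("mail.whynotgus.agency", "A"): ["69.5.15.127"],
    ("whynotgus.agency", "MX"): ["10 mail.whynotgus.agency."],
    ("whynotgus.agency", "TXT"): ["v=spf1 mx -all"],
    ("_dmarc.whynotgus.agency", "TXT"): ["v=DMARC1; p=none"],
    ("default._domainkey.whynotgus.agency", "TXT"): ["v=DKIM1; k=rsa; p=PLACEHOLDER"],
}

def lookup(zone, name, rtype):
    return zone.get((name.rstrip(".").lower(), rtype), [])

def spf_allows(zone, domain, sender_ip):
    """Evaluate only the ip4/ip6, a, mx and all mechanisms (a subset of RFC 7208)."""
    ip = ipaddress.ip_address(sender_ip)
    spf = [t for t in lookup(zone, domain, "TXT") if t.lower().startswith("v=spf1")]
    if len(spf) != 1:          # none, or several (a permanent error): no pass
        return False
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech, _, arg = term.lstrip("+-~?").lower().partition(":")
        if mech in ("ip4", "ip6"):
            hit = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            hit = sender_ip in lookup(zone, arg or domain, "A")
        elif mech == "mx":     # resolve each MX target, then compare its A records
            hosts = [mx.split()[-1] for mx in lookup(zone, arg or domain, "MX")]
            hit = any(sender_ip in lookup(zone, h, "A") for h in hosts)
        else:
            hit = mech == "all"    # include/exists/ptr/modifiers are not evaluated
        if hit:
            return qualifier == "+"
    return False

def audit(zone, domain, sender_ip, selector="default"):
    """List what a receiving server would find wrong for mail sent from sender_ip."""
    problems = []
    if not lookup(zone, domain, "MX"):
        problems.append("no MX record")
    if not spf_allows(zone, domain, sender_ip):
        problems.append("SPF does not authorize " + sender_ip)
    if not any(t.startswith("v=DMARC1") for t in lookup(zone, "_dmarc." + domain, "TXT")):
        problems.append("no DMARC record")
    if not any("p=" in t for t in lookup(zone, f"{selector}._domainkey.{domain}", "TXT")):
        problems.append("no DKIM key for selector " + selector)
    return problems
```

Calling `audit(ZONE, "whynotgus.agency", "69.5.15.127")` returns an empty list, while the same call on a zone with the TXT records stripped reports the SPF, DMARC and DKIM gaps that the `dig -t txt` output earlier in the thread revealed.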
 

Hey There, thanks for all the help last night.

We got emails sending and receiving on all domains. The ISSUE now, which may be beyond the scope of this, is:

The iPhones (and ONLY the iPhones) will not ADD the email from ANY domain on the server. I have included a screenshot of a typical config; it does not matter if it's mail.domain or just .domain in the incoming and outgoing server field. What is strange is the Plesk mail logs show no activity when these accounts try to "verify". They all fail when it's not SSL (first run) and then they verify "without SSL", and after forever we get a message that the IMAP server is not responding. Funny thing is the domain shows no activity of it ever being queried to add the box from the phone.

I know we have been plugging away at this, but it seems we're so close. Doesn't help that all of our field reps (95%) use iPhones!

Screenshot attached (keep in mind since we are using the same IP for all domains, it doesn't matter what is placed in these fields). I suspect this has something to do with I don't know....
 

[Attachments: IMG_7820.PNG, IMG_7833.PNG, IMG_7848.PNG]

One of the errors shows it's not able to connect to the imap server which means you have port 993 blocked. Make sure you have port 993 open to the server. If you use a cloud provider like AWS or Azure, make sure that it's also unblocked in the security setting (in Azure it's called a Network Security Gateway (NSG), I don't remember what it's called in AWS).
 
OK, I'll check that. Here are a few more photos. I added A records for smtp., pop., and IMAP. They all show valid records but still the same errors no matter how we put it in.
 

[Attachments: IMG_7917.PNG, IMG_7918.PNG, IMG_7919.PNG, IMG_7920.PNG]

I see that imap and smtp.whynotgus.agency is open now, but now the question is do you have SSL configured for the mail? (You can confirm under Domains > Domain > Mail > Mail Settings and make sure the SSL/TLS certificate for mail is set). And also confirm that the username and password is correct.
 
Just another update: I tried a test using Mail for Windows on Win 10, as well as Outlook for mobile on the iPhone.

Outlook on the phone failed saying IMAP credentials were bad. Mail on Windows added the account but won't fetch mail or send it.
 
> I see that imap and smtp.whynotgus.agency is open now, but now the question is do you have SSL configured for the mail? (You can confirm under Domains > Domain > Mail > Mail Settings and make sure the SSL/TLS certificate for mail is set). And also confirm that the username and password is correct.

I do not think we can have a certificate for this domain; the certificate for the .agency domain is activated on the web server side. Can we have two? Keep in mind that the website itself (HTTPS protocol) is not on this server. My thought is if we secure the mail for .agency we would have a certificate hostname mismatch.
 
If you have a wildcard certificate already on the main server then just copy that over to the Plesk server via the advanced option.
 