User comments on ISPs
  >> Zen Internet


Register (or login) on our website and you will not see this ad.


Pages in this thread: 1 | 2 | (show all)   Print Thread
Standard User ronjohnreid
(newbie) Tue 28-May-19 11:26:40
Print Post

Rejected mail


[link to this post]
 
I have recently had a couple of folk reporting to me that an email has been rejected - one said that it was a problem with SPF (that may not be the precise error message but it is the sense of it)

In one case an email was rejected from two different mailboxes.

I continue to receive email from other users in these mailboxes.

My mail goes through redirections from my domains to the Zen mail account.

Any thoughts?

Thanks

Ron
Standard User Amjad
(learned) Tue 28-May-19 13:06:48
Print Post

Re: Rejected mail


[re: ronjohnreid] [link to this post]
 
Probably SPF and sender rewriting issue, I came across the following when I had the same issue. Post 8 from "Ohmygawd".

https://forums.thinkbroadband.com/zen/f/4560666-zen-...
Standard User PhilipD
(experienced) Tue 28-May-19 13:46:16
Print Post

Re: Rejected mail


[re: ronjohnreid] [link to this post]
 
Hi

Do you have SPF set up?

You can test your domains for a valid SPF here https://mxtoolbox.com/SuperTool.aspx and select SPF.

Basically an SPF defines which computers can send emails from your domain and is available for anyone to lookup from your DNS txt record. If the email was sent from a computer who's IP isn't in that list more and more email systems are flagging them as SPAM there and then. If you have no SPF record at all again some email systems assume the worst that it is SPAM.

Also one of the Zen relays might be black listed.

A good test is to send yourself an email from the affected addresses to a gmail address, then when viewing the email in a browser window you can select more options and view the original message source, here Gmail will tell if SPF is pass or fail.

Another increasingly common requirement is DKIM and DMARC. This signs an email using a private/public keys to confirm the sender is your domain, a DMARC is a published policy that says if the recipient fails DKIM how it should be dealt with.

DKIM and DMARC can be hard to set up on your own domains. The first SMTP server your email client connects to is responsible for signing the email, so it needs support of the SMTP server plus the ability to access it to set private keys etc. For example your own domains via Gmail you can't do this, but if you pay for GSuite you can. Googling those terms will get you lots of information.

Regards

Phil


Register (or login) on our website and you will not see this ad.

Standard User Sandgrounder
(knowledge is power) Tue 28-May-19 16:26:46
Print Post

Re: Rejected mail


[re: ronjohnreid] [link to this post]
 
I have had this in the past. The anoying point was that it would all work for many months.

Then suddenly ............... it would fail.

If you only use your domain names for email, then the simplest solution is to move the hosting to Zen. I have had no trouble since doing this.

Edit: I still forward all the domain emails to my [email protected],.uk account



Line One:- Zen Fibre 1 - DrayTek Vigor 2860ac
Line Two:- Andrews and Arnold - DrayTek Vigor 130 Modem
Mobile:- EE PAYG - TP-Link Archer MR200

Edited by Sandgrounder (Tue 28-May-19 21:04:19)

Standard User ronjohnreid
(newbie) Tue 28-May-19 20:45:21
Print Post

Re: Rejected mail


[re: PhilipD] [link to this post]
 
Now confused! Do you have to tell the forwarder all the addresses which are allowed to transfer the email to the Zen mailbox?

I tried a Gmail and get the following among the headers (I have put in a fake domain - it is mine that is shown. I've also changed the ip which is a Zen one. I don't know if it is unique to my service)

Received-SPF: neutral (google.com: a.b.c.d is neither permitted nor denied by best guess record for domain of [email protected]) client-ip=a.b.c.d ;
Authentication-Results: mx.google.com;
spf=neutral (google.com: a.b.c.d is neither permitted nor denied by best guess record for domain of [email protected]) [email protected]
Standard User PhilipD
(experienced) Wed 29-May-19 07:50:11
Print Post

Re: Rejected mail


[re: ronjohnreid] [link to this post]
 
Hi

This suggests you don't have any SPF record for your domain. If it is your domain and you have control of the DNS record, then it's usually up to the owner of the domain to set the DNS records up and add the SPF record.

SPF helps identify SPAM where someone is spoofing emails from your email address or domain, as it will be seen they are sending email from a server that isn't in the list of servers you use. Usually SPF is used to score the email for the likelihood it's SPAM, so if you have no SPF record you lose points for that, and if you have an SPF record you lose even more points if the email originates from a server not on the SPF list.

The recipient of your email (the email server) will do a DNS lookup and try to find the SPF record, so yes you are saying this is all the IP addresses I legitimately use for emails from mydomain.co.uk. If you are sending your email via Zen servers, then their SPF settings should also be the ones you require.

Zen's SPF record is:

Text
1
v=spf1 include:_spf.zen.co.uk include:_spfcoremail.zen.co.uk include:_spf.salesforce.com include:aspmx.pardot.com include:servers.mcsv.net include:amazonses.com a:smtp.insmartcloud.com ~all


This is basically all the servers Zen uses to send email, it looks like it includes servers they do mass emailing from, you probably don't need these mass emailing servers but it will do no harm just to copy the whole thing for the sake of setting something up, so here are a few pointers, this assumes you do send your email via Zen's SMTP servers:

1) Get a base mark of your domain, go to https://mxtoolbox.com/SuperTool.aspx and enter your domain name and then select SPF Record Lookup, it will most likely come back saying there isn't one.

2) Go to whoever does your DNS on your domain name, they should give you options to add DNS settings, you need to add a TXT record, simply copy the one above that Zen uses.

3) Now run step one again, it should come back with the TXT record you entered, if not, you may need to leave it a while for the settings to go live.

4) Once you can see the SPF record coming back in step 1, try a test email again to Gmail, with any luck it now says SPF passed.

Hope that helps.

Regards

Phil

Edited by PhilipD (Wed 29-May-19 07:53:08)

Standard User caffn8me
(eat-sleep-adslguide) Wed 29-May-19 12:04:37
Print Post

Re: Rejected mail


[re: ronjohnreid] [link to this post]
 
If I've read your original post correctly, it's nothing to do with SPF for your domain as it's not emails you're sending out being rejected but people trying to send email to you.

The rejections by Zen are correct and proper behaviour. Email from rejected domains has a valid SPF record which specifies that email from those domains can only come from specific email servers.

Your email server, which forwards to your Zen account, isn't authorized to send email from their domains.

The simplest way to deal with it is either to have Zen host your email domain directly or not to forward to Zen and pick up email from the mail server which hosts your domain's email. It's possible that this will offer IMAP which is very much better than Zen's POP3 offering anyway.

If your current domain hosting provider can't do this, move your domain to somewhere that can.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User PaulKirby
(knowledge is power) Thu 30-May-19 06:40:28
Print Post

Re: Rejected mail


[re: caffn8me] [link to this post]
 
In reply to a post by caffn8me:
If your current domain hosting provider can't do this, move your domain to somewhere that can.

Agreed, we run our own mail server and the amount of stuff we had to setup (SPF, DMARC, DKIM, SRS etc) for our emails (over several domains) to arrive at their destination without issues.

Another thing to also think about setting up is DMARC (Domain Message Authentication Reporting & Conformance) most mail providers use that along with SPF and DKIM (DomainKeys Identified Mail) and with DMARC you can set what you want the destination mail server to do if the DKIM and / or SPF fails.

But yeah, SPF needs to contain all IP's for all mail server that is allowed to send mail on your domains behalf, and DKIM is suppose to stop tampering of the actual email.

Also if having issues forwarding emails then they also might need to look up SRS (Sender Rewriting Scheme) that fixes most of those issues.

But in most cases it might be just easier to have someone run your mail services like Zen or Google etc.

Paul

BTBroadband - Ultrafast Fibre 2 Plus + FVA
Exchange Name: Ilford Central (LNILC) Cabinet: 24
TBB Speedtest IPv4 | TBB Speedtest IPv6 | Ookla Speedtest (Single Threaded) | Linksys WRT 3200 ACM (BQM)
Standard User ronjohnreid
(newbie) Fri 31-May-19 10:29:00
Print Post

Re: Rejected mail


[re: PaulKirby] [link to this post]
 
Just to clarify

Zen provides my email service and I send through Zen SMTP

I use a tld (*.org) originally registered with netnames many years ago and later taken over by speednames.uk

This is used to provide multiple email addresses ([email protected]*.org etc) which redirect to Zen

Some emails are rejected by Zen, others not. By their nature, it is not possible to know the proportion rejected.
Standard User Pipexer
(eat-sleep-adslguide) Fri 31-May-19 22:23:12
Print Post

Re: Rejected mail


[re: ronjohnreid] [link to this post]
 
In my opinion caffn8me is correct. It is because when [email protected] on IP 1.1.1.1 sends to [email protected] this is then being forwarded to [email protected] by your you.org mail server on 2.2.2.2. bob.com SPF record does not contain 2.2.2.2 so it fails SPF. The mixed behaviour is dependant upon the original sender domain and what email security they have configured (spf, dkim, DMARC), and also how Zen is interpreting it.

The fault is with you for forwarding email, I am afraid.

Honestly, the best solution at this point is to migrate your email all to a single hosting provider (i.e office365, gmail, or there are loads of cheaper ones out there), and at the same time ask them to tell you what SPF and DKIM (and DMARC if you want) records should be configured.

Andrews & Arnold Home ::1 on Draytek 2862ac - Why settle for inferior?
Standard User PaulKirby
(knowledge is power) Sat 01-Jun-19 03:04:32
Print Post

Re: Rejected mail


[re: Pipexer] [link to this post]
 
SRS can fix most of the Forwarding issues, but can also cause new ones.

Also with DMARC you can have it send reports for the day before of passed and failed emails arriving at the other mail services, this can be handy when setting up.

Paul

BTBroadband - Ultrafast Fibre 2 Plus + FVA
Exchange Name: Ilford Central (LNILC) Cabinet: 24
TBB Speedtest IPv4 | TBB Speedtest IPv6 | Ookla Speedtest (Single Threaded) | Linksys WRT 3200 ACM (BQM)
Standard User ronjohnreid
(newbie) Mon 03-Jun-19 10:12:10
Print Post

Re: Rejected mail


[re: Pipexer] [link to this post]
 
The fault is with you for forwarding email, I am afraid.


Thanks - it usually is.
It's just that this has worked well for years and now sudddenly goes wrong.

It will be a lot of work for me if I migrate the domain but may have to be faced. What I would need to be sure of though is if I do migrate to Zen as the domian host and keep my email service there that this particular problem will be removed.

Can anyone assure me that tis should be the case?

Regards
Standard User Sandgrounder
(knowledge is power) Mon 03-Jun-19 10:51:48
Print Post

Re: Rejected mail


[re: ronjohnreid] [link to this post]
 
In reply to a post by ronjohnreid:
It's just that this has worked well for years and now sudddenly goes wrong.
Just what happened with me.

In reply to a post by ronjohnreid:
What I would need to be sure of though is if I do migrate to Zen as the domain host and keep my email service there that this particular problem will be removed. Can anyone assure me that this should be the case?
No. But I can tell you that it worked for me with two domains.



Line One:- Zen Fibre 1 - DrayTek Vigor 2860ac
Line Two:- Andrews and Arnold - DrayTek Vigor 130 Modem
Mobile:- EE PAYG - TP-Link Archer MR200
Standard User ronjohnreid
(newbie) Mon 03-Jun-19 15:57:25
Print Post

Re: Rejected mail


[re: Sandgrounder] [link to this post]
 
Thanks

I'll bite the bullet and try doing it when I have a couple of clear days

Ron
Standard User caffn8me
(eat-sleep-adslguide) Tue 04-Jun-19 16:32:07
Print Post

Re: Rejected mail


[re: ronjohnreid] [link to this post]
 
In reply to a post by ronjohnreid:
Just to clarify

Zen provides my email service and I send through Zen SMTP

I use a tld (*.org) originally registered with netnames many years ago and later taken over by speednames.uk

This is used to provide multiple email addresses ([email protected]*.org etc) which redirect to Zen

Some emails are rejected by Zen, others not. By their nature, it is not possible to know the proportion rejected.
Speednames hosts email as well as just forwarding it. Why not host email fully on Speednames rather than forwarding to Zen accounts? I suppose it may be a question of cost.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User PhilipD
(experienced) Tue 04-Jun-19 16:46:12
Print Post

Re: Rejected mail


[re: caffn8me] [link to this post]
 
Hi

It is not the hosting that is the problem.

The domain owner needs to set up an SPF record to say which servers can legitimately send email for that domain, simple as that. https://postmarkapp.com/guides/spf

You can move the domain or change servers all you like, but until the person who administers the domain adds a SPF TXT record, nothing changes, as emails still leave with no SPF in place and so will more likely got flagged as SPAM.

Regards

Phil
Standard User caffn8me
(eat-sleep-adslguide) Tue 04-Jun-19 17:21:12
Print Post

Re: Rejected mail


[re: PhilipD] [link to this post]
 
In reply to a post by PhilipD:
It is not the hosting that is the problem.

The domain owner needs to set up an SPF record to say which servers can legitimately send email for that domain, simple as that. https://postmarkapp.com/guides/spf

You can move the domain or change servers all you like, but until the person who administers the domain adds a SPF TXT record, nothing changes, as emails still leave with no SPF in place and so will more likely got flagged as SPAM.
With all due respect, you've misinterpreted the problem. The problem that the OP has is with incoming email from external domains he does not own because it is forwarded to his Zen email account from speednames.uk (the MX hosts for his domain).

Speednames.uk isn't using Sender Rewriting Scheme so emails forwarded to the Zen account have server headers which don't match the originating domain's SPF record. Zen quite correctly rejects these if the originating domain has a DMARC record requiring this - which is, in my opinion, good practice.

So, yes, it's a hosting problem. If the MX host (speednames.uk) is the same as the IMAP/POP3/Webmail host where the email is picked up from, then there's no forwarding and nothing breaks SPF/DMARC policy.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User caffn8me
(eat-sleep-adslguide) Tue 04-Jun-19 17:32:50
Print Post

Re: Rejected mail


[re: PaulKirby] [link to this post]
 
In reply to a post by PaulKirby:
SRS can fix most of the Forwarding issues, but can also cause new ones.
I agree entirely. It's best to avoid forwarding these days if at all possible.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Pages in this thread: 1 | 2 | (show all)   Print Thread

Jump to