Email rejections due to DMARC

[makaiguy]

Some major mail servers, notably Gmail and Yahoo, have implemented a relatively new process/protocol/whatever called DMARC. This is causing emails sent by our users via our vBulletin, currently 3.8.7 PL 4, (i.e. email to another user, [s]send link to a friend, etc.[/s]) to be rejected.

vBulletin sends such messages with the sender's email address of record in the "From" field of the message. vBulletin does it this way so that the recipient can reply directly to the original sender's email address.

Best as I can make out by examining the online DMARC info, these messages are being rejected because the sending server (i.e. our board's server) does not match the server shown in the user's "From" address.

If this is correct, I *think* this could be corrected by having those user-initiated emails sent with our board's email address in the "From" field, and the sending user's email address in a "Reply-to" field.

Does anybody know how to accomplish this?

[Solution found. See: https://vborg.vbsupport.ru/showthrea...9#post2496459]

[nhawk]

DMARC is only applied after both SPF and DKIM verifications fail.

All three of those are defined in the DNS entries for your site.

DKIM also requires both a public and private key on your server.

From Gmail about DMARC..

Quote:

If you're a domain owner, you'll first need to configure SPF records and DKIM keys on all outbound mail streams. DMARC relies upon these technologies to ensure signature integrity. A message must fail both SPF and DKIM checks to also fail DMARC. A single check failure using either technology allows the message to pass DMARC. See the corresponding SPF and DKIM sections of the DMARC specification for example messages filtered by these tools.

[makaiguy]

Thanks for the reply, but that's not been our experience.

Our normal mail (the stuff that has admin@ourbbsname.com in the From field) gets through just fine, including to Gmail and Yahoo.

It is just the messages that have our user's address in the From field that are getting rejected. When you go to the links provided in the rejection messages, they're pretty cryptic, but they seem to indicate (perhaps erroneously) DMARC failures.

Correct me if I'm wrong, but the fact that our "normal" mail is getting through okay seems to say that there is no problem with our SPF and DKIM settings (or at least one of them must be okay per what you said above), otherwise our normal mail would bounce too.

You can send a test mail to check-auth@verifier.port25.com and it will analyze your verifications and email you a report back.

I created a user with check-auth@verifier.port25.com as its email address and sent some messages to it.

Messages sent from my normal admin account, with a From address of admin@ourbbsname.com, produce the following summary (extracted from a much longer report):

Quote:

================================================== ========
Summary of Results
================================================== ========
SPF check: pass
DomainKeys check: neutral
DKIM check: pass
Sender-ID check: pass
SpamAssassin check: ham

In short, both SPF and DKIM checks passed.

And here's the summary for the same message sent from a user account, with a From address NOT located on our server, similar to the ones we are seeing rejected:

Quote:

================================================== ========
Summary of Results
================================================== ========
SPF check: pass
DomainKeys check: neutral
DKIM check: pass
Sender-ID check: fail
SpamAssassin check: ham

This still passes SPF and DKIM, but fails their Sender-ID check.

So again, it seems to point to a mismatch between From address and sending server being the culprit that is causing both Gmail and Yahoo to reject the messages.

I'm just looking for some guidance on how to get our own server-based address into the From field of all outgoing messages. And for those user-generated messages that would throw the user's own address into the From field, to put it into a "Reply-to" header instead.

[kh99]

Well, emails are sent by calling the "vbmail" function, and that function has parameters for specifying the From address as well as additional headers. So you should be able to do what you want by finding the right calls to vbmail() and changing the parameters. I would figure it out for you but I don't have the time to work it all out right now. I might be able to do it later if no one else has figured it out by then.

Edit: now that I think about it a little more, I'm guessing a plugin using hook mail_send could adjust the fields as necessary so that you wouldn't have to edit any files.

[Simon Lloyd]

You need to add an "allow" or "include" to to your spf record for the domain like this:
a:vbulletin.org include:vbulletin.org
That allows the domain as a sender, i personally haven't had any issues with the email sending as i dont allow my users to use the email to a friend function or contact them by email but i'm guessing you'll have to add every domain that your users use.

[kh99]

Quote:

Originally Posted by Simon Lloyd

...i dont allow my users to use the email to a friend function or contact them by email but i'm guessing you'll have to add every domain that your users use.

Someone asked about the same thing here: https://vborg.vbsupport.ru/showthread.php?t=310799 and I didn't understand it, but after reading this thread I think he's having the same issue. If what he was told is true, then you should be able to fix it by using your own email in the "from" field, but put the user's email in reply-to.

[makaiguy]

Quote:

Originally Posted by Simon Lloyd

You need to add an "allow" or "include" to to your spf record for the domain like this:
a:vbulletin.org include:vbulletin.org
That allows the domain as a sender, i personally haven't had any issues with the email sending as i dont allow my users to use the email to a friend function or contact them by email but i'm guessing you'll have to add every domain that your users use.

No problem with sending OUR mail, with our address, via our server. Problem is sending mail originated by users with THEIR address in the From field. No way in hell I'm adding every domain used by over 50,000 registered users to our SPF record.

And btw, I misspoke earlier, and have struck out the erroneous text above. The email link to a friend option sends its message with the board's admin email address in the From field. This has caused me to have to add a bunch of boilerplate to those messages on the order of "DO NOT REPLY TO THIS MESSAGE as replies go to the BBS admins not to the person sending this message to you." Of course, nobody bothers to read the caveats...

--------------- Added 05 May 2014 at 18:16 ---------------

Quote:

Originally Posted by kh99

... If what he was told is true, then you should be able to fix it by using your own email in the "from" field, but put the user's email in reply-to.

.. which is precisely what I'm asking about doing.

[Toddling off to the referenced thread to see what's there ....]

--------------- Added 05 May 2014 at 23:22 ---------------

FURTHER RESEARCH

The vbmail() function is defined in includes/functions.php, as follows:

function vbmail($toemail, $subject, $message, $notsubscription = false, $from = '', $uheaders = '', $username = '')

The parameters are:

* @param string Destination email address
* @param string Email message subject
* @param string Email message body
* @param boolean If true, do not use the mail queue and send immediately
* @param string Optional name/email to use in 'From' header
* @param string Additional headers
* @param string Username of person sending the email

The function is called in sendmessage.php in several different places, depending on the sort of email being sent. So it looks to me that I'll need to hack sendmessage.php for my user-generated message types to add in a specified From address that utilizes my mail server as the 5th parameter, and a "Reply-to" header as the 6th parameter.

[nhawk]

Your whole problem might be solved as easily as adding this to your DNS entries...

spf2.0/pra a mx IP4:XXX.XXX.XX.XX -all

The only way to be sure is to try it.

[makaiguy]

Quote:

Originally Posted by nhawk

Your whole problem might be solved as easily as adding this to your DNS entries...

spf2.0/pra a mx IP4:XXX.XXX.XX.XX -all

The only way to be sure is to try it.

This would be, I assume, the IP assigned to our server?

Would be worth a try, although the test results above don't indicate either SPF or DKIM failure.

--------------- Added [DATE]1399380674[/DATE] at [TIME]1399380674[/TIME] ---------------

As I read for further on this, I think you've got it backwards. I think this would say that people could send mail claiming to be "From" my domain via any SMTP server they pleased. This would make it easier for me to send mail using my address on the BBS via my home cable ISP's server, for instance, but it it would also permit any spammer to make up any address he wants on my BBS domain and send mail coming "From" there with impunity via any server he has access to.

I think what I would need is for the SPF record for each of my users' email domains to have an entry allowing their mail to be sent from my server, and there's no way that can happen.

[nhawk]

Actually it means any mail coming FROM your IP address (with any email domain name in the from address) would pass. All other IP addresses claiming to be you would fail.

It's the simplest way to pass sender id verification.