Register Members List Search Today's Posts Mark Forums Read

Reply
 
Thread Tools
  #1  
Old 05 May 2014, 15:34
makaiguy's Avatar
makaiguy makaiguy is offline
 
Join Date: May 2004
Email rejections due to DMARC

Some major mail servers, notably Gmail and Yahoo, have implemented a relatively new process/protocol/whatever called DMARC. This is causing emails sent by our users via our vBulletin, currently 3.8.7 PL 4, (i.e. email to another user, send link to a friend, etc.) to be rejected.

vBulletin sends such messages with the sender's email address of record in the "From" field of the message. vBulletin does it this way so that the recipient can reply directly to the original sender's email address.

Best as I can make out by examining the online DMARC info, these messages are being rejected because the sending server (i.e. our board's server) does not match the server shown in the user's "From" address.

If this is correct, I *think* this could be corrected by having those user-initiated emails sent with our board's email address in the "From" field, and the sending user's email address in a "Reply-to" field.

Does anybody know how to accomplish this?

[Solution found. See: http://www.vbulletin.org/forum/showt...9#post2496459]

Last edited by makaiguy; 07 May 2014 at 15:02. Reason: add link to solution
Reply With Quote
  #2  
Old 05 May 2014, 18:29
nhawk nhawk is offline
 
Join Date: Jan 2011
DMARC is only applied after both SPF and DKIM verifications fail.

All three of those are defined in the DNS entries for your site.

DKIM also requires both a public and private key on your server.

From Gmail about DMARC..
If you're a domain owner, you'll first need to configure SPF records and DKIM keys on all outbound mail streams. DMARC relies upon these technologies to ensure signature integrity. A message must fail both SPF and DKIM checks to also fail DMARC. A single check failure using either technology allows the message to pass DMARC. See the corresponding SPF and DKIM sections of the DMARC specification for example messages filtered by these tools.

Last edited by nhawk; 05 May 2014 at 18:40.
Reply With Quote
  #3  
Old 05 May 2014, 22:16
makaiguy's Avatar
makaiguy makaiguy is offline
 
Join Date: May 2004
Thanks for the reply, but that's not been our experience.

Our normal mail (the stuff that has admin@ourbbsname.com in the From field) gets through just fine, including to Gmail and Yahoo.

It is just the messages that have our user's address in the From field that are getting rejected. When you go to the links provided in the rejection messages, they're pretty cryptic, but they seem to indicate (perhaps erroneously) DMARC failures.

Correct me if I'm wrong, but the fact that our "normal" mail is getting through okay seems to say that there is no problem with our SPF and DKIM settings (or at least one of them must be okay per what you said above), otherwise our normal mail would bounce too.

You can send a test mail to check-auth@verifier.port25.com and it will analyze your verifications and email you a report back.

I created a user with check-auth@verifier.port25.com as its email address and sent some messages to it.

Messages sent from my normal admin account, with a From address of admin@ourbbsname.com, produce the following summary (extracted from a much longer report):
==========================================================
Summary of Results
==========================================================
SPF check: pass
DomainKeys check: neutral
DKIM check: pass
Sender-ID check: pass
SpamAssassin check: ham
In short, both SPF and DKIM checks passed.

And here's the summary for the same message sent from a user account, with a From address NOT located on our server, similar to the ones we are seeing rejected:
==========================================================
Summary of Results
==========================================================
SPF check: pass
DomainKeys check: neutral
DKIM check: pass
Sender-ID check: fail
SpamAssassin check: ham
This still passes SPF and DKIM, but fails their Sender-ID check.

So again, it seems to point to a mismatch between From address and sending server being the culprit that is causing both Gmail and Yahoo to reject the messages.

I'm just looking for some guidance on how to get our own server-based address into the From field of all outgoing messages. And for those user-generated messages that would throw the user's own address into the From field, to put it into a "Reply-to" header instead.

Last edited by makaiguy; 05 May 2014 at 22:21. Reason: repair formatting
Reply With Quote
  #4  
Old 05 May 2014, 22:49
kh99 kh99 is offline
 
Join Date: Aug 2009
Real name: Kevin
Well, emails are sent by calling the "vbmail" function, and that function has parameters for specifying the From address as well as additional headers. So you should be able to do what you want by finding the right calls to vbmail() and changing the parameters. I would figure it out for you but I don't have the time to work it all out right now. I might be able to do it later if no one else has figured it out by then.

Edit: now that I think about it a little more, I'm guessing a plugin using hook mail_send could adjust the fields as necessary so that you wouldn't have to edit any files.

Last edited by kh99; 05 May 2014 at 23:14.
Reply With Quote
  #5  
Old 05 May 2014, 22:59
Simon Lloyd's Avatar
Simon Lloyd Simon Lloyd is offline
 
Join Date: Aug 2008
Real name: Simon
You need to add an "allow" or "include" to to your spf record for the domain like this:
a:vbulletin.org include:vbulletin.org
That allows the domain as a sender, i personally haven't had any issues with the email sending as i dont allow my users to use the email to a friend function or contact them by email but i'm guessing you'll have to add every domain that your users use.
__________________
Kind regards,
Simon Microsoft Office Help
My Mods: Find my modifications here
Please do not pm me for support unless i have invited you to!
Reply With Quote
  #6  
Old 05 May 2014, 23:02
kh99 kh99 is offline
 
Join Date: Aug 2009
Real name: Kevin
Originally Posted by Simon Lloyd View Post
...i dont allow my users to use the email to a friend function or contact them by email but i'm guessing you'll have to add every domain that your users use.
Someone asked about the same thing here: http://www.vbulletin.org/forum/showthread.php?t=310799 and I didn't understand it, but after reading this thread I think he's having the same issue. If what he was told is true, then you should be able to fix it by using your own email in the "from" field, but put the user's email in reply-to.
Reply With Quote
  #7  
Old 05 May 2014, 23:14
makaiguy's Avatar
makaiguy makaiguy is offline
 
Join Date: May 2004
Originally Posted by Simon Lloyd View Post
You need to add an "allow" or "include" to to your spf record for the domain like this:
a:vbulletin.org include:vbulletin.org
That allows the domain as a sender, i personally haven't had any issues with the email sending as i dont allow my users to use the email to a friend function or contact them by email but i'm guessing you'll have to add every domain that your users use.
No problem with sending OUR mail, with our address, via our server. Problem is sending mail originated by users with THEIR address in the From field. No way in hell I'm adding every domain used by over 50,000 registered users to our SPF record.

And btw, I misspoke earlier, and have struck out the erroneous text above. The email link to a friend option sends its message with the board's admin email address in the From field. This has caused me to have to add a bunch of boilerplate to those messages on the order of "DO NOT REPLY TO THIS MESSAGE as replies go to the BBS admins not to the person sending this message to you." Of course, nobody bothers to read the caveats...

--------------- Added 05 May 2014 at 18:16 ---------------

Originally Posted by kh99 View Post
... If what he was told is true, then you should be able to fix it by using your own email in the "from" field, but put the user's email in reply-to.
.. which is precisely what I'm asking about doing.

[Toddling off to the referenced thread to see what's there ....]

--------------- Added 05 May 2014 at 23:22 ---------------

FURTHER RESEARCH

The vbmail() function is defined in includes/functions.php, as follows:

function vbmail($toemail, $subject, $message, $notsubscription = false, $from = '', $uheaders = '', $username = '')

The parameters are:

* @param string Destination email address
* @param string Email message subject
* @param string Email message body
* @param boolean If true, do not use the mail queue and send immediately
* @param string Optional name/email to use in 'From' header
* @param string Additional headers
* @param string Username of person sending the email

The function is called in sendmessage.php in several different places, depending on the sort of email being sent. So it looks to me that I'll need to hack sendmessage.php for my user-generated message types to add in a specified From address that utilizes my mail server as the 5th parameter, and a "Reply-to" header as the 6th parameter.

Last edited by makaiguy; 06 May 2014 at 04:22.
Reply With Quote
  #8  
Old 06 May 2014, 12:14
nhawk nhawk is offline
 
Join Date: Jan 2011
Your whole problem might be solved as easily as adding this to your DNS entries...

spf2.0/pra a mx IP4:XXX.XXX.XX.XX -all

The only way to be sure is to try it.
Reply With Quote
  #9  
Old 06 May 2014, 13:17
makaiguy's Avatar
makaiguy makaiguy is offline
 
Join Date: May 2004
Originally Posted by nhawk View Post
Your whole problem might be solved as easily as adding this to your DNS entries...

spf2.0/pra a mx IP4:XXX.XXX.XX.XX -all

The only way to be sure is to try it.
This would be, I assume, the IP assigned to our server?

Would be worth a try, although the test results above don't indicate either SPF or DKIM failure.

--------------- Added 06 May 2014 at 13:51 ---------------

As I read for further on this, I think you've got it backwards. I think this would say that people could send mail claiming to be "From" my domain via any SMTP server they pleased. This would make it easier for me to send mail using my address on the BBS via my home cable ISP's server, for instance, but it it would also permit any spammer to make up any address he wants on my BBS domain and send mail coming "From" there with impunity via any server he has access to.

I think what I would need is for the SPF record for each of my users' email domains to have an entry allowing their mail to be sent from my server, and there's no way that can happen.
Reply With Quote
  #10  
Old 06 May 2014, 14:54
nhawk nhawk is offline
 
Join Date: Jan 2011
Actually it means any mail coming FROM your IP address (with any email domain name in the from address) would pass. All other IP addresses claiming to be you would fail.

It's the simplest way to pass sender id verification.

Last edited by nhawk; 06 May 2014 at 15:01.
Reply With Quote
  #11  
Old 06 May 2014, 16:15
pattycake pattycake is offline
 
Join Date: Jan 2009
I have done a LOT of researching on this. The problem is on the vbulletin side.
Look at this header from my site - it is the result of one member sending another a message. And yes, the actual emails have been changed.
Return-path: <ktmtalk_XXXX@ktmtalk.com>
Received: from localhost ([::1]:38730)
by server.ktmtalk.com with esmtp (Exim 4.82)
(envelope-from <ktmtalk_XXXX@ktmtalk.com>)
id 1WhKcS-0003zK-LQ
for copeXXXX@aol.com; Mon, 05 May 2014 11:15:52 -0400
Date: Mon, 05 May 2014 15:15:52 +0000
To: copeXXXX@aol.com
From: "ridenazi @ KTMTalk.com - The Absolute BEST KTM resource on the planet" <ktmXXX@yahoo.com>
Sender: ktmtalk_XXXX@ktmtalk.com
Message-ID: <20140505151548.74e58578d1e4@ktmtalk.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-Mailer: vBulletin Mail via PHP
Subject: ktm300 4 sale
Ok, now look at the FROM. It shows:
"ridenazi @ KTMTalk.com - The Absolute BEST KTM resource on the planet" <ktmXXX@yahoo.com>

It's [SAYS] that it's FROM ktmXXX@yahoo.com when in reality, it is from MY server. vBulletin does the "from" this way so that the "receiver" of the message can hit reply and have it go to the original "sender".

So THAT is the problem... the header says it is from ktmXXX@yahoo.com when it's actually from my server (ktmtalk.com).

To confirm, on your next "bounced email", go look at the headers, specifically the FROM. If the entire "from" shows ANYTHING except your mail server, it will fail DMARC.

btw: AOL and gmail have both started using this "standard".

-pat-
Reply With Quote
  #12  
Old 06 May 2014, 16:26
MGO_TOM MGO_TOM is offline
 
Join Date: Nov 2009
I have been having the exact same problem for about a month now.

We have the "secure email" option enabled (if not, this wouldn't be a problem).

Originally, it was ONLY when a member having a yahoo.com email address attempted to send an email to another user. It doesn't matter what the receiver's email address is...what makes it bounce back is when the SENDER'S email address is a yahoo.com email address.

More info on why can be found here:
http://marketingland.com/email-sende...emailmarketing

For about the past week or so, I have started to see aol.com email addresses (SENDER) get rejected for the same reason.

I too am hoping for a good solution to this...if nothing else, simply reject the email attempt at the "send" stage so the member knows immediately their email didn't go though (I already have a bold red large text notification in the email interface, but again...many users seem to overlook it (somehow) and submit their email anyway...
Reply With Quote
  #13  
Old 06 May 2014, 16:39
pattycake pattycake is offline
 
Join Date: Jan 2009
For about the past week or so, I have started to see aol.com email addresses (SENDER) get rejected for the same reason.
it's going to start happening more and more.... with more an more providers (aol, gmail, etc).

if the SENDER (ie, the FROM) contains ANYTHING except YOUR SERVER, it will fail DMARC.

I'll post a solution in a bit - I want to confirm a few other things first.
Reply With Quote
  #14  
Old 06 May 2014, 16:41
Paul M's Avatar
Paul M Paul M is offline
 
Join Date: Sep 2004
Real name: Paul M
We also have this issue on my vB3 forum, Ive been trying to figure out whats going on for 3 weeks (on and off) all our e-mails to Gmail are just getting bounced.
__________________
Former vBulletin.org Staff Member


Cable Forum
Please do not PM me about custom work - I no longer undertake any.
Note: I will not answer support questions via e-mail or PM - please use the relevant thread or forum.
Reply With Quote
  #15  
Old 06 May 2014, 16:47
makaiguy's Avatar
makaiguy makaiguy is offline
 
Join Date: May 2004
Originally Posted by pattycake View Post
I have done a LOT of researching on this.

...

To confirm, on your next "bounced email", go look at the headers, specifically the FROM. If the entire "from" shows ANYTHING except your mail server, it will fail DMARC.

btw: AOL and gmail have both started using this "standard".

-pat-
Thanks, Pat, I've found the same. It may not exactly be DMARC causing the rejection, but an additional Sender-ID check being run by more and more servers -- not sure if this is part of DMARC or something separate, but no matter, it causes rejections either way.

I'm testing a hack of sendmessage.php right now that sends these user-generated messages with the default bbs address in the "From" field, and with the sending user's email address in an additional "Reply-to" header. This way the message should pass the Sender-ID test (the From address is on the sending server) but the recipient can still reply to the actual sender thanks to the Reply-to header.

Test messages I've sent via my test board to one of my other email addresses show the headers to be getting sent the way I want. Don't know yet if this really solves the problem when sending to gmail, yahoo, etc.
Reply With Quote
Reply

Similar Threads
Thread Thread Starter Forum Replies Last Post
Administrative and Maintenance Tools Email Rules - Require that users' email addresses match a regular expression Analogpoint vBulletin 3.8 Add-ons 15 03 May 2013 14:26
vBulletin POP3 / IMAP Email Client for vB3 - Web-based access to POP email accounts! Erwin vBulletin 3.0 Full Releases 309 09 May 2008 13:31



Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


New To Site? Need Help?

All times are GMT. The time now is 09:20.

Layout Options | Width: Wide Color: