Community weekly digest ends up in SPAM

PeterJones

@donho,

I just had to go through the SPAM on my personal domain as well.

# dig +short notepad-plus-plus.org TXT
"v=spf1 include:spf.mx.hostinger.com include:relay.mailchannels.net ~all"
# dig -x 104.131.212.184
...
;; QUESTION SECTION:
;184.212.131.104.in-addr.arpa.  IN      PTR
;; AUTHORITY SECTION:
212.131.104.in-addr.arpa. 1773  IN      SOA     ns1.digitalocean.com. hostmaster.212.131.104.in-addr.arpa. 1639587967 10800 3600 604800 1800
...

So it appears your DNS’s TXT entry is set to include hostinger.com and mailchannels.net, but not digitalocean.com.
It might help to change your TXT record in notepad-plus-plus.org to

v=spf1 include:spf.mx.hostinger.com include:relay.mailchannels.net include:digitalocean.com ip4:104.131.212.184 ~all

For adding the missing DKIM, my ISP had already defined a DKIM entry for me, so I don’t know how to generate it. It should be under the TXT entry for the default._domainkey.notepad-plus-plus.org entry in your DNS; find out more through https://www.google.com/search?q=how+to+add+dkim+record

For the DMARC, add a TXT entry to _dmarc.notepad-plus-plus.org, with a value v=DMARC1; p=none; … if you want the DMARC system to maybe email you when there are problems, change it to v=DMARC1; p=none; rua=mailto:don.ho@..... (but give it your real email address)

addenda: commands for checking the DKIM and DMARC:

dig +short default._domainkey.notepad-plus-plus.org TXT
dig +short _dmarc.notepad-plus-plus.org TXT

—

Whoever downvoted @timint01’s message: it was a valid and reasonable report: the SPF/DKIM/DMARC settings are a real problem for outgoing emails. If Don is going to continue to allow the Forum to email users, it should have the SPF/DKIM/DMARC set correctly so that the emails will make it through. Before I fixed those settings on my domain, emails would randomly never even make it to the SPAM filter of the recipient’s email – their server would block it before it got that far. And the mail-tester web address is a valid site which is helpful for debugging such issues: they give you a dummy address to send to, then you mail that address from your server, and they issue your emails a “score”, and break down why your email got that score (including links to authoritative definitions for what those various DNS settings should be); I used it a lot when trying to get my SPF/DKIM/DMARC set up correctly.

Ekopalypse

@timint01, sorry, I downvoted it - I mistakenly assumed it was another annoying advertising fake post.

Lycan Thrope

@ekopalypse ,
To err is human, to really mess up, involve a computer. :-)

Lee

PeterJones

@ekopalypse said in Community weekly digest ends up in SPAM:

I mistakenly assumed it was another annoying advertising fake post.

Not a problem. I probably would have done the same if my last couple weeks hadn’t been intimately involved with those same settings and website – because until the holiday week, I had never heard of any of those terms. ;-)

Nicholas

I would be careful about who you allow to send as your primary domain. Any security issues and they could start impersonating admin accounts. You should be using -all at the end of your spf record.

I would be sending the emails as no-reply@community.notepad-plus-plus.org and adding the TXT record to the community sub domain so it is just this host and no one else.

I’m not sure if you need to also set the MX record if you don’t intend to receive email for the sub domain. It might affect some spam filters.

donho

@timint01

I just checked in my host, in fact, DKIM was missing and SPF was conflict.

Obviously these 2 parameters are not initialized. I just initialized them by default, it should be getting better now.

Please let me know if it’s fixed. If not, I will try to tune it up.

guy038

Hi, all,

As for me, everything seems OK

Best Regards,

guy038

Ekopalypse

@guy038

Wow - you are blacklisted, be careful as long as your pseudonym is not Raymond Reddington of course :-D

PeterJones

@donho

Please let me know if it’s fixed. If not, I will try to tune it up.

When I have the forum send the mail to the tester, it still shows up with the errors:

And when I poll the DNS using dig for windows (or equivalently with the builtin dig on a linux host I have access to), I still don’t see DKIM (_domainkey) or DMARC (_dmarc) entries for notepad-plus-plus.org’s DNS

C:\Users\Peter>dig +short notepad-plus-plus.org TXT
"v=spf1 include:_spf.mail.hostinger.com ~all"

C:\Users\Peter>dig +short default._domainkey.notepad-plus-plus.org TXT

C:\Users\Peter>dig +short _dmarc.notepad-plus-plus.org TXT

Or doing the equivalent with Windows’ built-in nslookup:

C:\Users\Peter>nslookup -type=txt notepad-plus-plus.org
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
notepad-plus-plus.org   text =

        "v=spf1 include:_spf.mail.hostinger.com ~all"

C:\Users\Peter>nslookup -type=txt _dmarc.notepad-plus-plus.org
Server:  dns.google
Address:  8.8.8.8

*** dns.google can't find _dmarc.notepad-plus-plus.org: Non-existent domain

C:\Users\Peter>nslookup -type=txt default._domainkey.notepad-plus-plus.org
Server:  dns.google
Address:  8.8.8.8

*** dns.google can't find default._domainkey.notepad-plus-plus.org: Non-existent domain

So @donho, if you made changes to the DNS entry for notepad-plus-plus.org, they haven’t propagated to the outside world yet. (Normally the changes only take a few hours; it’s been 23 hours since the message above.)

Polling to find out the DNS server:

C:\Users\Peter>nslookup -type=ns notepad-plus-plus.org
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
notepad-plus-plus.org   nameserver = ns2.dns-parking.com
notepad-plus-plus.org   nameserver = ns1.dns-parking.com

If I then tell nslookup to use ns1.dns-parking.com as the server for doing the query:

C:\Users\Peter>nslookup -type=txt notepad-plus-plus.org ns1.dns-parking.com
Server:  UnKnown
Address:  162.159.24.201

notepad-plus-plus.org   text =

        "v=spf1 include:_spf.mail.hostinger.com ~all"
C:\Users\Peter>nslookup -type=txt default._domainkey.notepad-plus-plus.org ns1.dns-parking.com
Server:  UnKnown
Address:  162.159.24.201

*** UnKnown can't find default._domainkey.notepad-plus-plus.org: Non-existent domain

C:\Users\Peter>nslookup -type=txt _dmarc.notepad-plus-plus.org ns1.dns-parking.com
Server:  UnKnown
Address:  162.159.24.201

*** UnKnown can't find _dmarc.notepad-plus-plus.org: Non-existent domain

… I got the same answers as with the public DNS server.

There shouldn’t be any propagation delay on the “home” DNS servers, since that’s the entry that is being edited. So it looks like whatever changes you made didn’t get saved properly.

donho

@PeterJones said in Community weekly digest ends up in SPAM:

So it looks like whatever changes you made didn’t get saved properly.

Thank you for your help.

Just checked again, it’s saved :

As I said, DKIM was missing and SPF was conflict (instead of Active).
I guess what I have done is not enough.
However, it seems that I cannot change the default settings.

On which part I should configure exactly?

PeterJones

@donho ,

I don’t know hostinger’s interface. All I can tell you for sure is that your public SPF record looks like v=spf1 include:_spf.mail.hostinger.com ~all … and if you want the forum emails to properly have the SPF, it will have to be more like what I showed in January (edited for the new hostinger-default text): v=spf1 include:_spf.mail.hostinger.com include:relay.mailchannels.net include:digitalocean.com ip4:104.131.212.184 ~all – the extra includes, and the ip4, will allow addresses associated with the emails from the Community Forum to also be allowed.

For the DKIM, I would be curious if the down arrow at least showed the key name and value, even if it doesn’t ;let you edit… that would at least let me probe externally.

But looking at your screenshot of the hostinger entry, I would try clicking on the SPF’s down-arrow, and see if that allows you to edit the raw contents. Otherwise, this page may show you different ways to dig into the raw DNS records rather than their top-level GUI, or another page here – It looks like they are both talking about the “zone editor” feature at Hostinger. It looks like Zone Editor gives you access to all of the entries, so you can maybe see what “selector._domainkey” the DKIM is used with (I was suggesting default._domainkey, but maybe hostinger uses another selector). And from that page, you should be able to edit the TXT for the SPF and add a new TXT entry for _dmarc (and give it the value I suggested in January)

donho

@PeterJones

I just created don.ho@notepad-plus-plus.org (and it’s the only one account on notepad-plus-plus.org so far.

And here is the log of email:

I’m wondering if I should create the account like admin and news-noreply ?

donho

@PeterJones said in Community weekly digest ends up in SPAM:

and if you want the forum emails to properly have the SPF, it will have to be more like what I showed in January (edited for the new hostinger-default text): v=spf1 include:_spf.mail.hostinger.com include:relay.mailchannels.net include:digitalocean.com ip4:104.131.212.184 ~all – the extra includes, and the ip4, will allow addresses associated with the emails from the Community Forum to also be allowed.

So should I edit it to the value you suggested?

donho

@donho said in Community weekly digest ends up in SPAM:

So should I edit it to the value you suggested?

I’ve just edited the entry I showed you on the screenshot above to the value you suggested, and back to the email section:

PeterJones

@donho ,

Yes, I would say to Edit the one you have highlighted to the value I supplied.

And if there’s an Add or New button not shown, I would use that to create a new TXT record with the name _dmarc and the value v=DMARC1; p=none; rua=mailto:don.ho@notepad-plus-plus.org

Also, if you could send me an email (I believe you can look at my profile and see my configured email) from the don.ho@notepad-plus-plus.org address, it should put useful information in the headers, which I can use to help you confirm whether that’s gotten set up right or not.

PeterJones

@donho said in Community weekly digest ends up in SPAM:

I’ve just edited the entry

and I can already confirm that change has propagated:

C:\>nslookup -type=TXT notepad-plus-plus.org
Server:  localhost
Address:  127.0.0.1

Non-authoritative answer:
notepad-plus-plus.org   text =

        "v=spf1 include:_spf.mail.hostinger.com include:relay.mailchannels.net include:digitalocean.com ip4:104.131.212.184 ~all"

that alone should help. And I think if you can add the _dmarc entry, that will help also.

donho

@PeterJones said in Community weekly digest ends up in SPAM:

that alone should help. And I think if you can add the _dmarc entry, that will help also.

There’s control for adding entry:

But what kind of info should I provide to the 3 first case?

PeterJones

@donho ,

TYPE should be TXT
NAME should be _dmarc or _dmarc. (different interfaces differ on whether or not they want the . after the name)
POINTS TO should be the value v=DMARC1; p=none; rua=mailto:don.ho@notepad-plus-plus.org

donho

Done:

Could you check now?

PeterJones

@PeterJones said in Community weekly digest ends up in SPAM:

if you could send me an email (…, it should put useful information in the headers, which I can use to help you confirm whether that’s gotten set up right or not.

I can confirm that the email arrived and had a valid DKIM signature. (It also told me that it’s under hostingermail-a._domainkey.notepad-plus-plus.org, so it is using a different selector than I was looking for.)

C:\Users\peter.jones\Downloads\TempData\nppCommunity\garden>nslookup -type=TXT hostingermail-a._domainkey.notepad-plus-plus.org
Server:  localhost
Address:  127.0.0.1

Non-authoritative answer:
hostingermail-a._domainkey.notepad-plus-plus.org        canonical name = hostingermail-a.dkim.mail.hostinger.com
hostingermail-a.dkim.mail.hostinger.com text =

        "v=DKIM1;k=rsa;p=MIIBIjANB...."

So yes, DKIM is now set up correctly on those.

I will give a bit of time to allow more propagation of DNS (it’s not instant all over), and then try to get the Community to send me another confirmation email, and see if it’s now doing the DKIM correctly from the forum as well.