More fun with email DNS, mail from root is blocked

I mentioned before that I’ve been having problems with my email since moving to Cloudflare, and now I’m having to go through each site one at a time to fix things.

Tonight I had an email that says:

Subject: Mail delivery failed: returning message to sender
To: [email protected]
From: [email protected]

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  [email protected]
    (generated from root@localhost)
    host gmail-smtp-in.l.google.com [142.250.27.26]
    SMTP error from remote mail server after end of data:
    550-5.7.26 This mail has been blocked because the sender is unauthenticated.
    550-5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM.
    550-5.7.26
    550-5.7.26  Authentication results:
    550-5.7.26  DKIM = did not pass
    550-5.7.26  SPF [localhost] with ip: [123.45.67.89] = did not pass
    550-5.7.26
    550-5.7.26  To mitigate this issue, please visit Gmail's authentication guide
    550-5.7.26 for instructions on setting up authentication:
    550 5.7.26  https://support.google.com/mail/answer/81126#authentication e6-20020a170906080600b00a1a55cd350bsi1387938ejd.143 - gsmtp

The original email was from [email protected], and sent to root@localhost.

The DNS for my.server.com is:

A my 123.45.67.89
TXT _dmarc.my "v=DMARC1;  p=none; rua=mailto:[email protected]"
TXT my v=spf1 +mx +a +ip4:123.45.67.89 +include:_spf.google.com ~all

All are set to DNS only.

There’s not a DKIM record on Cloudflare, but there is on my server. The SPF and DMARC records are duplicated on the server, too (well, except for the mailto address in the DMARC, of course).

Any suggestions on why the emails from [email protected] are bouncing?

I am afraid this is not a Cloudflare issue per se and better discussed in a more appropriate forum.

In a Cloudflare context, it could only be that the DNS entry in question is proxied and hence won’t resolve to the specified IP address, which is why the SPF validation is failing. Make sure that is set to :grey:. As for DMARC, this is something you need to clarify with your mail provider. The DKIM entry does have to be with your DNS provider, however, which will be Cloudflare.

I just now set them up as TXT records. Am I right in assuming that they should not be proxied?

Right, TXT entries cannot be proxied to begin with.

Also note that this bounce message is from Google, which implies that mail to root@localhost is being forwarded to Gmail.

Forwarding email to Google is fraught with problems of exactly this nature, because of the mixed addresses in the headers. I’d recommend not forwarding mail to Google ever.

Seconded. If you must forward to Gmail, I have found it best to first deliver to an intermediate mailbox and then ingest the messages into Gmail using POP3S polling at regular intervals.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.
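
A diagnostic for the bounce quoted in this thread, added here as an example and not code from any of the posters: it pulls the SPF line out of the Gmail 5.7.26 rejection and compares the domain Gmail checked with the name the SPF record is published at. It assumes the bracketed name in Gmail's SPF line is the domain SPF was evaluated for; the function names and result labels are illustrative, and only `ip4:`/`ip6:` mechanisms are evaluated (no DNS lookups).

```python
import ipaddress
import re

# Constructed sample: the authentication lines of the bounce quoted in the thread.
BOUNCE = """\
550-5.7.26  Authentication results:
550-5.7.26  DKIM = did not pass
550-5.7.26  SPF [localhost] with ip: [123.45.67.89] = did not pass
"""
# The SPF record from the thread and the name it is published at.
PUBLISHED_AT = "my.server.com"
SPF_RECORD = "v=spf1 +mx +a +ip4:123.45.67.89 +include:_spf.google.com ~all"

SPF_LINE = re.compile(
    r"SPF \[(?P<domain>[^\]]*)\] with ip: \[(?P<ip>[^\]]+)\] = (?P<result>.+)")

def parse_spf_result(bounce):
    """Return (checked_domain, client_ip, result) from a Gmail 5.7.26 bounce."""
    for line in bounce.splitlines():
        m = SPF_LINE.search(line)
        if m:
            return (m["domain"].lower(), ipaddress.ip_address(m["ip"]),
                    m["result"].strip())
    return None

def ip_authorizes(record, ip):
    """True if a pass-qualified ip4:/ip6: mechanism in the record covers ip."""
    for term in record.split()[1:]:          # skip the v=spf1 version tag
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        if qualifier == "+" and mech.lower().startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return True
    return False

def diagnose(bounce, published_at, record):
    """Classify why the SPF record did not help the bounced message."""
    parsed = parse_spf_result(bounce)
    if parsed is None:
        return "no-spf-line"
    domain, ip, _result = parsed
    if domain != published_at.lower():
        # SPF was evaluated for another name, so this record was never consulted.
        return "domain-mismatch"
    return "ip-authorized" if ip_authorizes(record, ip) else "ip-not-authorized"

if __name__ == "__main__":
    print(parse_spf_result(BOUNCE))
    print(diagnose(BOUNCE, PUBLISHED_AT, SPF_RECORD))
```

On the thread's data the result is `domain-mismatch`: the record at my.server.com lists the sending IP, but Gmail evaluated SPF for `localhost`.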