MX and SPF records not working when using DNS service

dash-dns
#1

Hi,

Recently I started using the DNS service for Cloudflare CDN, but it seems I’m having problems with the mail server. The customers aren’t receiving a confirmation email.

Mail test result: https://www.mail-tester.com/test-gpjk9

The server I use is running cPanel.
I attached a screenshot of my current DNS settings in my CloudFlare account.

I am the admin who is managing Taxi 053’s website, but I can’t seem to get rid of this issue.

When I remove the A-record, the website (obviously) stops working, but the mail score increases:
https://www.mail-tester.com/test-rbnxa

Hope someone can help me out with this.

Best Regards

#2

The site works, so that’s one good sign. Outbound mail shouldn’t be affected from what I see in your DNS settings.

And it’s WordPress. Do you have some sort of SMTP plugin that’s setting the mail gateway?

#3

Try changing your SPF TXT entry to this
v=spf1 mx a a:149.210.235.210 include:webserver.risingmedia.nl ~all

~all is a softfail. If the planets do not align and there is still something misconfigured, mail should still arrive, but marked as spam.
If that works and email is not flagged as spam, switch to -all, which is a hardfail and will reject emails not sent by your allowed hosts.
You can also use https://dkimvalidator.com/ since the other tool only allows two tests/day.
Let us know how this works out!

#4

All of the + were missed in your SPF record…

PS: the ~/- was a good discovery, saw that difference many times, but never investigated!

#5

As well as the malformed SPF record which has been highlighted, your DKIM is also bad - remove the quotation marks from around the value. Your signing is not signed for your domain because of this (host is applying a fallback for you, like Google do, but this is nowhere near as good).

(Mail from transip should already be fine)

#6

Yes, I fixed this with an SMTP plugin as I noticed the bounce email was broken.
Thanks :slight_smile:

#7

Thank you, edited to see if it’s working.

Will try another mail from the contact form.

Used the validator yesterday without results. Will try again, thank you!

#8

Still get “no found MX records”.
DKIM results still unchanged as it was already good.
Still get “invalid SPF” as it seems to use Cloudflare’s CDN IP to check instead of my server’s IP.

https://www.mail-tester.com/test-gtwm1

#9

Check your MX Record for the domain webserver.risingmedia.nl

And, as @matteo noticed, change the A to IP4.

#10

Give me about 15 minutes until I get to a PC. Doing this on a phone is challenging.

#11

Looks like you’ve made a few changes. Unfortunately that means you’ve now got different errors…

Firstly, there’s now no valid SPF for taxi-053.nl:

[email protected]:~# host -t TXT taxi-053.nl
Host taxi-053.nl. type TXT error: SERVFAIL

Also no MX records:

[email protected]:~# host -t mx taxi-053.nl
Host taxi-053.nl. type MX error: SERVFAIL

Depending on the message, the fact that the webserver.risingmedia.nl has no MX records will also impact your spam score:

[email protected]:~# host -t mx webserver.risingmedia.nl
Host webserver.risingmedia.nl. has no MX record

Personally I never use a web hosts infrastructure for this as there’s just too much that you don’t control (I can foresee the last issue never being resolved, even though the first two are trivial for you to do).

It’s a sideways step, but I’d probably move these emails over to a real ESP. You mentioned you use an SMTP plugin, so this would easily interface with someone like Mailgun. I’ve used them and recommended them countless times and they’ve always been decent. The free tier is 10,000 messages per month, which is pretty generous.
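
The checks raised in posts #5 and #11 (a DKIM TXT value wrapped in quotation marks, a domain with no MX record, and lookups that only return SERVFAIL) can be run as one pre-flight before a mail test. The code below is an added example, not code from the thread or from cPanel or Cloudflare. It runs against constructed DNS answers rather than the live domain; the DKIM selector `default` is assumed (cPanel’s usual selector), the DKIM key material is a placeholder, and the SPF record reuses the VPS address quoted in the thread.

```python
from typing import Callable, Dict, List, Tuple

# A resolver answers (name, rrtype) with a list of rdata strings
Resolver = Callable[[str, str], List[str]]


class DnsError(Exception):
    """Raised by the resolver for SERVFAIL-style failures."""


def mail_dns_preflight(domain: str, selector: str, resolve: Resolver) -> List[str]:
    """Return the problems a receiving mail filter would hold against this domain."""
    try:
        mx = resolve(domain, "MX")
        txt = resolve(domain, "TXT")
        dkim = resolve(f"{selector}._domainkey.{domain}", "TXT")
    except DnsError as exc:
        # Nothing else can be judged until the zone resolves at all
        return [f"lookup failed ({exc}): fix resolution (e.g. the DNSSEC chain) first"]
    findings: List[str] = []
    if not mx:
        findings.append("no MX record: bounces and replies cannot be delivered, and some filters score this")
    spf = [t for t in txt if t.startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record")
    elif len(spf) > 1:
        findings.append("several SPF records: receivers treat this as a permanent error")
    if not dkim:
        findings.append(f"no DKIM key at {selector}._domainkey.{domain}")
    else:
        value = dkim[0]
        if value[:1] in ('"', "'"):
            # The quotes typed into the DNS UI become part of the record data,
            # so verifiers never see a record that starts with v=DKIM1
            findings.append("DKIM value is wrapped in quotation marks; publish the bare v=DKIM1 string")
        elif not value.startswith("v=DKIM1") or "p=" not in value:
            findings.append("DKIM record does not look like a v=DKIM1 key with a p= tag")
    return findings


def make_resolver(zone: Dict[Tuple[str, str], List[str]], servfail: bool = False) -> Resolver:
    """Constructed DNS answers; servfail=True mimics the failing lookups seen in the thread."""
    def resolve(name: str, rrtype: str) -> List[str]:
        if servfail:
            raise DnsError("SERVFAIL")
        return zone.get((name, rrtype), [])
    return resolve


# Constructed zone data; the key material is a placeholder, not a real key
DKIM_KEY = "v=DKIM1; k=rsa; p=MIIBIjANBgkq...PLACEHOLDER"
BROKEN_ZONE = {
    ("taxi-053.nl", "TXT"): ["v=spf1 ip4:149.210.235.210 -all"],
    ("default._domainkey.taxi-053.nl", "TXT"): ['"' + DKIM_KEY + '"'],  # quoted, as in post #5
}
FIXED_ZONE = {
    ("taxi-053.nl", "MX"): ["0 taxi-053.nl"],
    ("taxi-053.nl", "TXT"): ["v=spf1 ip4:149.210.235.210 -all"],
    ("default._domainkey.taxi-053.nl", "TXT"): [DKIM_KEY],
}


def demo() -> Dict[str, List[str]]:
    """Run the pre-flight over the three states the thread went through."""
    return {
        "servfail": mail_dns_preflight("taxi-053.nl", "default", make_resolver({}, servfail=True)),
        "broken": mail_dns_preflight("taxi-053.nl", "default", make_resolver(BROKEN_ZONE)),
        "fixed": mail_dns_preflight("taxi-053.nl", "default", make_resolver(FIXED_ZONE)),
    }


if __name__ == "__main__":
    for state, findings in demo().items():
        print(state, "->", findings or ["ok"])
```

Against a live domain the `resolve` callback would be backed by a real DNS library and should propagate SERVFAIL as `DnsError`, because, as the thread found, every other finding is noise until resolution itself works.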

#13

I own the VPS. Just tell me what I am doing wrong :slight_smile:

Mail is working fine on all the other accounts, but this website is the only one I have CDN running on (testing).

Since I’m using CloudFlare I’m having problems with mail for Taxi 053.

#14

Haha, woops! Missed that.

I’m getting all manner of errors for that domain now. You could help things by putting MX records in place for webserver.risingmedia.nl but I can’t for the life of me see what’s happening right now on the actual taxi-053.nl domain because all my DNS queries are throwing errors. The last mail test log you posted also had the same issues - that’s why it can’t find the SPFs etc.

To answer why things might have crept in after using Cloudflare: this can most likely be explained by the use of the +a in the SPF record. Pre-Cloudflare this in all likelihood matched the IP of the host sending the mail, but after Cloudflare the value of ‘A’ would be a Cloudflare IP even though mail continued to be sent from the original backend IP. So, long story short, that’s the ‘fix’ (include ip4=your-vps-ip-address instead of +a when Cloudflare proxying is used, as +a no longer gets expanded to your IP), but we’ve unfortunately just stumbled on some other curios on this domain (case in point, the fact I can’t get any queries back now).
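
The behaviour described in posts #3 and #14 can be reproduced with a small SPF evaluator. The code below is an added example, not code from the thread; it implements the subset of RFC 7208 the thread uses (`a`, `ip4`, `include`, `all`, with the `+`, `-`, `~` and `?` qualifiers) over constructed DNS answers. The origin IP is the one quoted in the thread; the proxy address is a constructed stand-in for a Cloudflare edge IP, and the include target simply has no SPF record here. The point it shows: once the apex A record is proxied, `a` matches the edge address rather than the origin that actually sends the mail, so the origin falls through to `~all`; `a:` followed by an IP literal (post #3) is looked up as a hostname and matches nothing either; `ip4:` names the sending host directly and passes regardless of proxying.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# A resolver answers (name, rrtype) with a list of rdata strings
Resolver = Callable[[str, str], List[str]]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, sender_ip: str, resolve: Resolver, depth: int = 0) -> str:
    """Evaluate the SPF subset used in the thread (a, ip4, include, all) for one
    sender IP. Returns pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:  # RFC 7208 limits DNS-querying mechanisms; guard against include loops
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    records = [t for t in resolve(domain, "TXT") if t.startswith("v=spf1")]
    if not records:
        return "none"
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            # a[:domain] matches when the sender IP is an A record of that domain;
            # an IP literal here is treated as a hostname and resolves to nothing
            matched = str(ip) in resolve(arg or domain, "A")
        elif name == "include":
            matched = check_spf(arg, sender_ip, resolve, depth + 1) == "pass"
        else:
            raise ValueError(f"unsupported mechanism: {name}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no explicit all


ORIGIN_IP = "149.210.235.210"  # the VPS IP quoted in the thread
PROXY_IP = "198.51.100.7"      # constructed stand-in for a Cloudflare edge IP


def make_resolver(spf: str, proxied: bool) -> Resolver:
    """Constructed answers for taxi-053.nl: with proxying on, the apex A record
    shows the edge IP, yet mail still leaves from the origin."""
    zone: Dict[Tuple[str, str], List[str]] = {
        ("taxi-053.nl", "TXT"): [spf],
        ("taxi-053.nl", "A"): [PROXY_IP if proxied else ORIGIN_IP],
    }
    return lambda name, rrtype: zone.get((name, rrtype), [])


def demo() -> Dict[str, str]:
    """The thread's before/after records, evaluated for mail sent from the origin."""
    before = "v=spf1 a include:webserver.risingmedia.nl ~all"
    literal = "v=spf1 a:149.210.235.210 ~all"
    after = "v=spf1 ip4:149.210.235.210 include:webserver.risingmedia.nl -all"
    return {
        "a, DNS-only": check_spf("taxi-053.nl", ORIGIN_IP, make_resolver(before, False)),
        "a, proxied": check_spf("taxi-053.nl", ORIGIN_IP, make_resolver(before, True)),
        "a:<ip literal>, proxied": check_spf("taxi-053.nl", ORIGIN_IP, make_resolver(literal, True)),
        "ip4, proxied": check_spf("taxi-053.nl", ORIGIN_IP, make_resolver(after, True)),
        "ip4, proxied, other host": check_spf("taxi-053.nl", "203.0.113.9", make_resolver(after, True)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:28} {result}")
```

The last case is why the move from `~all` to `-all` in post #3 matters: with `ip4:` listing the real sender, a message from any other address is rejected outright instead of merely being marked as spam.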

#15

Think we all did.

Ok, things are starting to make sense now. So you’re hosting sites using risingmedia.nl and taxi053 is the client. Also, are you hosting all mail, or using another mail provider, e.g. the VPS provider or some other third party?

Exactly, and I should have updated my post after @matteo caught it.

Everything I dig results in SERVFAIL.

@user1214 in the past 20 hrs or so, have you changed any other DNS records apart from the TXT records?

#16

I have only 1 VPS with shared hosting accounts as I am working independently without staff and have a bit more than 15 clients.

I run a Centos 7 VPS with WHM/cPanel and setup my mailserver accordingly on the same server.

What I have right now is:

Yes, I did change some DNS records; I removed the AAAA IPv6 record, the wildcard A, the root domain A and my secondary MX record, which linked to the server’s hostname, to test what would happen.

SPF record works when I remove the A record(s), but of course the website will stop working then.

Thanks for your input so far guys

#17

With the addition of the +ip4:149.210.235.210 statement in your SPF, the presence or otherwise of the A record should no longer impact you (providing that you use the IP address of the server sending the mail). That was your initial issue (and a bit of tidying up) which should be resolved.

Problems appear (at my end) to be due to lookups simply giving SERVFAILs. Can you turn DNSSEC off? That could be what’s causing issues, as I see the domain has issues:

http://dnsviz.net/d/taxi-053.nl/dnssec/

Get that resolved and see how we get on, but I’d hope(!) that’s all your issue now is.

#18

Hey saul,

Since disabling DNSSEC the score has improved, but I’m still getting MX record issues (?)

https://www.mail-tester.com/test-j7ba6

EDIT: My bad, refreshed and still same issue.

#19

Looks ok to me. That’s a 9.5/10 and the only downer I can see is the dmarc fail but I think that’s a false reading. You’re fine.

#20

hahaaaaaaaaaaa, must’ve been the refresh rate or something…

Thank you very much!
