
Email DNS Server emails not sending since I setup Zoho mail, DNS questions

Discussion in 'Domains, DNS, Email & SSL Certificates' started by brainlet2000, Apr 16, 2020.

  1. brainlet2000

    brainlet2000 Member

    So I set up the @domain emails on Zoho with the centminmod guide. But is this possible while also sending out forum emails from the actual server host? Or must it be sent through Zoho as SMTP as well?

    My Xenforo forum emails are not delivering since I added Zoho, I believe this is because I have duplicate DMARC, DKIM and SPF records. But I don't know how to fix it, since I set them up for the server host first, then added the Zoho ones.

    Additionally, in the "getting started guide" it says to set up hostname.website.com pointing to the server IP as the A record. But then people who visit your site, which is website.com, will not be pointed to the server IP, right?

    So I have 2 A records, one to hostname.website.com pointing to server IP and one website.com pointing to server IP. Is this wrong? Note that I am using Cloudflare and my DNS is only setup on Cloudflare.

    I attached a picture of my DNS records on Cloudflare with the website info blurred out. Can somebody point me in the right direction? I asked @eva2000 about it before but I didn't really get it.


    cloudflare dns.png
     
  2. eva2000

    eva2000 Administrator Staff Member

    You can do either. Though for forum mass email sending you should use a transactional email provider like Amazon SES for 3rd party SMTP usage (see Amazon AWS - Amazon AWS SES SMTP Transactional Email Info), as they have better reliability and more sensible rate limits on how much email you can send out at once, so your emails are less likely to get marked as spam.
    Yes, you have a duplicate of the same DKIM record selector default._domainkey. Zoho would have provided you with their own DKIM selector; I checked my Zoho domain and it's something like zoho._domainkey, so no chance of duplicating. You can use the mail-tester online tool listed in the last post at Email - Steps to ensure your site/server email doesn't end up in spam inboxes to test your email sending ability as well.

    from Email - Zoho Mail Free @yourdomain.com Email Provider Setup Information linking to DKIM Configuration to prevent email spoofing - Zoho Mail

    You would usually set the DNS A record for hostname.website.com and website.com both to point to the server IP. That is how DNS works. Then the Nginx vhost server_name directive tells Nginx which site to direct to when you access the domain/hostname.
     
  3. brainlet2000

    brainlet2000 Member

    Sorry, I still don't understand at all. As I understand it you need to have DKIM, DMARC and SPF records for both the server that you are sending mails from, as well as the Zoho DKIM, DMARC and SPF records. So in any case you have 2 times DKIM, DMARC AND SPF records, right?
    Also, my DKIM records are not duplicates, they are different; it just looks that way from the parts I had to cut out for privacy reasons. What I meant was: is it normal that you have 2 of each record, for both the server and Zoho?

    So then there are two DNS A records, one to hostname.website.com and one to website.com? So it's normal to have TWO of them? Just to confirm.

    Thanks!
     
  4. eva2000

    eva2000 Administrator Staff Member

    Yes, that is normal; you can have separate DKIM/SPF for hostname.domain.com and domain.com when they have unique DKIM selectors. On one domain I have 6 sets of DKIM/SPF records for 6 different subdomains off of the same domain without issue.

    Yes
     
  5. brainlet2000

    brainlet2000 Member

    Thanks, this made it clear to me, I believe I fixed those now. Now a few more questions:

    Email - Steps to ensure your site/server email doesn't end up in spam inboxes

    Here in step 1 (SPF / TXT record setup) you write "Ensure both your site's domain name and server's main hostname from Getting Started Guide step 1 have valid SPF TXT records". So I need 3 SPF records, one for domain.com, one for hostname.domain.com and one for Zoho? So would it be fine to have the same SPF record for domain.com and hostname.domain.com?

    2. Reverse PTR record. Should this record resolve to hostname.domain.com or domain.com? Or both?

    3. How important is DMARC? It's not really clear to me and for Zoho you don't have to set it up at all. According to the tools the DMARC I set up isn't correct somehow.

    Thanks again. You're a lifesaver.
     
  6. eva2000

    eva2000 Administrator Staff Member

    domain.com and Zoho should be the same SPF/DKIM, while hostname.domain.com is the 2nd set for SPF/DKIM.
    Reverse PTR should be for hostname.domain.com, as domain.com via Zoho has PTR done on Zoho's end themselves.

    DMARC is important these days; Hotmail/Outlook use it, but it's optional. It doesn't hurt to have DMARC though.
     
  7. brainlet2000

    brainlet2000 Member

    Thanks. That answers all my questions. Amazing as always.
     
  8. brainlet2000

    brainlet2000 Member

    Sorry, 1 more question: should DMARC be for hostname.domain.com or domain.com? How could I understand these things myself?
     
  9. eva2000

    eva2000 Administrator Staff Member

    Each domain and subdomain that sends email needs its own set of DKIM, SPF and DMARC settings.

    from very first few sentences at Email - Steps to ensure your site/server email doesn't end up in spam inboxes
     
  10. brainlet2000

    brainlet2000 Member

    Hi, thanks for your help. I think I set everything up properly now, exactly according to instructions. The emails are being sent now but still into spam inboxes, and SPF and DMARC are failing according to Gmail (even though I think I set it up properly). Really strange stuff.

    Screen Shot 2020-04-17 at 14.51.54.png

    I followed the instructions EXACTLY and have SPF, DMARC and DKIM 2x for both domain.com and hostname.domain.com and contacted my host for the reverse ptr to hostname.domain.com yet it STILL doesn't work. This is extremely frustrating. I will spend some time learning about DNS myself I guess and try to fix it, and I'll post my fix here when I'm done. I have probably struggled to fix the DNS for 50+ hours of my life now, lol.
     
  11. brainlet2000

    brainlet2000 Member

    Another weird issue I have is, when I try to test mail with

    Code:
    # echo "mail-test" | mail -s "mail-tester" test-fm7a4w5es@srv1.mail-tester.com
    -bash: mail: command not found
    
    I get the mail command not found output. How is that possible? The only thing I could think of is I installed the CentMinMod_MailServer script of another user on the forum on my server, but it didn't work, so I ran the CMM_Email.sh script and ran the following options:
    7) Remove Mail Server (Postfix, Dovecot, OpenDKIM)
    8) Remove Addons from Mail Server (Amavisd, SpamAssassin and Clamav)

    Could this have deleted my mail server somehow? I thought it would only delete whatever it installed.
     
  12. brijendrasial

    brijendrasial Active Member

    Code:
    yum install mailx -y

    I don't think this is pre-installed. Just the rpm gets deleted; what sort of mail server are you saying? Yes, the script deletes what it installs.
     
  13. brainlet2000

    brainlet2000 Member

    So installing the script and then using those menu options does not remove anything that it did not install by itself, or?
     
  14. eva2000

    eva2000 Administrator Staff Member

    mailx should be installed; you can check yum history for the mailx package to see when it was installed, updated, or if it was removed, via the command:
    Code (Text):
    yum history list mailx

    Example: on a Centmin Mod 123.09beta01 CentOS 7 server my output is
    Code (Text):
    yum history list mailx
    Loaded plugins: fastestmirror, priorities, versionlock
    ID     | Command line             | Date and time    | Action(s)      | Altered
    -------------------------------------------------------------------------------
        41 | -y install virt-what pyt | 2019-04-01 08:44 | Install        |  317  
    history list
    

    showing mailx was installed as part of the yum initial install packages for the Centmin Mod install on April 1, 2019.
    For more detailed info use the yum history info command:
    Code (Text):
    yum history info mailx | egrep 'Transaction ID |Begin time|Command Line'

    Example:
    Code (Text):
    yum history info mailx | egrep 'Transaction ID |Begin time|Command Line'
    Transaction ID : 41
    Begin time     : Mon Apr  1 08:44:44 2019
    Command Line   : -y install virt-what python-devel gawk unzip pyOpenSSL python-dateutil libuuid-devel bc wget lynx screen deltarpm ca-certificates yum-utils bash mlocate subversion rsyslog dos2unix boost-program-options net-tools imake bind-utils libatomic_ops-devel time coreutils autoconf cronie crontabs cronie-anacron gcc gcc-c++ automake libtool make libXext-devel unzip patch sysstat openssh flex bison file libtool-ltdl-devel krb5-devel libXpm-devel nano gmp-devel aspell-devel numactl lsof pkgconfig gdbm-devel tk-devel bluez-libs-devel iptables* rrdtool diffutils which perl-Test-Simple perl-ExtUtils-Embed perl-ExtUtils-MakeMaker perl-Time-HiRes perl-libwww-perl perl-Crypt-SSLeay perl-Net-SSLeay cyrus-imapd cyrus-sasl-md5 cyrus-sasl-plain strace cmake git net-snmp-libs net-snmp-utils iotop libvpx libvpx-devel t1lib t1lib-devel expect expect-devel readline readline-devel libedit libedit-devel libxslt libxslt-devel openssl openssl-devel curl curl-devel openldap openldap-devel zlib zlib-devel gd gd-devel pcre pcre-devel gettext gettext-devel libidn libidn-devel libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel glib2 glib2-devel bzip2 bzip2-devel ncurses ncurses-devel e2fsprogs e2fsprogs-devel libc-client libc-client-devel cyrus-sasl cyrus-sasl-devel pam pam-devel libaio libaio-devel libevent libevent-devel recode recode-devel libtidy libtidy-devel net-snmp net-snmp-devel enchant enchant-devel lua lua-devel mailx perl-LWP-Protocol-https OpenEXR-devel OpenEXR-libs atk cups-libs fftw-libs-double fribidi gdk-pixbuf2 ghostscript-devel ghostscript-fonts gl-manpages graphviz gtk2 hicolor-icon-theme ilmbase ilmbase-devel jasper-devel jasper-libs jbigkit-devel jbigkit-libs lcms2 lcms2-devel libICE-devel libSM-devel libXaw libXcomposite libXcursor libXdamage-devel libXfixes-devel libXfont libXi libXinerama libXmu libXrandr libXt-devel libXxf86vm-devel libdrm-devel libfontenc librsvg2 libtiff libtiff-devel libwebp libwebp-devel 
libwmf-lite mesa-libGL-devel mesa-libGLU mesa-libGLU-devel poppler-data urw-fonts xorg-x11-font-utils ipset ipset-devel
    

    Yeah, you'll feel better once you've conquered this and learned from it :)
     
  15. brijendrasial

    brijendrasial Active Member

    Hmmmm, wondering then why on my machine it wasn't installed initially. NVM, I will add it to the pre-installed packages in the script.
     
  16. brainlet2000

    brainlet2000 Member

    Yeah, it was indeed removed as part of @brijendrasial's script:

    Code:
    ID     | Command line             | Date and time    | Action(s)      | Altered
    -------------------------------------------------------------------------------
        54 | remove mailx mutt -y     | 2020-04-16 16:07 | Erase          |    2   
         7 | -y install virt-what pyt | 2019-12-31 23:37 | Install        |  351   
    I reinstalled by running yum install mailx -y.

    Also, I had a breakthrough in my logic: I think the issue is CLOUDFLARE and not my DNS records. I found it out by running it through an SPF record analyzer.

    Screen Shot 2020-04-17 at 16.16.26.png

    As you can see, the SPF record shows that for the mechanism "a" included in the record it refers to those IP addresses. However, that is a Cloudflare IP address, not my server IP, so it makes sense that the SPF is invalid. So, I guess when using Cloudflare you have to include the server IP address in the SPF record. Will try that next.
     
  17. brainlet2000

    brainlet2000 Member

    Screen Shot 2020-04-17 at 16.35.09.png

    And there we go folks... All fixed. Honestly some rage, but screw Cloudflare for making me waste so much of my time on this shit. It's not intuitive at all that the Cloudflare A record which points to the actual server address would somehow be recognized as the Cloudflare server's IP address just because they act as a reverse proxy. It makes no sense.

    Maybe you should explain that to users on here in your DNS guide, since it's very illogical (to me). Or maybe it's because I am using the host.domain.com A record with the proxy option as well? Not sure.
     
    Last edited: Apr 18, 2020
  18. brainlet2000

    brainlet2000 Member

    In case anyone has the same issue this is the final SPF record I used in Cloudflare DNS:

    Code:
    v=spf1 mx a ip4:xx.xx.xx.xx  a:host.example.com include:zoho.eu -all
    Substitute your server IP and your main server host. I believe there is no way to prevent the IP leak from the server when sending emails via PHP, so having the IP in the DNS is irrelevant anyways.

    I kind of start to think that Cloudflare is pretty much useless; might remove it altogether. However, maybe it's useful if using Amazon SES to prevent IP leaks, to obfuscate the server IP? I don't know, but I don't really want to pay for Amazon SES yet.
     
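As an added illustration (not code from this thread or from Centmin Mod), the Python below evaluates an SPF record against a constructed DNS table with made-up IPs. It shows the situation from post 16 and the fix from post 18: when the apex A record is Cloudflare-proxied, the "a" mechanism resolves to an edge IP, so mail from the real server fails; adding ip4: (or a:host.example.com on an unproxied hostname) makes it pass. Hostnames, IPs and the Zoho SPF stub are assumptions.

```python
import ipaddress
# Constructed DNS data (not real records): the apex A record is Cloudflare-proxied,
# so it resolves to an edge IP; the hostname is not proxied and gives the real server.
ZONE = {
    "example.com": {
        "A": ["203.0.113.10"],                 # proxied: Cloudflare edge, not the server
        "MX": ["mx.zoho.eu"],
        "TXT": ["v=spf1 mx a include:zoho.eu -all"],   # record before the fix
    },
    "host.example.com": {"A": ["198.51.100.25"]},  # unproxied: real server IP
    "mx.zoho.eu": {"A": ["192.0.2.50"]},
    "zoho.eu": {"TXT": ["v=spf1 ip4:192.0.2.0/24 -all"]},  # stub of Zoho's SPF
}
SERVER_IP = "198.51.100.25"
FIXED_SPF = "v=spf1 mx a ip4:198.51.100.25 a:host.example.com include:zoho.eu -all"

def lookup(name, rtype):
    return ZONE.get(name, {}).get(rtype, [])

def spf_record(domain):
    return next((t for t in lookup(domain, "TXT") if t.startswith("v=spf1")), None)

def check_spf(domain, ip, record=None, depth=0):
    """Evaluate SPF for a message from `ip` claiming `domain`; returns pass/fail/
    softfail/neutral/none. Supports all, ip4, a, mx and include only."""
    record = record or spf_record(domain)
    if record is None or depth > 10:           # no record, or too many includes
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":                      # A record of the domain (or of arg)
            matched = ip in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(ip in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif mech == "include":                # only a "pass" from the include matches
            matched = check_spf(arg, ip, depth=depth + 1) == "pass"
        else:
            continue                           # exists/ptr not modelled here
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail"}.get(qual, "neutral")
    return "neutral"
```

Calling check_spf("example.com", SERVER_IP) returns "fail" with the original record and "pass" with FIXED_SPF, while the edge IP 203.0.113.10 passes the original record even though it never sends mail.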
  19. eva2000

    eva2000 Administrator Staff Member

    Yes, only way. Amazon SES is a must if you use Cloudflare and don't want to leak your real server IP address.

    For main hostname sent emails, i.e. host.domain.com, Cloudflare can't proxy the domain, as reverse PTR records will not see the real server IP but Cloudflare's DNS A record, so PTR would fail.

    Ah i see
     
  20. brainlet2000

    brainlet2000 Member

    So on Cloudflare, if I have 2 A records, the first pointing to example.com and the second to mainhost.example.com, the proxy should be enabled on the first and disabled on the second?

    If that's the case, do the server IP and hostname not need to be included in the SPF record?

    However, then by accessing mainhost.example.com your IP address is exposed anyways, right?