
Email using business email address with amazon ses?

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Altair, Oct 11, 2020.

  1. Altair

    Altair Member

    68
    3
    8
    Jan 27, 2018
    Ratings:
    +3
    Local Time:
    12:12 AM
    hi @eva2000

    quick question, for ses do I have to register first an @domain.com email?
    since the from address would be myemail@domain.com

    my question do I register it with zoho for their free service, or do you recommend someone else?

    apparently with zoho I can't have multiple mx records or is it ok? also amazon ses requires dkim, can I set dkim for both zoho and amazon and spf?
     
  2. eva2000

    eva2000 Administrator Staff Member

    45,974
    10,444
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,206
    Local Time:
    8:12 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    Yes, you need to own the domain you want to send Amazon SES email from, so register with a domain registrar first.

    The idea is to figure out what email @domain.com you want to send email from, have that domain registered at a domain registrar, and then set it up with Amazon SES DNS records. So for me, I want emails sent from @centminmod.com, so I set up the centminmod.com domain I already registered with a domain registrar with Amazon SES.

    Yes, you can set up Zoho and Amazon SES, as they have their own independent DNS records for DKIM, SPF etc.
     
  3. tonmo

    tonmo Member

    45
    1
    8
    Jul 20, 2019
    Ratings:
    +5
    Local Time:
    5:12 PM
    1.17.1
    5.5.5 (10.3.16-MariaDB)
    So if I use cloudflare, and my xf site (which sends mail via php) is hosted on AWS, and I use zoho for POP email, do I have this correct?:
    cloudflare DNS:
    -- for SPF: make sure record includes IPs for both AWS (domain) and zoho
    -- for DKIM: per zoho, "You have to inform your Website hosting team to configure DKIM for your domain and don't configure DKIM for the return path of emails." .... so does this mean I need to get the DKIM for AWS? I don't know what is meant by "don't configure for the return path"
     
  4. eva2000

    eva2000 Administrator Staff Member

    Zoho and AWS SES will both have instructions to set up their own separate and independent DKIM and SPF records. You just need to follow their respective instructions.
     
  5. tonmo

    tonmo Member

    Thanks - but if I don't use ses and instead send from the server (xf setting / php), do I use the ec2 domain? I already include the IP.
     
  6. eva2000

    eva2000 Administrator Staff Member

    Yes, if you send via the server, it will be the server's IP address that is evaluated and that server's main hostname from Getting Started Step 1 (Getting Started Guide - CentminMod.com LEMP Nginx web stack for CentOS). Hence why the guide at "Email - Steps to ensure your site/server email doesn't end up in spam inboxes" recommends doing SPF/DKIM for both the site domain + the Centmin Mod server's main hostname.
     
  7. tonmo

    tonmo Member

    Thank you! Your DKIM instructions (here) don't make any mention of selectors, and I think that's my remaining problem. I can send no problem via SSH command line and XF-based emails send fine, but the difference between the two is in the headers:
    from ssh: includes "dkim=pass;"
    from xf: does not include "dkim=pass;"
    and when I try to test dkim specifically via mxtoolbox, I get the following:
     
  8. eva2000

    eva2000 Administrator Staff Member

    Make sure you entered the TXT DNS record for DKIM correctly.

    i.e. for Cloudflare, the TXT DNS record name would be default._domainkey.host, where host is the subdomain of host.domain.com, which is your main hostname from Getting Started Guide step 1.

    The DKIM selector is part of the generated TXT record outlined at Beta Branch - Automated DKIM setup with opendkim

    So for MXToolBox, enter in the domain name input field something like the following, where host.domain.com is your main hostname from Getting Started Guide step 1
    Code (Text):
    default._domainkey.host.domain.com

    and leave selector input field blank
     
  9. tonmo

    tonmo Member

    It's very odd; everything passes checks, EXCEPT when I send a message from the xenforo platform (to gmail for example)... The note sends fine, but when I copy/paste the email header into the mxtoolbox header analyzer, I get the following result:

    upload_2021-1-5_19-33-27.png

    Indeed, I do not see a dkim=pass line item in the header... (nothing about dkim in the header, in fact). But everything else checks out. Specifically:
    yes, the DKIM entry there appears to be correct.

    Looks good, and when I send a test email via command line per your instructions, I do get the dkim=pass item, and everything checks out fine. It also works if I send via POP email, which aligns with my zoho account, and again, dkim=pass is in the header. The mxtoolbox results for mxtoolbox, dkim (per your instructions above; see result screen grab below), and spf seems to work everywhere (thanks to this post).

    upload_2021-1-5_19-35-48.png

    Here are the relevant entries; apologies for crude obfuscation but trying to give as much context as possible. Anything you see amiss here?

    upload_2021-1-5_19-50-26.png
     


  10. tonmo

    tonmo Member

    ...it does have this, though... ? it's followed by my host.domain.com and some short string.

    DKIM-Filter: OpenDKIM Filter v2.11.0
     
  11. tonmo

    tonmo Member

    still can't determine why dkim=pass won't show up (except when sending from command line). When running from command line, I also get notice that "spf=none (zohomail.com: x.x.x.x is neither permitted nor denied by domain of host.domain.com)" ....

    When sending from xenforo, or from POP mail spf=pass but there is no line for dkim. It's not dkim=fail, there's just no dkim.
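
The symptom in the posts above (a DKIM-Filter header and spf=pass, but no dkim= result at all) can be checked directly from the raw headers. The following is an added example, not code from the thread or from Centmin Mod; the sample headers are constructed, and host.domain.com and the "default" selector are the placeholders used in the thread.

```python
from email import message_from_string

# Constructed sample headers (not from the thread): one message that OpenDKIM
# signed with selector "default", and one that left the server unsigned.
SIGNED = (
    "Authentication-Results: mx.example.net;\n"
    " dkim=pass header.i=@host.domain.com header.s=default;\n"
    " spf=none smtp.mailfrom=root@host.domain.com\n"
    "DKIM-Filter: OpenDKIM Filter v2.11.0 host.domain.com ABC123\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=host.domain.com;\n"
    " s=default; t=1609900000; bh=AAAA; h=From:To:Subject; b=BBBB\n"
    "From: root@host.domain.com\n\nbody\n"
)
UNSIGNED = (
    "Authentication-Results: mx.example.net;\n"
    " spf=pass smtp.mailfrom=forum@domain.com\n"
    "DKIM-Filter: OpenDKIM Filter v2.11.0 host.domain.com DEF456\n"
    "From: forum@domain.com\n\nbody\n"
)

def auth_results(raw):
    """Map method -> result (dkim/spf/dmarc) from Authentication-Results."""
    found = {}
    for value in message_from_string(raw).get_all("Authentication-Results", []):
        for clause in value.split(";"):
            token = clause.split()[0] if clause.split() else ""
            method, _, result = token.partition("=")
            if method in ("dkim", "spf", "dmarc") and result:
                found.setdefault(method, result)
    return found

def dkim_record_names(raw):
    """DNS TXT names (selector._domainkey.domain), one per DKIM-Signature."""
    names = []
    for value in message_from_string(raw).get_all("DKIM-Signature", []):
        tags = dict(p.strip().split("=", 1) for p in value.split(";") if "=" in p)
        if "d" in tags and "s" in tags:
            names.append(f"{tags['s']}._domainkey.{tags['d']}")
    return names

def diagnose(raw):
    # A DKIM-Filter header alone is not a signature; only DKIM-Signature is.
    results, names = auth_results(raw), dkim_record_names(raw)
    if not names:
        return "unsigned: no DKIM-Signature header, so there is no dkim= result"
    return f"signed: dkim={results.get('dkim', 'missing')}; TXT at {', '.join(names)}"
```

An "unsigned" result means the message was never signed for its From domain, which is a signing-side configuration question rather than a DNS record problem.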
     
  12. eva2000

    eva2000 Administrator Staff Member

    FYI, the main hostname can't be a proxied Cloudflare DNS record; it has to point to the real IP of the server, not masked by the Cloudflare proxy.
     
  13. tonmo

    tonmo Member

    When I turn off proxy for the host.domain.com A record (and I leave the domain.com A record itself on proxy/orange cloud), I get site monitor errors (i.e., I get alerts that say the site is down), even though domain.com itself seems to be fine.

    On nginx, does my domain.com.conf file need to make any reference to host.domain.com? (It does not currently; it only has configurations for domain.com). Here is an excerpt - any issues here?

    Code:
    server {
      listen 443 ssl http2;
      server_name domain.com;

      ssl_certificate /usr/local/nginx/conf/ssl/cloudflare/domain.com/domain.com.pem;
      ssl_certificate_key /usr/local/nginx/conf/ssl/cloudflare/domain.com/domain.com.key;
      ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/domain.com/origin.crt;
      ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;

      # enable ocsp stapling
      # resolver 8.8.8.8 8.8.4.4 valid=10m;
      # resolver_timeout 10s;
      # ssl_stapling on;
      # ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/cloudflare/cloudflare.crt;
     
  14. eva2000

    eva2000 Administrator Staff Member

    Where are the alerts coming from? Uptime monitors or Cloudflare health checks in place?

    No references needed.
     
  15. tonmo

    tonmo Member

    uptime monitors
     
  16. eva2000

    eva2000 Administrator Staff Member

    I'd double check the uptime monitors are monitoring the right domain name. What uptime monitors are you using?
     
  17. tonmo

    tonmo Member

    Uptime Robot in Slack. It is actually monitoring www.domain.com (my site is set up to redirect to domain.com).