AOL Now rejecting all emails without DMARC record matching the sending domain!!

WebJIVE

Ok, don't know how to fix this one but, I have to ask. We're getting lots of calls about email not making it to AOL.com users. After looking at the logs, we noticed that AOL is now using DMARC for verification. This presents a big problem because AOL is also rejecting email not coming from the user's domain. All emails are still coming from the servers.myserver.com domain instead of the .usersdomain.com.

How can we change EXIM to do a domain lookup for each user's from email address and have all outgoing email from that domain be from that @domain? We use PHPMail function mostly since these are Joomla and WordPress sites.

Thanks
 

WebJIVE

We already use DKIM and it has no effect on AOL's new policies. cPanel by default has the sender domain as the server which is what I need to change. Can't seem to find a definitive answer on how to accomplish that. This is only going to get worse so, the send from domain has to have an answer.
 

vanessa

It's not cpanel that's doing this though. Your scripts are using php mail() to send, rather than SMTP. So it's the fact that you are sending as [email protected]me rather than [email protected] that is the problem. Without some complex ACL f*ckery within Exim, you're not going to get it to change the origin sender on the fly when in fact your applications are sending through mail() rather than any other currently-accepted method.

My mention of DKIM is due to the fact that a lot of other providers use DMARC now, including Gmail, and DKIM is typically listed as a solution to authenticate other hostnames to be allowed to send email on behalf of a domain.
 

WebJIVE

The only other solution I can think of would be Sendmail, would that accomplish the goal or just flat out SMTP? This is going to become an issue and something has to be figured out on a server wide basis versus telling every client to login all their apps via SMTP?
 

vanessa

Using a smarthost like Sendgrid to route all your outgoing mail through a single host that can authenticate for all your domains is possible, but if you have a lot of email traffic, can also be $$$. Especially if one of your clients encounters a spam outbreak, which isn't unusual considering the software they are running.

Sendmail won't do this for you. Your applications need to use SMTP to send mail, using a valid email address and password for authentication. The authentication details would have to be unique for each site, so not sure how you think this can be server-wide without using a smarthost or external SMTP server.
 

WebJIVE

Regarding Gmail, they are way more progressive than AOL. btw, Gmail gives us no problems with SPF pass and DKIM as good but, AOL in their infinite wisdom is skipping DKIM apparently.
 

cPanelMichael

Administrator
Staff member
Hello :)

I just wanted to note that most common scripts (e.g. Joomla, WordPress) have options available to send email via SMTP authentication. It might seem like a large task, but ultimately it's the best way to resolve the issue going forward.

Thank you.
 

WebJIVE

Thanks and yes, SMTP will be the final way to solve this. It just seems as though with all this great tech that we could have all emails coming from the sender domain vs the server domain. This is eventually going to become a bigger headache for people when more companies adopt DMARC and not DKIM. :(
 

rezman

vanessa said:
> It's not cPanel that's doing this though. Your scripts are using php mail() to send, rather than SMTP. So it's the fact that you are sending as [email protected]me rather than [email protected] that is the problem. Without some complex ACL f*ckery within Exim, you're not going to get it to change the origin sender on the fly when in fact your applications are sending through mail() rather than any other currently-accepted method.
>
> My mention of DKIM is due to the fact that a lot of other providers use DMARC now, including Gmail, and DKIM is typically listed as a solution to authenticate other hostnames to be allowed to send email on behalf of a domain.

Won't the following solve the php mail() problem?

mail($to, $subject, $body, $headers, '[email protected]' );

I know most major CMS packages should support this. There is also a way to force enable this and fail if someone doesn't pass the '-f' parameter. I've been doing this for a good 2 years now in all my code. It also makes for easier sent mail tracking via exim logs.

Also for all cPanel accounts on their own dedicated IP, I have enabled "Send mail from account's dedicated IP address" under Service Config > Exim Config > Domains and IPs.
 

WebJIVE

Downside to all this is troubleshooting after the fact. Right now, AOL isn't even allowing SMTP authentication via Joomla 1.5.
 

WebJIVE

Here's what we're seeing in the exim_mainlog:
Code:
68023:2014-06-23 14:03:46 1Wz9Ws-0003NR-7U <= user @ server3.domain.net U=user P=local S=634 [email protected] T="Test email" for otheruser @ aol.com
68025:2014-06-23 14:03:46 1Wz9Ws-0003NR-7U SMTP connection outbound 1403550226 1Wz9Ws-0003NR-7U domaintoo.com otheruser @ aol.com
68030:2014-06-23 14:03:46 1Wz9Ws-0003NR-7U ** otheuser @ aol.com R=lookuphost T=remote_smtp: SMTP error from remote mail server after end of data: host mailin-03.mx.aol.com [64.12.88.164]: 521 5.2.1 :  (DMARC) This message failed DMARC Evaluation for an AOL Domain. For more information please visit http://postmaster-blog.aol.com/2014/04/22/aol-mail-updates-dmarc-policy-to-reject/
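
Added example, not part of any post in this thread: a Python sketch of the exim_mainlog tracking discussed above. It pairs each local (`P=local`) submission with any later DMARC rejection for the same message ID and counts, per account, submissions whose envelope sender is still the server hostname. The log lines are constructed samples in the format shown above; `server3.example.net`, `mx.example.org` and the account names are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines in exim_mainlog format (hosts and users are placeholders).
SAMPLE_LOG = """\
2014-06-23 14:03:46 1Wz9Ws-0003NR-7U <= alice@server3.example.net U=alice P=local S=634 T="Test email" for friend@aol.com
2014-06-23 14:03:46 1Wz9Ws-0003NR-7U ** friend@aol.com R=lookuphost T=remote_smtp: SMTP error from remote mail server after end of data: host mx.example.org [192.0.2.10]: 521 5.2.1 :  (DMARC) This message failed DMARC Evaluation for an AOL Domain.
2014-06-23 14:05:10 1Wz9Xx-0003Pa-1B <= forms@shop.example.com U=bob P=local S=701 T="Contact form" for owner@example.org
2014-06-23 14:05:11 1Wz9Xx-0003Pa-1B => owner@example.org R=lookuphost T=remote_smtp H=mx.example.org [192.0.2.10] C="250 OK"
2014-06-23 14:06:02 1Wz9Yz-0003Qq-9C <= carol@server3.example.net U=carol P=local S=512 T="Order" for buyer@example.org
"""

# Arrival line of a locally submitted message (what PHP mail() produces).
ARRIVAL = re.compile(
    r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+@(?P<domain>\S+)) "
    r".*?\bU=(?P<user>\S+) P=local\b"
)
# Permanent failure line whose remote response mentions DMARC.
BOUNCE = re.compile(r"^\S+ \S+ (?P<id>\S+) \*\* .*\(DMARC\)")


def audit(log_text, server_hostname):
    """Return {account: {"unset_sender": n, "dmarc_rejects": n}}.

    unset_sender  = local submissions whose envelope sender domain is the
                    server hostname (no -f / no SMTP auth was used).
    dmarc_rejects = of that account's local submissions, how many were
                    rejected with a DMARC error.
    """
    owner_by_id = {}
    report = defaultdict(lambda: {"unset_sender": 0, "dmarc_rejects": 0})
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            owner_by_id[m["id"]] = m["user"]
            if m["domain"].lower() == server_hostname.lower():
                report[m["user"]]["unset_sender"] += 1
            continue
        m = BOUNCE.match(line)
        if m and m["id"] in owner_by_id:
            report[owner_by_id[m["id"]]]["dmarc_rejects"] += 1
    return {user: dict(counts) for user, counts in report.items()}


if __name__ == "__main__":
    for user, counts in audit(SAMPLE_LOG, "server3.example.net").items():
        print(user, counts)
```

Accounts that never appear in the result submitted only with their own domain as envelope sender and had no DMARC rejections.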
 

WebJIVE

Exactly except their own policy stops you from sending email from a valid off server AOL email address with DKIM and SPF records
 

WebJIVE

vanessa, great solution! I used an email forwarder instead of an account and had the local form send to the local forwarder and bingo. Mail received on the AOL account.

BTW, been reading your blog for a long time!
 

WebJIVE

Running into this issue again.. argh.. asking for advice on this. I have another client that's using Google biz mail for their email and when sending from their website (Joomla). I have correct SPF and DKIM records so, I'm really lost on this. It seems as though COX.net and others are really starting to crack down on SPF and DKIM.

Any thoughts?

X-Apparently-To: [email protected] via 98.138.85.222; Thu, 26 Jun 2014 17:12:08 +0000
Return-Path: <[email protected]>
Received-SPF: none (domain of server3.web-jive.net does not designate permitted sender hosts)
X-Originating-IP: [173.193.19.50]
Authentication-Results: mta1367.mail.gq1.yahoo.com from=server3.web-jive.net; domainkeys=neutral (no sig); from=smokeonthewaterbbq.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO server3.web-jive.net) (173.193.19.50)
by mta1367.mail.gq1.yahoo.com with SMTPS; Thu, 26 Jun 2014 17:12:08 +0000
Received: from smokebbq by server3.web-jive.net with local (Exim 4.82)
(envelope-from <[email protected]>)
id 1X0DDT-0005H2-Uh
for [email protected]; Thu, 26 Jun 2014 12:12:07 -0500
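
Added example, not from the thread: a Python check of DMARC identifier alignment, showing why an SPF or DKIM result for the server's own hostname does not help when the From: header carries a different domain. The header sets are constructed samples; `org_domain` is a simplification (last two labels instead of the Public Suffix List), and DKIM verdicts are passed in as the receiver would have computed them rather than verified here.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed header sets (domains are placeholders, not taken from the thread).
PHP_MAIL = """Return-Path: <siteuser@server3.example.net>
Received-SPF: none (domain of server3.example.net does not designate permitted sender hosts)
From: Site Form <info@shop.example.com>
"""
VISITOR_AS_FROM = """Return-Path: <forms@shop.example.com>
Received-SPF: pass (shop.example.com designates sender)
From: visitor@aol.com
"""
LOCAL_SMTP = """Return-Path: <info@shop.example.com>
Received-SPF: pass (shop.example.com designates sender)
From: info@shop.example.com
"""


def org_domain(domain):
    # Assumption: organizational domain = last two labels. A real evaluator
    # consults the Public Suffix List (needed for names like example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(a, b):
    """Relaxed DMARC alignment: both names share an organizational domain."""
    return org_domain(a) == org_domain(b)


def dmarc_eval(raw_headers, dkim_results=()):
    """dkim_results: (d= domain, verdict) pairs as reported by the receiver."""
    msg = message_from_string(raw_headers)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    env_dom = parseaddr(msg["Return-Path"])[1].rpartition("@")[2]
    spf_verdict = (msg["Received-SPF"] or "none").split()[0].lower()
    # Each mechanism counts only if it passes AND its domain matches From:.
    spf_ok = spf_verdict == "pass" and aligned(env_dom, from_dom)
    dkim_ok = any(v == "pass" and aligned(d, from_dom) for d, v in dkim_results)
    return {"from": from_dom, "envelope": env_dom, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}


if __name__ == "__main__":
    print(dmarc_eval(PHP_MAIL))
    print(dmarc_eval(VISITOR_AS_FROM, [("shop.example.com", "pass")]))
    print(dmarc_eval(LOCAL_SMTP))
```

The second sample fails even though SPF and DKIM both pass, because neither authenticated domain matches the domain in the From: header.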
 

WebJIVE

OK, figured this one out too. Have to dump PHPMail() and stick with SMTP and localhost for sending all mail now. Just add forwarders or actual email accounts and SPF/DKIM starts passing again. Looks like it's time to sundown PHPMail for Joomla sites.