Unauthenticated email... is not accepted due to domain's DMARC policy

Operating System & Version
CentOS 7.9 virtuozzo
cPanel & WHM Version
92.0.11

GoWilkes

Well-Known Member
Sep 26, 2006
558
21
168
cPanel Access Level
Root Administrator
I'm working with a hosting client. He has a form on his site (that I wrote in Perl) that:

1. sends a plain-text email through /usr/sbin/sendmail ;
2. the "to" is his email address on the server that forwards to a Gmail address;
3. the return address is entered by the user that submitted the form.

When someone submitted it yesterday using their Yahoo address in the "from" field, it sent an error message to [email protected]_name.com:

Code:
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

[email protected]
  (generated from [email protected]_domain.com)
  host gmail-smtp-in.l.google.com [142.250.115.26]
  SMTP error from remote mail server after end of data:
  550-5.7.26 Unauthenticated email from yahoo.com is not accepted due to domain's
  550-5.7.26 DMARC policy. Please contact the administrator of yahoo.com domain
  550-5.7.26 if this was a legitimate mail. Please visit
  550-5.7.26 https://support.google.com/mail/answer/2451690 to learn about the
  550 5.7.26 DMARC initiative. b24si10524548oob.80 - gsmtp
Of course, the support page given was useless:

I changed the program to make the "from" address match the "to" address (eg, [email protected]_domain.com ) and resubmitted it, but it still bounced with the same error (except it had his domain in place of yahoo.com).

I double checked, and his SPF, DKIM, and DMARC all seem fine:

Code:
# changed the IP for this post, of course
his_domain.com. 14400 IN TXT "v=spf1 +a +mx +ip4:123.45.67.89 ~all"

default._domainkey 14400 IN TXT "v=DKIM1; k=rsa; p=[key]\;

_dmarc 14400 IN TXT "v=DMARC1;p=reject;sp=reject;adkim=r;aspf=r;pct=100;fo=0;rf=afrf;ri=86400;rua=mailto:[email protected];ruf=mailto:[email protected]"
MXToolbox shows no errors with the MX records.

I have another client with a contact form that had a similar problem a few weeks ago, but their site is slow so I forgot about it until now. But that means that the issue isn't isolated to this domain, it's definitely a setting somewhere.

Any thoughts?
 

ffeingol

Well-Known Member
PartnerNOC
Nov 9, 2001
587
182
343
cPanel Access Level
DataCenter Provider
I'm pretty sure that DMARC will not sign the email if it's routed through /usr/sbin/sendmail. You have to use actual SMTP commands and authenticate to have it DKIM signed.
 

GoWilkes

Well-Known Member
Sep 26, 2006
558
21
168
cPanel Access Level
Root Administrator
Well that's disappointing, I didn't have this problem until this year when I moved everything to a new server :-( What's weird is that my own site has a contact form that uses sendmail to send to my Gmail address, and I don't seem to have any problem getting those emails! Did I somehow change my own Gmail to allow unauthenticated email, and either didn't know it or forgot that I did it?

@ffeingol, when you say "use actual SMTP commands and authenticate", can you be more specific? Are you thinking about something like this (an example I found, not my own):

Code:
use MIME::Lite;
use Net::SMTP;

my $host = 'mail.domain.com';
my $user = '[email protected]';
my $pass = 'password1234';

MIME::Lite->send('smtp', $host, AuthUser => $user, AuthPass => $pass);
my $msg = MIME::Lite->new(
    From     => $from,
    To       => $to,
    Subject  => 'Foo',
    Type     => 'text/plain; charset=UTF-8',
    Encoding => 'quoted-printable',
    Data     => 'Hello world!'
);
$msg->send;