Unauthenticated email... is not accepted due to domain's DMARC policy

[GoWilkes]

I'm working with a hosting client. He has a form on his site (that I wrote in Perl) that:

1. sends a plain-text email through /usr/sbin/sendmail ;
2. the "to" is his email address on the server that forwards to a Gmail address;
3. the return address is entered by the user that submitted the form.

When someone submitted it yesterday using their Yahoo address in the "from" field, it sent an error message to [email protected]_name.com:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

[email protected]
  (generated from [email protected]_domain.com)
  host gmail-smtp-in.l.google.com [142.250.115.26]
  SMTP error from remote mail server after end of data:
  550-5.7.26 Unauthenticated email from yahoo.com is not accepted due to domain's
  550-5.7.26 DMARC policy. Please contact the administrator of yahoo.com domain
  550-5.7.26 if this was a legitimate mail. Please visit
  550-5.7.26 https://support.google.com/mail/answer/2451690 to learn about the
  550 5.7.26 DMARC initiative. b24si10524548oob.80 - gsmtp

Of course, the support page given was useless:

Control unauthenticated mail from your domain - Gmail Help

Troubleshoot delivery issues with Postmaster Tools Gmail Postmaster Tools provides senders with metrics on parameters such as reputation, spam rate, feedback loop, etc. It can help you prevent your em

support.google.com

I changed the program to make the "from" address match the "to" address (eg, [email protected]_domain.com ) and resubmitted it, but it still bounced with the same error (except it had his domain in place of yahoo.com).

I double checked, and his SPF, DKIM, and DMARC all seem fine:

# changed the IP for this post, of course
his_domain.com. 14400 IN TXT "v=spf1 +a +mx +ip4:123.45.67.89 ~all"

default._domainkey 14400 IN TXT "v=DKIM1; k=rsa; p=[key]\;

_dmarc 14400 IN TXT "v=DMARC1;p=reject;sp=reject;adkim=r;aspf=r;pct=100;fo=0;rf=afrf;ri=86400;rua=mailto:[email protected];ruf=mailto:[email protected]"

MXToolbox shows no errors with the MX records.

I have another client with a contact form that had a similar problem a few weeks ago, but their site is slow so I forgot about it until now. But that means that the issue isn't isolated to this domain, it's definitely a setting somewhere.

Any thoughts?

 

[ffeingol]

I'm pretty sure that DMARC will not sign the email if it's routed through /usr/sbin/sendmail. You have to use actual SMTP commands and authenticate to have it DKIM signed.

 

[cPRex]

What @ffeingol said sounds right to me. You could further confirm this by comparing the message from your form to a message sent through webmail and see if they show up differently in the exim_mainlog.

 

[GoWilkes]

Well that's disappointing, I didn't have this problem until this year when I moved everything to a new server :-( What's weird is that my own site has a contact form that uses sendmail to send to my Gmail address, and I don't seem to have any problem getting those emails! Did I somehow change my own Gmail to allow unauthenticated email, and either didn't know it or forgot that I did it?

@ffeingol, when you say "use actual SMTP commands and authenticate", can you be more specific? Are you thinking about something like this (an example I found, not my own):

use MIME::Lite;
use Net::SMTP;

my $host = 'mail.domain.com';
my $user = '[email protected]';
my $pass = 'password1234';

MIME::Lite->send('smtp', $host, AuthUser => $user, AuthPass => $pass);
my $msg = MIME::Lite->new(
    From     => $from,
    To       => $to,
    Subject  => 'Foo',
    Type     => 'text/plain; charset=UTF-8',
    Encoding => 'quoted-printable',
    Data     => 'Hello world!'
);
$msg->send;

 

[ffeingol]

@GoWilkes that code looks correct. It's using a user-id/password, so it's authenticating.

Do you have a DMARC policy for your domain? It's their DMARC policy that is more than likely causing the issue: What is a DMARC Policy? All about the 3 policies - DMARC Analyzer

 

[GoWilkes]

Do you have a DMARC policy for your domain?

I do, and it's the same as for the client. The SPF is the same, too, so it makes no sense to me...