SPF, DKIM, DMARC, check... mail received... negative


Driving me up the walls!

I hate mail :-1: so am determined to get this solved.

Seriously what else am I supposed to be looking for in these headers? I see nothing that pops out as being incorrect.

(Jeff Atwood) #2

Did you follow all the advice in the test email text, sent from Admin, Email, Send Test Email button?

There’s some critical advice and websites to check in the text of that email…


I did.

  • notify email is correct, not skipped.
  • source has been looked at backwards and sideways
  • reverse PTR matches the FQDN of the mail server
  • SPF checked by multiple sites
  • DKIM checked by multiple sites
  • Anti-spam Blacklists checked

No clue what to do from here.

(Jeff Atwood) #4

What about the link to the mail testing service at the bottom of that email?


I don’t see one at the bottom, I see a few different ones.

  1. for SPF, 1 for DKIM, 1 for blacklist

I checked them all.

I’m doing nslookups right now, it seems there may be an issue with my mx record, but that’s the easiest one! no clue how I goofed that.

Wrong nslookup query, showing up correctly.

All my nslookups show as:


before showing the correct values underneath that I’m looking for. Is that the problem? Shouldn’t it be showing something besides localhost address? I’m not querying them locally. …but that can’t be the problem, because every domain I nslookup shows the same.

(Jeff Atwood) #6

Hmm yeah I thought I added that there, will check. In the meantime, here it is:


Guess I’m just not lovely enough

Well I just kept pasting in records until that showed up.

Now I gotta take them out one by one tomorrow figure out which ones are needed.

Then do over and try for a perfect run.

I hate mail!


Okay I got mail figured out the issue was I was making the mailserver TOO secure so that any mail coming in from a subdomain of the main domain was quarantined. All I had to do was remove the dmarc message for the main domain and it went away.

Hell of a lot less records now, it looks clean enough.

(Jeff Atwood) #9

Great! I added the link to http://www.mail-tester.com/ to that test email just now. I would have sworn I did that already, but I guess not…


That site is very good. It gave clear instruction on exactly what was missing, and where to input the values in DNS.

Thanks for the help :+1:

(Jay Pfaffman) #11

I swear it is much harder to configure mail now than it was 22 years ago when I had to hack sendmail and UUCP to get it to compile under Linux. I’m not sure how much longer I’ll be willing to do it (at least if it’s not my job).

I finally got to a 10/10 too, at least for my domain that runs Discourse.


My understanding is that standards are added on over the years, and they don’t drop off. Eventually there will be a reassessment and flip over to a new clean system, at least that would be the sane ideal.

(Jay Pfaffman) #13

I spoke too soon.

I was so proud that today I got mail tweaked so that I’m passing all of the tests at http://www.mail-tester.com/. I even blogged about it. Now, for the first time in the 9 months I’ve been running Discourse, I’m getting a little notice on my admin page about email jobs failing. The load average on the machine that’s relaying my mail is pretty much zero.

Jobs::HandledExceptionWrapper: Wrapped Net::OpenTimeout: execution expired

Now what?

I guess “nothing” might be the best answer, as if I click “reply-all” they just seem to all go away. Until they come back.


What exactly did you change?

(Jay Pfaffman) #15

I turned on DKIM on the mail server for that domain name. Unless DKIM signing takes a lot more time than I’d considered, I’m totally stumped.


When you view the source headers of your mail does it show dkim=pass like my pic at the top of this topic?

I’m working through cal/card dav right now, it doesn’t appear to be synching my contacts from phone to webserver to home computer. Mail works flawlessly, but I’m new to this DAV stuff (apparently 4 years behind everyone else)