Weird Spoofing Alert

Discussion in 'General discussions' started by Alex Read, Jan 10, 2019.

  1. Alex Read

    Alex Read Active Member

    Joined:
    Apr 8, 2018
    Messages:
    163
    Likes Received:
    32
    S.E:
    Expired
    L.T:
    Regular
    L.C:
    2
    Hi

    I'm getting this alert in my inbox from emails that are sent from my own G Suite account.

    Any idea what could be causing this?

    Alex
     

    Attached Files:

  2. frm.mwz

    frm.mwz Well-Known Member

    Joined:
    Mar 8, 2016
    Messages:
    3,705
    Likes Received:
    676
    S.E:
    2019-11-27 02:17:39
    L.T:
    Regular
    L.C:
    7
    Can you send a screenshot (redacted for privacy of course) of »the result« when you click on Gmail's top right corner menu option 'show original'?

    GmailTopRightCornerMenu.jpg
     
  3. Alex Read

    Alex Read Active Member

    https://pastebin.com/c4Ufk1GU

    I have it on another domain on the server. I assume it's an incorrect record somewhere.

    Maybe this gives a clue?
    Code:
    spf=permerror (google.com: permanent error in processing during lookup of name@lab41.co: mailgun.org~all not found) 
     
  4. frm.mwz

    frm.mwz Well-Known Member

    Yes (spf=permerror says it all), basically, check/fix your spf and dkim (and while at it, also dmarc).
     
  5. Alex Read

    Alex Read Active Member

    It was a space before ~all! I hope this fixes it. :) Thanks for the help and guidance. I wasn't sure where to start looking!
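The diagnosis in the three posts above (a `spf=permerror` because the space before `~all` was missing, so Google tried to look up the non-existent domain `mailgun.org~all`) is the kind of mistake a syntax check catches before the record is published. The following checker is an added example written for this thread, not code from the forum or from Google; it follows the term grammar of RFC 7208, flags the thread's exact mistake, and also counts the DNS-lookup terms, since going over the limit of 10 is another common cause of the same permerror. The sample records in the `__main__` block are constructed.

```python
"""Syntax check for an SPF TXT record, modelled on RFC 7208 (added example, not from the thread)."""
import ipaddress
import re

QUALIFIERS = "+-~?"
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
MODIFIERS = {"redirect", "exp"}
# Terms that cost a DNS lookup; RFC 7208 section 4.6.4 allows at most 10 per evaluation,
# and exceeding that is another common cause of spf=permerror.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# Plausible hostname: labels of letters/digits/hyphen/underscore, then an alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?:[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?\.)+[a-z][a-z0-9-]{1,62}\.?$", re.I)


def _bad_domain(value):
    """True if value is not a plausible DNS name (SPF macros such as %{d} are out of scope)."""
    return not DOMAIN_RE.match(value)


def check_spf(record):
    """Return a list of problems found in the record; an empty list means it looks well-formed."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must begin with 'v=spf1'"]
    problems = []
    lookups = 0
    terminated = False  # set once 'all' or redirect= has been seen
    for term in terms[1:]:
        if terminated:
            problems.append(f"{term!r} comes after 'all'/redirect= and is never evaluated")
            continue
        if "=" in term:  # modifier, e.g. redirect=_spf.example.com
            name, _, value = term.partition("=")
            name = name.lower()
            if name not in MODIFIERS:
                problems.append(f"unknown modifier {term!r}")
            elif _bad_domain(value):
                problems.append(f"{name}= has invalid domain {value!r}")
            elif name == "redirect":
                lookups += 1
                terminated = True
            continue
        if term[0] in QUALIFIERS:
            term = term[1:]
        name, _, arg = term.partition(":")
        name = name.partition("/")[0].lower()  # 'a/24' carries a prefix length, no domain
        if name not in MECHANISMS:
            problems.append(f"unknown mechanism {term!r}")
            continue
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            terminated = True
            if arg:
                problems.append(f"'all' takes no argument, got {arg!r}")
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
                if str(net.version) != name[2]:
                    problems.append(f"{name}: {arg!r} is an IPv{net.version} address")
            except ValueError:
                problems.append(f"{name}: invalid address {arg!r}")
        elif name in ("include", "exists") or arg:
            host = arg.split("/", 1)[0]  # drop a trailing dual-CIDR length
            if _bad_domain(host):
                # The thread's case: 'include:mailgun.org~all' with the space before '~all' lost.
                hint = " (missing space before the 'all' term?)" if host.endswith("all") else ""
                problems.append(f"{name}: invalid domain {host!r}{hint}")
    if not terminated:
        problems.append("no 'all' mechanism or redirect=; the record falls through to neutral")
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return problems


if __name__ == "__main__":
    # Constructed records: the broken form from the thread and its corrected form.
    for rec in ("v=spf1 include:_spf.google.com include:mailgun.org~all",
                "v=spf1 include:_spf.google.com include:mailgun.org ~all"):
        print(rec, "->", check_spf(rec) or "OK")
```

Run it against the TXT record as it is actually published (`dig TXT yourdomain +short`), not the one you think you typed; a check that passes on the intended text but fails on the live record is exactly the situation the thread describes.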
     
  6. frm.mwz

    frm.mwz Well-Known Member

    You are welcome! When you set up a DS, send yourself a confirmation message to your gmail account and look at 'show original' and you will know if you set up the authentication properly (and the green lock) ;)
     
  7. Alex Read

    Alex Read Active Member

    (and the green lock)?
     
  8. frm.mwz

    frm.mwz Well-Known Member

    If the email was sent making encrypted connections (SSL/TLS) then a number of mobile clients will show a green lock (similar to web browsers when using httpS). And when gmail does not receive that, it flags it as unsafe (and recipients view that as negative, which harms the open/click rate).
    GmailGreenLock.jpg
     
  9. Alex Read

    Alex Read Active Member

    Thanks! I figured it was something like that but haven't seen it before.
     
  10. Alex Read

    Alex Read Active Member

    Hi

    I've also seen this recently:
    Can you explain that a bit and how to check/fix it?

    Not even sure where to begin!
     
  11. frm.mwz

    frm.mwz Well-Known Member

    rDNS/PTR: IP -> domain (opposite of your A record: domain -> IP), but the domain should actually rather be an FQDN
    e.g.
    https://www.nslookuptool.com/#PTR&204.194.223.101 -> smtp-soi-g01-101.aweber.com
    https://www.nslookuptool.com/#A&smtp-soi-g01-101.aweber.com -> 204.194.223.101

    https://en.wikipedia.org/wiki/Reverse_DNS_lookup

    # if your host is the admin for rDNS: then either your host allows you to set rDNS in their web gui, or you need to open a ticket to have them do it
    # if it is at a third party provider, then in their interface, e.g.:
    https://help.dnsmadeeasy.com/managed-dns/dns-record-types/pointer-ptr-record/
    https://www.cloudns.net/wiki/article/40/
    https://www.cloudflare.com/learning/dns/dns-records/dns-ptr-record/

    In any case, if sending from an IP, the smtp banner should match the rDNS (see test results of mail-tester or mxtoolbox or dnstools), as otherwise deliverability suffers.
     
  12. Alex Read

    Alex Read Active Member

    Yikes. I think I get it.

    So I do this:
    1) https://www.nslookuptool.com/#A&kathreadwrites.agency which gives the IP 104.24.122.209
    2) I then put the IP into https://www.nslookuptool.com/#PTR&104.24.122.209.
    and if I get an X everywhere I need to fix it?

    To Fix It:
    1) I use Cpanel shared so I guess I need to open a ticket.
    2) But what do I tell them to set it to?
    I can't work out how to get this part for my domain '147.94.208.in-addr.arpa.'
    (I'm basing it off https://help.dnsmadeeasy.com/managed-dns/dns-record-types/pointer-ptr-record/)
    3) Do I need a PTR record for EACH addon domain that I'm sending from?
    4) Does it make a big difference to deliverability?

    Thanks for your help & patience!
     
  13. frm.mwz

    frm.mwz Well-Known Member

    only if you send from that IP

    shared hosts will most likely not allow you to use their IP for rDNS ;)
    but if it is your own (rented) IP (not shared), then it could work

    however, 104.24.122.209 is a Cloudflare IP, so this is neither your IP nor the shared host's...

    see earlier post re banner match

    it can mean, depending on the receiving server, the difference between full inboxing and complete rejection

    if you do a test as suggested in the earlier post, then the results should be useful (feel free to post them if you want further help)
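The two nslookuptool lookups in the earlier post (PTR for the IP, then A for the name it returns, and check that you land back on the same IP) are a forward-confirmed reverse DNS check, and the '147.94.208.in-addr.arpa.' part the question above asks about is simply the reverse zone derived from the first three octets of the sending IP. The script below is an added example written for this thread, not code from the forum or from any tool it links to. It answers the canned lookups from a constructed table so it runs offline (the aweber name/IP pair is the one quoted in the thread; the 198.51.100.x and 203.0.113.x entries are documentation addresses used only to show the two failure modes) and includes socket-based resolvers, assumed to be what you would substitute for a live check of your own sending IP.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for a sending IP (added example, not from the thread)."""
import ipaddress
import socket


def reverse_name(ip):
    """The in-addr.arpa (or ip6.arpa) name the PTR record for ip must be published under."""
    return ipaddress.ip_address(ip).reverse_pointer


def ptr_zone_v4(ip):
    """The /24 reverse zone an IPv4 PTR record lives in (the '147.94.208.in-addr.arpa.' style
    name asked about in the thread); whoever controls that zone, usually the host, creates the record."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets[:3])) + ".in-addr.arpa"


def fcrdns(ip, ptr_lookup, a_lookup):
    """Classify ip as 'ok', 'no-ptr' or 'mismatch'; the second element names the PTR target(s).

    ptr_lookup(ip) returns the PTR names for ip and a_lookup(name) the addresses for name;
    they are passed in so the same logic runs against canned answers or live DNS."""
    names = ptr_lookup(ip)
    if not names:
        return "no-ptr", f"no PTR record at {reverse_name(ip)}"
    for name in names:
        if ip in a_lookup(name):
            return "ok", name  # forward lookup of the PTR name confirms the IP
    return "mismatch", ",".join(names)


# Live resolvers for real use (assumed substitution): wrap the socket module, [] on failure.
def live_ptr(ip):
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except (socket.herror, socket.gaierror):
        return []


def live_a(name):
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed answer tables so the check runs offline. The aweber pair is the one quoted in
# the thread; the two RFC 5737 documentation addresses are assumptions used to show failures.
FAKE_PTR = {
    "204.194.223.101": ["smtp-soi-g01-101.aweber.com"],
    "198.51.100.10": ["mail.example.net"],  # PTR exists but its A record points elsewhere
    "203.0.113.7": [],                      # no PTR published at all
}
FAKE_A = {
    "smtp-soi-g01-101.aweber.com": ["204.194.223.101"],
    "mail.example.net": ["198.51.100.99"],
}


def fake_ptr(ip):
    return FAKE_PTR.get(ip, [])


def fake_a(name):
    return FAKE_A.get(name, [])


if __name__ == "__main__":
    for ip in FAKE_PTR:
        print(ip, reverse_name(ip), ptr_zone_v4(ip), fcrdns(ip, fake_ptr, fake_a))
```

Only the 'ok' result is worth anything: the name you ask the host to put in the PTR should be the FQDN your mail server greets with in its SMTP banner and that name's A record must point back at the same IP, which is the banner match the earlier post refers to. As the reply above says, a Cloudflare-proxied address is not your sending IP, so run the check on the address that actually appears in the Received: headers of a message you sent.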
     
  14. Alex Read

    Alex Read Active Member

  15. frm.mwz

    frm.mwz Well-Known Member

    1st cent: just read/follow the previous posts thoroughly
    2nd cent: simply post the results of mail-tester.com for each problem domain/ip
     