Topics

DKIM causing bounces


Jeff Kane
 

My personal email domain is being hosted by Zoho.com.  I set up the DKIM records as they show.  For over a year it has been working just fine.  Around the end of May all emails from groups.io started bouncing.  I can send to my groups, but I do not get the message in my inbox.  All message from any group and from anyone bounce now.

I checked the DKIM records, and they are OK.  It appears to only be messages from groups.io.  I am getting email from everyone else OK.

Where can I look to try and figure out why?  I don't see anything helpful in the logs.  This is the only message I see and it is on every message.  "554 5.2.3 MailPolicy violation Error delivering to mailboxes".

I talked to Zoho, and they recommended setting my DKIM to "quarantine" instead of "temporary reject".  I just did that.  I also white listed groups.io.  I sent a test message and it didn't bounce this time.

I am not a fan of white listing!  Any suggestions or help on where to look wold be appreciated.


Toby Kraft
 

This should be sent to support so Mark can investigate.


 

Jeff,

... I set up the DKIM records as they show. ... Around the end of May
all emails from groups.io started bouncing. I can send to my groups,
but I do not get the message in my inbox. All message from any group
and from anyone bounce now.
DKIM is an authentication technology (digital signature), so I would expect that setting it up in your email provider would affect the messages you send TO Groups.io, not the messages you receive FROM Groups.io.

Where can I look to try and figure out why? I don't see anything
helpful in the logs. This is the only message I see and it is on
every message. "554 5.2.3 MailPolicy violation Error delivering to
mailboxes".
I presume you're seeing this in the "Email Delivery History" of the Subscription page (or in your Members record) in one of your groups? That's where bounce-related info goes. If somewhere else, please explain.

I talked to Zoho, and they recommended setting my DKIM to "quarantine"
instead of "temporary reject". I just did that. I also white listed
groups.io. I sent a test message and it didn't bounce this time.
Ah, so your provider has controls for the disposition of incoming messages based on those message's signature.

But "temporary reject" sounds like greylisting, which shouldn't have caused a complete failure, and in particular it should have been returned to Groups.io with a 4xy not a 554 code. 5xy are codes for a "permanent" error.
https://en.wikipedia.org/wiki/Greylisting

I am not a fan of white listing! Any suggestions or help on where to
look wold be appreciated.
Groups.io strips off the signature you supplied when you sent your message to the group, and applies its own signature to the messages it delivers to members. This is correct and necessary because Groups.io modifies the message content (adds footers, if nothing else), invalidating your original signature. But that shouldn't matter to ZoHo.

Given that all Groups.io messages are now bouncing perhaps they are objecting to the fact that the message says that the messages are "From" you (your email domain) or some other member, but is sent to them by Groups.io.

Do you find any exceptions? Do messages from people using Yahoo Mail or AOL, for example, get through? If so that would tend to confirm the idea that the problem is a conflict in the From versus the sender.

Whitelisting may be your only solution. The real answer is for Zoho to improve their inbound processing to properly allow for message that pass through email lists, even when those lists which preserve the original From field. It sounds like they've gone in a DMARC-like direction, if so they should go all the way, including ARC processing for mailing list messages.

Shal


--
Help: https://groups.io/static/help
More Help: https://groups.io/g/GroupManagersForum/wiki
Even More Help: Search button at the top of Messages list


Jeff Kane
 

"DKIM is an authentication technology (digital signature), so I would expect that setting it up in your email provider would affect the messages you send TO Groups.io, not the messages you receive FROM Groups.io."

That is why I am wondering if something changed with groups.io.

"
presume you're seeing this in the "Email Delivery History" of the Subscription page (or in your Members record) in one of your groups? That's where bounce-related info goes. If somewhere else, please explain."

Yes. My own email account history.

"
Do you find any exceptions? Do messages from people using Yahoo Mail or AOL, for example, get through? If so that would tend to confirm the idea that the problem is a conflict in the From versus the sender."

I am the only one who notices it. Yahoo and Gmail accounts are fine. I am pretty sure it is the "From". Which, again, is why I am wondering what may have changed at Groups.IO. I have been using Zoho for about a year now. I was doing my own hosting before that. Got tired of managing a mail server and decided to do the cloud thing. :-) It was working great until the end of May. I own 2 active groups.io lists and 1 that I use for testing features. This happened in both groups at the same time.

Is there a way to get a more complete bounce message with headers rather than the short version in the Email Delivery History? That is what Zoho is asking me for.


Jeff Kane
 

I realized that if I send the message to zoho's quarantine queue, I can see the headers there.  I removed the white list and send a test message.  This is interesting.

X-ZohoMail-DKIM: fail (Signature date is -18 seconds in the future.)

Someone has a time server issue!  How to figure out which one?

The rest of the headers.

Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from@...; helo=web01.groups.io;
 
Authentication-Results: mx.zohomail.com;
 
    dkim=fail;
 
    spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender)  smtp.mailfrom@...
 
Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com
 
    with SMTPS id 1531244100222185.37727506897534; Tue, 10 Jul 2018 10:35:00 -0700 (PDT)
 
Return-Path: <bounce+7413+13130+354203+694381@groups.io>
 
Subject: Re: [Trubs] Ignore test
 
To: Trubmeisters@groups.io
 
From: "Jeff Kane" <jeff@...>
 
X-Originating-IP: 74.203.203.133
 
User-Agent: GROUPS.IO Web Poster
 
MIME-Version: 1.0
 
Date: Tue, 10 Jul 2018 10:35:04 -0700
 
References: <2904d91e-0dc4-e84d-adf2-f6a109f3a4aa@...>
 
In-Reply-To: <2904d91e-0dc4-e84d-adf2-f6a109f3a4aa@...>
 
Message-ID: <1531244104989637499.971@groups.io>
 
Precedence: Bulk
 
List-Unsubscribe: <https://groups.io/g/Trubmeisters/unsub>
 
Sender: Trubmeisters@groups.io
 
List-Id: <Trubmeisters.groups.io>
 
Mailing-List: list Trubmeisters@groups.io; contact Trubmeisters+owner@groups.io
 
Reply-To: Trubmeisters@groups.io
 
Content-Type: multipart/alternative; boundary="3vz6Vqmgtg4IDaE9AjeZ"
 
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io;
 
 q=dns/txt; s=20140610; t=1531244118;
 
 bh=ofu6avEWFxWK/OUwJ1Qd6E6dMmCkOCzAtf3NnkWHgQ0=;
 
 h=Content-Type:Date:From:Reply-To:Subject:To;
 
 b=g5TtnOBZBurI6RGDSGC0hbaMrdyp/PCYwNlIokGBDZwgXX10EPv+yJ0WqTjQtpq1nEf
 
 gKB2s6TJfulrha7nyG8qwKhCscKEGNIsMHsJgzAd0Lmp8iUG7GcOCYw5hYH43wq5u6Lgb
 
 ZpCxk+sx/q3aERbKF1RBw6b/7+XkPFqU2aY=
 
X-ZohoMail-DKIM: fail (Signature date is -18 seconds in the future.)
 
X-ZohoMail: RDKM_2  RSF_0  Z_651682213 SPT_1 Z_651682212 SPT_1 QTP_2
 
--3vz6Vqmgtg4IDaE9AjeZ
 
Content-Type: text/plain; charset="utf-8"
 
Content-Transfer-Encoding: quoted-printable
 
 


 

On Tue, Jul 10, 2018 at 10:57 am, Jeff Kane wrote:

*X-ZohoMail-DKIM: fail (Signature date is -18 seconds in the future.)*

Someone has a time server issue!  How to figure out which one?
DKIM signatures don't contain dates. "Date" is among header lines DKIM-signed. I compared Date in a digest from groups.io with time in Received added by my personal mail server (with synchronized clock - I checked) - OK. In your header:

Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com
    with SMTPS id 1531244100222185.37727506897534; Tue, 10 Jul 2018 10:35:00 -0700 (PDT)
Date: Tue, 10 Jul 2018 10:35:04 -0700
X-ZohoMail-DKIM: fail (Signature date is -18 seconds in the future.)
Therefore, it's time in ZohoMail server which is off.


 

Lena,

DKIM signatures don't contain dates.
Actually they do contain a timestamp. In this case t=1531244118; which is GMT: Tuesday, July 10, 2018 5:35:18 PM -- 18 seconds ahead of the Received field, as advertised.

Looking at your message I have t=1531269237; aka GMT: Wednesday, July 11, 2018 12:33:57 AM; and Gmail's Received from Groups.io is Tue, 10 Jul 2018 17:33:38 -0700 (PDT). Nineteen seconds ahead. I doubt Gmail's servers are off, so I'm going to CC support on this one.

Zoho can be faulted for that confusing minus sign though ("-18 seconds in the future"). And for one of the more picayune reasons to bounce a message I've heard of. But a sanity check is a sanity check I suppose.
I wonder if they have any tolerance on that - would one second in the future also cause a bounce?

Shal


On Tue, Jul 10, 2018 at 10:57 am, Jeff Kane wrote:

*X-ZohoMail-DKIM: fail (Signature date is -18 seconds in the future.)*

Someone has a time server issue!  How to figure out which one?

--
Help: https://groups.io/static/help
More Help: https://groups.io/g/GroupManagersForum/wiki
Even More Help: Search button at the top of Messages list


 

Jeff,

That is why I am wondering if something changed with groups.io.
I would have said no, but now that you've dug up the actual source of the problem, I'll say maybe.

It was working great until the end of May. I own 2 active groups.io
lists and 1 that I use for testing features. This happened in both
groups at the same time.
Which could have been when the time discrepancy crept in, or it could be when Zoho added that test to their processing.

Is there a way to get a more complete bounce message with headers
rather than the short version in the Email Delivery History? That is
what Zoho is asking me for.
Not that I know of. You could ask support, but I think that may be a moot question for this incident.

The error code and message are supposed to be enough. If Zoho is using a generic code and text, the elaborating elsewhere in the body of the failure notice then I think that's kind of on them.

Shal


--
Help: https://groups.io/static/help
More Help: https://groups.io/g/GroupManagersForum/wiki
Even More Help: Search button at the top of Messages list


Jeff Kane
 

Thanks everyone for the help!  I agree that Zoho should be a bit more lenient on time being off by less than a minute.  I have engaged them again on this and await their response.


 

Jeff
​,


Thanks everyone for the help!  I agree that Zoho should be a bit more lenient on time being off by less than a minute.  I have engaged them again on this and await their response.

​Mark reports that it should be fixed now.

He's a bit mystified ​as to why ntpd wasn't running on a couple of machines, even though they were set up exactly the same as the others (where it was). He's updated the setup scripts to (hopefully) prevent this from happening again.

Shal


--
Help: https://groups.io/static/help
More Help: https://groups.io/g/GroupManagersForum/wiki
Even More Help: Search button at the top of Messages list


Jeff Kane
 

Awesome!  Test email got through with not white list.  :-)

Thanks again!  And thank you Mark for the quick fix.