FPiette

Where is the link to register to the forum?

Guest

Gmail places the messages from this forum automatically on the spam list. That's what happened to me: after registration I had to wait 20 hours before I decided to take a look in the spam list, where I found the activation link.

 

My first attempt was probably in 2021, but I couldn't obtain the activation email. Recently I read on this blog https://blog.dummzeuch.de/2021/12/16/registration-problems-in-delphi-praxis-solved/ that the problem was fixed, so I decided to try again.

Edited by Guest

@Daniel

Looking at this lookup result

C:\Users\Kas>nslookup -type=TXT -debug delphipraxis.net 1.1.1.1
Server:         1.1.1.1
Address:        1.1.1.1#53

------------
    QUESTIONS:
        delphipraxis.net, type = TXT, class = IN
    ANSWERS:
    ->  delphipraxis.net
        text = "v=spf1 a mx ~all"
        ttl = 86330
    ->  delphipraxis.net
        text = "google-site-verification=axHu87aSc4n6ry1pc4VMwdNcEsrBD8WbBeYO-jA1sl0"
        ttl = 86330
    AUTHORITY RECORDS:
    ADDITIONAL RECORDS:
------------
Non-authoritative answer:
delphipraxis.net        text = "v=spf1 a mx ~all"
delphipraxis.net        text = "google-site-verification=axHu87aSc4n6ry1pc4VMwdNcEsrBD8WbBeYO-jA1sl0"

Authoritative answers can be found from:

I see a few problems:

1) The TTL is way too long; I prefer 6 minutes at most instead of 24 hours.

2) There is a Sender Policy Framework (SPF) record and it is correct, but it is useless in this format. Literally it is saying "I am here", nothing else, accepting/allowing from any IP (the "~all" parameter relaxes the usage too much too); it doesn't help at all. mx in this format with the actual domain is also saying the SMTP mx domain can send an email using this domain, but reverse resolving the IP will result in your other ".eu" domain!! In short, this SPF can/should be better and more secure, hence it will help a lot with spam flagging.

3) No DomainKeys Identified Mail (DKIM)?!

4) No Domain-based Message Authentication, Reporting and Conformance (DMARC) ?! 

 

Here are the headers I got from an email from this forum:

Authentication-Results: 	spf=none (sender IP is 138.201.18.17) smtp.mailfrom=mail.danielwolf.eu; dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=delphipraxis.net;

Received-SPF: 	None (protection.outlook.com: mail.danielwolf.eu does not designate permitted sender hosts)

// these are values from Outlook (the general score)
X-MS-Exchange-Organization-PCL: 	2
X-MS-Exchange-Organization-SCL: 	1
X-Microsoft-Antispam: 	BCL:0;

So to break these

1) SPF should be more restrictive at least, it should list the IPs that SMTP will use, mx field is good but as mentioned above, it should be pointing to the actual mx for this domain not leaving it to the receiver to guess.

2) DKIM is helpful and will not cost you anything, just one extra layer of authentication like SPF.

3) DMARC will consolidate SPF and DKIM together and provide one brilliant way to stay on top of things by reporting.

 

Suggestions:

1) If you can, then transfer your domain to a more robust and concrete domain registrar. Myself, since moving all my domains to CloudFlare DNS, I never looked back; even if I am not using their services like protection or any, I just want them to serve domains and to have control with an API over my DNS records and subdomains.

2) Change the TTL to a shorter period, and here you must be very careful: if you want to start enhancing and tweaking your domains and DNS records, make sure it is 1 minute and wait until that 24h has passed, then tweak it. Don't touch it today if you decide to tweak something.

3) Enhance the SPF. Most likely you have a static IP for the mx which is also serving another one or more; it is acceptable to have more than one mx record on one IP, but declare these IPs for each domain/subdomain. Another tricky thing here: if you are allowing sending and using IPv6, then you should be 100% sure it will not change, that it is static and controlled by you, or just disable it. Also, you can use an IP or a range; both will be OK and better than leaving it empty for any IP.

4) DKIM: well, it is as simple as it sounds, generate a key with a hash... There are so many resources on the internet, so I am not getting into it. On a side note, we can ask Angus to expand his built binary tools to include generating a DKIM key; if I were to do it, it would be in his style with many checkboxes and radio buttons, I love doing that. "Just don't use any online service to generate the key!" Use a command for OpenSSL or ICS or whatever is local for you.

5) There is so much to explain about what mx in the SPF and its interaction with DKIM should be, but if you are delegating the sender for your domain, let's say delphipraxis.net, to Gmail or Outlook, it can be secure and validated, but one of these (SPF or DKIM) will fail as per design, hence DMARC will come to the rescue. There are also many resources on how to do it right; I love https://dmarcian.com/, it is free and can be paid if you prefer. DMARC will inform the receivers of email sent from your servers/SMTP to report the failures and maybe even the successes. The reported data are not private, so you should not care about an IP trying to spam others impersonating your domain. dmarcian has tools to analyze your domain parameters, so it will help you a lot, and if you use it right then services like Gmail will email you back on a daily/weekly/when-needed basis a report of successful deliveries and failures or, most important, the spam recognized as pretending to be you. You can also receive these reports and parse them on your own; it is just more beautiful to see their charts at work!

 

Extra info :

About reducing TTL: TTL is there to prevent DNS attacks, yet it is a two-sided blade (it can be debated both ways), so in my opinion the longer TTL was helping in the past, but it is not so relevant in modern days with DNSSEC and DNS-over-HTTPS (DoH), and here is the thing: building an attack on mail/mx DNS with a very short TTL is rendered useless by the existence of SPF, DKIM and DMARC!

 

I see you are using Gmail site-verification and it is good to work with Gmail, but that is not enough; they still have their own score, and the above will help. Outlook, on the other hand, does use these records in their score system and consolidates them with their own registration method attached to your account and verified for more

https://sendersupport.olc.protection.outlook.com/snds/JMRP.aspx

 

Some additional resources

https://en.wikipedia.org/wiki/Sender_Policy_Framework

https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail

https://en.wikipedia.org/wiki/DMARC

https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-spam-confidence-level-scl-about?view=o365-worldwide

https://support.google.com/a/answer/174124?hl=en

https://support.google.com/a/answer/2466580?sjid=17120824358789328945-EU

 

 

Hope that helps, not only for Daniel !

 

  • Thanks 3
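Added example, not part of the original post or the forum's own code: a small Python parser for the `Authentication-Results` header quoted above. It shows that SPF was evaluated against the envelope sender domain (`smtp.mailfrom`), not the visible `header.from` domain, and checks whether either SPF or DKIM both passes and aligns with the From domain, which is what DMARC requires. The `ALIGNED` header and the two-label `org_domain` shortcut are assumptions made for the illustration.

```python
import re

# Authentication-Results value quoted in the post above.
HEADER = ("spf=none (sender IP is 138.201.18.17) smtp.mailfrom=mail.danielwolf.eu; "
          "dkim=none (message not signed) header.d=none;"
          "dmarc=none action=none header.from=delphipraxis.net;")
# Constructed sample of an aligned, passing message (not from the page).
ALIGNED = ("mx.example.net; spf=pass smtp.mailfrom=bounce@mail.example.org; "
           "dkim=pass header.d=example.org; dmarc=pass header.from=example.org")

def parse_auth_results(value):
    """Return {method: {"result": r, property: value, ...}} per clause."""
    out = {}
    value = re.sub(r"\([^)]*\)", " ", value)          # strip (comments)
    for clause in value.split(";"):
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:        # empty or authserv-id
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        out[method.lower()] = {"result": result.lower(), **props}  # last clause wins
    return out

def org_domain(name):
    # Assumption: naive "last two labels"; production code needs the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def dmarc_assessment(value):
    """Check SPF/DKIM results and their alignment with the visible From domain."""
    ar = parse_auth_results(value)
    spf, dkim, dmarc = (ar.get(k, {}) for k in ("spf", "dkim", "dmarc"))
    from_dom = dmarc.get("header.from", "")
    spf_dom = spf.get("smtp.mailfrom", "").rpartition("@")[2]
    spf_aligned = bool(spf_dom) and org_domain(spf_dom) == org_domain(from_dom)
    dkim_aligned = org_domain(dkim.get("header.d", "")) == org_domain(from_dom)
    findings = []
    if spf_dom and not spf_aligned:
        findings.append(f"SPF is evaluated for {spf_dom}, not {from_dom}")
    if spf.get("result") == "none":
        findings.append(f"no SPF record found for {spf_dom}")
    if dkim.get("result") == "none":
        findings.append("message is not DKIM-signed")
    if dmarc.get("result") == "none":
        findings.append(f"no DMARC policy found for {from_dom}")
    passes = (spf.get("result") == "pass" and spf_aligned) or \
             (dkim.get("result") == "pass" and dkim_aligned)
    return {"from": from_dom, "spf_domain": spf_dom,
            "dmarc_would_pass": passes, "findings": findings}

if __name__ == "__main__":
    for name, hdr in (("forum mail", HEADER), ("aligned sample", ALIGNED)):
        print(name, dmarc_assessment(hdr))
```

DKIM and DMARC records are published under `<selector>._domainkey.<domain>` and `_dmarc.<domain>`, so a TXT lookup of the bare domain does not show them; the receiver's `Authentication-Results` header is the more direct evidence.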
