Jump to content

Blocked email after moving domain to VPS (from Tommy)


Recommended Posts

Hi, everybody.

First, I don't know whether this problem is related to the move, especially since the mail from my domain is managed by Google Workspaces, but it just started after the move yesterday.

Today I was blocked by a client I has been corresponding with for years. This is the return message I received:

image.png

It translates to:

The message has been blocked.
Your message to dguerrero@elnuevomundo.com has been blocked. For more information see the following technical data:
This is the response from the remote server:
550 permanent failure...

I sent an email to M@ilGenius to check for problems (first email spam test I found googling) and the problem seems to be the SPF records:

image.thumb.png.0eeca867fc7cf46163c1de23c6578776.png

Here's the detail:

image.png.398012a0457953868972c9d9d496dfee.png

I use my personal Gmail account to send (and read) my infantex.com.mx's mail (via smtp.gmail.com). Nothing has changed there.

I mean, the only change from yesterday is that the infantex.com.mx domain was previously hosted on Tommy and as of yesterday night I moved it to my HelioHost VPS. I use Hestia control panel, I didn't select "enable email" when creating the domain and I set the corresponding MX records in the DNS zone to point to the relevant Google servers (ASPMX.L.GOOGLE.COM, and such).

Any ideas? Would it help to diagnose the problem if Iposted the raw email content?

Link to comment
Share on other sites

SPF is a text record for your domain that verifies the IP address the email was sent from is allowed to send emails from your domain. Since you're using Google Workspaces, perhaps this explanation might help: Google Help. Essentially, you'll need to create a TXT record like this one: v=spf1 mx a ip4:<your email server's IP> ~all.

As for DKIM, that one's a bit more complicated. Unless HestiaCP allows you to create a DKIM key, you'll need to create one yourself, and add it as to your domain's text records accordingly. 

Link to comment
Share on other sites

Thanks for your answer.

There was an SPF record in Hestia, paired to the VPS's IP, I changed it to "v=spf1 include:_spf.google.com ~all" as per Google's instructions (instructions didn't include the quote marks, the existing record had them, I left them there 😬). I'll let the change propagate for a while and test again later.

 

Five days later and the SPF record still hasn't propagated! Am I doing something wrong? I'm still getting my email blocked.

I used the SPF record checker of the DMARC Analyzer site (https://www.dmarcanalyzer.com/es/spf-3/checker/) and I got the old record (originally created by Hestia SPF record):

v=spf1 a mx ip4:65.19.141.197 -all

Is this normal after five days of having changed it?

 

I tried the following:

C:\Users\JorgeZaldivar>nslookup
Servidor predeterminado:  2806-1020-ffff-0004-0000-0000-0000-000e.ipv6.infinitum.net.mx
Address:  2806:1020:ffff:4::e

> server 65.19.141.197
Servidor predeterminado:  [65.19.141.197]
Address:  65.19.141.197

> set q=TXT
> infantex.com.mx
Servidor:  [65.19.141.197]
Address:  65.19.141.197

infantex.com.mx text =

        "v=spf1 a mx ip4:65.19.141.197 -all"
>

So, to my surprise, even my VPS is returning the old SPF record, so it's not a propagation thing. I don't know.

image.thumb.png.29ceb31ee2c78976ea29bf332f99bfe8.png

The correct SPF record is there. What am I doing wrong?

I will delete that record (I edited it from Hestia's original) and add it again. I don't know what else to do.

Any ideas?

 

I deleted the SPF record and entered it again.

Still, no luck.

I deleted the record. Used nslookup and got the (deleted) old record.

I added the new record. nslookup still returned the old record... even if I was using my own VPS as nameserver.

Shouldn't, in that case, the change be reflected immediately?

 

At some point, as per @wolstech suggestion, I modified the NS record that pointed to ns1.heliohost.us and pointed it to ns1.infantex.com.mx, and deleted the NS record that pointed to ns2.heliohost.us. Later, on my own accord, after noticing that the DNS zone listed ns1.heliohost.us as SOA, I modified it, as well, to point to ns1.infantex.com.mx.

I don't know if that could be a problem. I just reverted the SOA to ns1.heliohost.us but I'm acting blindly here.

EDIT: I tried last week to move the DNS managment to Cloudflare (new to it) to see if that could solve the problem (and also so I wouldn't need to fiddle with this after returning to Tommy) but I couldn't add the domain to Cloudflare, I got an error: "Failed to lookup registrar and hosting information of infantex.com.mx at this time. Please contact Cloudflare Support or try again later." I  just tried again and got the same result.

Last Thursday, after failing to add the domain to Clodflare, I checked DNS propagation with WhatsMyDNS.net (https://www.whatsmydns.net/#A/infantex.com.mx) and, while some servers listed my VPS's IP, most listed ns1.heliohost.us. Today, all list the VPS's IP (65.19.141.197).

Link to comment
Share on other sites

What I ended up doing was using Cloudflare for DNS.

I had to temporally revert the DNS at my Registrar's to ns1 and ns2.heliohost.org, so that I could add it to Cloudflare.

I set the SPF (actually a TXT record properly formatted for SPF: v=spf1 include:_spf.google.com ~all).

Around 15 minutes after that, it began to propagate, as per WhatsMyDNS.net results (when I did the same in Hestia it NEVER propagated).

A couple of hours later, I tested with dmarcanalyzer.com's SPF record check tool and got a passing result.

As I final test, I programmed an email to be sent tomorrow during working hours to the same customer that blocked me in the first place. Hopefully, it won't be blocked this time.

I don't know why the SPF record didn't propagate from my VPS.

 

Link to comment
Share on other sites

Sounds like the DNS server on Hestia isn't working properly for some reason. I don't know enough about Hestia to troubleshoot that unfortunately :(

CF will work fine as a substitute though as long as you make your DNS changes there.

Link to comment
Share on other sites

10 hours ago, wolstech said:

Sounds like the DNS server on Hestia isn't working properly for some reason. I don't know enough about Hestia to troubleshoot that unfortunately :(

CF will work fine as a substitute though as long as you make your DNS changes there.

This is, unfortunately, the situation I am in ad well. I was forced to use Cloudns for my free domain and Cloudflare for my paid one. No idea why, but from what I can gather, the Hestia team didn't mess with the DNS config from vesta when they built it.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...