Emails getting rejected from Gmail on Virtualmin/Webmin and CentOS

December 23, 2015 937 views
DNS Email CentOS

I have a CentOS 7 droplet that currently hosts 4 domains running Virtualmin/Webmin.

The droplet is named example.com (which is one of the 4 domains). PTR record is updated correctly with the droplet IP.

BIND DNS Server module is disabled, as I am using the "Networking > Domains" panel provided by DO. Per each of my domains, I have configured DNS as follows:

A         @       *droplet ip*
A         mail    *droplet ip*
CNAME     www     domain.com.
CNAME     *       domain.com.
MX        5       mail.domain.com.
TXT       @       "v=spf1 a mx a:domain.com ip4:*droplet ip* ?all"
NS        ns1.digitalocean.com.
NS        ns2.digitalocean.com.
NS        ns3.digitalocean.com.

Here is my /etc/hostname


And /etc/hosts

server.example.com      server   localhost.localdomain   localhost   localhost4.localdomain4  localhost4

::1             server.example.com       server
::1             localhost.localdomain    localhost
::1             localhost6.localdomain6  localhost6

*droplet ip*    server.example.com

And /etc/resolv.conf

# Generated by NetworkManager
search example.com

Finally, I have setup a forward from postmaster@domain.com to my gmail account.

Here the issue comes: if I send a test email from my outlook account to postmaster@domain.com I expect it to get delivered to my gmail account. However, this is what I get back:

This is the mail system at host server.localdomain. 

I'm sorry to have to inform you that your message could not 
be delivered to one or more recipients. It's attached below. 

For further assistance, please send mail to postmaster. 

If you do so, please include this problem report. You can 
delete your own text from the attached returned message. 

The mail system 

<myemail@gmail.com> (expanded from <postmaster@domain.com>): host 
gmail-smtp-in.l.google.com[] said: 550-5.7.1 [*droplet ip*] 
The IP address sending this message does not have a PTR 550-5.7.1 record 
setup. As a policy, Gmail does not accept messages from IPs 550-5.7.1 with 
missing PTR records. Please visit 550-5.7.1 
https://support.google.com/mail/answer/81126#authentication for more 550 
5.7.1 information. r7si49844073wmg.47 - gsmtp (in reply to end of DATA 

What am I doing wrong?

1 Answer

It sounds like your droplet's name is not a FQDN (Fully Qualified Domain Name). If you rename your droplet to use a FQDN (such as domain.com), the PTR record would update for you automatically. Once that globally propagates, you would no longer get that error from gmail.

Hope it helps!
Jason Colyer
DigitalOcean Platform Support Lead

  • I ended up working that out, but thank you for the reply!

    I still have a question, though. Do I need to add a:
    TXT @ "v=spf1 a mx a:domain.com ip4:dro.ple.tip ?all"

    for each of the domains? Or only in the domain matching the droplet name? Or do I not need that line at all?

    Thank you

    • You would want to have an SPF record and a DKIM record for any domain you will be using in your mail setup. This helps to prevent it from being logged as spam or spam-like. The records basically do a little extra to show the email was authenticated from the source.

      There is actually a great SPF record generator available here. It can ensure your SPF record does everything you would want from it.

      Hope it helps,
      Jason Colyer
      DigitalOcean Platform Support Lead

      • That's great, thank you.

        So using the tool you provided I got the following:

        domain.com.  IN TXT "v=spf1 mx a ip4:dropletip/32 a:ns1.digitalocean.com a:ns2.digitalocean.com ?all"

        Is that correct? My only doubt is that only the website that matches the droplet name has a FQDN. Would adding that line per each domain be enough?

• It really depends on how strict you want your checks. As a general rule, something like this would work for you:

          ```
          domain.com. IN TXT "v=spf1 mx a:mail.domain.com -all"
          ```

          I would recommend each domain you are going to use have that for it. This way, they all are able to authenticate properly. You would want the record on that domain's DNS zone file. So if you had the domains:

          You would want each having it. If your mail server (in this example) was mail.domain.com, the records would look like so:
          ```
          domain.com. IN TXT "v=spf1 mx a:mail.domain.com -all"
          domain.org. IN TXT "v=spf1 mx a:mail.domain.com -all"
          domain.co.uk. IN TXT "v=spf1 mx a:mail.domain.com -all"
          ```
          Hope it helps,
          Jason Colyer
          DigitalOcean Platform Support Lead