Posts Tagged ‘DKIM’

Incident report: Some mails to Microsoft online services was getting blocked..

Posted on: February 13th, 2025 by Mads Petersen

This afternoon earlier today one of the Kolab Now MX servers was listed on the Microsoft block list. This means that some users might have seen, that mails sent to recipients at ‘@outlook.com’, ‘@live.com’, ‘@hotmail.com’, and other Microsoft online services was bounced back with the message that looks something like this:

This is the mail system at host mx.kolabnow.com. 
I'm sorry to have to inform you that your message could not 
be delivered to one or more recipients. It's attached below. 
For further assistance, please send mail to postmaster. 
If you do so, please include this problem report. You can 
delete your own text from the attached returned message. 
The mail system <some-email@outlook.com>: host  
outlook-com.olc.protection.outlook.com[x.x.x.x] said: 550 5.7.1 
Unfortunately, messages from [y.y.y.y] weren't sent. Please contact 
your Internet service provider since part of their network is on our block 
list (S3150). You can also refer your provider to 
http://mail.live.com/mail/troubleshooting.aspx#errors. [Name=Protocol 
Filter Agent][AGT=PFA][MxId=<some long number>] 
[SG2PEPF03345FBECA.apcprd05.prod.outlook.com 2025-02-13T<timestamp>Z 
<another long number>] (in reply to MAIL FROM command)

Although the listing was fast discovered, Microsoft was contacted and the listing is reversed as soon as it is possible, it took a while. At this time emails should be delivered to the Microsoft online services.

A few users has misinterpreted the symptoms with error messages from missing the DKIM changes made on Monday (please read this blog post from December 2024 and the follow ups). If you are a group manager, then please make sure that you have the new DKIM related CNAMES added to your DNS zone.

If you have any questions or concerns in this context, then please contact support.

Tags: Anti-Spam, blog, DKIM, DNS, Incident Report, Security, SPAM, Support

Service Window: Change to DKIM-Signatures – domain alignment

Posted on: February 5th, 2025 by Mads Petersen

On December 20’th 2024 we announced a change to the DKIM configuration on Kolab Now. The announcement described actions needed for users with private domains. We recommended that group managers (the owners of private domains) set the following CNAMEs (both of them) in the DNS of their private domain:

dkim1._domainkey CNAME dkim1._domainkey.kolabnow.com.
dkim2._domainkey CNAME dkim2._domainkey.kolabnow.com.

We also said in the announcement, that we would provide the actual update top the system in the end of January. Unfortunately the snow in the Swiss alps was so wonderful in the end of January, that our techies got a bit delayed.

However, it has now come so far that we announce a service window on:

Monday February 10’th, 2025 @ 08:00 UTC.

The Service window will last for an hour, within which users might see a small bump in the performance.

If you are the owner of a private domain and you have not yet added the CNAME records to your domain, then your outgoing emails might be refused by the recipient servers after the change.

We will keep you up to date with the progress of the work via updates to this post.

– 2025-02-10 @ 07:59 UTC: The service window is now open and the work is in progress. As written, you should not see any big impact.

– 2025-02-10 @ 08:45 UTC: The change has been implemented, and the service window is done. The new domain alignment is tested and seems to be working as expected. If you have any problems with your private domain, then please contact support.

Tags: DKIM, DNS, Service Window

Action required for Group managers!: Change to DKIM-Signatures – domain alignment

Posted on: December 20th, 2024 by Mads Petersen

Lately we have seen a few emails not being delivered to third parties and bounced emails with messages about failing DKIM signatures.

DKIM is a mechanism that allows a receiving party of emails to determine whether an email has indeed been sent by the party that is claimed to be the sender, thus protecting against forged sender email addresses. Kolab Now implemented DKIM signatures a long time ago, but so far we have always used the kolabnow.com domain as the sender domain, when sending an email from a custom domain. An example signature header would look like this (please note the ‘d= tag’):

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kolabnow.com; h= content-type:content-type:content-transfer-encoding:message-id :subject:subject:from:from:date:date:mime-version:received :received:received; s=dkim20240523; t=1734354313; x=1736168714; bh=mBUfOmuiUe6nDmAiAsHAHqpD0F+Gd9nJUF5Z5spFd8I=; b=bVuQog18XlAx +YG8FhYOSvrHhdAyr2PUb/24fINK1zlqDGQS56ULJp87ogvG0NBK7G4dNG94Nhnc GIOtTwZX5+NDpOFcQ6hldkxU7thO1734fWHA6kL8CXKWZ35IWnyyf7/DAp1rPIhe wUM9td8SwP+/SOibhOOLPKf4Zz9I3qygVvnzMBMFXb0bTQbpV45ASLk0RsG8Q+jP RBFlRboeqE5mCEgrg3q0i3ip2bGkhqAGzUTmqi0ckTvXltm+nCFpVSKlRy+lgrXY PQyaK97xt3pUHX9sdcJFHyIDldU/cSWCcTsrQobk5J0UPj8Dlh2RIma/06K9EEcl Bx27XRIK4Q==

This used to be fine paired with our DMARC policy recommendation, but recently some parties in the email ecosystem have become more stringent, often ignoring the DMARC policy, and rejecting email that is not domain aligned.
Going forward, we are planning to adjust our DKIM-Signature so that it will use your sender domain for alignment. This means, that for a user ‘doe@kolab.org’ the signature would look something like this:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kolab.org; h= content-type:content-type:content-transfer-encoding:message-id :subject:subject:from:from:date:date:mime-version:received :received:received; s=dkim20240523; t=1734354313; x=1736168714; bh=mBUfOmuiUe6nDmAiAsHAHqpD0F+Gd9nJUF5Z5spFd8I=; b=bVuQog18XlAx +YG8FhYOSvrHhdAyr2PUb/24fINK1zlqDGQS56ULJp87ogvG0NBK7G4dNG94Nhnc GIOtTwZX5+NDpOFcQ6hldkxU7thO1734fWHA6kL8CXKWZ35IWnyyf7/DAp1rPIhe wUM9td8SwP+/SOibhOOLPKf4Zz9I3qygVvnzMBMFXb0bTQbpV45ASLk0RsG8Q+jP RBFlRboeqE5mCEgrg3q0i3ip2bGkhqAGzUTmqi0ckTvXltm+nCFpVSKlRy+lgrXY PQyaK97xt3pUHX9sdcJFHyIDldU/cSWCcTsrQobk5J0UPj8Dlh2RIma/06K9EEcl Bx27XRIK4Q==

and so ensuring that all outgoing emails from this sender are domain aligned. However, this will require that the DKIM key is available on your domain in DNS. We recommend that group managers (the owners of private
domains) set the following CNAMEs (both of them) in the DNS of their private domain:

dkim1._domainkey CNAME dkim1._domainkey.kolabnow.com.
dkim2._domainkey CNAME dkim2._domainkey.kolabnow.com.

This will delegate the actual DKIM public key to be managed by the kolabnow.com domain, who in turn will align the key with the sending domain as mentioned above.

We will enable domain-aligned signatures in the end of January 2025, at which point DKIM validation will fail if these above (CNAME) records are not set.

Please keep an eye on this blog for news and updates. We hope this will improve email deliverability.

PS: Thank you to the users who reported the issue, and delivered content for our investigations. You know who you are.

Tags: DKIM, DMARC, Sender Policy Framework

Junk Email Filter.com is Junk

Posted on: October 16th, 2017 by Jeroen van Meeuwen

We’re dropping our use of junkemailfilter.com “Spam DNS Lists”, because we have few positive experiences with it. Frankly, it is Junk.

> Continue Reading

Tags: Anti-Spam, DKIM, DMARC, DNSSEC, DNSWL, Junk Email Filter, RBL, RHSBL, RHSWL, Sender Policy Framework, Support

A Stricter DMARC Policy, Part II

Posted on: October 9th, 2017 by Jeroen van Meeuwen

Last month, we let you know a stricter DMARC policy was being applied to Kolab Now infrastructure. With a primary aim to increase our reputation and decrease phishing attempts from clearly false senders, we’ve since learned about some secondary effects;

> Continue Reading

Tags: DKIM, DMARC, DNSSEC, Phishing, Sender Policy Framework, SPAM

A Stricter DMARC Policy

Posted on: September 26th, 2017 by Jeroen van Meeuwen

Sometimes, we receive reports that either our general reputation has declined to the point that certain receiving parties will block some of the email sent through our infrastructure, and that bothers us — because it bothers our customers. This usually involves just a limited number of messages, but is annoying nonetheless.

Other times we receive reports of phishing. These usually do not include verbiage that is suitable for repeating in this here blog, as the reports reply to messages do not originate from us, usually refer to external, third party sites but are most importantly also not submitted through our infrastructure. We follow up these occurrences with abuse reports to web server hosting companies, email providers and through other associated channels, but responses are often not thorough and not quick.

> Continue Reading

Tags: DKIM, DMARC, DNSSEC, Phishing, Sender Policy Framework, SPAM