Getting "This message does not meet IPv6 sending guidelines"

[MarkEHansen]

I'm running CentOS 5.10 (just updated a couple weeks ago) and sendmail 8.13.8.

I have a small network at home, where my CentOS machine acts as a bastion box (firewall, router, sendmail server, IMAP server, etc.).
I have a static IP address through my ISP, which is 65.78.188.61
I have DNS services provided by ENOM (http://access.enom.com) and my domain name is mehconsulting.com

A few weeks ago, I began getting errors when attempting to send e-mail messages to anyone at gmail.com:

550-5.7.1 [2606:400:0:5:240:f4ff:fe04:c83c 16] Our system has detected that
550-5.7.1 this message does not meet IPv6 sending guidelines regarding PTR
550-5.7.1 records and authentication. Please review
550-5.7.1 https://support.google.com/mail/?p=ipv6 ... tion_error for more
550 5.7.1 information. xb5si11175110pab.55 - gsmtp

In looking at the page referenced in the error message, it sounds like they are complaining that I don't have a reverse DNS record for my IPv6 address. However, I was told by someone else that it was not my IPv6 network at all, but rather I needed to update the SPF records configured at my DNS service.

I haven't done anything (as far as I know) on my CentOS machine to prevent IPv6 networking and I think I don't want to. I would rather add what is needed to get gmail to be happy when sending e-mail.

In doing research on this issue, I thought I read that for IPv6, I need to have Quad-A (AAAA) records or the new DNAME records
at my DNS provider, but ENOM doesn't seem to support either of these record types.

At my DNS provider, I have the following records. Can anyone please tell me where I need to go to resolve this error?

Code: Select all

Host Records:
  Host Name       Address                         Record Type     Options
  @               65.78.188.61                    A (Address)
  @               v=spf1 mx a ptr -all            TXT
  ftp             stargate.mehconsulting.com.     CNAME (Alias)
  mail            stargate.mehconsulting.com.     CNAME (Alias)
  mail            v=spf1 mx a ptr -all            TXT
  phone           messaging.name-services.com.    CNAME (Alias)
  stargate        65.78.188.61                    A (Address)
  stargate        v=spf1 mx a ptr -all            TXT
  www             stargate.mehconsulting.com.     CNAME (Alias)
  www.phone       messaging.name-services.com.    CNAME (Alias)

SRV Host Records:


Email Settings:
  Select Service: User simplified (IP Address)

  Hostname      Record Type     IP Address
  mail          MXE (mail)      65.78.188.61

Thanks for any help.

[avij]

Are you sure eNom does not support AAAA records? This page seems to suggest that they'd be supported.

It was left unclear whether you managed to add the IPv6 reverse DNS entry for your IPv6 address or not. If you have the possibility to fix that, I'm sure that would take care of a few obstacles.

As for SPF, you could update your TXT records to contain the IPv6 address of your server, like "v=spf1 mx a ptr ip6:2001:db85678::/64 -all" and see if that helps.

[MarkEHansen]

For some reason, I thought they didn't provide any way to add the quad-A record, but you are correct.

Based on what you've said, I've updated my Enom configuration as shown below. Is this what you meant?
Are there other changes which you think are needed? I'll need to wait a while before I can test, as I think
it will take some time before Google refreshes its cache.

Thanks,

Enom configuration:

Code: Select all

Host Records:
  Host Name       Address                                                   Record Type     Options
  @               65.78.188.61                                              A (Address)
  @               2606:400:0:5:240:f4ff:fe04:c83c                           AAAA (Address)
  @               v=spf1 mx a ptr -all                                      TXT
  @               v=spf1 mx a ptr ip6:2606:400:0:5:240:f4ff:fe04:c83c -all  TXT
  ftp             stargate.mehconsulting.com.                               CNAME (Alias)
  mail            stargate.mehconsulting.com.                               CNAME (Alias)
  mail            v=spf1 mx a ptr -all                                      TXT
  phone           messaging.name-services.com.                              CNAME (Alias)
  stargate        65.78.188.61                                              A (Address)
  stargate        2606:400:0:5:240:f4ff:fe04:c83c                           AAAA (Address)
  stargate        v=spf1 mx a ptr -all                                      TXT
  www             stargate.mehconsulting.com.                               CNAME (Alias)
  www.phone       messaging.name-services.com.                              CNAME (Alias)

SRV Host Records:


Email Settings:
  Select Service: User simplified (IP Address)

  Hostname      Record Type     IP Address
  mail          MXE (mail)      65.78.188.61

Do I need to add the new ip6 SPF record for the "stargate" and "mail" entries as well?

Thanks!

[MarkEHansen]

Note that I just queried the name server at my ISP using dig, and although it shows the reverse DNS for my IPv4 address, it doesn't
show anything for my IPv6 address. Do I just need to wait longer, or do I have it configured improperly?

Reverse lookup of my IPv4 address:

Code: Select all

19 stargate:->> dig @66.60.130.2 -x 65.78.188.61

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 <<>> @66.60.130.2 -x 65.78.188.61
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65462
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;61.188.78.65.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
61.188.78.65.in-addr.arpa. 86185 IN     PTR     stargate.mehconsulting.com.

Reverse lookup of my IPv6 address:

Code: Select all

20 stargate:->> dig @66.60.130.2 -x 2606:400:0:5:240:f4ff:fe04:c83c

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 <<>> @66.60.130.2 -x 2606:400:0:5:240:f4ff:fe04:c83c
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7963
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;c.3.8.c.4.0.e.f.f.f.4.f.0.4.2.0.5.0.0.0.0.0.0.0.0.0.4.0.6.0.6.2.ip6.arpa. IN PTR

[avij]

You will need to talk to your ISP (SureWest) about setting the reverse DNS name for your IPv6 address.

You seem to have two TXT records for mehconsulting.com now. There should be only one TXT record for @. Try removing the one that doesn't have the IPv6 address mentioned. Yes, you should probably have the same kind of TXT record (that has the ip6 part) for all the hosts that you currently have configured for SPF.

On the other hand, listing the IPv4/IPv6 addresses in the TXT record shouldn't be necessary when all the the forward and reverse DNS configuration is done. The current "mx a ptr" entries in the SPF record would be sufficient in that case. I suggested adding the ip6 because I was unsure about your possibilities to adjust the other DNS settings (forward and/or reverse).

I'm not sure if Google will still require a valid reverse DNS name for your IPv6 address, or if the TXT record amendmends will suffice. You will need to test that out yourself.

[TrevorH]

I'm not sure if Google will still require a valid reverse DNS name for your IPv6 address, or if the TXT record amendmends will suffice. You will need to test that out yourself.

I can tell you that the reverse works: I have no TXT records but do have ipv6 PTR records and do not get complaints from mail sent over ipv6 to the gmail servers. Before I added the rdns ipv6 PTR I did get the same errors but they go away as soon as I added the l.o.n.g.s.t.r.i.n.g.o.f.n.u.m.b.e.r.s.ip6.arpa. record.

[MarkEHansen]

Thanks for the help. I'm confused on where the problem is. Doesn't the DNS service (enom in my case) handle the name to IP address mappings for my domain? Why would I need to talk to my ISP then? Don't they just provide the IP for my domain?

To clarify, I only have one machine that is visible to the outside world. It is 65.78.188.61. It was my intention to have aliases for the various names associated with this machine (ftp.mehconsulting.com, mail.mehconsulting.com).

"stargate" is my internal name for the machine. I added the aliases because I thought they were needed (it's been so long now since I set this up, I really don't remember - it's been working until now, so I haven't had to bother with it).

I'm not clear what is needed for my TXT records. I have two for @: One for the IPv4 address and one for the IPv6 address. Are you saying I only need one of these?

Then I also have TXT records for "mail" and "stargate". Do I need these?

Sorry I'm having such a hard time with this. This all made sense when I originally set it up, but it's been so long...

[avij]

eNom takes care of the name -> IP address mapping, your ISP is responsible for the IP address -> name mapping. Your ISP can also delegate the resolving task to other nameservers, but whether they're willing to do that is another matter. I recommend asking them to set the reverse DNS name of 2606:400:0:5:240:f4ff:fe04:c83c to stargate.mehconsulting.com and see what they think of the idea. It could point to any suitable name, but as your IPv4 address seems to point to stargate.mehconsulting.com, perhaps it makes sense to point the IPv6 address to the same name.

Yes, you should have only one TXT record for each name. The same TXT record is used for both IPv4 and IPv6.

Whether "mail" and "stargate" need their own TXT records depends on how you have configured your sendmail, i.e. if those names will be shown to the remote host when sending email. If you're not sure, copy the TXT record from @ for mail and stargate as well. The TXT record can be the same for all your hosts, just duplicated for @, mail and stargate.

[MarkEHansen]

I've asked my ISP about the reverse DNS. I'll have to wait a day or two for them to respond.

I've updated my DNS records at enom. Do these look correct now?

Code: Select all

Host Records:
  Host Name       Address                                                       Record Type     Options
  @               65.78.188.61                                                  A (Address)
  @               2606:400:0:5:240:f4ff:fe04:c83c                               AAAA (Address)
  @               v=spf1 mx a ptr ip6:2606:400:0:5:240:f4ff:fe04:c83c/64 -all   TXT
  ftp             stargate.mehconsulting.com.                                   CNAME (Alias)
  mail            stargate.mehconsulting.com.                                   CNAME (Alias)
  mail            v=spf1 mx a ptr ip6:2606:400:0:5:240:f4ff:fe04:c83c/64 -all   TXT
  phone           messaging.name-services.com.                                  CNAME (Alias)
  stargate        65.78.188.61                                                  A (Address)
  stargate        2606:400:0:5:240:f4ff:fe04:c83c                               AAAA (Address)
  stargate        v=spf1 mx a ptr ip6:2606:400:0:5:240:f4ff:fe04:c83c/64 -all   TXT
  www             stargate.mehconsulting.com.                                   CNAME (Alias)
  www.phone       messaging.name-services.com.                                  CNAME (Alias)

SRV Host Records:


Email Settings:
  Select Service: User simplified (IP Address)

  Hostname      Record Type     IP Address
  mail          MXE (mail)      65.78.188.61

Thanks again,

[MarkEHansen]

I just got a response from the support folks at my ISP. They say:

Unfortunately the DNS servers provided by surewest for mapping DNS do not support adding an AAAA record, which is needed for ipv6 addresses at this time. However the static ipv4 address assigned to your account (65.78.188.61), is fully support via stargate.mehconsulting.com DNS Server.

However, this doesn't really help me, as the Google server will not accept a connection from me unless my IPv6 address has a reverse DNS.

What can I do now?