Score:2

Google G Suite DMARC + SPF + DKIM for user domain aliases fail Google Admin Toolbox CheckMX


I have set up the above in my old Google G Suite account for a user domain alias but am still getting two warning messages:

https://webcoder.co.uk

    There were some non-critical problems detected with the configuration of this domain.
    Depending on how you configured your mail-flow, this could be a source of mail delivery issues.

    DKIM is not set up. warning [this one always appears in yellow]

    TXT lookup should fit in one UDP response packet.

https://toolbox.googleapps.com/apps/checkmx/check?domain=webcoder.co.uk

I have SPF and DKIM set up correctly according to other tools, which validate successfully, and only a few necessary entries in DNS:

# dig webcoder.co.uk any

; <<>> DiG 9.16.1-Ubuntu <<>> webcoder.co.uk any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13051
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;webcoder.co.uk.            IN  ANY

;; ANSWER SECTION:
webcoder.co.uk.     86400   IN  A   176.58.127.176
webcoder.co.uk.     86400   IN  NS  ns1.tsodns.com.
webcoder.co.uk.     86400   IN  NS  ns2.tsodns.com.
webcoder.co.uk.     86400   IN  SOA ns1.tsodns.com. support.tsohost.com. 1628681639 10800 3600 604800 3600
webcoder.co.uk.     86400   IN  MX  1 ASPMX.L.GOOGLE.com.
webcoder.co.uk.     86400   IN  MX  5 ALT1.ASPMX.L.GOOGLE.com.
webcoder.co.uk.     86400   IN  MX  5 ALT2.ASPMX.L.GOOGLE.com.
webcoder.co.uk.     86400   IN  MX  10 ALT3.ASPMX.L.GOOGLE.com.
webcoder.co.uk.     86400   IN  MX  10 ALT4.ASPMX.L.GOOGLE.com.
webcoder.co.uk.     86400   IN  TXT "google-site-verification=oYfc0eoSUnoeUBYoTYKS9qIUlUlw6cHk6IWdC4UfTCc"
webcoder.co.uk.     86400   IN  TXT "v=spf1 include:_spf.google.com ~all"

;; Query time: 19 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Wed Aug 11 13:00:02 BST 2021
;; MSG SIZE  rcvd: 401


# dig webcoder.eu any

; <<>> DiG 9.16.1-Ubuntu <<>> webcoder.eu any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63301
;; flags: qr rd ra; QUERY: 1, ANSWER: 12, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;webcoder.eu.           IN  ANY

;; ANSWER SECTION:
webcoder.eu.        86400   IN  A   176.58.127.176
webcoder.eu.        3600    IN  NS  ns51.domaincontrol.com.
webcoder.eu.        3600    IN  NS  ns52.domaincontrol.com.
webcoder.eu.        3600    IN  SOA ns51.domaincontrol.com. dns.jomax.net. 2021081123 28800 7200 604800 3600
webcoder.eu.        604800  IN  MX  20 alt1.aspmx.l.google.com.
webcoder.eu.        604800  IN  MX  30 alt2.aspmx.l.google.com.
webcoder.eu.        604800  IN  MX  10 aspmx.l.google.com.
webcoder.eu.        604800  IN  MX  40 aspmx2.googlemail.com.
webcoder.eu.        604800  IN  MX  50 aspmx3.googlemail.com.
webcoder.eu.        86400   IN  TXT "v=spf1 include:_spf.google.com ~all"
webcoder.eu.        86400   IN  TXT "MS=ms50869792"
webcoder.eu.        86400   IN  TXT "google-site-verification=mq-5iDOSGsTY1whcBFqWbq6DXAy9WfD9YpXlDGU3Qyg"

;; Query time: 79 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Wed Aug 11 13:00:50 BST 2021
;; MSG SIZE  rcvd: 445

When I check my primary domain webcoder.eu, on the other hand, I am getting either a successful validation (all green) or intermittent UDP errors:

error (in red):

    MX lookup must fit in one UDP response packet.

    Overly large MX response will cause problems for many senders. To avoid this, either decrease the number of MX records or shorten their names

warning appeared only a couple of times (yellow):

    DKIM is not set up. warning

    TXT lookup should fit in one UDP response packet.

Pro tip: do not use dig ... ANY as it does not do what you think it does, hence it is not a good troubleshooting tool. Another important point that you might not see and which will create havoc is that for some reason your two TXT records have different TTLs (1d vs 1h) which is kind of against the DNS specifications, you might want to fix that. – Patrick Mevzek 17 hours ago from StackOverflow
My question about the above is: why do hosting companies allow specifying different TTLs for individual TXT records if it is against the DNS specification? I could not find anything about it in the RFCs anyway.
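Two checks a practitioner would want here, as an added example that is neither the asker's nor Google's code: whether an MX or TXT answer for a zone fits in a classic 512-byte UDP reply (the CheckMX warning above), and whether every RRset carries a single TTL (RFC 2181 section 5.2, the point raised in the comment). The estimator uses the MX hosts from the webcoder.eu dig output plus a constructed sample RRset, approximates the wire size (it ignores the Additional section and RDATA compression), and makes no network queries.

```python
"""Estimate DNS answer sizes against the classic 512-byte UDP limit and
check RRset TTL consistency (RFC 2181 s5.2). Offline: no queries are made."""
from collections import defaultdict
UDP_LIMIT = 512            # DNS/UDP payload without EDNS0 (RFC 1035)
HEADER = 12                # fixed DNS message header
RR_FIXED = 2 + 2 + 2 + 4 + 2  # owner as compression pointer + TYPE, CLASS, TTL, RDLENGTH

def wire_name_len(name):
    """Uncompressed wire length: one length byte per label, plus the root label."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return sum(1 + len(lab) for lab in labels) + 1

def mx_rdata_len(exchange):
    return 2 + wire_name_len(exchange)           # 16-bit preference + exchange name

def txt_rdata_len(text):
    chunks = [text[i:i + 255] for i in range(0, len(text), 255)] or [""]
    return sum(1 + len(c) for c in chunks)       # 1-byte length per <character-string>

def answer_size(qname, rdata_lens):
    """Header + question + one RR per rdata. Approximation only: it ignores the
    Additional section (which can enlarge a real MX reply) and RDATA compression
    (which can shrink it), so treat a result near the limit as a red flag."""
    question = wire_name_len(qname) + 4          # QNAME + QTYPE + QCLASS
    return HEADER + question + sum(RR_FIXED + n for n in rdata_lens)

def fits_in_udp(size, limit=UDP_LIMIT):
    return size <= limit

def ttl_violations(records):
    """records: (owner, type, ttl) tuples; returns RRsets that mix TTLs."""
    ttls = defaultdict(set)
    for owner, rtype, ttl in records:
        ttls[(owner.lower(), rtype)].add(ttl)
    return {k: sorted(v) for k, v in ttls.items() if len(v) > 1}
# MX hosts as listed in the webcoder.eu dig output in the question
EU_MX = ["alt1.aspmx.l.google.com.", "alt2.aspmx.l.google.com.",
         "aspmx.l.google.com.", "aspmx2.googlemail.com.", "aspmx3.googlemail.com."]
# Constructed sample RRset illustrating the mixed-TTL condition from the comment
SAMPLE_RECORDS = [("example.test", "TXT", 86400), ("example.test", "TXT", 3600),
                  ("example.test", "MX", 3600)]

def eu_mx_answer_size():
    return answer_size("webcoder.eu", [mx_rdata_len(h) for h in EU_MX])

if __name__ == "__main__":
    size = eu_mx_answer_size()
    print(f"webcoder.eu MX answer ~{size} bytes, fits in UDP: {fits_in_udp(size)}")
    print("RRsets with mixed TTLs:", ttl_violations(SAMPLE_RECORDS))
```

A real reply can exceed the estimate once resolvers append A/AAAA records for each MX host in the Additional section, which is why trimming the MX list or host names is what the tool recommends.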