On 26/04/2021 12:56, Dominic Raferd wrote:
> On 26/04/2021 10:16, Jeff Abrahamson wrote:
>>
>> I'm seeing a disturbing (but minority) number of hosts that class our
>> mail as spam.  After some digging, I've found an interesting test
>> case.  What I'm uncertain of is if this represents a config error on
>> our side or a (grossly) misbehaving mail host elsewhere.
>>
>> The interesting test case is a correspondent with a private domain
>> ([email protected]) and a gmail address ([email protected]), both of
>> which deliver to his gmail address.  That is, MX for example.com
>> points to mx01.1and1.fr but the mail is still delivered to
>> [email protected].
>>
>> When I mail to [email protected], he receives the mail fine, and gmail
>> reports that SPF, DKIM, and DMARC all pass.
>> When I mail to [email protected], he receives the mail classed as
>> spam, gmail reports that SPF is neutral, DMARC fails (and DKIM passes).
>>
>> Now what's odd is that gmail reports that SPF passes with the IP of
>> my MX, but in the other case that it fails with the address of
>> mout.kundenserver.de.  We've confirmed that mout.kundenserver.de
>> handles mail to him via 1and1.fr, but not what could be causing an
>> issue.
>>
>> Mangling headers so badly to cause SPF/DMARC failures seems so
>> egregious that I'm inclined to think it's somehow our fault.
>>
>> (Note: this is about mail for mobilitains.fr and not p27.eu.)
>>
> When the third party relays your mail from their own mailserver into
> gmail it breaks SPF because gmail sees the email coming from the third
> party mailserver IP, not from your IP.  This is outside your control
> unless you want to add all the 3rd party's outgoing email IPs as valid
> for your SPF record, which is not advisable.  But it should not be a
> problem - gmail does not block emails purely on SPF failure.  Nor
> should anyone else IMO.
>
> If you use DMARC then ensure that you DKIM-sign all your emails and
> they will pass DMARC testing when they reach gmail via the 3rd party
> relay (despite SPF failure), this may also improve the reputation of
> your email domain within gmail.

Thanks.  That's what I thought, too.  But this is the strange thing: gmail reports that the DKIM signature is good even while complaining that DMARC fails.  (And so gmail classes as spam, apparently.)

DMARC policy is set to "v=DMARC1; p=none; rua=mailto:[email protected]" (for _dmarc.mobilitains.fr).

--
Jeff Abrahamson
+33 6 24 40 01 57
+44 7920 594 255

http://p27.eu/jeff/
http://mobilitains.fr/
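
DMARC passes only when a passing SPF or DKIM result is also aligned with the From: header domain, so a DKIM pass alone does not guarantee a DMARC pass. The added example below is not part of the thread: the Authentication-Results values and all `.example` domains are constructed, and the two-label organizational-domain shortcut is a simplifying assumption. It shows the rule over a direct delivery and two relayed deliveries, and is not a diagnosis of the configuration discussed above.

```python
import re

def org_domain(domain):
    # Simplification: last two labels. Real evaluators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(identifier, from_domain):
    # Relaxed alignment: both names share one organizational domain.
    same_org = org_domain(identifier) == org_domain(from_domain)
    return bool(identifier and from_domain) and same_org

def parse_auth_results(header):
    """Return (from_domain, [(method, result, domain), ...])."""
    header = re.sub(r"\([^)]*\)", "", header)      # drop (comments)
    from_domain, checks = "", []
    for clause in header.split(";")[1:]:           # [0] is the authserv-id
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause)
        if not m:
            continue
        method, result = m.group(1), m.group(2).lower()
        props = dict(re.findall(r"((?:smtp|header)\.\w+)=(\S+)", clause))
        if method == "spf":
            checks.append((method, result, props.get("smtp.mailfrom", "").rpartition("@")[2]))
        elif method == "dkim":
            ident = props.get("header.d") or props.get("header.i", "")
            checks.append((method, result, ident.rpartition("@")[2]))
        else:                                      # dmarc clause carries header.from
            from_domain = props.get("header.from", "")
    return from_domain, checks

def dmarc_evaluate(header):
    """DMARC passes when at least one check both passes and is aligned."""
    from_domain, checks = parse_auth_results(header)
    report = [(m, r, d, r == "pass" and aligned(d, from_domain)) for m, r, d in checks]
    return ("pass" if any(row[3] for row in report) else "fail"), report

# Constructed headers (not taken from the thread); all domains are placeholders.
DIRECT = ("mx.receiver.example; dkim=pass header.i=@sender.example; "
          "spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=jeff@sender.example; "
          "dmarc=pass (p=NONE) header.from=sender.example")
RELAYED_ALIGNED = ("mx.receiver.example; dkim=pass header.i=@sender.example; "
                   "spf=neutral smtp.mailfrom=jeff@sender.example; "
                   "dmarc=pass (p=NONE) header.from=sender.example")
RELAYED_MISALIGNED = ("mx.receiver.example; dkim=pass header.i=@other.example; "
                      "spf=neutral smtp.mailfrom=jeff@sender.example; "
                      "dmarc=fail (p=NONE) header.from=sender.example")
if __name__ == "__main__":
    for name in ("DIRECT", "RELAYED_ALIGNED", "RELAYED_MISALIGNED"):
        print(name, *dmarc_evaluate(globals()[name]), sep="\n  ")
```

In the third case the DKIM signature verifies, but its signing domain is not the From: domain, so neither mechanism yields an aligned pass.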
