On 26/04/2021 13:31, Jeff Abrahamson wrote:
On 26/04/2021 12:56, Dominic Raferd wrote:
On 26/04/2021 10:16, Jeff Abrahamson wrote:
I'm seeing a disturbing (but minority) number of hosts that class our
mail is spam. After some digging, I've found an interesting test
case. What I'm uncertain of is if this represents a config error on
our side or a (grossly) misbehaving mail host elsewhere.
The interesting test case is a correspondent with a private domain
(per...@example.com) and a gmail address (per...@gmail.com), both of
which deliver to his gmail address. That is, MX for example.com
points to mx01.1and1.fr but the mail is still delivered to
per...@gmail.com.
When I mail to per...@gmail.com, he receives the mail fine, and gmail
reports that SPF, DKIM, and DMARC all pass.
When I mail to per...@example.com, he receives the mail classed as
spam, gmail reports that SPF is neutral, DMARC fails (and DKIM passes).
Now what's odd is that gmail reports that SPF passes with the IP of
my MX, but in the other case that it fails with the address of
mout.kundenserver.de. We've confirmed that mout.kundernserver.de
handles mail to him via 1and1.fr, but not what could be causing an
issue.
Mangling headers so badly to cause SPF/DMARC failures seems so
egregious that I'm inclined to think it's somehow our fault.
(Note: this is about mail for mobilitains.fr and not p27.eu.)
When the third party relays your mail from their own mailserver into
gmail it breaks SPF because gmail sees the email coming from the third
party mailserver IP, not from your IP. This is outside your control
unless you want to add all the 3rd party's outgoing email IPs as valid
for your SPF record, which is not advisable. But it should not be a
problem - gmail does not block emails purely on SPF failure. Nor
should anyone else IMO.
If you use DMARC then ensure that you DKIM-sign all your emails and
they will pass DMARC testing when they reach gmail via the 3rd party
relay (despite SPF failure), this may also improve the reputation of
your email domain within gmail.
Thanks. That's what I thought, too. But this is the strange
thing:
gmail reports that the DKIM signature is good even while complaining
that DMARC fails. (And so gmail classes as spam, apparently.)
DMARC policy is set to "v=DMARC1; p=none; rua=mailto:dm...@p27.eu"; (for
_dmarc.mobilitains.fr).
That is strange, can you provide an example ARC-Authentication-Results
header from mx.google.com?
