Re: [mailop] [EXTERNAL] Re: Force double opt in for marketing list companies per email address

[Matt Palmer via mailop]

On Tue, Jun 02, 2020 at 11:37:59PM +0300, Atro Tossavainen via mailop wrote:
> On Tue, Jun 02, 2020 at 08:22:40PM +, Michael Wise via mailop wrote:
> > It would need to be a standard... a SINGLE standard.
> > 
> > Like the FTC "Do Not Call" list.
> 
> What Michael said... And it would be a colossally bad idea.
> 
> Anybody think it wouldn't leak and be used specifically to spam some
> more? A list of 100% guaranteed working email addresses? :-D

SHA-256 hash them.  The search space for possible e-mail addresses being so
large, it's not practical to brute force the hashes back into valid e-mail
addresses (unlike phone numbers, where you just brute-force the search space
by dialling them all and hassling whoever answers).

Of course, just having a giant list of "do not spam" hashes isn't helpful
without regulatory teeth, which is the main reason why such a system isn't
likely to get up and running any time soon -- since you can spam from
anywhere, avoiding regulation is not particularly difficult.

- Matt


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Outlook autodiscover IMAP server settings

[Ralph Seichter via mailop]

* Silver Asu via mailop:

> Is there any chance to get IMAP/SMTP/POP3 server settings autodiscover
> to work with modern desktop and mobile Outlook clients?

Have you considered automx2 ? See https://gitlab.com/automx/automx2 .

-Ralph

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Force double opt in for marketing list companies per email address

[Ángel via mailop]

On 2020-06-02 at 22:58 +0100, Tim Bray via mailop wrote:
> 
> I don't really believe I've been sat in people's dormant lists  (at an
> email service provider) for years and years.   I think it is fresh
> lists extracted from CRMs and webstores, but maybe several years of
> old data.  And maybe people sharing lists with their mates or when
> sales people move companies.
> 
> (if you pay by paypal, then pretty much the merchant gets your email
> address whatever)

> I've put a subject access request into mailchimp, so I'll see what
> comes back.  I guess depends whether mailchimp think they are governed
> by GDPR or not.


I was going to suggest GDPR. IANAL, but I think they would need to have
proper evidence for processing of your data.*
Maybe one company has really been doing its homework for so long, and
can provide that you signed up on a web form at  on 15th February
1997 11:47 am, with name "Nadine" and checkbox "Feel free to spam me
whenever you want" checked.

Actually, I would doubt that the consent of (most) marketing lists
gathered prior of GDPR would pass (did they really inform you back them
of everything your are now entitled to?). In fact, even for later ones,
they are probably still not getting properly the consent for processing.

(user consent is not the only legal path for processing your
information, but it's certainly the easiest one. Sending an invoice
could easily fit as 'legitimate interest' but adding you to a marketing
list wouldn't)



* I'm not sure if mailchimp would qualify here as the processor or not.
Anyway, I think you should be able to reach them with your request, and
they should be liable to get that information from their customer.
Of course, should the customer not timely produce such information, they
should be booted from the platform with no further questions needed.


Best regards



___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Verizon Media Recurring Issue

[Michael E. Weisel via mailop]

I have some more information as we now see that the whole /24 may be blocked.  
Could someone from the Verizon Team please contact me so I can explain the 
issue in detail?

 
 
Thanks,
 
Michael
 
Michael E. Weisel
CTO / Deliverability Lead
Gold Lasso
(301) 990-9857 Corporate
(240) 813-0174 Direct Dial


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Force double opt in for marketing list companies per email address

[Tim Bray via mailop]

On 02/06/2020 21:52, Oreva Akpolo via mailop wrote:

Hey Tom,

I'm Oreva, a Deliverability Engineer at Mailchimp. There currently 
isn't a system to force double opt-in on recipients per email address. 
What we can recommend is to set up filters or folders, so that you're 
only seeing mail from users you've actively subscribed to in your inbox.




Maybe you could put the senders name in the Return-Path?

To make filtering easier? Where I want to block an account where I might 
be on multiple lists at the same account?


Suppose I could just extract from the first bit of the url in the 
List-Unsubscribe ??


List-Unsubscribe: 

Re: [mailop] [EXTERNAL] Re: Force confirmed opt in for marketing list companies per email address

[Joe Provo via mailop]

IHNJ, just correcting the subject line... 

On Tue, Jun 02, 2020 at 10:58:18PM +0100, Tim Bray via mailop wrote:
> On 02/06/2020 21:22, Michael Wise via mailop wrote:
> >
> > It would need to be a standard... a SINGLE standard.
> >
> > Like the FTC "Do Not Call" list.
> >
> 
> I wasn't thinking about something central at all.?? I was just thinking 
> about it as something top 1 or 2 market leaders could do to be helpful.
> 
> (like various UK banks have secondary security things you can turn on if 
> you are high risk or a victim of identity theft or in a domestic 
> violence situation. The credit reference agencies are helpful too in 
> terms of letting you see what searches done in your name)
> 
> Because I'm unsubscribing from 3 or 4 things a day.?? (but like 10 
> today)?? Mainly from reputable marketing companies (like mailchimp)
> 
> I don't want rid of all marketing emails. There are companies whose 
> mails I want.
> 
> 
> Maybe mailchimp could send me a weekly digest of `these 10 companies 
> signed you up this week`.?? And I could just click `unsubscribe from all, 
> never signed up for this list`.?? In one go, rather than several times a day.
> 
> 
> I don't really believe I've been sat in people's dormant lists (at an 
> email service provider) for years and years. I think it is fresh lists 
> extracted from CRMs and webstores, but maybe several years of old data.?? 
> And maybe people sharing lists with their mates or when sales people 
> move companies.
> 
> (if you pay by paypal, then pretty much the merchant gets your email 
> address whatever)
> 
> I've put a subject access request into mailchimp, so I'll see what comes 
> back.?? I guess depends whether mailchimp think they are governed by GDPR 
> or not.
> 
> 
> 
> -- 
> Tim Bray
> Huddersfield, GB
> t...@kooky.org
> 

> ___
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


-- 
Posted from my personal account - see X-Disclaimer header.
Joe Provo / Gweep / Earthling 

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] [EXTERNAL] Re: Force double opt in for marketing list companies per email address

[Tim Bray via mailop]

On 02/06/2020 21:22, Michael Wise via mailop wrote:


It would need to be a standard... a SINGLE standard.

Like the FTC "Do Not Call" list.



I wasn't thinking about something central at all.  I was just thinking 
about it as something top 1 or 2 market leaders could do to be helpful.


(like various UK banks have secondary security things you can turn on if 
you are high risk or a victim of identity theft or in a domestic 
violence situation.   The credit reference agencies are helpful too in 
terms of letting you see what searches done in your name)


Because I'm unsubscribing from 3 or 4 things a day.  (but like 10 
today)  Mainly from reputable marketing companies (like mailchimp)


I don't want rid of all marketing emails.   There are companies whose 
mails I want.



Maybe mailchimp could send me a weekly digest of `these 10 companies 
signed you up this week`.  And I could just click `unsubscribe from all, 
never signed up for this list`.  In one go, rather than several times a day.



I don't really believe I've been sat in people's dormant lists (at an 
email service provider) for years and years.   I think it is fresh lists 
extracted from CRMs and webstores, but maybe several years of old data.  
And maybe people sharing lists with their mates or when sales people 
move companies.


(if you pay by paypal, then pretty much the merchant gets your email 
address whatever)


I've put a subject access request into mailchimp, so I'll see what comes 
back.  I guess depends whether mailchimp think they are governed by GDPR 
or not.




--
Tim Bray
Huddersfield, GB
t...@kooky.org

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] [EXTERNAL] Re: Force double opt in for marketing list companies per email address

[Luis E. Muñoz via mailop]

On 2 Jun 2020, at 14:25, Michael Peddemors via mailop wrote:

Yeah, and IMHO (don't hit me) that VERP should go the way of the 
Dodo..


This assertion doesn't follow the rest of your message. Even if useless 
for the use case being discussed – for which it was never meant as a 
solution – there are plenty of other valuable use cases for VERP.


Any use case involving a downstream or 1-removed error benefits from 
VERP, because the sending organization can unambiguously know which 
destination address was at fault and can mitigate.


Best regards

-lem

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] [EXTERNAL] Re: Force double opt in for marketing list companies per email address

[Michael Peddemors via mailop]

Yeah, and IMHO (don't hit me) that VERP should go the way of the Dodo..

If a domain owner wants to have MailChimp send bulk email for them, they 
should add MailChimp to their SPF record.. and have their domain in the 
MAIL FROM.. it helps improve delivery dates.. eg the ISP can safely 
'whitelist' the trusted domain, and use SPF to block forgeries..


The 'From' header is too easily forged (see all the 'Paypal' and 
'Netflix' phishing SendGrid is dealing with..


If you want to say, accept ALL email from MailChimp, sure.. leave the 
VERP, even though ANYONE who is 'bouncing' to the VERP, will undoubtably 
be also generating backscatter.. rejecting based on MAIL FROM is much 
more efficient email processing, than accepting it, and later trying to 
bounce to the MAIL FROM address (see forgeries)


Oh, and BTW "today" it's still SendGrid and MailGun sending to too many 
invalid recipients, based on reports from Telco's across North America, 
so someone is using old databases for sending..




On 2020-06-02 2:07 p.m., Atro Tossavainen via mailop wrote:

In the end, if mailchimp actually DID use the sender's email in the
MAIL FROM, it might make it easier.. If they did had a way to see
that this was an invite..


Practically all ESPs use VERP.

https://en.wikipedia.org/wiki/Variable_envelope_return_path

It makes sense for them in so many ways. For starters, they can
guarantee that SPF matches for domains they themselves control, which
is nowhere near a given with customer domains. It should also make
bounce processing trivial. (Evidence in the form of Koli-Lõks OÜ
having a business at all shows that nobody is monitoring that, though.)





--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Force double opt in for marketing list companies per email address

[Michael Peddemors via mailop]

HOLD THE PHONE!!

Do we hear a ESP actually recommending that all their email gets sent to 
a junk folder .. hehehe..


But again, the best way for an email to support what you are suggesting, 
is if you are transparent in the MAIL FROM, so that 'Allow Sender I am 
subscribed to' would actually work in all cases ..


On 2020-06-02 1:52 p.m., Oreva Akpolo via mailop wrote:

Hey Tom,

I'm Oreva, a Deliverability Engineer at Mailchimp. There currently isn't 
a system to force double opt-in on recipients per email address. What we 
can recommend is to set up filters or folders, so that you're only 
seeing mail from users you've actively subscribed to in your inbox.


I hope that helps.

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop





--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Force double opt in for marketing list companies per email address

[Graeme Fowler via mailop]

On 2 Jun 2020, at 21:52, Oreva Akpolo via mailop  wrote:
> 
> I'm Oreva, a Deliverability Engineer at Mailchimp. There currently isn't a 
> system to force double opt-in on recipients per email address. What we can 
> recommend is to set up filters or folders, so that you're only seeing mail 
> from users you've actively subscribed to in your inbox. 

Is this where we say “Oh, mate”?

The average email recipient can’t spell scalability, and they sure as hell 
don’t understand it. What they sometimes understand is “why is all this crap I 
never subscribed to in my Inbox?”.

Are you really suggesting, as a representative of MailChimp, that you expect 
recipients to manage unwieldy and ever-growing allow- and deny-lists?

Graeme
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] [EXTERNAL] Re: Force double opt in for marketing list companies per email address

[Atro Tossavainen via mailop]

> In the end, if mailchimp actually DID use the sender's email in the
> MAIL FROM, it might make it easier.. If they did had a way to see
> that this was an invite..

Practically all ESPs use VERP.

https://en.wikipedia.org/wiki/Variable_envelope_return_path

It makes sense for them in so many ways. For starters, they can
guarantee that SPF matches for domains they themselves control, which
is nowhere near a given with customer domains. It should also make
bounce processing trivial. (Evidence in the form of Koli-Lõks OÜ
having a business at all shows that nobody is monitoring that, though.)

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] [EXTERNAL] Re: Force double opt in for marketing list companies per email address

[Michael Peddemors via mailop]

Yeah, over the last 10 years we banged our head on how a universal 
method would work, and yes.. all vulnerable to abuse..


In the end, if mailchimp actually DID use the sender's email in the MAIL 
FROM, it might make it easier.. If they did had a way to see that this 
was an invite..


You 'could' filter it all to the junk mail folder, but flag the 
'invites' so a person could 'click' on 'I want to be on this list', 
which would exempt it from going to the junk folder, and adding the 
sender to your address book..


So far, that's all we got ;)

You will never get 100% accuracy, but you can go for 99.99, and allow 
the recipient to make the final choice on what is wanted/unwanted.


Remember, one person's spam, is another person's reading material.

At the end, only transparency can make that happen, however transparency 
often goes against the business model where you get paid on how much 
reaches the inbox, and quite quickly allowing the 'questionable' paying 
customer to join the 'good' paying customers traffic, to increase 
revenue. IMHO


On 2020-06-02 1:37 p.m., Atro Tossavainen via mailop wrote:

On Tue, Jun 02, 2020 at 08:22:40PM +, Michael Wise via mailop wrote:

It would need to be a standard... a SINGLE standard.

Like the FTC "Do Not Call" list.


What Michael said... And it would be a colossally bad idea.

Anybody think it wouldn't leak and be used specifically to spam some
more? A list of 100% guaranteed working email addresses? :-D



Aloha,
Michael.
--
Michael J Wise
Microsoft Corporation| Spam Analysis
"Your Spam Specimen Has Been Processed."
Open a ticket for Hotmail ?



-Original Message-
From: mailop  On Behalf Of Stuart Henderson via 
mailop
Sent: Tuesday, June 2, 2020 6:52 AM
To: Tim Bray 
Cc: mailop@mailop.org
Subject: [EXTERNAL] Re: [mailop] Force double opt in for marketing list 
companies per email address



On 2020/06/02 14:35, Tim Bray via mailop wrote:


My question to mailchimp et al:







Is there way I could force my email address to be double opt in?



Like register with you, confirm my address, and then any of your



customers who try to add me, I get a `please confirm` email.




This, but without the "have to register" bit ...





___

mailop mailing list

mailop@mailop.org

https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fchilli.nosignal.org%2Fcgi-bin%2Fmailman%2Flistinfo%2Fmailopdata=02%7C01%7Cmichael.wise%40microsoft.com%7C54fda74ea1874866ddea08d806fcacb1%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637267029595466145sdata=Kvd%2FA%2FFCdoqX4R6I9RPGKjCX%2BF95xY5pBNATC6B4oXg%3Dreserved=0



___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop







--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

[mailop] Force double opt in for marketing list companies per email address

[Oreva Akpolo via mailop]

Hey Tom,

I'm Oreva, a Deliverability Engineer at Mailchimp. There currently isn't a
system to force double opt-in on recipients per email address. What we can
recommend is to set up filters or folders, so that you're only seeing mail
from users you've actively subscribed to in your inbox.

I hope that helps.
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] [EXTERNAL] Re: Force double opt in for marketing list companies per email address

[Atro Tossavainen via mailop]

On Tue, Jun 02, 2020 at 08:22:40PM +, Michael Wise via mailop wrote:
> It would need to be a standard... a SINGLE standard.
> 
> Like the FTC "Do Not Call" list.

What Michael said... And it would be a colossally bad idea.

Anybody think it wouldn't leak and be used specifically to spam some
more? A list of 100% guaranteed working email addresses? :-D

> 
> Aloha,
> Michael.
> --
> Michael J Wise
> Microsoft Corporation| Spam Analysis
> "Your Spam Specimen Has Been Processed."
> Open a ticket for Hotmail ?
> 
> 
> 
> -Original Message-
> From: mailop  On Behalf Of Stuart Henderson via 
> mailop
> Sent: Tuesday, June 2, 2020 6:52 AM
> To: Tim Bray 
> Cc: mailop@mailop.org
> Subject: [EXTERNAL] Re: [mailop] Force double opt in for marketing list 
> companies per email address
> 
> 
> 
> On 2020/06/02 14:35, Tim Bray via mailop wrote:
> 
> > My question to mailchimp et al:
> 
> >
> 
> > Is there way I could force my email address to be double opt in?
> 
> > Like register with you, confirm my address, and then any of your
> 
> > customers who try to add me, I get a `please confirm` email.
> 
> 
> 
> This, but without the "have to register" bit ...
> 
> 
> 
> 
> 
> ___
> 
> mailop mailing list
> 
> mailop@mailop.org
> 
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fchilli.nosignal.org%2Fcgi-bin%2Fmailman%2Flistinfo%2Fmailopdata=02%7C01%7Cmichael.wise%40microsoft.com%7C54fda74ea1874866ddea08d806fcacb1%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637267029595466145sdata=Kvd%2FA%2FFCdoqX4R6I9RPGKjCX%2BF95xY5pBNATC6B4oXg%3Dreserved=0

> ___
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] [EXTERNAL] Re: Force double opt in for marketing list companies per email address

[Michael Wise via mailop]

It would need to be a standard... a SINGLE standard.

Like the FTC "Do Not Call" list.

Aloha,
Michael.
--
Michael J Wise
Microsoft Corporation| Spam Analysis
"Your Spam Specimen Has Been Processed."
Open a ticket for Hotmail ?



-Original Message-
From: mailop  On Behalf Of Stuart Henderson via 
mailop
Sent: Tuesday, June 2, 2020 6:52 AM
To: Tim Bray 
Cc: mailop@mailop.org
Subject: [EXTERNAL] Re: [mailop] Force double opt in for marketing list 
companies per email address



On 2020/06/02 14:35, Tim Bray via mailop wrote:

> My question to mailchimp et al:

>

> Is there way I could force my email address to be double opt in?

> Like register with you, confirm my address, and then any of your

> customers who try to add me, I get a `please confirm` email.



This, but without the "have to register" bit ...





___

mailop mailing list

mailop@mailop.org

https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fchilli.nosignal.org%2Fcgi-bin%2Fmailman%2Flistinfo%2Fmailopdata=02%7C01%7Cmichael.wise%40microsoft.com%7C54fda74ea1874866ddea08d806fcacb1%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637267029595466145sdata=Kvd%2FA%2FFCdoqX4R6I9RPGKjCX%2BF95xY5pBNATC6B4oXg%3Dreserved=0
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Outlook autodiscover IMAP server settings

[Andrew via mailop]

On 02/06/2020 19:41, Robert L Mathews via mailop wrote:

On 6/2/20 5:16 AM, Andrew via mailop wrote:

tl;dr - start with ensuring you've got RFC 6186 records setup

Out of interest, do you know what clients now support RFC 6186?

I tested a variety of them a couple of years back and couldn't find any
major ones that supported it, so I didn't bother setting up such records
for our customers. It sounds like that's perhaps changed, which would be
great.


I took the view that I'd setup all the possible auto setup options, and 
only checked a few mail clients picked up the settings. RFC 6186 looks 
like the obvious standard for mail clients to follow, so I *assume* it 
would have been adopted by a good quantity of mail clients. Dangerous 
things, assumptions ;-)


I would however note that it's a relatively easy method to setup.

AR.


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Is Gmails DMARC check broken?

[Kurt Andersen (b) via mailop]

Leaving aside the discussion about Gmail specifics (which has been
adequately answered by others)...

On Tue, Jun 2, 2020 at 8:08 AM Benoit Panizzon via mailop 
wrote:

>
> So at the moment I'm only using DMARC with SPF. According to my
> reading on how DMARC works, if no DKIM record is published, a passing
> SPF record is sufficient for authentication.
>

SPF alone is sufficient for DMARC authentication regardless of whether or
not you publish (or use) DKIM records and signatures.

The rule is "SPF or DKIM", not "SPF xor DKIM" or "SPF and DKIM" (in a
boolean logic way) - presuming alignment rules are met in all cases.

--Kurt
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Outlook autodiscover IMAP server settings

[Robert L Mathews via mailop]

On 6/2/20 5:16 AM, Andrew via mailop wrote:
> tl;dr - start with ensuring you've got RFC 6186 records setup

Out of interest, do you know what clients now support RFC 6186?

I tested a variety of them a couple of years back and couldn't find any
major ones that supported it, so I didn't bother setting up such records
for our customers. It sounds like that's perhaps changed, which would be
great.

-- 
Robert L Mathews, Tiger Technologies, http://www.tigertech.net/

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Is Gmails DMARC check broken?

[John R Levine via mailop]

In article <947f2235-ae10-47b5-90cd-f096d5648...@wordtothewise.com> you write:


Why is Google applying a strict reject when the policy is p=none?


It is my understanding that Google requires all IPv6 mail to be SPF or
DKIM authenticated with or without DMARC.

The "aspf=s" is probably the reason since the mail servers have names
in three Gaullish subdomains of imp.ch and I doubt those domains are
on the From: line of mail.

Beyond that I'm also wondering if the /32 in the SPF record is too big
and smells too close to +all.  The MTAs are all in the same /64 so put
that in the SPF record.



___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Is Gmails DMARC check broken?

[Brandon Long via mailop]

Gmail does not require DKIM for DMARC.  Using only SPF works according to
the spec.

If people really want to shoot themselves in the foot by only using SPF
with DMARC, we let them.

If you don't have the dmarc reject, you can see the messages that are
delivered and see the AuthRes headers to see what we thought of the message.
All things being equal, I'd guess it's alignment...

actually, not only is it alignment, but you're sending from a sub-domain,
which for SPF requires that there is an SPF record on the sub-domain (there
is no look at the higher domain like with DMARC).  Google will calculate a
"zone" SPF in this case, but that fallback isn't used for DMARC because
that's not part of the spec.

Brandon

On Tue, Jun 2, 2020 at 8:08 AM Benoit Panizzon via mailop 
wrote:

> Hi Gang
>
> I'm on the way of more widely deploying DMARC and also testing DKIM
> once again. Also on our ISP email service domains.
>
> So at the moment I'm only using DMARC with SPF. According to my
> reading on how DMARC works, if no DKIM record is published, a passing
> SPF record is sufficient for authentication.
>
> But as soon as I set p=reject Gmail is rejecting all emails:
>
> : host aspmx.l.google.com[2a00:1450:4013:c04::1a] said:
> 550-5.7.26 Unauthenticated email from imp.ch is not accepted due to
> domain's 550-5.7.26 DMARC policy. Please contact the administrator of
> imp.ch domain if 550-5.7.26 this was a legitimate mail. Please visit
> 550-5.7.26  https://support.google.com/mail/answer/2451690 to learn
> about
> the 550 5.7.26 DMARC initiative. i4si1617970edq.200 - gsmtp (in reply
> to
> end of DATA command)
>
> imp.ch descriptive text "v=spf1 ip6:2001:4060::/32 ip4:157.161.0.0/16 ip4:
> 217.173.238.128/27 ip6:2a00:ec0:1::/64 -all"
>
> _DMARC.imp.ch descriptive text "v=DMARC1; p=none; rua=mailto:
> dmarc-rep...@imp.ch; ruf=mailto:dmarc-rep...@imp.ch; aspf=s"
> (reverted to p=none)
>
> That email was sent from: 2001:4060:1:1002::139:139 which passes SPF.
>
> Any idea what is going wrong? Is Gmail's DMARC implementation broken
> and REQUIRES DKIM violating RFC?
>
> Mit freundlichen Grüssen
>
> -Benoît Panizzon-
> --
> I m p r o W a r e   A G-Leiter Commerce Kunden
> __
>
> Zurlindenstrasse 29 Tel  +41 61 826 93 00
> <+41%2061%20826%2093%2000>
> CH-4133 PrattelnFax  +41 61 826 93 01
> <+41%2061%20826%2093%2001>
> Schweiz Web  http://www.imp.ch
> __
>
> ___
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
>
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Is Gmails DMARC check broken?

[Laura Atkins via mailop]

Why is Google applying a strict reject when the policy is p=none?

laura 



> On 2 Jun 2020, at 16:42, Ken O'Driscoll via mailop  wrote:
> 
> On Tue, 2020-06-02 at 17:04 +0200, Benoit Panizzon via mailop wrote:
>> _DMARC.imp.ch descriptive text "v=DMARC1; p=none; rua=mailto: 
>> dmarc-rep...@imp.ch
>> ; ruf=mailto: dmarc-rep...@imp.ch  ; aspf=s"
>> (reverted to p=none)
>> 
>> That email was sent from: 2001:4060:1:1002::139:139 which passes SPF.
>> 
>> Any idea what is going wrong? Is Gmail's DMARC implementation broken
>> 
>> and REQUIRES DKIM violating RFC?
> 
> Without seeing the actual message my guess is that the aspf=s is the problem. 
> This is telling receivers that you want to enforce strict SPF alignment, 
> which means the FQDNs used the SPF tests must match. So, if your 5321.From is 
> using a sub-domain then this will fail a DMARC test in the absence of DKIM.
> 
> Ken.
> ___
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

-- 
Having an Email Crisis?  We can help! 800 823-9674 

Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741  

Email Delivery Blog: https://wordtothewise.com/blog 







___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Is Gmails DMARC check broken?

[Tim Bray via mailop]

On 02/06/2020 16:42, Ken O'Driscoll via mailop wrote:
Without seeing the actual message my guess is that the *aspf=s* is the 
problem. This is telling receivers that you want to enforce strict SPF 
alignment, which means the FQDNs used the SPF tests must match. So, if 
your 5321.From is using a sub-domain then this will fail a DMARC test 
in the absence of DKIM.


I think this.

and I guess the domain in the HELO too?

And the envelope sender.


We have no problems sending IPv6 email to google.   With DKIM, SPF and 
reverse DNS, it just worked.  I'm not sure what we do right, but it is 
possible to have it working.



--
Tim Bray
Huddersfield, GB
t...@kooky.org

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Is Gmails DMARC check broken?

[Al Iverson via mailop]

I had similar trouble sending to Gmail over IPv6 long ago and I just
turned off the IPv6 interface on my server to fix it, because I'm a
typical dumb American. I was never quite sure, do I just not
understand how to specify SPF properly for IPv6 or does Gmail have a
bug in how they process SPF for IPv6.

Kitterman SPF check says:
Mail sent from this IP address: 2001:4060:1:1002::139:139
Mail from (Sender): b...@example.com
Mail checked using this SPF policy: v=spf1 ip6:2001:4060::/32
ip4:157.161.0.0/16 ip4:217.173.238.128/27 ip6:2a00:ec0:1::/64 -all
Results - PASS sender SPF authorized

In your case, I agree that SPF should be passing. I guess double check
that you're actually connecting to Google servers over the correct
interface, I also ran into this before as an issue, too. Maybe it's
not really connecting via 2001:4060:1:1002::139:139 and thus truly is
failing SPF.

I do see many examples of SPF/DMARC (no DKIM) working as
expected...i.e. delivers, not blocked. At work we have so many MTAs
with varying configs that we occasionally would have someone try to
send from a new MTA without DKIM yet configured, but SPF still passes,
and it delivers fine to Gmail. Granted, I haven't tested this in the
past few days, but unless it broke very recently, I feel confident
that they don't block in this way.

Good luck!

Regards,
Al Iverson

On Tue, Jun 2, 2020 at 10:13 AM Benoit Panizzon via mailop
 wrote:
>
> Hi Gang
>
> I'm on the way of more widely deploying DMARC and also testing DKIM
> once again. Also on our ISP email service domains.
>
> So at the moment I'm only using DMARC with SPF. According to my
> reading on how DMARC works, if no DKIM record is published, a passing
> SPF record is sufficient for authentication.
>
> But as soon as I set p=reject Gmail is rejecting all emails:
>
> : host aspmx.l.google.com[2a00:1450:4013:c04::1a] said:
> 550-5.7.26 Unauthenticated email from imp.ch is not accepted due to
> domain's 550-5.7.26 DMARC policy. Please contact the administrator of
> imp.ch domain if 550-5.7.26 this was a legitimate mail. Please visit
> 550-5.7.26  https://support.google.com/mail/answer/2451690 to learn about
> the 550 5.7.26 DMARC initiative. i4si1617970edq.200 - gsmtp (in reply to
> end of DATA command)
>
> imp.ch descriptive text "v=spf1 ip6:2001:4060::/32 ip4:157.161.0.0/16 
> ip4:217.173.238.128/27 ip6:2a00:ec0:1::/64 -all"
>
> _DMARC.imp.ch descriptive text "v=DMARC1; p=none; 
> rua=mailto:dmarc-rep...@imp.ch; ruf=mailto:dmarc-rep...@imp.ch; aspf=s"
> (reverted to p=none)
>
> That email was sent from: 2001:4060:1:1002::139:139 which passes SPF.
>
> Any idea what is going wrong? Is Gmail's DMARC implementation broken
> and REQUIRES DKIM violating RFC?
>
> Mit freundlichen Grüssen
>
> -Benoît Panizzon-
> --
> I m p r o W a r e   A G-Leiter Commerce Kunden
> __
>
> Zurlindenstrasse 29 Tel  +41 61 826 93 00
> CH-4133 PrattelnFax  +41 61 826 93 01
> Schweiz Web  http://www.imp.ch
> __
>
> ___
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop



-- 
Al Iverson // Wombatmail // Chicago
Song a day! https://www.wombatmail.com
Deliverability! https://spamresource.com
And DNS Tools too! https://xnnd.com

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Is Gmails DMARC check broken?

[Ken O'Driscoll via mailop]

On Tue, 2020-06-02 at 17:04 +0200, Benoit Panizzon via mailop wrote:
> _DMARC.imp.ch descriptive text "v=DMARC1; p=none; rua=mailto: 
> dmarc-rep...@imp.ch; ruf=mailto: dmarc-rep...@imp.ch ;
> aspf=s"(reverted to p=none)
> That email was sent from: 2001:4060:1:1002::139:139 which passes SPF.
> Any idea what is going wrong? Is Gmail's DMARC implementation broken
> and REQUIRES DKIM violating RFC?

Without seeing the actual message my guess is that the aspf=s is the
problem. This is telling receivers that you want to enforce strict SPF
alignment, which means the FQDNs used the SPF tests must match. So, if
your 5321.From is using a sub-domain then this will fail a DMARC test
in the absence of DKIM.

Ken.
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Google: 'Low reputation of the sending domain'

[Tim Bray via mailop]

On 02/06/2020 09:37, Benoit Panizzon via mailop wrote:

Still 'Spamrate' and 'IP Reputation' and 'Domain Reputation' (all other
items too) still show 'there is no data available yet'.



At work (provu.co.uk) we send hundreds of emails a day, but always no 
data in postmaster tools.  I just presume you have to send more mail to 
get noticed.



Other things I noticed  (I'm not google)

1) No TLS on your mailserver - to receive email.  What about sending?    
(most well maintained mailservers have TLS now)


2) SPF record is a whole /48 for IPv6.    Why not just try the 1 
address  of your mailserver  (I'd be suspicious of such a wide range of 
space for sending mailservers)




--
Tim Bray
Huddersfield, GB
t...@kooky.org


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

[mailop] Is Gmails DMARC check broken?

[Benoit Panizzon via mailop]

Hi Gang

I'm on the way of more widely deploying DMARC and also testing DKIM
once again. Also on our ISP email service domains.

So at the moment I'm only using DMARC with SPF. According to my
reading on how DMARC works, if no DKIM record is published, a passing
SPF record is sufficient for authentication.

But as soon as I set p=reject Gmail is rejecting all emails:

: host aspmx.l.google.com[2a00:1450:4013:c04::1a] said:
550-5.7.26 Unauthenticated email from imp.ch is not accepted due to
domain's 550-5.7.26 DMARC policy. Please contact the administrator of
imp.ch domain if 550-5.7.26 this was a legitimate mail. Please visit
550-5.7.26  https://support.google.com/mail/answer/2451690 to learn about
the 550 5.7.26 DMARC initiative. i4si1617970edq.200 - gsmtp (in reply to
end of DATA command)

imp.ch descriptive text "v=spf1 ip6:2001:4060::/32 ip4:157.161.0.0/16 
ip4:217.173.238.128/27 ip6:2a00:ec0:1::/64 -all"

_DMARC.imp.ch descriptive text "v=DMARC1; p=none; 
rua=mailto:dmarc-rep...@imp.ch; ruf=mailto:dmarc-rep...@imp.ch; aspf=s"
(reverted to p=none)

That email was sent from: 2001:4060:1:1002::139:139 which passes SPF.

Any idea what is going wrong? Is Gmail's DMARC implementation broken
and REQUIRES DKIM violating RFC?

Mit freundlichen Grüssen

-Benoît Panizzon-
-- 
I m p r o W a r e   A G-Leiter Commerce Kunden
__

Zurlindenstrasse 29 Tel  +41 61 826 93 00
CH-4133 PrattelnFax  +41 61 826 93 01
Schweiz Web  http://www.imp.ch
__

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Force double opt in for marketing list companies per email address

[Stuart Henderson via mailop]

On 2020/06/02 14:35, Tim Bray via mailop wrote:
> My question to mailchimp et al:
> 
> Is there way I could force my email address to be double opt in? Like
> register with you, confirm my address, and then any of your customers who
> try to add me, I get a `please confirm` email.

This, but without the "have to register" bit ...


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

[mailop] Force double opt in for marketing list companies per email address

[Tim Bray via mailop]

Hi,

So seems to be spam/ham day today.  I've just done 6 unsubscribes.  Orgs 
I have never heard of, or maybe an organization I once bought something 
from 10 years ago (or their sister company)


I think people are trying to kick start their businesses in the UK by 
digging out all their old email address lists from ancient CRM systems 
and webstores.  I'm pretty sure they aren't lists I've been on for years.


I think my email address also been passed around a bit.

And I've had the same corporate email address for 18 years now. :(


My question to mailchimp et al:

Is there way I could force my email address to be double opt in? 
Like register with you, confirm my address, and then any of your 
customers who try to add me, I get a `please confirm` email.


And then later, anybody who tries to add me to a list, then I can

I get loads of useful mail from mailchimp too, so I don't want to 
globally do a mass block.


(sorry mailchimp, you are like the best mailinglist people, so more 
comes from you)



--
Tim Bray
Huddersfield, GB
t...@kooky.org


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Google: 'Low reputation of the sending domain'

[Laura Atkins via mailop]

Mail coming from IPv6 has higher requirements for delivery than mail from IPv4. 
The theory is that with IPv4 you may be in a situation where there’s legacy 
code or infrastructure that can’t be upgraded for operational reasons. For 
reasons of interoperability that is acceptable.

Anyone sending mail over IPv6 has a new(ish) system and there is zero reason to 
not meet all modern requirements. There is a reputation cost to sending over 
IPv6 without properly and fully (both SPF and DKIM) authenticating the email 
message.  There may be other issues here in that the domain reputation is bad 
AS WELL. But the first step is to sign with DKIM and see if that addresses the 
issue. Given you can send mail from the same domain over IPv4, it seems it’s 
not the overall domain reputation, but the domain reputation from an IPv6 IP 
address. 

Sign with DKIM. 

laura 


> On 2 Jun 2020, at 13:32, Stuart Henderson via mailop  
> wrote:
> 
> On 2020/06/02 10:37, Benoit Panizzon via mailop wrote:
>> <<< 550-5.7.1 [2001:4060:dead:beef::1  19] Our system has detected that 
>> this
>> <<< 550-5.7.1 message is likely suspicious due to the very low reputation of 
>> the
>> <<< 550-5.7.1 sending domain.
> 
> "due to the very low reputation of the sending domain", I'm surprised
> that made it through legal...
> 
>> DKIM is not a solution. I faced too many problems with mailinglists
>> and similar which did alter the header and broke DKIM signatures.
> 
> DKIM isn't (or at least shouldn't be) used as an absolute check unless it's
> combined with a restrictive DMARC setting - usually it just feeds in to an
> overall score. Failing DKIM doesn't mean that people won't see a mail at
> all and when combined with other positive scores usually assigned to
> genuine mailing list servers, it will often still get through.
> 
> You are likely to need all the tricks in the book to get mail delivered
> over IPv6 into gmail (many people just gave up - most of the common open-
> source MTAs have methods to avoid delivering over v6 to certain servers
> precisely because of this) - DKIM definitely seems to be something worth
> doing.
> 
> 
> ___
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

-- 
Having an Email Crisis?  We can help! 800 823-9674 

Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741  

Email Delivery Blog: https://wordtothewise.com/blog 







___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Google: 'Low reputation of the sending domain'

[Stuart Henderson via mailop]

On 2020/06/02 10:37, Benoit Panizzon via mailop wrote:
> <<< 550-5.7.1 [2001:4060:dead:beef::1  19] Our system has detected that 
> this
> <<< 550-5.7.1 message is likely suspicious due to the very low reputation of 
> the
> <<< 550-5.7.1 sending domain.

"due to the very low reputation of the sending domain", I'm surprised
that made it through legal...

> DKIM is not a solution. I faced too many problems with mailinglists
> and similar which did alter the header and broke DKIM signatures.

DKIM isn't (or at least shouldn't be) used as an absolute check unless it's
combined with a restrictive DMARC setting - usually it just feeds in to an
overall score. Failing DKIM doesn't mean that people won't see a mail at
all and when combined with other positive scores usually assigned to
genuine mailing list servers, it will often still get through.

You are likely to need all the tricks in the book to get mail delivered
over IPv6 into gmail (many people just gave up - most of the common open-
source MTAs have methods to avoid delivering over v6 to certain servers
precisely because of this) - DKIM definitely seems to be something worth
doing.


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Outlook autodiscover IMAP server settings

[Andrew via mailop]

On 02/06/2020 12:12, Silver Asu via mailop wrote:
Is there any chance to get IMAP/SMTP/POP3 server settings autodiscover 
to work with modern desktop and mobile Outlook clients?


_autodiscover._tcp SRV record with autodiscover/autodiscover.xml seems 
not to work anymore.


I wrote up an answer on ServerFault [1] recently and also an Ansible 
role [2] which I hope covers most of the possibilities.


tl;dr - start with ensuring you've got RFC 6186 records setup. If your 
mail clients don't pick up settings from that, take a closer look at the 
other auto setup methods.


AR.

[1] 
https://serverfault.com/questions/935192/how-to-setup-auto-configure-email-for-android-mail-app-on-your-server/1018406#1018406


[2] https://github.com/AndrewCRichards/Ansible_Role_email_auto_client_setup



___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

[mailop] Verizon Media Recurring Issue

[Michael E. Weisel via mailop]

We have a client who we have worked with very closely to develop a solid 
engaged sender plan that has been working very well since they started sending 
through us a few years back.  Recently they have been having a recurring issue 
with just one of the Verizon Media domains that pops up every other week or so 
since March.  The postmaster team has been very helpful to get the issue 
resolved each time through the ticketing system but it’s not clear why it keeps 
happening and our client has a few days each time with no deliverability.  If 
anyone from Verizon Media is monitoring the list here, can they please contact 
me?



Thanks,

Michael

Michael E. Weisel
CTO / Deliverability Lead
Gold Lasso
(301) 990-9857 Corporate
(240) 813-0174 Direct Dial

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

[mailop] Outlook autodiscover IMAP server settings

[Silver Asu via mailop]

Hello!

 

Is there any chance to get IMAP/SMTP/POP3 server settings autodiscover to
work with modern desktop and mobile Outlook clients?

_autodiscover._tcp SRV record with autodiscover/autodiscover.xml seems not
to work anymore.

 

Thanks.

Silver Asu

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Google: 'Low reputation of the sending domain'

[Ken O'Driscoll via mailop]

On Tue, 2020-06-02 at 10:37 +0200, Benoit Panizzon via mailop wrote:
> DKIM is not a solution. I faced too many problems with mailinglists
> and similar which did alter the header and broke DKIM signatures.
> 
> Has anyone a hint what could be the cause for this problem?
> 
> And yes, disabling IPv6 seems to solve the issue, but that is the wrong
> way dealing with it :-)

This may be part of the issue. If you are using IPv6 then you really
need to be signing with DKIM. Mailing lists etc. breaking your DKIM
signature is pretty much expected behaviour and not a reason to disavow
it entirely.

Ken.
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Microsoft Outlook "Modern Authentication"?

[Ken O'Driscoll via mailop]

On Thu, 2020-05-28 at 13:35 -0600, Daniele Nicolodi via mailop wrote:
> Does anyone know if there is any alternative to Outlook to access
> 
> Exchange Online mailboxes that require modern authentication?

Take a look at Davmail, it's basically a proxy that sits in-between
your existing "legacy" MUA and O365. It handles all of the MFA and
talks EWA then presents standards based IMAP, SMTP, CalDAV and CardDAV
protocol interfaces for your MTA to use.

I don't know if it will work for your specific environment but it works
for most people that what to continue to use Thunderbird etc. with
Exchange.

Ken.
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Google: 'Low reputation of the sending domain'

[sivasubramanian muthusamy via mailop]

There are two issues here:

1. We have been brought to a situation where it has become an
insurmountable necessity to send and receive mail from and to Google,
Microsoft and the likes of Amazon, if your mail has to reach from one end
to another.

2.  The filters in the middle (and in this at the 'cloud') make rules
leading to unknown and unreported false positives that are not even
knowable, let alone challengeable by ordinary mortals.



On Tue, Jun 2, 2020, 14:16 Benoit Panizzon via mailop 
wrote:

> Hi Gang
>
> My personal mailserver is not able to send any emails to gmail accounts
> since several months. I was hoping this would solve itself eventually.
> It did not.
>
> There are no breaches or spam or anything sent from that server. I
> would know as I am part of the AS6772 Abuse Desk. :-) Just the
> dozed or so emails per day sent by my family members and myself.
>
> Even emails to my own Gmail Account where my sending email address for
> sure is a know past sender, are being blocked.
>
> The Error:
>
>- Transcript of session follows -
> ... while talking to gmail-smtp-in.l.google.com.:
> >>> DATA
> <<< 550-5.7.1 [2001:4060:dead:beef::1  19] Our system has detected
> that this
> <<< 550-5.7.1 message is likely suspicious due to the very low reputation
> of the
> <<< 550-5.7.1 sending domain. To best protect our users from spam, the
> message has
> <<< 550-5.7.1 been blocked. Please visit
> <<< 550 5.7.1  https://support.google.com/mail/answer/188131 for more
> information. ds3si1043668ejc.545 - gsmtp
> 554 5.0.0 Service unavailable
>
> 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.f.e.e.b.d.a.e.d.0.6.0.4.1.0.0.2.ip6.arpa
> domain name pointer magma.woody.ch.
>
> magma.woody.ch has address 157.161.57.1
> magma.woody.ch has IPv6 address 2001:4060:dead:beef::1
>
> No DNS PTR issue I guess :-)
>
> I have registered woody.ch and magma.woody.ch with Gmail Postmaster
> Tools about one month ago, in the hope that eventually I would get some
> hint to the cause.
>
> Still 'Spamrate' and 'IP Reputation' and 'Domain Reputation' (all other
> items too) still show 'there is no data available yet'.
>
> Not listed in any blacklists @ MXToolbox.
>
> An SPF record exists since several years.
>
> woody.ch descriptive text "v=spf1 ip4:157.161.57.0/27
> ip6:2001:4060:dead::/48 -all"
>
> Yesterday, after re-reading google email recommendations, I also added a
> DMARC entry:
>
> _dmarc.woody.ch descriptive text "v=DMARC1; p=reject; rua=mailto:
> paniz...@woody.ch; ruf=mailto:paniz...@woody.ch; aspf=s"
>
> Still the problem persists as of a couple minutes ago.
>
> DKIM is not a solution. I faced too many problems with mailinglists
> and similar which did alter the header and broke DKIM signatures.
>
> Has anyone a hint what could be the cause for this problem?
>
> And yes, disabling IPv6 seems to solve the issue, but that is the wrong
> way dealing with it :-)
>
> Mit freundlichen Grüssen
>
> -Benoît Panizzon-
> --
> I m p r o W a r e   A G-Leiter Commerce Kunden
> __
>
> Zurlindenstrasse 29 Tel  +41 61 826 93 00
> CH-4133 PrattelnFax  +41 61 826 93 01
> Schweiz Web  http://www.imp.ch
> __
>
> ___
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
>
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Google: 'Low reputation of the sending domain'

[Jan-Philipp Benecke via mailop]

Hey Benoit,

i'm facing the same issue since weeks with my private mailserver.
A few mails getting through and some not.
I've already tried to contact the sender support trough their form. 
Maybe this helps, lets see.


BTW: I'v enabled SPF, DKIM, DMARC (p=none) since a long time, this 
either didn't help.


Best,
Jan-Philipp

Jan-Philipp Benecke
Deliverability Engineer

Fon: +49 4402 97390-00 
E-Mail: j...@cleverreach.com 

Xing  LinkedIn 



*CleverReach GmbH & Co. KG
HRA 4020 Oldenburg (Oldb.)*
cleverreach.de 
CleverReach® 
CleverReach® 


Vertreten durch: CleverReach Verwaltungs GmbH, HRB 210079 Oldenburg (Oldb.)
//CRASH Building | Schafjückenweg 2 | 26180 Rastede | Germany
Geschäftsführung: Jens Klibingat, Sebastian Schwarz & Sebastian Strzelecki
Aufsichtsrat: Rolf Hilchner & Heinz-Wilhelm Bogena

PUSH///  CleverReach® 
 CleverReach @Instagram 
 https://twitter.com/cleverreach 
 CleverReach @YouTube 



Aktuell können Sie einige Informationen nicht sehen.Bitte aktivieren Sie 
externe Inhalte, um die Mail vollständig angezeigt zu bekommen oder 
klicken Sie hier. 





Benoit Panizzon via mailop schrieb am 02.06.20 um 10:37:

Hi Gang

My personal mailserver is not able to send any emails to gmail accounts
since several months. I was hoping this would solve itself eventually.
It did not.

There are no breaches or spam or anything sent from that server. I
would know as I am part of the AS6772 Abuse Desk. :-) Just the
dozed or so emails per day sent by my family members and myself.

Even emails to my own Gmail Account where my sending email address for
sure is a know past sender, are being blocked.

The Error:

- Transcript of session follows -
... while talking to gmail-smtp-in.l.google.com.:

DATA

<<< 550-5.7.1 [2001:4060:dead:beef::1  19] Our system has detected that this
<<< 550-5.7.1 message is likely suspicious due to the very low reputation of the
<<< 550-5.7.1 sending domain. To best protect our users from spam, the message 
has
<<< 550-5.7.1 been blocked. Please visit
<<< 550 5.7.1  https://support.google.com/mail/answer/188131 for more 
information. ds3si1043668ejc.545 - gsmtp
554 5.0.0 Service unavailable

1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.f.e.e.b.d.a.e.d.0.6.0.4.1.0.0.2.ip6.arpa domain 
name pointer magma.woody.ch.

magma.woody.ch has address 157.161.57.1
magma.woody.ch has IPv6 address 2001:4060:dead:beef::1

No DNS PTR issue I guess :-)

I have registered woody.ch and magma.woody.ch with Gmail Postmaster
Tools about one month ago, in the hope that eventually I would get some
hint to the cause.

Still 'Spamrate' and 'IP Reputation' and 'Domain Reputation' (all other
items too) still show 'there is no data available yet'.

Not listed in any blacklists @ MXToolbox.

An SPF record exists since several years.

woody.ch descriptive text "v=spf1 ip4:157.161.57.0/27 ip6:2001:4060:dead::/48 
-all"

Yesterday, after re-reading google email recommendations, I also added a
DMARC entry:

_dmarc.woody.ch descriptive text "v=DMARC1; p=reject; rua=mailto:paniz...@woody.ch; 
ruf=mailto:paniz...@woody.ch; aspf=s"

Still the problem persists as of a couple minutes ago.

DKIM is not a solution. I faced too many problems with mailinglists
and similar which did alter the header and broke DKIM signatures.

Has anyone a hint what could be the cause for this problem?

And yes, disabling IPv6 seems to solve the issue, but that is the wrong
way dealing with it :-)

Mit freundlichen Grüssen

-Benoît Panizzon-


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Microsoft Outlook "Modern Authentication"?

[Andrew C Aitchison via mailop]

On Thu, 28 May 2020, Daniele Nicolodi asked:

The IT department of the organization that is pushing thins says that
modern authentication and disabling IMAP (over SSL) enhance security.
I don't see how this is the case. Does anyone have an opinion?


Phil Pennock replied:
PP> As to IMAP/TLS -- I know of no security reason to mandate disabling 
PP> IMAP as opposed to any other access protocol.  This sounds more like 
PP> the traditional Outlook FUD-spreading re open protocols.


For the 95% or more of users who only use Microsoft clients and thus
don't use IMAP, disabling IMAP means that dictionary attacks over
ports 143 or 993 are impossible.

On the basis that a computer that is switched off, unplugged and
encased in concrete is more secure from hackers than one that is not,
what that IT department says is accurate.

Different people's minds work in different ways. For those whose minds
don't match Microsoft's model mind, forcing us to use their clients
can kill productivity.

--
Andrew C. Aitchison Kendal, UK
and...@aitchison.me.uk

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

[mailop] Google: 'Low reputation of the sending domain'

[Benoit Panizzon via mailop]

Hi Gang

My personal mailserver is not able to send any emails to gmail accounts
since several months. I was hoping this would solve itself eventually.
It did not.

There are no breaches or spam or anything sent from that server. I
would know as I am part of the AS6772 Abuse Desk. :-) Just the
dozed or so emails per day sent by my family members and myself.

Even emails to my own Gmail Account where my sending email address for
sure is a know past sender, are being blocked.

The Error:

   - Transcript of session follows -
... while talking to gmail-smtp-in.l.google.com.:
>>> DATA  
<<< 550-5.7.1 [2001:4060:dead:beef::1  19] Our system has detected that this
<<< 550-5.7.1 message is likely suspicious due to the very low reputation of the
<<< 550-5.7.1 sending domain. To best protect our users from spam, the message 
has
<<< 550-5.7.1 been blocked. Please visit
<<< 550 5.7.1  https://support.google.com/mail/answer/188131 for more 
information. ds3si1043668ejc.545 - gsmtp
554 5.0.0 Service unavailable

1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.f.e.e.b.d.a.e.d.0.6.0.4.1.0.0.2.ip6.arpa domain 
name pointer magma.woody.ch.

magma.woody.ch has address 157.161.57.1
magma.woody.ch has IPv6 address 2001:4060:dead:beef::1

No DNS PTR issue I guess :-)

I have registered woody.ch and magma.woody.ch with Gmail Postmaster
Tools about one month ago, in the hope that eventually I would get some
hint to the cause.

Still 'Spamrate' and 'IP Reputation' and 'Domain Reputation' (all other
items too) still show 'there is no data available yet'.

Not listed in any blacklists @ MXToolbox.

An SPF record exists since several years.

woody.ch descriptive text "v=spf1 ip4:157.161.57.0/27 ip6:2001:4060:dead::/48 
-all"

Yesterday, after re-reading google email recommendations, I also added a
DMARC entry:

_dmarc.woody.ch descriptive text "v=DMARC1; p=reject; 
rua=mailto:paniz...@woody.ch; ruf=mailto:paniz...@woody.ch; aspf=s"

Still the problem persists as of a couple minutes ago.

DKIM is not a solution. I faced too many problems with mailinglists
and similar which did alter the header and broke DKIM signatures.

Has anyone a hint what could be the cause for this problem?

And yes, disabling IPv6 seems to solve the issue, but that is the wrong
way dealing with it :-)

Mit freundlichen Grüssen

-Benoît Panizzon-
-- 
I m p r o W a r e   A G-Leiter Commerce Kunden
__

Zurlindenstrasse 29 Tel  +41 61 826 93 00
CH-4133 PrattelnFax  +41 61 826 93 01
Schweiz Web  http://www.imp.ch
__

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Microsoft Outlook "Modern Authentication"?

[Mark Foster via mailop]

> On 2020-05-28 at 13:35 -0600, Daniele Nicolodi via mailop wrote:
>> Does anyone know if there is any alternative to Outlook to access
>> Exchange Online mailboxes that require modern authentication?
>>
>> The IT department of the organization that is pushing thins says that
>> modern authentication and disabling IMAP (over SSL) enhance security. I
>> don't see how this is the case. Does anyone have an opinion?
>
> There's two orthogonal things here: using temporary tokens for protocol
> login, and using IMAP.
>
> If you move a lot of the authentication into one common system which can
> present short-lived tokens for other application protocols to use, then
> you can start piling in more checks in one place.  It becomes easier to
> require two-factor authentication, etc etc.  Typically you then get an
> OAuth token out of that.
>
> You can use OAuth tokens in other protocols; within email and IMAP,
> Google use the `OAUTHBEARER` SASL mechanism, and Brandon Long of Google
> contributed support to mutt (requires external commands to handle the
> flow, in the usual mutt manner).
>
> As to IMAP/TLS -- I know of no security reason to mandate disabling IMAP
> as opposed to any other access protocol.  This sounds more like the
> traditional Outlook FUD-spreading re open protocols.
>
> -Phil
>

Start with
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication

Azure AD supports several of the most widely used authentication and
authorization protocols including legacy authentication. Legacy
authentication refers to protocols that use basic authentication.
Typically, these protocols can't enforce any type of second factor
authentication. Examples for apps that are based on legacy authentication
are:

Older Microsoft Office apps
Apps using mail protocols like POP, IMAP, and SMTP

...

Legacy authentication protocols
The following options are considered legacy authentication protocols

Authenticated SMTP - Used by POP and IMAP client's to send email messages.
Autodiscover - Used by Outlook and EAS clients to find and connect to
mailboxes in Exchange Online.
Exchange Online PowerShell - Used to connect to Exchange Online with
remote PowerShell. If you block Basic authentication for Exchange Online
PowerShell, you need to use the Exchange Online PowerShell Module to
connect. For instructions, see Connect to Exchange Online PowerShell using
multi-factor authentication.
Exchange Web Services (EWS) - A programming interface that's used by
Outlook, Outlook for Mac, and third-party apps.
IMAP4 - Used by IMAP email clients.
MAPI over HTTP (MAPI/HTTP) - Used by Outlook 2010 and later.
Offline Address Book (OAB) - A copy of address list collections that are
downloaded and used by Outlook.
Outlook Anywhere (RPC over HTTP) - Used by Outlook 2016 and earlier.
Outlook Service - Used by the Mail and Calendar app for Windows 10.
POP3 - Used by POP email clients.
Reporting Web Services - Used to retrieve report data in Exchange Online.
Other clients - Other protocols identified as utilizing legacy
authentication.

Regards
Mark.


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Microsoft Outlook "Modern Authentication"?

[Phil Pennock via mailop]

On 2020-05-28 at 13:35 -0600, Daniele Nicolodi via mailop wrote:
> Does anyone know if there is any alternative to Outlook to access
> Exchange Online mailboxes that require modern authentication?
> 
> The IT department of the organization that is pushing thins says that
> modern authentication and disabling IMAP (over SSL) enhance security. I
> don't see how this is the case. Does anyone have an opinion?

There's two orthogonal things here: using temporary tokens for protocol
login, and using IMAP.

If you move a lot of the authentication into one common system which can
present short-lived tokens for other application protocols to use, then
you can start piling in more checks in one place.  It becomes easier to
require two-factor authentication, etc etc.  Typically you then get an
OAuth token out of that.

You can use OAuth tokens in other protocols; within email and IMAP,
Google use the `OAUTHBEARER` SASL mechanism, and Brandon Long of Google
contributed support to mutt (requires external commands to handle the
flow, in the usual mutt manner).

As to IMAP/TLS -- I know of no security reason to mandate disabling IMAP
as opposed to any other access protocol.  This sounds more like the
traditional Outlook FUD-spreading re open protocols.

-Phil

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop