Re: [nanog] Re: Gmail (thus Nanog) rejecting ipv6 email

2022-04-02 Thread Dan Mahoney (Gushi)

On Sat, 2 Apr 2022, Michael Thomas wrote:



On 4/2/22 6:21 PM, John Levine wrote:

It appears that Michael Thomas  said:


I'll be eager to see the papers substantiating this. Until then I remain 
completely skeptical. It's an experimental RFC for a reason. Let's see the 
data.


ARC is not mentioned here:

https://support.google.com/mail/answer/81126?hl=en

But nor are mailing lists/listservs.  Most of the guidance on "lists" 
seems to be related to marketing lists (which I hate way more, but gmail 
seems to be quite forgiving of), vs discussion lists.


Also, the error message we're getting speaks to the reputation of "our 
domain", not our IP block.  Otherwise, I would think v4 mail would bounce 
as well.


Now, if that's caused by our staff posting to *other* mailing lists that 
do not do ARC, we have zero control over that.


If it's being implied that gmail is ranking us (i.e. dkim-signed and 
spf-compliant mail from Mark Andrews to *this list*) with a "very low" 
reputation because *our* mailman lists don't presently do arc-sealing, 
then could someone from google please tell me that canonically?


-Dan


--

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
FB:  fb.com/DanielMahoneyIV
LI:   linkedin.com/in/gushi
Site:  http://www.gushi.org
---



Re: [nanog] Re: Gmail (thus Nanog) rejecting ipv6 email

2022-04-02 Thread Dan Mahoney (Gushi)

On Sun, 3 Apr 2022, Jeroen Massar wrote:


Hi Dan,

Hope the rest of the world is treating you decently!

There are a lot of bits and bobs that one has to get right for mail to flow, 
amongst which:

- IP -> PTR lookup -> that hostname lookup, and match to IP again
  (https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS)
- SPF
- DKIM
- DMARC
- ARC (for mailinglists)
- SRS (When forwarding, rewrite the From and resign DKIM, and then ARC-sign 
that)
- Decent TLS
- MTA-STS

And that list grows and grows... and grows and grows. It is kind of a test of whether one 
has actually bothered to configure a setup, and is not just randomly sending 
an email by telnetting from a random server. Of course the large spam 
outfits have this fully automated and configured, so that their 
spam^Wadvertising comes through.

A wee little test tells that there are a few improvements to be made at minimum:

https://internet.nl/mail/isc.org/

• Not all authenticity marks against email phishing (DMARC, DKIM and 
SPF)


We have SPF, DKIM signing, and a DMARC policy that sets p=none.

We're not setting p=reject, considering the number of mailing lists our 
users are on that are outdated or based on EOL software (including this 
one which depends on python 2.7, and including our own which have the same 
problem).  It's impossible to know, from the outside, how mailing lists 
are configured.  Mailman3 is...special.  That's a rant for another time.


We get about an email a week from someone emailing security-officer@ 
trying to get a bug bounty telling us we should set p=reject.  There's an 
ecosystem for this stuff.


I don't think this affects our domain's "reputation".


• Failed: Mail server connection not or insufficiently secured 
(STARTTLS and DANE)


This has little to do with what ciphers we support outbound, and little to 
do with our reputation.


Unlike HTTPS, the fallback when STARTTLS doesn't work is plain text.  Setting 
a stricter cipher requirement would result in more mail being delivered in 
the clear.


This is a somewhat broken test.

-Dan

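The DMARC alignment logic behind the two points above (why list-relayed mail fails DMARC once the list touches the body, and what p=none versus p=reject and an ARC override change about the outcome) as an added Python example; it is not code from the thread or from any mail software, and every domain and result in it is a constructed sample value.

```python
"""DMARC disposition for direct vs. mailing-list mail (added example).

Models RFC 7489 identifier alignment: DMARC passes when SPF or DKIM passes
AND the authenticated domain aligns with the RFC5322.From domain. All domains
below are constructed samples; the ARC override models a receiver that trusts
the list's ARC seal, which this simplified code does not verify itself."""

def parse_dmarc(txt):
    """Parse a DMARC TXT record ('v=DMARC1; p=none; ...') into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    # Simplified organizational domain: last two labels, no Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') compares org domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record, from_domain, spf, dkim, arc_override=False):
    """spf and dkim are (result, domain) pairs as Authentication-Results would
    report them. Returns (dmarc_result, action the receiver takes)."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    if arc_override:
        # Receiver accepts the sealed pre-list results instead of applying p=.
        return "fail", "deliver (ARC override)"
    actions = {"none": "deliver + report", "quarantine": "quarantine", "reject": "reject"}
    return "fail", actions[tags.get("p", "none")]

def via_list(record, arc_override=False):
    """Constructed list case: the list MTA's envelope domain passes SPF but does
    not align with From, and the subject tag / footer broke the DKIM signature."""
    return dmarc_disposition(record, "sender.example",
                             spf=("pass", "lists.example"),
                             dkim=("fail", "sender.example"),
                             arc_override=arc_override)
```

Running `via_list("v=DMARC1; p=reject")` versus `via_list("v=DMARC1; p=none")` shows the difference a sender's p= choice makes to list mail; the same list message with `arc_override=True` is delivered regardless of the policy.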


Re: [nanog] Re: Gmail (thus Nanog) rejecting ipv6 email

2022-04-02 Thread Dan Mahoney (Gushi)

On Sun, 3 Apr 2022, Niels Bakker wrote:

I also run my own mail server. I had to firewall off Google's MXes for this 
exact reason: silent and not-so-silent email rejection when offered over 
IPv6.


Every now and then they rotate their IP addresses, which causes mail to get 
dropped for a while.


There is no other conclusion possible than that Gmail is actively anti-email 
at this point. I'm pretty sure I receive more spam from them than I send to 
them, despite forwarding all emails for a few family members' domains.


I too have encountered this.

This comes up on mailop periodically.  It kind of makes me want to drop 
entries for the various gmail.com MXes in /etc/hosts, because while 
postfix gives me a way to override the one domain (say, gmail.com) it's 
whack-a-mole with the various gmail-hosted-domains.


Bind9 has a filter- feature, but it doesn't quite work this way, 
easily, and of course it breaks DNSSEC.


It's my opinion (not that of my employer, necessarily), that gmail is to 
email as old-school AOL is to the internet.




And it's September.



-Dan

