> On Nov 13, 2021, at 2:45 PM, Jeroen Massar wrote:
>> 
>> And I finally broke down and implemented DKIM on the server (as Linus and I 
>> speculated that that might help to not be "disappeared" by gmail).
> 
> Yeah, these are sucky tactics, and in many cases, unless you have personal 
> contacts at the big orgs you are going to be stuck not delivering.

At this point (knock on wood) it seems all of the large ones are back to 
accepting email from me. There are a couple that are still rejecting email (and 
that don't have "contact me here" addresses to try and escalate the problem), 
but I'm hopeful that this will be resolved soon.
 
> DKIM is not going to be enough, and as you are already doing you are 
> rewriting the From header (which is annoying as reply-to gets munged etc.)
> 
> In order to be 'accepted' by the large orgs, a combo of at least:
> - don't be in a /24 or /48 with spammers, IP neighborhood matters

Yes - that was one of the challenges in the beginning. Finding a VPS hoster 
whose IP subnet has acceptable reputation. I found one who seems to be doing a 
good job keeping things clean (and of course I don't want to be kicked out of 
their subnet :) )

> - IP/domain reputation matters (high volume can thus spam 1%, low volume 
> means with 1 'spam' mail you might be out...)

I go through my logs usually at least once a week - the fact that it took me 
two weeks to notice this one annoyed me - but I had a few other things going on 
in my life the last couple of weeks.

> - have forward + reverse DNS matching (forward verified reverse or whatever 
> it is called)

I do. The gateway server IP reverse maps to mailhub.gr8dns.org, which resolves 
back to the same IP. And that's one of the MX hosts for subsurface-divelog.org 
-- so I think that should be ok.

> - SPF (-all)

done

> - DKIM

done

> - DMARC (strict)
> - ARC (Authenticated Receiver Chain aka DMARC for forwarders)

I don't do either of those. Need to read up on them, I guess.

> - List-Unsubscribe + Precedence: List

I have a List-Unsubscribe header (actually, two, with both an HTTP and an SMTP 
method to unsubscribe).
And I have Precedence: List

> - Signup to google postmaster + outlook SNDS if you have your own IPs, so 
> that it indicates that you 'care'...

I do have my own IP. So I need to figure out how to do that signup you are 
talking about.

> And that is the bare minimum.... most of those boxes are being ticked already.
> 
> Note that proper big spammers have that all setup nicely, places like Gmail 
> where most spam comes from of course have such high volumes that any 'small 
> spamrun' just comes through.
> 
> If you need any help with the above don't hesitate to ask.

If you have pointers on the three things I haven't done (DMARC, ARC, SNDS) I'd 
appreciate those - feel free to send them off list so we don't bore the rest.

> Oh, please note that because of the header:
> 
> From: Dirk Hohndel via subsurface <[email protected]>
> 
> MUAs that auto-add people you reply to in the address book.... auto-complete 
> for your name, becomes the mailinglist.

Yes, I find that super annoying. But unless I do that, neither SPF nor DKIM 
will work.

> Add to that that Safari and Outlook both are stupid and then auto-fill the 
> name of a person based on that entry... voila, first mail somebody replies 
> to, all subsequent mails come from that person for the list...
> 
> The way around that, as I implemented for Trident, is the 
> <jeroen%[email protected]> format, as then there is a unique address that 
> can be reversed to the original address; but that also implies that for Reply 
> to the From address needs to arrive at the original recipient and thus has to 
> be rewritten.

But that's also wrong - and I certainly don't want to enable that forwarding on 
my server. And it still autocompletes to the wrong address for people.

> Note that the following:
> 
> Authentication-Results: massar.ch;
>       dkim=pass (2048-bit key; unprotected) header.d=subsurface-divelog.org 
> [email protected] header.a=rsa-sha256 header.s=2021 
> header.b=T84KKRk5;
>       dkim=fail reason="signature verification failed" (2048-bit key; 
> unprotected) header.d=hohndel.org [email protected] header.a=rsa-sha256 
> header.s=2021 header.b=oEnVr5CJ;
>       dkim-atps=neutral
> 
> Shows that the hohndel.org DKIM header was still present. ARC covers that 
> part, to make Google a bit happier in your host declaring that you verified, 
> but then broke that sig.

You lost me :)

> The big orgs are making it on-purpose hard to do your own, as they know that 
> they then get more of the mail on their platforms, and every bit of data 
> helps :(   [not that something like 80% of mail ends up there anyway, thus 
> they effectively see it all unfortunately, and with domain hosting and 
> forwarding one never knows where your mail ends up; PGP oh meh... to protect 
> sensitive stuff...]

I noticed :)

> As for Mailman: one thing that really helps is changing the standard URLs for 
> the signup page, makes it harder for bots to get there, and script kiddies 
> would then have to manually change the scripts they have, and that is hard 
> for them.

Interesting idea. I'll look into how to do that. If you have a link to a 
tutorial, I'd be thrilled :)

Thank you so much for all this valuable feedback. Very, very much appreciated.

/D
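The Authentication-Results header quoted in this exchange is the whole reason the list rewrites From: the hohndel.org signature no longer verifies once the list has altered the message, and DMARC only credits a passing DKIM signature whose d= domain aligns with the From domain. As an added illustration (not code from the thread or from the Subsurface project), this Python parses such a header and checks DKIM alignment; the sample header is constructed from the quoted one, with the header.i values assumed because the archive redacted them.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the Authentication-Results header quoted in the
# thread; the header.i values are assumed (the archive redacted the addresses).
SAMPLE_AR = (
    "massar.ch;\n"
    "  dkim=pass (2048-bit key; unprotected) header.d=subsurface-divelog.org"
    " header.i=@subsurface-divelog.org header.a=rsa-sha256 header.s=2021 header.b=T84KKRk5;\n"
    '  dkim=fail reason="signature verification failed" (2048-bit key; unprotected)'
    " header.d=hohndel.org header.i=@hohndel.org header.a=rsa-sha256 header.s=2021 header.b=oEnVr5CJ;\n"
    "  dkim-atps=neutral"
)

def parse_auth_results(value: str) -> List[Dict[str, str]]:
    """Split an Authentication-Results value (RFC 8601) into one dict per method
    result; parenthesised comments are dropped first because they may contain ';'."""
    value = re.sub(r"\([^)]*\)", " ", value)
    parts = [p.strip() for p in value.split(";") if p.strip()]
    results = []
    for part in parts[1:]:  # parts[0] is the authserv-id (here massar.ch)
        tokens = re.findall(r'(\S+?)=("[^"]*"|\S+)', part)
        if not tokens:
            continue
        entry = {"method": tokens[0][0], "result": tokens[0][1]}
        for key, val in tokens[1:]:
            entry[key] = val.strip('"')
        results.append(entry)
    return results

def org_domain(domain: str) -> str:
    """Rough organisational domain (last two labels); real DMARC checks use the PSL."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_aligned(results: List[Dict[str, str]], from_domain: str, strict: bool = False) -> bool:
    """DMARC passes via DKIM only if a *passing* signature's d= aligns with the
    RFC5322.From domain: exact under adkim=s, same org domain under adkim=r.
    The failed hohndel.org signature above therefore contributes nothing."""
    for r in results:
        if r["method"] != "dkim" or r["result"] != "pass":
            continue
        d = r.get("header.d", "").lower()
        if d == from_domain.lower() or (not strict and org_domain(d) == org_domain(from_domain)):
            return True
    return False

if __name__ == "__main__":
    parsed = parse_auth_results(SAMPLE_AR)
    for from_dom in ("subsurface-divelog.org", "hohndel.org"):
        print(from_dom, "DKIM-aligned:", dkim_aligned(parsed, from_dom))
```

With From rewritten to subsurface-divelog.org the list's own signature aligns; had From stayed hohndel.org, the only surviving DKIM pass would be unaligned and DMARC would fall back to SPF (which the list's server also cannot satisfy for hohndel.org).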

_______________________________________________
subsurface mailing list
[email protected]
http://lists.subsurface-divelog.org/cgi-bin/mailman/listinfo/subsurface