On 4/2/2016 9:07 AM, David Gerard wrote:
> GMail is being flaky as hell about accepting or not accepting email from the RW server, 173.255.233.133 - sometimes works, sometimes hits spam, sometimes gets 550 refused (with no particular reason given). Google doesn't do customer service, of course.
> We don't *seem* to be in the email blackhole lists (I see our IP 173.255.233.133 gets 6 DNSBL hits in http://www.kloth.net/services/dnsbl.php but I go to the sites in question and they say it's not listed); so the only other hypothesis that springs to mind is that they don't like email coming from J. Random Linode VM (and at least one DNSBL does consider that a reason). Has SPF/DMARC helped anyone with this sort of thing?
> What does one do in this case? Is there e.g. a commercial third-party email relay service that, say, GMail users will get mail from?
First of all, let's see if this message even makes it to the list. :D
One caveat to SPF/DKIM/DMARC is that mailing lists don't work well with them. One reason I'm not very active here is because this list resends my posts with my address and domain, but my DMARC settings don't specify the list server as a valid sender, so they often end up in everyone's spam folders. I see that with other people's posts as well. This mailing list really needs to resend messages from a centralized address @lists.wikimedia.org, not from the original sender's address. But that's a function of the mailing list software, and it would take an admin to reconfigure it.
SPF, DKIM, and DMARC will go a long way to getting your messages to GMail addresses, as well as other free mail services like Yahoo! I use Linode as well, and while my wiki doesn't send out a lot of mail (I'm the only sysop/editor), I have a forum and a custom-built subscription service that sends out messages regularly. I had problems in the past sending e-mail to places like Yahoo! until I set up and configured these protocols correctly.
Just keep in mind that SPF and DKIM validate different things, and DMARC is mostly a way of setting your domain's policy with respect to your SPF and DKIM settings:
* SPF specifies which IPs can send mail for your domain. This is the easiest to set up, as it only requires adding a record to your DNS.
* DKIM digitally signs your outbound headers to make sure nothing's been tampered with, letting the receiver know it actually came from your servers. DKIM can be tricky to configure and requires additional software and tweaks to your mail subsystem. Most Linux distros should include a DKIM proxy or other mailer plugin, however. The good news is, once configured, all outbound mail from your server that uses the configured mailer should be digitally signed, not just your wiki mail.
* DMARC lets receiving mail servers know what to do with your SPF and DKIM results. You can be very restrictive and say they should quarantine or even outright reject mail that doesn't match both, or you can put it in a reporting mode that lets unvalidated mail through but informs you of the validation results. Google is very good at sending DMARC reports to domain holders if you have DMARC properly configured; I get reports every day from them. You can also see the IPs of spambots spewing out spam in your name and how Google handled those messages.
Here are the Wikipedia articles on each of these systems to get you started:
https://en.wikipedia.org/wiki/Sender_Policy_Framework
https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
https://en.wikipedia.org/wiki/DMARC
My suggestion is that you start conservative, then slowly dial in the restrictions once you know it's working the way you want. For example, SPF has a flag at the end of each record that can say "these are the only IPs that can send valid mail for my domain" or "these IPs are the official IPs, but others can send mail as well". Obviously, you'll eventually want the more restrictive flag, but to start with you should use the more permissive flag until you know it's working correctly. Similarly, your DMARC policy can go from "report only" to "quarantine" to "reject" based on your SPF and DKIM test results.
There are a number of SPF and DKIM test tools that will look at your SPF, DKIM, and DMARC DNS records and see if they're configured correctly. Those should be pretty easy to find with a few Google searches.
Google, Microsoft, and Yahoo! are all pretty good at sending DMARC reports. I use Google for Work for my own domain and send status e-mails to myself regularly, so I get reports from them all the time. I have a few users of my subscription service and forum with Hotmail, Outlook, and Yahoo! addresses. There are other services out there as well that are pretty good with DMARC, but there are still a lot of mail servers that haven't implemented any of these technologies. Since you have a GMail address already, sending test e-mails to yourself is an easy way to generate Google DMARC reports.
I hope this helps...
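The DMARC reports mentioned in the message above are XML aggregate files. As an added example that is not part of the original post, this Python sketch summarizes one per source IP and separates your own failing servers from unknown senders before a policy is tightened. The report, the domain example.org, the documentation-range IPs and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout; not real data.
# Reports come from third parties: in production parse them with a hardened
# parser such as defusedxml instead of the stdlib one.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.org</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>42</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.25</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.7</source_ip><count>17</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def summarize(report_xml):
    """Return (published policy, {source_ip: {"total": n, "passed": n}})."""
    root = ET.fromstring(report_xml)
    policy = root.findtext("policy_published/p", default="none")
    stats = {}
    for row in root.iterfind("record/row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", default="0"))
        results = (row.findtext("policy_evaluated/dkim"),
                   row.findtext("policy_evaluated/spf"))
        entry = stats.setdefault(ip, {"total": 0, "passed": 0})
        entry["total"] += count
        # DMARC passes when either aligned check passes (RFC 7489).
        if "pass" in results:
            entry["passed"] += count
    return policy, stats

def triage(report_xml, known_senders):
    """Split failing sources into own servers to fix and unknown senders."""
    _, stats = summarize(report_xml)
    failing = sorted(ip for ip, s in stats.items() if s["passed"] < s["total"])
    fix_first = [ip for ip in failing if ip in known_senders]
    unknown = [ip for ip in failing if ip not in known_senders]
    return fix_first, unknown

if __name__ == "__main__":
    policy, stats = summarize(SAMPLE_REPORT)
    print("published policy:", policy)
    for ip, s in stats.items():
        print(f"{ip}: {s['passed']}/{s['total']} passed DMARC")
    print(triage(SAMPLE_REPORT, {"192.0.2.10", "198.51.100.25"}))
```

Any address in the first list is one of your own senders that still lacks SPF coverage or DKIM signing, which is worth fixing while the policy is still in reporting mode.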