On 4/2/2016 9:07 AM, David Gerard wrote:
GMail is being flaky as hell about accepting or not
from the RW server, 22.214.171.124 - sometimes works, sometimes hits
spam, sometimes gets 550 refused (with no particular reason given).
Google doesn't do customer service, of course.
We don't *seem* to be in the email blackhole lists (I see our IP
126.96.36.199 gets 6 DNSBL hits in
but I go to the sites in
question and they say it's not listed); so the only other hypothesis
that springs to mind is that they don't like email coming from J.
Random Linode VM (and at least one DNSBL does consider that a reason).
Has SPF/DMARC helped anyone with this sort of thing?
What does one do in this case? Is there e.g. a commercial third-party
email relay service that, say, GMail users will get mail from?
First of all, let's see if this message even makes it to the list. :D
One caveat to SPF/DKIM/DMARC is that mailing lists don't work well with
them. One reason I'm not very active here is because this list resends
my posts with my address and domain, but my DMARC settings don't specify
the list server as a valid sender, so they often end up in everyone's
spam folders. I see that with other people's posts as well. This
mailing list really needs to resend messages from a centralized address
@lists.wikimedia.org, not from the original sender's address. But
that's a function of the mailing list software, and it would take an
admin to reconfigure it.
SPF, DKIM, and DMARC will go a long way to getting your messages to
GMail addresses, as well as other free mail services like Yahoo! I use
Linode as well, and while my wiki doesn't send out a lot of mail (I'm
the only sysop/editor), I have a forum and a custom-built subscription
service that sends out messages regularly. I had problems in the past
sending e-mail to places like Yahoo! until I set up and configured these
Just keep in mind that SPF and DKIM validate different things, and DMARC
is mostly a way of setting your domain's policy with respect to your SPF
and DKIM settings:
* SPF specifies which IPs can send mail for your domain. This is the
easiest to set up, as it only requires adding a record to your DNS.
* DKIM digitally signs your outbound headers to make sure nothing's
been tampered with, letting the receiver know it actually came from
your servers. DKIM can be tricky to configure and requires additional
software and tweaks to your mail subsystem. Most Linux distros should
include a DKIM proxy or other mailer plugin, however. The good news
is, once configured, all outbound mail from your server that uses the
configured mailer should be digitally signed, not just your wiki mail.
* DMARC lets receiving mail servers know what to do with your SPF and
DKIM results. You can be very restrictive and say they should
quarantine or even outright reject mail that doesn't match both, or
you can put it in a reporting mode that lets unvalidated mail through
but informs you of the validation results. Google is very good at
sending DMARC reports to domain holders if you have DMARC properly
configured; I get reports every day from them. You can also see the
IPs of spambots spewing out spam in your name and how Google handled
Here are the Wikipedia articles on each of these systems to get you started:
My suggestion is that you start conservative, then slowly dial in the
restrictions once you know it's working the way you want. For example,
SPF has a flag at the end of each record that can say "these are the
only IPs that can send valid mail for my domain" or "these IPs are the
official IPs, but others can send mail as well". Obviously, you'll
eventually want the more restrictive flag, but to start with you should
use the more permissive flag until you know it's working correctly.
Similarly, your DMARC policy can go from "report only" to
to "reject" based on your SPF and DKIM test results.
There are a number of SPF and DKIM test tools that will look at your
SPF, DKIM, and DMARC DNS records and see if they're configured
correctly. Those should be pretty easy to find with a few Google searches.
Google, Microsoft, and Yahoo! are all pretty good at sending DMARC
reports. I use Google for Work for my own domain and send status
e-mails to myself regularly, so I get reports from them all the time. I
have a few users of my subscription service and forum with Hotmail,
Outlook, and Yahoo! addresses. There are other services out there as
well that are pretty good with DMARC, but there are still a lot of mail
servers that haven't implemented any of these technologies. Since you
have a GMail address already, sending test e-mails to yourself is an
easy way to generate Google DMARC reports.
I hope this helps...
Jeffrey T. Darlington
General Protection Fault