Using external services for deliverability?
I have a Mailman 3 server up and running but I'm terrified to migrate to it from my existing Mailman 2 provider for fear that services like Gmail will randomly start blacklisting my IP with little I can do about it. I have SPF records set up so I'm hoping I'll be OK but I'd like to have a backup plan.
Has anyone ever tried using an external service like Mailgun or Sendgrid as a relay? I tried both but couldn't get either to work due to their sender authentication mechanism. They want all 'From:' headers to be from domains that are pre-authenticated as senders. But Mailman keeps the 'From' header from the original sender so it won't match any authenticated domains. Right?
Is there anything to be done here or do I just have to migrate and pray?
On 6/30/20 9:56 AM, tom@gather.coop wrote:
> I have a Mailman 3 server up and running but I'm terrified to migrate to it from my existing Mailman 2 provider for fear that services like Gmail will randomly start blacklisting my IP with little I can do about it. I have SPF records set up so I'm hoping I'll be OK but I'd like to have a backup plan.
> Has anyone ever tried using an external service like Mailgun or Sendgrid as a relay? I tried both but couldn't get either to work due to their sender authentication mechanism. They want all 'From:' headers to be from domains that are pre-authenticated as senders. But Mailman keeps the 'From' header from the original sender so it won't match any authenticated domains. Right?
There is no reason to be afraid if you are sending out legitimate communications. SPF records will help. You will also need to enable DMARC mitigation on your lists and Mailman 3 does that very well as Mailman 2 did. It also helps if you sign your outbound mail with DKIM. With those 3 things in place, you should have no problem sending mail. Keep in mind AT&T will probably block you if the IP address you are using is new. That is standard practice for them. It's easy to get that block removed. Same goes for Comcast using their Vader RBL.
I have found Gmail to be the easiest mail provider to work with. I don't think I have ever seen a permanent block from them. But then again, I don't host spammers.
--
Please let me know if you need further assistance.
Thank you for your business. We appreciate our clients.
Brian Carpenter
EMWD.com
On 6/30/20 7:03 AM, Brian Carpenter wrote:
> On 6/30/20 9:56 AM, tom@gather.coop wrote:
>> I have a Mailman 3 server up and running but I'm terrified to migrate to it from my existing Mailman 2 provider for fear that services like Gmail will randomly start blacklisting my IP with little I can do about it. I have SPF records set up so I'm hoping I'll be OK but I'd like to have a backup plan.
...
> There is no reason to be afraid if you are sending out legitimate communications. SPF records will help. You will also need to enable DMARC mitigation on your lists and Mailman 3 does that very well as Mailman 2 did. It also helps if you sign your outbound mail with DKIM. With those 3 things in place, you should have no problem sending mail. Keep in mind AT&T will probably block you if the IP address you are using is new. That is standard practice for them. It's easy to get that block removed. Same goes for Comcast using their Vader RBL.
You also need to ensure you have full circle DNS <https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS>. That together with SPF and DKIM signing of outbound mail is virtually essential for deliverability.
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
And speaking of reverse DNS, I do have a valid PTR record that maps to the domain of my server. But that domain will never match the sending domain for outgoing mailman mail for two reasons:
- Mailman keeps the from header intact, so the sending domain can be anything.
- Even the list domain can be any number of domains since I host more than one domain on the server.
So I hope there is not an expectation that the rDNS domain match the email sender domain. If so I'm toast. Is it just sort of a smell test to see if the server looks legitimate?
Thanks again!
On 7/4/20 9:03 AM, tom@gather.coop wrote:
> So I hope there is not an expectation that the rDNS domain match the email sender domain. If so I'm toast. Is it just sort of a smell test to see if the server looks legitimate?
Probably part of your confusion is the ambiguity of the term sender which can refer to any of:
- the actual individual sending the original mail (the From: header)
- the envelope sender (the listname-bounces@listdomain address in the case of list mail)
- the sending server.
In the case of FCrDNS we're talking about the server (MTA) delivering the message to the recipient MX. I.e., that server's IP should have a PTR to its name and its name should have an A (or AAAA in the case of IPv6) record with the same IP. That's what FCrDNS implies.
Quoting from <https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS>:
"... the requirement is the forward and reverse lookup for the sending relay have to match, it does not have to be related to the from-field or sending domain of messages it relays."
It is also good if the name by which the MTA identifies itself (the myhostname setting in Postfix) is the same as the server's name. Quoting from the same article:
"Some e-mail mail transfer agents will perform FCrDNS verification on the domain name given on the SMTP HELO and EHLO commands. This can violate RFC 2821 and so e-mail is usually not rejected by default."
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
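The FCrDNS check described in the message above, as an added example that is not part of the original thread: it takes only the sending server's IP and, optionally, the name the MTA announces in HELO/EHLO, and never looks at the From: header or the list domain. The zone data, host names and addresses are constructed (documentation ranges); `sample_check` and the lookup helpers are illustrative names.

```python
import ipaddress
import socket

def system_ptr(ip):
    """PTR names for an IP from the system resolver (needs network)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]

def system_addrs(name):
    """A/AAAA addresses for a host name from the system resolver."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except OSError:
        return []
    return sorted({info[4][0] for info in infos})

def _norm(name):
    return name.rstrip(".").lower()

def _same_ip(a, b):
    # Compare parsed addresses so differently written IPv6 forms still match.
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return False

def check_fcrdns(ip, helo_name=None, ptr_lookup=system_ptr, addr_lookup=system_addrs):
    """Check IP -> PTR name -> A/AAAA -> same IP; optionally compare the HELO name."""
    ptr_names = [_norm(n) for n in ptr_lookup(ip)]
    confirmed = [n for n in ptr_names
                 if any(_same_ip(ip, a) for a in addr_lookup(n))]
    result = {"ptr": ptr_names, "confirmed": confirmed, "fcrdns": bool(confirmed)}
    if helo_name is not None:
        result["helo_matches"] = _norm(helo_name) in confirmed
    return result

# Constructed zone data (documentation address ranges), not real records.
PTR = {"192.0.2.25": ["mail.example.net."],
       "2001:db8::25": ["mail.example.net."],
       "198.51.100.7": ["host7.isp.example."]}
FWD = {"mail.example.net": ["192.0.2.25", "2001:db8:0:0:0:0:0:25"],
       "host7.isp.example": ["203.0.113.9"]}

def sample_check(ip, helo_name=None):
    """Run check_fcrdns against the constructed zone instead of live DNS."""
    return check_fcrdns(ip, helo_name,
                        ptr_lookup=lambda i: PTR.get(i, []),
                        addr_lookup=lambda n: FWD.get(n, []))

if __name__ == "__main__":
    for ip in PTR:
        print(ip, sample_check(ip, helo_name="mail.example.net"))
```

Calling `check_fcrdns("<server IP>", helo_name="<myhostname value>")` without the lookup arguments runs the same check against live DNS through the system resolver.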
Thank you both for the help. I have SPF and reverse DNS set up. But I thought DKIM is no help because Mailman rewrites the email headers, invalidating the signature? Am I not understanding that right?
On 7/4/20 8:50 AM, tom@gather.coop wrote:
> Thank you both for the help. I have SPF and reverse DNS set up. But I thought DKIM is no help because Mailman rewrites the email headers, invalidating the signature? Am I not understanding that right?
Asked and answered at <https://lists.mailman3.org/archives/list/mailman-users@mailman3.org/thread/LSTFEDZ2QWJF7HLYWTCW7FKZVDYQU6SW/>
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan