How does Mailman handle spf/dkim/dmarc? Specifically, does it re-signature originating sender emails not caring whether or not the originating email has proper spf/dkim/dmarc signatures? Or does it NOT re-signature originating sender email, i.e. just pass them through without alteration?
On 2023-05-17 06:22:58 -0700 (-0700), Christian via Mailman-users wrote:
> How does Mailman handle spf/dkim/dmarc? Specifically, does it re-signature originating sender emails not caring whether or not the originating email has proper spf/dkim/dmarc signatures? Or does it NOT re-signature originating sender email, i.e. just pass them through without alteration?
All of the above. You can configure the DMARC handling rules on a per-list basis, though if you want to re-sign with a new DKIM signature you'll need some additional configuration in the MTA to handle that part of the process.
As for SPF, that's entirely orthogonal. SPF is purely a set of rules in DNS records saying what hosts you expect will send messages for your domain. That doesn't require any alterations to your list or agent configuration, though you may end up configuring use of a smarthost in order to comply with an existing SPF policy rather than amending your SPF policy to include your MM3 host directly.
Jeremy Stanley
Any pointers on how to set up to resign with a new DKIM signature?
Mailman-users mailing list -- mailman-users@mailman3.org To unsubscribe send an email to mailman-users-leave@mailman3.org https://lists.mailman3.org/mailman3/lists/mailman-users.mailman3.org/ Archived at: https://lists.mailman3.org/archives/list/mailman-users@mailman3.org/message/...
This message sent to swd@pobox.com
Duh. I use Postfix running on the same machine as mm3 as my MTA.
On Wed, May 17, 2023 at 9:55 AM Jeremy Stanley <fungi@yuggoth.org> wrote:
> On 2023-05-17 09:39:20 -0400 (-0400), Stephen Daniel wrote:
>> Any pointers on how to set up to resign with a new DKIM signature? [...]
> How you implement it will depend on your MTA (Exim? Postfix? QMail? Sendmail? something else?).
> Jeremy Stanley
On Wed, May 17, 2023 at 4:56 PM Stephen Daniel <swd@pobox.com> wrote:
> Duh. I use Postfix running on the same machine as mm3 as my MTA.
https://tecadmin.net/setup-dkim-with-postfix-on-ubuntu-debian/
Not so complicated :)
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-) [How to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html]
On 2023-05-17 09:56:06 -0400 (-0400), Stephen Daniel wrote:
> Duh. I use Postfix running on the same machine as mm3 as my MTA. [...]
I don't use Postfix, but I asked a Web search engine (DuckDuckGo) for "configure dkim signing in postfix" and got many informative hits for various versions, platforms and distributions. Perhaps if you do that you'll get similar results and can find instructions which most closely match your deployment specifics. Best of luck!
Jeremy Stanley
Thanks all!
Hi Stephen.
Based on the conversation we had last week regarding you using Google Workspace as your smarthost, are you sure that it can't do the DKIM signing for you? With my Office365 acting as smarthost (see other post I made today), I had to turn off DKIM signing in my MTA as the Office365 was adding its own DKIM headers.
Thanks. Andrew.
Thank you for your reply. I'm being driven mad by Gmail rejecting my SPF record, this while I get SPF record approvals everywhere else.
I read that having two SPF records for the same server will generate errors. Is this true?
On 2023-05-17 07:07:53 -0700 (-0700), Christian via Mailman-users wrote:
> Thank you for your reply. I'm being driven mad by Gmail rejecting my SPF record, this while I get SPF record approvals everywhere else.
> I read that having two SPF records for the same server will generate errors. Is this true? [...]
I'm not an SPF expert (I don't even use it for my domains), but I do know how to query standards documents. IETF RFC 7208 "Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1" states in §3.2: "A domain name MUST NOT have multiple records that would cause an authorization check to select more than one record."
https://www.rfc-editor.org/rfc/rfc7208#section-3.2
Hope that helps!
Jeremy Stanley
Ok. This is what I am getting in my mail.log:
May 17 06:20:40 lists postfix/smtp[28437]: C14F8101260: to=<billb6951@gmail.com>, relay=gmail-smtp-in.l.google.com[142.250.114.26]:25, delay=0.45, delays=0.01/0/0.14/0.29, dsn=5.7.26, status=bounced (host gmail-smtp-in.l.google.com[142.250.114.26] said: 550-5.7.26 The MAIL FROM domain [lists.ccalternatives.org] has an SPF record 550-5.7.26 with a hard fail policy (-all) but it fails to pass SPF checks with 550-5.7.26 the ip: [192.46.218.224].
I have two SPF records in dns for the server as follows:
mail v=spf1 mx -all
lists v=spf1 ip4:45.79.28.18 -all
please advise. Thank you!
On Wed, May 17, 2023 at 5:21 PM Christian via Mailman-users <mailman-users@mailman3.org> wrote:
> Ok. This is what I am getting in my mail.log:
> May 17 06:20:40 lists postfix/smtp[28437]: C14F8101260: to=< billb6951@gmail.com>, relay=gmail-smtp-in.l.google.com[142.250.114.26]:25, delay=0.45, delays=0.01/0/0.14/0.29, dsn=5.7.26, status=bounced (host gmail-smtp-in.l.google.com[142.250.114.26] said: 550-5.7.26 The MAIL FROM domain [lists.ccalternatives.org] has an SPF record 550-5.7.26 with a hard fail policy (-all) but it fails to pass SPF checks with 550-5.7.26 the ip: [192.46.218.224].
> I have two SPF records in dns for the server as follows:
> mail v=spf1 mx -all
> lists v=spf1 ip4:45.79.28.18 -all
It would appear to me that you need to substitute 192.46.218.224 for 45.79.28.18 in the above record. Use a tool like: https://easydmarc.com/tools/spf-record-generator
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-) [How to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html]
On 2023-05-17 07:23:09 -0700 (-0700), Christian via Mailman-users wrote:
> I have two SPF records in dns for the server as follows:
> mail v=spf1 mx -all
> lists v=spf1 ip4:45.79.28.18 -all [...]
That's not two SPF records for the domain, that's SPF records for two different domains (mail.ccalternatives.org and lists.ccalternatives.org) which just happen to be subdomains of the same parent domain. That should be completely fine according to the standard. Also the log you posted doesn't say anything to indicate that's an issue.
The problem seems to be with the lists SPF record specifically, according to the error you're receiving:
> The MAIL FROM domain [lists.ccalternatives.org] has an SPF record 550-5.7.26 with a hard fail policy (-all) but it fails to pass SPF checks with 550-5.7.26 the ip: [192.46.218.224].
Your record says "allow lists.ccalternatives.org messages from 45.79.28.18 and reject them from everywhere else" except you're then trying to send lists.ccalternatives.org messages from 192.46.218.224 instead, which is correctly rejected by the recipient's MTA.
Jeremy Stanley
On Wed, May 17, 2023 at 5:06 PM Christian via Mailman-users <mailman-users@mailman3.org> wrote:
> Thank you for your reply. I'm being driven mad by Gmail rejecting my SPF record, this while I get SPF record approvals everywhere else.
> I read that having two SPF records for the same server will generate errors. Is this true?
You can only have 1 SPF record.
SPF = Sender Permitted From. It's a list of hosts that are allowed to originate emails using your domain name. If your server sends out emails directly to the Internet, then you'll only have its name or IP in the SPF record. If your server uses a smarthost to relay mail, then you have that host's IP or name (must match a PTR record) in the SPF record. There are situations where you can have some mails sent out directly while some are sent out via a smarthost - depending on some criteria. In such a case you need to publish both hosts in SPF records.
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-) [How to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html]
On 5/17/23 07:20, Odhiambo Washington wrote:
> You can only have 1 SPF record.
For a domain. But as Jeremy Stanley noted, mail.ccalternatives.org and lists.ccalternatives.org are different domains and it is fine for each to have its own spf record.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
Domain vs subdomain. At least I never mentioned subdomain.
On 2023-05-17 22:59:16 +0300 (+0300), Odhiambo Washington wrote:
> Domain vs subdomain. At least I never mentioned subdomain. [...]
It's a quirk of interpreting the tea leaves that are Internet standards. The term "subdomain" is relative and rarely used. In DNS every name is a domain, and every domain is a subdomain of another domain (except for the root domain ".").
Jeremy Stanley
Using https://www.spf-record.com/ I have checked my SPF records which are reported as 'SPF check passed'. My DKIM also passes various test suites. Yet, Google is still rejecting mailman messages to any and all gmail users. I have even filled out their short form for delisting at https://support.google.com/mail/contact/bulk_send_new all to no avail. Example of block logfile message:
May 18 12:53:11 lists postfix/smtp[28104]: C9D7A1005DA: to=<billb6951@gmail.com>, relay=gmail-smtp-in.l.google.com[142.250.138.27]:25, delay=0.69, delays=0.01/0.01/0.14/0.53, dsn=5.7.26, status=bounced (host gmail-smtp-in.l.google.com[142.250.138.27] said: 550-5.7.26 The MAIL FROM domain [lists.ccalternatives.org] has an SPF record 550-5.7.26 with a hard fail policy (-all) but it fails to pass SPF checks with 550-5.7.26 the ip: [192.46.218.224]. To best protect our users from spam and 550-5.7.26 phishing, the message has been blocked. Please visit 550-5.7.26 https://support.google.com/mail/answer/81126#authentication for more 550 5.7.26 information. p3-20020a056870868300b001926c1449a6si1393979oam.240 - gsmtp (in reply to end of DATA command))
Could the hard fail policy be implicated in the gmail rejection?
Other than readdressing my server, is there anything else I can do?
On Fri, May 19, 2023 at 7:09 PM Christian via Mailman-users <mailman-users@mailman3.org> wrote:
> Using https://www.spf-record.com/ I have checked my SPF records which are reported as 'SPF check passed'. My DKIM also passes various test suites. Yet, Google is still rejecting mailman messages to any and all gmail users. I have even filled out their short form for delisting at https://support.google.com/mail/contact/bulk_send_new all to no avail. Example of block logfile message:
> May 18 12:53:11 lists postfix/smtp[28104]: C9D7A1005DA: to=<billb6951@gmail.com>, relay=gmail-smtp-in.l.google.com[142.250.138.27]:25, delay=0.69, delays=0.01/0.01/0.14/0.53, dsn=5.7.26, status=bounced (host gmail-smtp-in.l.google.com[142.250.138.27] said: 550-5.7.26 The MAIL FROM domain [lists.ccalternatives.org] has an SPF record 550-5.7.26 with a hard fail policy (-all) but it fails to pass SPF checks with 550-5.7.26 the ip: [192.46.218.224]. To best protect our users from spam and 550-5.7.26 phishing, the message has been blocked. Please visit 550-5.7.26 https://support.google.com/mail/answer/81126#authentication for more 550 5.7.26 information. p3-20020a056870868300b001926c1449a6si1393979oam.240 - gsmtp (in reply to end of DATA command))
> Could the hard fail policy be implicated in the gmail rejection?
> Other than readdressing my server, is there anything else I can do?
Kindly use some sane MUA and try and learn how to hit the reply button. Having said that, here is a test for SPF records for my MM3 domain, versus a test for yours:
[19:26 ~ ]$ dig +short lists.kictanet.or.ke txt
"v=spf1 a mx ip4:41.212.32.14 -all"
[19:26 ~ ]$ dig +short lists.ccalternatives.org txt
"v=spf1 -all"
I have never seen an empty SPF record before. Yours is the first one I am seeing. I suppose there is something amiss with your SPF record, but I am not even sure.
Can you please head to: http://www.appmaildev.com/ Run the SPF and DKIM tests and share the results here so that we can also see.
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-) [How to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html]
On 5/19/23 09:10, Christian via Mailman-users wrote:
> May 18 12:53:11 lists postfix/smtp[28104]: C9D7A1005DA: to=<billb6951@gmail.com>, relay=gmail-smtp-in.l.google.com[142.250.138.27]:25, delay=0.69, delays=0.01/0.01/0.14/0.53, dsn=5.7.26, status=bounced (host gmail-smtp-in.l.google.com[142.250.138.27] said: 550-5.7.26 The MAIL FROM domain [lists.ccalternatives.org] has an SPF record 550-5.7.26 with a hard fail policy (-all) but it fails to pass SPF checks with 550-5.7.26 the ip: [192.46.218.224]. To best protect our users from spam and 550-5.7.26 phishing, the message has been blocked. Please visit 550-5.7.26 https://support.google.com/mail/answer/81126#authentication for more 550 5.7.26 information. p3-20020a056870868300b001926c1449a6si1393979oam.240 - gsmtp (in reply to end of DATA command))
dig txt lists.ccalternatives.org
reports
"v=spf1 a mx ip4=192.46.218.224 -all"
It should be
"v=spf1 a mx ip4:192.46.218.224 -all"
i.e. :, not =
> Could the hard fail policy be implicated in the gmail rejection?
Yes but only because the ip4 is not effective due to the syntax error. ~all could help, but I suspect replacing the = with : will do it.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
Christian writes:
> 550-5.7.26 The MAIL FROM domain [lists.ccalternatives.org] has an SPF record
This says it's parsing your mail session and using the MAIL FROM.
> 550-5.7.26 with a hard fail policy (-all) but it fails to pass SPF checks with
> 550-5.7.26 the ip: [192.46.218.224].
At least Google is seeing the mail arrive from the expected IP address.
> To best protect our users from spam and
> 550-5.7.26 phishing, the message has been blocked.
> Could the hard fail policy be implicated in the gmail rejection?
It certainly could. However I would expect the DSN to say "because of the hard fail specification we are rejecting your email" in that case. This looks like a Gmail policy to me.
> Other than readdressing my server, is there anything else I can do?
I don't think readdressing is going to help unless you're referring to the PTR issue mentioned below.
I see the same SPF record you have described before:
lists.ccalternatives.org descriptive text "v=spf1 a mx ip4=192.46.218.224 -all"
so I'm not sure what is going on with Odhiambo's lookup. However, there is an error (the '=' after ipv4 should be ':'), and it has some other problems:
- the 'mx' mechanism is a no-op because lists.ccalternatives.org has no MX record.
- the PTR for 192.46.218.224 points to mail.ccalternatives.org, not to lists.ccalternatives.org.
Neither should cause an SPF check to fail but they make the check more expensive.
I would simplify your TXT record to "v=spf1 ip4:192.46.218.224 -all" because the 'a' mechanism isn't working and the 'mx' mechanism is a no-op. That's really all you need.
Steve
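
The three SPF records quoted in this thread, checked offline against the sending IP taken from the Gmail bounce; this is an added example, not code from any poster or from Mailman. `parse_bounce`, `lint_and_check` and `SAMPLE_DNS` are hypothetical names, the DNS answers are constructed, and only `ip4`/`ip6`/`a`/`mx`/`all` are evaluated.

```python
import ipaddress
import re

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
BOUNCE_RE = re.compile(
    r"MAIL FROM domain \[(?P<domain>[^\]]+)\].*?the ip: \[(?P<ip>[^\]]+)\]", re.S)

# Bounce text (abridged) and SPF records as quoted in the thread.
BOUNCE = ("550-5.7.26 The MAIL FROM domain [lists.ccalternatives.org] has an SPF "
          "record 550-5.7.26 with a hard fail policy (-all) but it fails to pass "
          "SPF checks with 550-5.7.26 the ip: [192.46.218.224].")
OLD = "v=spf1 ip4:45.79.28.18 -all"
TYPO = "v=spf1 a mx ip4=192.46.218.224 -all"
FIXED = "v=spf1 ip4:192.46.218.224 -all"
# Constructed stand-in for DNS answers (assumption): an A record that is not
# the sending IP (documentation address) and no MX hosts.
SAMPLE_DNS = {"a": ["203.0.113.10"], "mx": []}


def parse_bounce(text):
    """Return (MAIL FROM domain, sending IP) from a Gmail 5.7.26 bounce, or None."""
    m = BOUNCE_RE.search(text)
    return (m.group("domain"), m.group("ip")) if m else None


def lint_and_check(record, sender_ip, dns=None):
    """Evaluate an SPF record for sender_ip offline; return (result, warnings).

    a/mx read the caller-supplied `dns` dict and ignore domain/CIDR arguments;
    include/exists/ptr are not evaluated; modifiers are not followed.
    """
    dns = dns or {}
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", ["not an SPF record (missing v=spf1)"]
    result, warnings = None, []
    for term in terms[1:]:
        qual, body = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        m = re.match(r"([A-Za-z][A-Za-z0-9._-]*)(.*)$", body)
        if not m:
            return "permerror", warnings + [f"unparseable term {term!r}"]
        name, rest = m.group(1).lower(), m.group(2)
        if rest.startswith("="):
            # name=value is modifier syntax; RFC 7208 has receivers ignore
            # unknown modifiers, so a mistyped mechanism silently disappears.
            if name in MECHANISMS:
                warnings.append(f"{term!r} is an ignored unknown modifier; "
                                f"did you mean {name}:{rest[1:]}?")
            continue
        if name not in MECHANISMS:
            return "permerror", warnings + [f"unknown mechanism {term!r}"]
        if result is not None:
            continue  # a term already matched; keep scanning for syntax errors
        matched = name == "all"
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(rest[1:], strict=False)
            except ValueError:
                return "permerror", warnings + [f"bad network in {term!r}"]
            matched = ip in net
        elif name in ("a", "mx"):
            addrs = dns.get(name, [])
            if name == "mx" and not addrs:
                warnings.append("'mx' is a no-op: no MX hosts for this domain")
            matched = any(ip == ipaddress.ip_address(a) for a in addrs)
        elif name != "all":
            warnings.append(f"{name!r} not evaluated in this offline check")
        if matched:
            result = QUALIFIERS[qual]
    return result or "neutral", warnings


if __name__ == "__main__":
    domain, ip = parse_bounce(BOUNCE)
    for rec in (OLD, TYPO, FIXED):
        print(domain, ip, rec, *lint_and_check(rec, ip, SAMPLE_DNS), sep=" | ")
```

With the `=` typo the record still ends in `-all` with nothing left that can match, which is why the hard fail fires for the server's own address.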
Like Odhiambo, I see "v=spf1 -all" and nothing else. I see you're using Linode for public DNS, and going through all 5 of their servers directly they're all replying with the record Stephen saw. If I had to guess we're seeing a transient from Linode when you were updating the record at some point that has now gotten cached somewhere unfortunate (like Google...) and has a TTL you now wish were shorter.
As for the record itself, I fully agree with Stephen with his recommendation. Get the extra stuff out and that '=' is currently breaking the IP clause, and the IP clause is what you need most.
-Joel
-- Joel Lord
participants (8): Andrew Hodgson, Christian, Jeremy Stanley, Joel Lord, Mark Sapiro, Odhiambo Washington, Stephen Daniel, Stephen Turnbull