Help! List traffic shunted to gmail/yahoo spam folders
Hello,
I've been through DKIM hell and back. Now I'm to the point where when I "show original" mail with gmail it says SPF, DKIM and DMARC all pass, but it's still going to the spam folders.
Has anyone sorted this?
thanks!
matt
show original:
Delivered-To: somebody@gmail.com Received: by 2002:a02:968f:0:0:0:0:0 with SMTP id w15csp1521828jai; Sat, 10 Jul 2021 14:33:32 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy72rM7rrvKmz7wlOVjj2M02l971IurhWQqYjQlhjZNhtJ1m7uph2Y/p85GAtq4x56KMLi4 X-Received: by 2002:a05:6830:270b:: with SMTP id j11mr3612659otu.352.1625952812813; Sat, 10 Jul 2021 14:33:32 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1625952812; cv=none; d=google.com; s=arc-20160816; b=LSNHINAAV62ePpOJ85HzOKFKSRBzP4htN0SkBgG3HnZp7eVAUY7td/ibOWIsVDy0Iz AcAK6WoRhDKhHmlnx71LAo3COnbmD5TWGle/Kp8cx2tMS5bxRXw+Rb5FZYblTPIiwyFo 7u7zXTTxKCzbyCQgAmpvsQN55N41TRq1je6dTMdo1j4T6msO5pvLzfnJRT3Oo+ZP3sYY K3lOEEl1MNFcmVTxsHY73tdNMncq5TTLGdqdYvT+GDd5a6QnjrkWQvhk783kppNB6kFC dgiXst5Ql/jUbe4NnS1T+i/md+WcXTitmryEtY8lxzCjEnT6NFA5IcHw/tChpH4OqyPv MGIQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:reply-to:from:list-unsubscribe :list-subscribe:list-post:list-help:list-archive:archived-at:list-id :subject:precedence:message-id-hash:content-language:mime-version :user-agent:date:message-id:to:dkim-signature:dmarc-filter :dkim-signature; bh=4HN4XCD73340TTta47Nw8NNNFEbWsNLm9zWdectMYcI=; b=K3ANa/+WBrM8ChcoYKIUkoRZ3sgDZB77S3BRFFu2WZCOBA5pGlG176jCzA1hOz7b+6 1ewP/Imzh16yBVGzugL+/JQZJlCWV1F5S6jq8xeoQIPbkM2JGKIUFAS9+Sk+JNKDTMl4 nMTFiDVfTMkgK6f1guKxBhqHroJKJ4eAUwxjHcX17nZwvY5SOeP0UqnyQaGmeRnJuXel fcdBoY5TqnDMxq7709anmcYRQuIahso/UPjzZrdMsrTJaRhScAxfa0ZQOVnjf4bkyf0D 1/eLCHEl+oZlzNXT06ghOzPFC91g/TxComGBLRWc1G5nk92gqBPrQh9690sbOuqmHZA8 ybPA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@sditdg.org header.s=mail header.b=BteyCkCY; dkim=neutral (body hash did not verify) header.i=@gmail.com header.s=20161025 header.b="Kt/xXWZE"; spf=pass (google.com: domain of testing-bounces@sditdg.org designates 65.50.252.27 as permitted sender) smtp.mailfrom=testing-bounces@sditdg.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=sditdg.org Return-Path: <testing-bounces@sditdg.org> Received: from sditdg.org ([65.50.252.27]) by mx.google.com with ESMTPS id w3si10563091oiv.8.2021.07.10.14.33.32 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 10 Jul 2021 14:33:32 -0700 (PDT) Received-SPF: pass (google.com: domain of testing-bounces@sditdg.org designates 65.50.252.27 as permitted sender) client-ip=65.50.252.27; Authentication-Results: mx.google.com; dkim=pass header.i=@sditdg.org header.s=mail header.b=BteyCkCY; dkim=neutral (body hash did not verify) header.i=@gmail.com header.s=20161025 header.b="Kt/xXWZE"; spf=pass (google.com: domain of testing-bounces@sditdg.org designates 65.50.252.27 as permitted sender) smtp.mailfrom=testing-bounces@sditdg.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=sditdg.org Received: from sditdg.org (localhost [127.0.0.1]) by sditdg.org (Postfix) with ESMTP id 9079DC1DF0; Sat, 10 Jul 2021 14:33:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sditdg.org; s=mail; t=1625952811; bh=4HN4XCD73340TTta47Nw8NNNFEbWsNLm9zWdectMYcI=; h=To:Date:Subject:List-Id:List-Archive:List-Help:List-Post: List-Subscribe:List-Unsubscribe:From:Reply-To:From; b=BteyCkCYE4gLRLEUV+nsoK7PM5Ayj0ce+ZgWkUdqtbwQynND4zs1PLPwebsALsP5k NYVnZLBJGHoXOA256v+imGl4BD8IFXe1onyY6VSKcJfx/2vYwfwwnDyB3zkc9s9BYO K0B4EPVOepbjClhUg5Z5JnOSyZhoIWjQHZwFsXpY+di5B2y5sDMvDyWLJHh3GGhw8y zijl2IJZDCaF3iVq4EFlxP4UfHvQ+bmfkGGmjYVJvkmsQWAsTFUb7UawK3w3m9Z6LN W+hV9H3L+95O+CIfUz0q7kG7T5gwz/eoce9ewv7xhimpVPjuatgLt4hFJcvzwaohmp S/u54SwGh0iVA== Received: from cat.efs.org (cat.efs.org [10.128.128.46]) by sditdg.org (Postfix) with ESMTPS id 0D110C1DF0 for <testing@sditdg.org>; Sat, 10 Jul 2021 14:33:29 -0700 (PDT) X-Spam-Status: No Authentication-Results: cat.efs.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Kt/xXWZE" X-EFS-MailScanner-EFA-Watermark: 1626557599.13472@k3T7MnvZ29zIPokD4fCFrg X-EFS-MailScanner-EFA-From: somebody-else@gmail.com X-EFS-MailScanner-EFA: Found to be clean X-EFS-MailScanner-EFA-ID: 4GMjtw2R5xzYrqBb X-EFS-MailScanner-EFA-Information: Please contact matt@efs.org for more information Received: from mail-pl1-f180.google.com (mail-pl1-f180.google.com [209.85.214.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (no client certificate requested) by cat.efs.org (MailScanner Milter) with SMTP id 4GMjtw2R5xzYrqBb for <testing@sditdg.org>; Sat, 10 Jul 2021 14:33:12 -0700 (PDT) DMARC-Filter: OpenDMARC Filter v1.4.1 cat.efs.org 4GMjtw2R5xzYrqBb Authentication-Results: cat.efs.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: cat.efs.org; spf=pass smtp.mailfrom=gmail.com Received: by mail-pl1-f180.google.com with SMTP id v14so9940plg.9 for <testing@sditdg.org>; Sat, 10 Jul 2021 14:33:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=to:from:subject:message-id:date:user-agent:mime-version :content-transfer-encoding:content-language; bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=; b=Kt/xXWZEIVQlTx1hyx4VeQlW8OZc+z5Uxz8vkIaQJkK5PhHmc6/0safN0MGVJcXoBe ii3/LXmMTkbbZEztKBdVIV5TI8ZqvMOS2uvJk//lFVgq/AbcKOGcrNTfg7tTpfL7knQY 79CWtAE/etBKni0pONNORAevyCQq07YwJRFvSuZDEB2mWnk+SxQpkudgEX6ngXtNKqiW OroAx3fTcEO/tEQEVCKCdJAOSi5T1gmk/nTonU1zpmw+LJTOBcgCYZu4ppIwsss1eRbH TgaZO8yhoHztSP8MCjF2fwG5GYdcgYtI1Scq8XQVVe9f7mdrOU1NMDT6+8fiZltvSg0y KaUw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:to:from:subject:message-id:date:user-agent :mime-version:content-transfer-encoding:content-language; bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=; b=Jdlw1Ajc3T80d9gzMNci+0GYQ1vI7B1AzIc+4qv4t/x57S1l6PkmwmtiDV9HqJIVcA wUE9Fuih0yFJHMRwSQX/nsPLIKwmC4HO34V3Diy0NltMDSTBQFjTJ8xJY6kSmX8IXSN5 fBBvQkS9AjQbLZUm7a4ttfK6o4A5gBKSaj60I7+sc5hUxCLK+hEcb7F1pnD0AoE2/Zlz nLfyg2FNA+/BclTgRI7kgjY0+ro67BdU4KS3/E5ltSngLRSMijouKzAp9ITzzms1pBKT OkFPwRPQ3PBzcBPGF4SrQK7pcUKhdsmua7upMia3pOBjh/HvC9aUgsGUsj+T5xqOe0xU ANcA== X-Gm-Message-State: AOAM531v1T1CpYQn1gzRqHpER9tizVVsXfwKmSdvQBkSgRi3IBxptEIl Vhgt9h0ndeYsYoGUJOo+P1ttSeVVslSmlA== X-Received: by 2002:a17:90b:798:: with SMTP id l24mr46030558pjz.141.1625952789010; Sat, 10 Jul 2021 14:33:09 -0700 (PDT) Received: from [192.168.86.248] (cpe-76-93-161-126.san.res.rr.com. [76.93.161.126]) by smtp.gmail.com with ESMTPSA id d2sm8574671pjo.50.2021.07.10.14.33.08 for <testing@sditdg.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 10 Jul 2021 14:33:08 -0700 (PDT) To: testing@sditdg.org Message-ID: <fb1474b0-27d5-65ed-26b2-1753b95994c0@gmail.com> Date: Sat, 10 Jul 2021 14:33:07 -0700 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.11.0 MIME-Version: 1.0 Content-Language: en-US Message-ID-Hash: ZY5T327H5SEXWCMGQQMQCDSJ6IYBLNHA X-Message-ID-Hash: ZY5T327H5SEXWCMGQQMQCDSJ6IYBLNHA X-MailFrom: somebody-else@gmail.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list Subject: [Testing] test List-Id: <testing.sditdg.org> Archived-At: <https://sditdg.org/mailman3/hyperkitty/list/testing@sditdg.org/message/ZY5T327H5SEXWCMGQQMQCDSJ6IYBLNHA/> List-Archive: <https://sditdg.org/mailman3/hyperkitty/list/testing@sditdg.org/> List-Help: <mailto:testing-request@sditdg.org?subject=help> List-Post: <mailto:testing@sditdg.org> List-Subscribe: <mailto:testing-join@sditdg.org> List-Unsubscribe: <mailto:testing-leave@sditdg.org> From: Matt Wilbur gmail via Testing <testing@sditdg.org> Reply-To: Matt Wilbur gmail <somebody-else@gmail.com> Content-Type: text/plain; charset="us-ascii"; format="flowed" Content-Transfer-Encoding: 7bit
test
Testing mailing list -- testing@sditdg.org To unsubscribe send an email to testing-leave@sditdg.org
On 7/10/21 2:42 PM, Matt Wilbur EFS via Mailman-users wrote:
Hello,
I've been through DKIM hell and back. Now I'm to the point where when I "show original" mail with gmail it says SPF, DKIM and DMARC all pass, but it's still going to the spam folders.
Does your list domain publish a DMARC record? If not publishing a DMARC record with policy of none may help, but it seems you are probably doing that.
Beyond that, it is probably filtering based on something in the message content and the recipient ISPs will never tell you what because they consider that kind of information proprietary.
Setting up feedback loops with gmail and yahoo also may help, but there's really not much else you can do.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
Matt Wilbur EFS via Mailman-users writes:
I've been through DKIM hell and back. Now I'm to the point where when I "show original" mail with gmail it says SPF, DKIM and DMARC all pass, but it's still going to the spam folders.
ARC would help get you through Google, Google participates in ARC:
ARC-Seal: i=1; a=rsa-sha256; t=1625952812; cv=none; d=google.com; s=arc-20160816;
The idea is that you can have your incoming MTA attest that the signature was valid on the way in, and have that testimony signed by the outgoing MTA. I don't know offhand who else give gold stars for a valid ARC signature, though.
Despite what you wrote, this isn't a pass:
ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@sditdg.org header.s=mail header.b=BteyCkCY; dkim=neutral (body hash did not verify) header.i=@gmail.com header.s=20161025 header.b="Kt/xXWZE"; spf=pass (google.com: domain of testing-bounces@sditdg.org designates 65.50.252.27 as permitted sender) smtp.mailfrom=testing-bounces@sditdg.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=sditdg.org
Your body hash did not verify, I don't know why. It could be that you're signing it on the way in so the footer breaks the signature on the way out (seems unlikely, but at least it's easy to find and to fix), or that the signing function is incorrect (harder to diagnose) or Google's verifier is broken (unlikely in the extreme, but logically possible) or your MTA (Postfix) is corrupting the message (ditto). Or maybe cosmic rays aren't random, they're targeting your mail. :-)
DMARC passes because the policy is NONE.
Note that "neutral" is actually a failure, but the term "neutral" is used because a failure should not be a reason to treat your mail as more suspicious than unsigned mail.
I assume the signature below is supposed to be from the outgoing MTA at your Mailman site.
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sditdg.org; s=mail; t=1625952811; bh=4HN4XCD73340TTta47Nw8NNNFEbWsNLm9zWdectMYcI=; h=To:Date:Subject:List-Id:List-Archive:List-Help:List-Post:
Here's a DKIM pass at your site, but I assume this is incoming to Mailman:
Authentication-Results: cat.efs.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Kt/xXWZE"
Hope this helps, Steve
Thank you Steve
This is very helpful. I've seen the hash not verifying and am chasing that through the hellish postfix/mailscanner/etc path we have. Something's modifying the body and I haven't found it yet.
Again. Thank you!
matt
On 7/11/21 11:02 AM, Stephen J. Turnbull wrote:
Matt Wilbur EFS via Mailman-users writes:
I've been through DKIM hell and back. Now I'm to the point where when I "show original" mail with gmail it says SPF, DKIM and DMARC all pass, but it's still going to the spam folders.
ARC would help get you through Google, Google participates in ARC:
ARC-Seal: i=1; a=rsa-sha256; t=1625952812; cv=none; d=google.com; s=arc-20160816;
The idea is that you can have your incoming MTA attest that the signature was valid on the way in, and have that testimony signed by the outgoing MTA. I don't know offhand who else give gold stars for a valid ARC signature, though.
Despite what you wrote, this isn't a pass:
ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@sditdg.org header.s=mail header.b=BteyCkCY; dkim=neutral (body hash did not verify) header.i=@gmail.com header.s=20161025 header.b="Kt/xXWZE"; spf=pass (google.com: domain of testing-bounces@sditdg.org designates 65.50.252.27 as permitted sender) smtp.mailfrom=testing-bounces@sditdg.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=sditdg.org
Your body hash did not verify, I don't know why. It could be that you're signing it on the way in so the footer breaks the signature on the way out (seems unlikely, but at least it's easy to find and to fix), or that the signing function is incorrect (harder to diagnose) or Google's verifier is broken (unlikely in the extreme, but logically possible) or your MTA (Postfix) is corrupting the message (ditto). Or maybe cosmic rays aren't random, they're targeting your mail. :-)
DMARC passes because the policy is NONE.
Note that "neutral" is actually a failure, but the term "neutral" is used because a failure should not be a reason to treat your mail as more suspicious than unsigned mail.
I assume the signature below is supposed to be from the outgoing MTA at your Mailman site.
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sditdg.org; s=mail; t=1625952811; bh=4HN4XCD73340TTta47Nw8NNNFEbWsNLm9zWdectMYcI=; h=To:Date:Subject:List-Id:List-Archive:List-Help:List-Post:
Here's a DKIM pass at your site, but I assume this is incoming to Mailman:
Authentication-Results: cat.efs.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Kt/xXWZE"
Hope this helps, Steve
Mailman-users mailing list -- mailman-users@mailman3.org To unsubscribe send an email to mailman-users-leave@mailman3.org https://lists.mailman3.org/mailman3/lists/mailman-users.mailman3.org/
Matt Wilbur EFS via Mailman-users writes:
This is very helpful.
Love to hear that! :-)
I've seen the hash not verifying and am chasing that through the hellish postfix/mailscanner/etc path we have. Something's modifying the body and I haven't found it yet.
That sucks, of course, and I guess you wouldn't have known about that bug if you weren't having this problem :-/, but it should be possible to avoid the signature failure, if the boundary MTA does the signing -- then it would be signing the (slightly) corrupted message. A few random suggestions: Maybe Postfix milters are in the wrong order, or the DKIM signature is done on the "wrong" host?
Good hunting!
Steve
participants (3)
-
Mark Sapiro -
Matt Wilbur EFS -
Stephen J. Turnbull