You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by "David F. Skoll" <df...@roaringpenguin.com> on 2014/07/25 19:40:43 UTC
Google, IPv6 and SPF (was Re: No SPF/DKIM/DMARC rule)
On Fri, 25 Jul 2014 13:30:43 -0400
"Kevin A. McGrail" <KM...@PCCC.com> wrote:
> Even with ptr records and static IPs, etc. we had to add an SPF
> record to at least 2 domains in April to get Google to accept the
> email over IPv6. Using IPv4, they did not reject. Not sure what
> triggers, etc. but that's the reject notice from the SMTP level at
> Google logged above.
Huh! That's interesting. We have about 320 domains relaying outbound
via our service and I'm sure the vast majority do not have SPF records.
Our outbound machines always use IPv6 when possible.
Google must be using some secret algorithm to decide whether or not to
be strict.
> Since that time, as a best practice, we have
> been adding an SPF record to all domains because our servers are dual
> configured with IPv6 and IPv4.
I'd love to do that, but we don't control the domains. Try getting
320+ domain owners to understand SPF, let alone implement it. :( I'd
rather herd cats...
Regards,
David.
Re: Google, IPv6 and SPF (was Re: No SPF/DKIM/DMARC rule)
Posted by Robert Schetterer <rs...@sys4.de>.
Am 26.07.2014 um 15:47 schrieb Mark Martinec:
> David F. Skoll wrote:
>> Google must be using some secret algorithm to decide whether or not to
>> be strict.
>
> https://support.google.com/mail/answer/81126?p=ipv6_authentication_error&rd=1#authentication
>
> (September 2013)
>
> - Sign messages with DKIM. We do not authenticate messages signed
> with keys using fewer than 1024 bits.
>
> Additional guidelines for IPv6
>
> - The sending IP must have a PTR record (i.e., a reverse DNS of the
> sending IP) and it should match the IP obtained via the forward
> DNS resolution of the hostname specified in the PTR record.
> Otherwise, mail will be marked as spam or possibly rejected.
> - The sending domain should pass either SPF check or DKIM check.
> Otherwise, mail might be marked as spam.
Hi Marc, i know that, but it was reported plausible to fail with ipv6
anything setup right way sometimes. I guess google has/had "hidden"
additional checks on ipv6 mail by whatever reason.
Anyway most people dont forget ipv6 ptr , but fail with including ipv6
SPF, if DKIM is used it should not relate to ipv4/ipv6 transport.
>
>
> 2014-07-25 20:05 Robert Schetterer wrote:
>> its simply a bug, but they dont care, spam tagging was reported
>> with all settings good ipv6 SPF/DKIM/DMARC/PTR
>> however it might fixed recent or will fixed some day, i never retested
>> it ,now using ipv4 transport only ,for them
>
> Our mail to google over IPv6 is still being accepted
> (have it all: SPF/DKIM/DMARC/PTR).
>
> Consider enabling DMARC daily reports, google and some other
> big players are sending them, can be insightful.
i have DMARC since it was anounced, i dont saw very usefull report info
since then, and it didnt stop bots fake our most spam loved domains
after all hotmail sometimes failed total with DMARC report policy, also
google sub mailsystems forwarded spam from some hacked accounts meanwhile
>
> Here is our DNS record:
> $ host -t txt _dmarc.ijs.si
> _dmarc.ijs.si "v=DMARC1\; p=none\; rua=mailto:mailauth-reports@ijs.si"
>
> Mark
>
Best Regards
MfG Robert Schetterer
--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
Re: Google, IPv6 and SPF (was Re: No SPF/DKIM/DMARC rule)
Posted by Mark Martinec <Ma...@ijs.si>.
David F. Skoll wrote:
> Google must be using some secret algorithm to decide whether or not to
> be strict.
https://support.google.com/mail/answer/81126?p=ipv6_authentication_error&rd=1#authentication
(September 2013)
- Sign messages with DKIM. We do not authenticate messages signed
with keys using fewer than 1024 bits.
Additional guidelines for IPv6
- The sending IP must have a PTR record (i.e., a reverse DNS of the
sending IP) and it should match the IP obtained via the forward
DNS resolution of the hostname specified in the PTR record.
Otherwise, mail will be marked as spam or possibly rejected.
- The sending domain should pass either SPF check or DKIM check.
Otherwise, mail might be marked as spam.
2014-07-25 20:05 Robert Schetterer wrote:
> its simply a bug, but they dont care, spam tagging was reported
> with all settings good ipv6 SPF/DKIM/DMARC/PTR
> however it might fixed recent or will fixed some day, i never retested
> it ,now using ipv4 transport only ,for them
Our mail to google over IPv6 is still being accepted
(have it all: SPF/DKIM/DMARC/PTR).
Consider enabling DMARC daily reports, google and some other
big players are sending them, can be insightful.
Here is our DNS record:
$ host -t txt _dmarc.ijs.si
_dmarc.ijs.si "v=DMARC1\; p=none\;
rua=mailto:mailauth-reports@ijs.si"
Mark
Re: Google, IPv6 and SPF (was Re: No SPF/DKIM/DMARC rule)
Posted by Robert Schetterer <rs...@sys4.de>.
Am 25.07.2014 um 19:40 schrieb David F. Skoll:
> Google must be using some secret algorithm to decide whether or not to
> be strict.
its simply a bug, but they dont care, spam tagging was reported
with all settings good ipv6 SPF/DKIM/DMARC/PTR
however it might fixed recent or will fixed some day, i never retested
it ,now using ipv4 transport only ,for them
i.e read
http://postfix.1071664.n5.nabble.com/disable-ipv6-when-sending-to-gmail-td60672.html
http://blog.hqcodeshop.fi/archives/122-Fixing-Googles-new-IPv6-mail-policy-with-Postfix.html
you may find more reports like that , do search with google *g
Best Regards
MfG Robert Schetterer
--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
Re: Google, IPv6 and SPF (was Re: No SPF/DKIM/DMARC rule)
Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 7/25/2014 1:40 PM, David F. Skoll wrote:
> Google must be using some secret algorithm to decide whether or not to
> be strict.
Agreed and/or they've modified things since but as you can imagine, an
rptr/static IP has been best-practice for our firm for at least a
decade, probably going back 16 years. Would have to figure out when
AOL's postmaster made the recommendation as an anti-abuse measure.
Regards,
KAM