It is a M3AAWG best practice to not accept unauthenticated emails over IPv6, Microsoft does it, we do it, Google too... https://www.m3aawg.org/sites/default/files/document/M3AAWG_Inbound_IPv6_Policy_Issues-2014-09.pdf
It is also likely that bad stuff (less visible for the sender) is also happening to unauthenticated emails over IPv4. There is only 3% of "good" emails that are unauthenticated (true it is from the long tail of sending domains but...): https://security.googleblog.com/2013/12/internet-wide-efforts-to-fight-email.html As people pointed out, an SPF record is easy to set and fast to solve the issue, DKIM can come later... On Thu, Jun 9, 2016 at 9:38 AM, Bernhard Schmidt <bernhard.schm...@lrz.de> wrote: > On 09.06.2016 18:18, Hugo Slabbert wrote: > > Hi, > > >> since around 13:00 UTC today all of the sudden we see massive rejects of > >> mails towards Google when delivering on IPv6 > >> > >> Jun 9 15:12:07 lxmhs52 postfix-postout/smtp[50664]: 3rQQgp3VQTzyWn: > >> to=<x...@gmail.com>, > >> relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b]:25, delay=0.7, > >> delays=0.01/0/0.16 > >> /0.53, dsn=5.7.1, status=bounced (host > >> gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b] said: 550-5.7.1 This > >> message does not have authentication information or fails to pass > >> 550-5.7.1 authentication checks. To best protect our users from spam, > >> the 550-5.7.1 message has been blocked. Please visit 550-5.7.1 > >> https://support.google.com/mail/answer/81126#authentication for m > >> ore 550 5.7.1 information. d7si7802319wjc.145 - gsmtp (in reply to end > >> of DATA command)) > >> > >> Header-From and Envelope-From are aligned, the sending domain does not > >> have any DKIM/SPF/DMARC published. We're working on DKIM, but this is > >> not rolled out for all domains yet. The hosts in question do have proper > >> FCrDNS, i.e. > >> > >> > http://multirbl.valli.org/fcrdns-test/2001%3A4ca0%3A0%3A103%3A%3A81bb%3Aff89.html > >> > >> > >> Anyone seeing the same? From outside it looks like Google has > >> implemented the "all mail delivered over IPv6 has to be DKIM/SPF > >> authenticated" previously done by Microsoft, but without the softfail. > > > > ...hasn't this been the case for some time? They want FCrDNS + at least > > one of SPF or DKIM to accept delivery over v6: > > > > https://support.google.com/mail/answer/81126?hl=en#authentication > > > > Did they just defer previously? > > Mail was accepted just fine until three hours ago. There is a large > difference between "The sending domain should pass either SPF check or > DKIM check. Otherwise, mail might be marked as spam." and outright > rejecting 100% of it. > > We've been working on SPF/DKIM for quite some time now. Unfortunately > this is not that easy with hundreds of faculty-operated servers/domains, > some of them not even on our nameservers. This has de-facto killed IPv6 > outbound completely for us. Microsoft tempfailing was annoying enough > but manageable. > > Best Regards, > Bernhard > > _______________________________________________ > mailop mailing list > mailop@mailop.org > https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop >
_______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
