It is a M3AAWG best practice to not accept unauthenticated emails over
IPv6. Microsoft does it, we do it, Google too...
https://www.m3aawg.org/sites/default/files/document/M3AAWG_Inbound_IPv6_Policy_Issues-2014-09.pdf

It is also likely that bad stuff (less visible to the sender) is
happening to unauthenticated emails over IPv4. Only 3% of "good"
emails are unauthenticated (true, it is from the long tail of sending
domains, but...):
https://security.googleblog.com/2013/12/internet-wide-efforts-to-fight-email.html

As people pointed out, an SPF record is easy to set up and a fast way to
solve the issue; DKIM can come later...

On Thu, Jun 9, 2016 at 9:38 AM, Bernhard Schmidt <bernhard.schm...@lrz.de>
wrote:

> On 09.06.2016 18:18, Hugo Slabbert wrote:
>
> Hi,
>
> >> since around 13:00 UTC today all of the sudden we see massive rejects of
> >> mails towards Google when delivering on IPv6
> >>
> >> Jun  9 15:12:07 lxmhs52 postfix-postout/smtp[50664]: 3rQQgp3VQTzyWn:
> >> to=<x...@gmail.com>,
> >> relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b]:25, delay=0.7,
> >> delays=0.01/0/0.16/0.53, dsn=5.7.1, status=bounced (host
> >> gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b] said: 550-5.7.1 This
> >> message does not have authentication information or fails to pass
> >> 550-5.7.1 authentication checks. To best protect our users from spam,
> >> the 550-5.7.1 message has been blocked. Please visit 550-5.7.1
> >> https://support.google.com/mail/answer/81126#authentication for more
> >> 550 5.7.1 information. d7si7802319wjc.145 - gsmtp (in reply to end
> >> of DATA command))
> >>
> >> Header-From and Envelope-From are aligned, the sending domain does not
> >> have any DKIM/SPF/DMARC published. We're working on DKIM, but this is
> >> not rolled out for all domains yet. The hosts in question do have proper
> >> FCrDNS, i.e.
> >>
> >> http://multirbl.valli.org/fcrdns-test/2001%3A4ca0%3A0%3A103%3A%3A81bb%3Aff89.html
> >>
> >>
> >> Anyone seeing the same? From outside it looks like Google has
> >> implemented the "all mail delivered over IPv6 has to be DKIM/SPF
> >> authenticated" previously done by Microsoft, but without the softfail.
> >
> > ...hasn't this been the case for some time?  They want FCrDNS + at least
> > one of SPF or DKIM to accept delivery over v6:
> >
> > https://support.google.com/mail/answer/81126?hl=en#authentication
> >
> > Did they just defer previously?
>
> Mail was accepted just fine until three hours ago. There is a large
> difference between "The sending domain should pass either SPF check or
> DKIM check. Otherwise, mail might be marked as spam." and outright
> rejecting 100% of it.
>
> We've been working on SPF/DKIM for quite some time now. Unfortunately
> this is not that easy with hundreds of faculty-operated servers/domains,
> some of them not even on our nameservers. This has de-facto killed IPv6
> outbound completely for us. Microsoft tempfailing was annoying enough
> but manageable.
>
> Best Regards,
> Bernhard
>
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
>
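An added example, not code from anyone in the thread: one way to find which sending domains are hit by rejects like the one quoted above, by joining each 5.7.1 authentication bounce delivered over IPv6 to its sender domain via the Postfix queue ID. The log lines, host names, queue IDs and addresses are constructed, and the qmgr `from=` line format is assumed to be standard Postfix logging.

```python
import ipaddress
import re
from collections import Counter

AUTH = ("550-5.7.1 This message does not have authentication information "
        "or fails to pass 550-5.7.1 authentication checks.")
# Constructed sample log (documentation names/addresses), not real traffic.
SAMPLE_LOG = f"""\
Jun  9 15:12:06 mx1 postfix/qmgr[900]: A1B2C3: from=<alice@physics.example.edu>, size=2048, nrcpt=1 (queue active)
Jun  9 15:12:07 mx1 postfix/smtp[901]: A1B2C3: to=<u1@example.com>, relay=mx.example.com[2001:db8::1b]:25, delay=0.7, dsn=5.7.1, status=bounced (host mx.example.com[2001:db8::1b] said: {AUTH} (in reply to end of DATA command))
Jun  9 15:12:08 mx1 postfix/qmgr[900]: B2C3D4: from=<carol@chem.example.edu>, size=1024, nrcpt=1 (queue active)
Jun  9 15:12:09 mx1 postfix/smtp[901]: B2C3D4: to=<u2@example.com>, relay=mx.example.com[192.0.2.25]:25, delay=0.4, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jun  9 15:12:10 mx1 postfix/qmgr[900]: C3D4E5: from=<dave@physics.example.edu>, size=900, nrcpt=1 (queue active)
Jun  9 15:12:11 mx1 postfix/smtp[901]: C3D4E5: to=<u3@example.com>, relay=mx.example.com[2001:db8::1b]:25, delay=0.6, dsn=5.7.1, status=bounced (host mx.example.com[2001:db8::1b] said: {AUTH} (in reply to end of DATA command))
Jun  9 15:12:12 mx1 postfix/qmgr[900]: D4E5F6: from=<erin@math.example.edu>, size=700, nrcpt=1 (queue active)
Jun  9 15:12:13 mx1 postfix/smtp[901]: D4E5F6: to=<nobody@example.com>, relay=mx.example.com[2001:db8::1b]:25, delay=0.5, dsn=5.1.1, status=bounced (host mx.example.com[2001:db8::1b] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
Jun  9 15:12:14 mx1 postfix/qmgr[900]: E5F6A7: from=<frank@bio.example.edu>, size=800, nrcpt=1 (queue active)
Jun  9 15:12:15 mx1 postfix/smtp[901]: E5F6A7: to=<u4@example.com>, relay=mx.example.com[2001:db8::1b]:25, delay=0.5, dsn=5.7.1, status=bounced (host mx.example.com[2001:db8::1b] said: {AUTH} (in reply to end of DATA command))
"""

FROM_RE = re.compile(r"\]: (\w+): from=<[^>@]*@([^>]+)>")
SMTP_RE = re.compile(r"\]: (\w+): to=<[^>]*>, relay=[^\[]*\[([^\]]+)\]:\d+,"
                     r".*dsn=(\d\.\d+\.\d+), status=(\w+) \((.*)\)$")

def unauthenticated_v6_bounces(log_text):
    """Count 5.7.1 authentication bounces over IPv6, keyed by sender domain."""
    sender_domain = {}          # queue ID -> envelope sender domain
    hits = Counter()
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            sender_domain[m.group(1)] = m.group(2).lower()
            continue
        m = SMTP_RE.search(line)
        if not m:
            continue
        qid, relay_ip, dsn, status, reply = m.groups()
        if status != "bounced" or dsn != "5.7.1":
            continue            # other failures (e.g. 5.1.1) are unrelated
        if ipaddress.ip_address(relay_ip).version != 6:
            continue            # only deliveries made over IPv6
        if "authentication" not in reply.lower():
            continue            # 5.7.1 is also used for other policy rejects
        hits[sender_domain.get(qid, "unknown")] += 1
    return hits

if __name__ == "__main__":
    for domain, count in unauthenticated_v6_bounces(SAMPLE_LOG).most_common():
        print(f"{count:4d}  {domain}")
```

The domains at the top of the output are the ones to give an SPF record first.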