On 09.06.2016 18:20, Laura Atkins wrote:
>
>> On Jun 9, 2016, at 9:06 AM, Bernhard Schmidt <bernhard.schm...@lrz.de> wrote:
>>
>> Header-From and Envelope-From are aligned, the sending domain does not
>> have any DKIM/SPF/DMARC published. We're working on DKIM, but this is
>> not rolled out for all domains yet. The hosts in question do have proper
>> FCrDNS, i.e.
>>
>> http://multirbl.valli.org/fcrdns-test/2001%3A4ca0%3A0%3A103%3A%3A81bb%3Aff89.html
>>
>> Anyone seeing the same? From outside it looks like Google has
>> implemented the "all mail delivered over IPv6 has to be DKIM/SPF
>> authenticated" previously done by Microsoft, but without the softfail.
>
> Yes. They have. They do not accept unauthenticated mail over v6. All you need
> to do is publish a SPF record and you should be good to go.

Adding an SPF record for some remote understaffed downstream university institute is not that easy if you don't know where their mail flows might come from. Forcing SPF on them might do more harm than good.

I had experimented a bit this evening and was about to complain that an SPF record ending in ?all (and +all, but I expected that) did not help in reverting to the previous behaviour, but all of a sudden all IPv6 mail seems to be accepted again. Even sending from hosts matching ~all or domains without SPF seems to be fine. They are properly tagged as spf=neutral or spf=softfail, but happily forwarded into the mailbox. Not sure yet whether my test host has ended up on a whitelist or Google has reverted the behaviour.

For the record, I'm not against tightening the rules for email delivery. We have been plainly rejecting mails not only on missing PTR but also on mismatching FCrDNS on SMTP level for years now, both in IPv4 and IPv6, and have been advocating this to others. Although I'm not happy about it I can also get and work around the Microsoft approach of tempfailing messages without DKIM/SPF, since I can get the mailer to retry on IPv4 while we sort out domain by domain. But the Google approach of hard-rejecting these mails places a huge burden on those who still have to run the classic smarthost relays for hundreds of on-campus MTAs with their own domains and own management, leaving them effectively no choice but to completely disable IPv6 outbound until all possible sender domains are fixed.

Bernhard

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
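
An added example, not part of the original message: a minimal SPF evaluator restricted to the ip4/ip6/all mechanisms, showing which result (none, neutral, softfail, fail, pass) a receiver would compute for each sender domain relayed through one IPv6 smarthost. The relay address, domain names and records are constructed sample data, and mechanisms that need DNS lookups are deliberately not handled.

```python
import ipaddress

# SPF qualifier -> result (RFC 7208)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(record, client_ip):
    """Evaluate an SPF record limited to ip4/ip6/all for client_ip.

    record is the TXT string, or None if the domain publishes no SPF.
    """
    terms = (record or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            # a, mx, include, redirect= need DNS lookups; not handled here
            raise ValueError(f"unsupported SPF term: {term}")
        net = ipaddress.ip_network(arg, strict=False)
        if net.version == ip.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all": default result

# Constructed sample data: documentation address space and .example domains.
RELAY_V6 = "2001:db8:0:103::25"
SENDER_DOMAINS = {
    "inst-a.example": None,  # no SPF published
    "inst-b.example": "v=spf1 ip6:2001:db8:0:103::/64 -all",
    "inst-c.example": "v=spf1 ip4:192.0.2.0/24 ?all",
    "inst-d.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "inst-e.example": "v=spf1 ip4:192.0.2.0/24 -all",
}

def audit(domains, relay_ip):
    """Map each sender domain to the SPF result a receiver would compute."""
    return {d: spf_result(rec, relay_ip) for d, rec in domains.items()}

if __name__ == "__main__":
    for domain, result in audit(SENDER_DOMAINS, RELAY_V6).items():
        print(f"{domain:16} spf={result}")
```

Run against the real list of relayed sender domains, an audit like this separates domains that only lack a record from those whose existing record would actively fail for the IPv6 relay.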