> On Jun 9, 2016, at 2:07 PM, Bernhard Schmidt <bernhard.schm...@lrz.de> wrote:
>
> On 09.06.2016 18:20, Laura Atkins wrote:
>>
>>> On Jun 9, 2016, at 9:06 AM, Bernhard Schmidt <bernhard.schm...@lrz.de>
>>> wrote:
>>>
>>> Header-From and Envelope-From are aligned, the sending domain does not
>>> have any DKIM/SPF/DMARC published. We're working on DKIM, but this is
>>> not rolled out for all domains yet. The hosts in question do have proper
>>> FCrDNS, i.e.
>>>
>>> http://multirbl.valli.org/fcrdns-test/2001%3A4ca0%3A0%3A103%3A%3A81bb%3Aff89.html
>>>
>>> Anyone seeing the same? From outside it looks like Google has
>>> implemented the "all mail delivered over IPv6 has to be DKIM/SPF
>>> authenticated" previously done by Microsoft, but without the softfail.
>>
>> Yes. They have. They do not accept unauthenticated mail over v6. All you
>> need to do is publish a SPF record and you should be good to go.
>
> Adding an SPF record for some remote understaffed downstream university
> institute is not that easy if you don't know where their mail flows
> might come from. Forcing SPF on them might do more harm than good.

I didn’t notice it was a university. I know how problematic it is to get control of a .edu domain and all the different campus servers and individual servers run by faculty and staff and such. Had I known I probably wouldn’t have recommended that.

> I had experimented a bit this evening and was about to complain that an
> SPF record ending in ?all (and +all, but I expected that) did not help
> reverting to the previous behaviour, but all of a sudden all IPv6 mail
> seems to be accepted again. Even sending from hosts matching ~all or
> domains without SPF seem to be fine. They are properly tagged as
> spf=neutral or spf=softfail, but happily forwarded into the mailbox.
>
> Not sure yet whether my testhost has ended up on a whitelist or Google
> has reverted the behaviour.

There was a report earlier that Google was experiencing authentication problems on the inbound and a lot of mail was failing. I’m guessing what you saw was related to that and it’s been fixed now.

> For the record, I'm not against tightening the rules for email delivery.
> We have been plainly rejecting mails not only on missing PTR but also on
> mismatching FCrDNS on SMTP level for years now, both in IPv4 and IPv6,
> and have been advocating this to others. Although I'm not happy about it
> I can also get and work around the Microsoft approach of tempfailing
> messages without DKIM/SPF, since I can get the mailer to retry on IPv4
> while we sort out domain by domain. But the Google approach of
> hard-rejecting these mails places a huge burden on those who still have
> to run the classic smarthost relays for hundreds of on-campus MTAs with
> their own domains and own management, leaving them effectively no choice
> but to completely disable IPv6 outbound until all possible sender
> domains are fixed.

That may be a solution. Route the bulk of your mail through your v4 IPs and then only move them to v6 as they are authenticated.

laura

--
Having an Email Crisis? 800 823-9674

Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741

Email Delivery Blog: http://wordtothewise.com/blog

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
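
The closing suggestion in the message above (keep mail on IPv4 and move sender domains to IPv6 only once they are authenticated), sketched as an added example that is not part of the original thread. It is a DNS-free check that treats a domain as IPv6-ready only when a literal `ip6:` mechanism in its SPF record covers the relay; the relay address, domains, TXT records and the transport names `smtp-dual` and `smtp-v4only` are constructed or hypothetical.

```python
import ipaddress

# Constructed sample data: relay address, domains and TXT records are placeholders.
RELAY_V6 = ipaddress.ip_address("2001:db8:103::25")
SAMPLE_TXT = {
    "physics.example.edu": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:103::/64 -all"],
    "chem.example.edu": ["v=spf1 include:_spf.example.edu ?all"],
    "legacy.example.edu": ["site-verification=constructed"],
    "broken.example.edu": ["v=spf1 mx -all", "v=spf1 a ~all"],
    "open.example.edu": ["v=spf1 +all"],
}

def spf_record(txts):
    """Return the single SPF record; none or several (a permerror) gives None."""
    found = [t for t in txts if t.lower().split(" ")[0] == "v=spf1"]
    return found[0] if len(found) == 1 else None

def spf_covers(record, addr):
    """True only if a literal ip6: mechanism with pass qualifier matches addr
    before any term this DNS-free check cannot evaluate (include, a, mx, all...)."""
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "ip4":
            continue  # can never match an IPv6 client address
        if name.lower() != "ip6":
            return False  # not provable offline, stay conservative
        try:
            net = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            return False  # malformed record
        if addr in net:
            return qualifier == "+"
    return False

def transport_map(txt_by_domain, relay=RELAY_V6):
    """Lines in the key/value form of Postfix sender_dependent_default_transport_maps.
    smtp-dual and smtp-v4only are hypothetical transport names."""
    lines = []
    for domain in sorted(txt_by_domain):
        rec = spf_record(txt_by_domain[domain])
        ok = rec is not None and spf_covers(rec, relay)
        lines.append(f"@{domain} {'smtp-dual:' if ok else 'smtp-v4only:'}")
    return lines

if __name__ == "__main__":
    print("\n".join(transport_map(SAMPLE_TXT)))
```

Domains whose record relies on `include:`, `a`, `mx` or a bare `all` stay on the IPv4-only transport here because the check does no lookups; a full SPF evaluation against the relay address would be needed to promote them.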