Hi,
I've been managing our corporate mail system at $work for many years and can say several
things:
A lot of providers rely on SPF and DKIM to verify authorised sending servers now because
other methods of identity are no longer reliable such as RDNS and such. If you don't have
it some large mail providers will flat out refuse to accept mail past any kind of volume
from your server. Although I don't know for sure I suspect Apple are one of those. I know
BT (UK phone monopoly and ISP) do rely on it heavily, as do hosting & mail server
management systems like CPanel. We recently had to inform an off-site service provider
that they needed to update their records because they use SalesForce for support
infrastructure and hadn't updated the record to include new sending servers, so our mail
stack was just yeeting their support emails because it couldn't verify their origin vs the
sending domain. Ahhh fun times ;-D
Vis-à-vis the above, it's worthy of note that neither SPF nor DKIM restricts you to your own
IP as a verified sender, you can add 3rd party servers to the record too (most of you
probably already knew that).
I am still baffled how many servers both use SBLs (spam block-lists) and not only are they
indeed not worth two damns also a lot of the services are subscription based and a
significant number of organisations let the subscription lapse and just leave an out of
date list of SBL targets on their security system, meaning even if you waste countless
hours removing your server from said SBLs (ask me how I know!) some places will still list
your server and you'll effectively always have issues delivering there, until someone
pulls a head out of ass manoeuvre and removes said outdated SBL. We still get an
occasional SBL bounce 15 odd years after we got listed on a bunch when someone compromised
our web hosting server with a spam script. For a long time a certain recently mentioned US
ISP also kept rejecting all our outgoing mail, likely because their system was set up at
one time to autoblock anything that ever appeared on an SBL. They fixed that recently,
like about 2 years ago.
I like many others here have had a fair share of BS regards "anti-spam" systems (which in
reality were more akin to arbitrary anti-delivery systems) over the years. It's not
something I enjoy, and I feel your pain.
Mark
On 30 Jul 2020, at 22:39, Johnny Billquist <bqt at softjar.se> wrote:
Hi, all.
I have an issue with some mail servers/providers that some people use. I'm open to
some suggestions, but also want to point out something to people who are subscribed.
Sometimes I start getting mails bouncing for some subscribers. I do try to check why, and
occasionally there has been something I could do about it, but many times it's simply
what I would call a broken mail server for which there isn't much I can do. So
occasionally I unsubscribe people for which I'm just getting bounces all the time.
One such example is one server which claims that 130.238.19.25 doesn't have reverse DNS.
Which is clearly incorrect. It has had proper DNS set up for at least 20 years. I have no
idea how that mail server is set up, but I can't do much about it.
Other times mails get denied because of some blocking service which thinks the hecnet
mails are just spam, or the host (Update) is untrustworthy, or have a bad reputation or
what not. Usually not much I can do about those either. If people (or companies) decide to
make use of such services, and such services give that kind of information, it essentially
just means that you'll not be getting the hecnet mails any more.
There is only so much I'm willing to do to try and sort such things out. I do
consider such services and solutions to be fundamentally broken to start with, but I will
of course not say that people can't use them if they want to. But chances are that
you'll get dropped from the HECnet mailing list sooner or later, unless you are using
some service/technology that actually does work (not sure if any such exists).
An example I got today (actual mailbox names redacted):
<XXXXXX at xs4all.nl> (expanded from <hecnet-list>): host
mx4.xs4all.nl[194.109.24.139] said: 550 5.7.1 Spam message rejected by
06ULCRRd021949 on mxdrop301.xs4all.net, reason=CH
(in reply to end of DATA command)
reason=CH ?
What does that mean? The mail is rejected because it came from Switzerland? (Yes, I do
live in Switzerland, and yes, it was a mail I sent to the list, but really? Is all mail
from Switzerland suspect now?)
<XXXXXX at me.com> (expanded from <hecnet-list>): host
mx01.mail.icloud.com[17.57.152.9] said: 554 5.7.1 [CS01] Message rejected
due to local policy. Please visit
https://support.apple.com/en-us/HT204137
(in reply to end of DATA command)
<XXXXXX at me.com> (expanded from <hecnet-list>): host
mx01.mail.icloud.com[17.57.152.9] said: 554 5.7.1 [CS01] Message rejected
due to local policy. Please visit
https://support.apple.com/en-us/HT204137
(in reply to end of DATA command)
Rejected due to local policy?
Following the link doesn't really give an answer, but just various recommendations.
Most of those recommendations are already done (and have been the whole time) by the
HECnet list. SPF and DKIM we don't use. I had that set up for a while on a mail server
of my own, and came to realize that it hurt more than it helped, so I removed it again. I
doubt this will be set up on Update any time soon, but either way, it's not there now,
and it's not even clear if that is the reason for the rejects, or some other thing.
There is also no way to even get in touch with Apple in this case, to fix this. So there
is a fair chance I'll have to unsubscribe a few more addresses in the near future...
I am not really interested in moving the mailing list to some other host. Any suggestions
from anyone on this topic?
Johnny
--
Johnny Billquist || "I'm on a bus
|| on a psychedelic trip
email: bqt at softjar.se || Reading murder books
pdp is alive! || tryin' to stay hip" - B. Idol