lazy jail server admin forced to act

Mails from my domain have started to be rejected by gmail. To placate gmail, I've added an SPF record to my domain:

mimosa.com. IN TXT "v=spf1 mx ~all"

How to read this:

v=spf1: this TXT record is an SPF version 1 record

mx: email sent by mimosa.com should only come from its servers declared in MX DNS records

~all: any other mail from mimosa.com is bogus. (~ and - are slightly different.)

That seemed pretty painless. I guess I should have done this a decade ago. I hope this works.

You may find that you need DKIM and DMARC as well. If you’re using postfix it’s fairly easy to hook opendkim in.

My biggest hurdle was trying to find clear concise guides.

John

| From: John Sellens via talk <talk@gtalug.org>

| You may find that you need DKIM and DMARC as well. If you’re using
| postfix it’s fairly easy to hook opendkim in.

Yeah.

| My biggest hurdle was trying to find clear concise guides.

Links?

D. Hugh Redelmeier via talk wrote on 2024-01-07 10:10:
> | You may find that you need DKIM and DMARC as well. If you’re using
> | postfix it’s fairly easy to hook opendkim in.
> | My biggest hurdle was trying to find clear concise guides.
> Links?

https://www.linuxbabe.com/mail-server/setting-up-dkim-and-spf

> | How to read this:
> | mx:
> | email sent by mimosa.com should only come from its servers
> | declared in MX DNS records
> In other words, this test only marks good things. Then the "~all" says anything that isn't good is bad.

More "untrustworthy, use your own judgment" than out-and-out bad (as I understand it). The link above has me reconsidering my choice of -all; I need to review my domains and SPF records to ensure I'm using ~all instead of -all.

rb

| From: D. Hugh Redelmeier via talk <talk@gtalug.org>

| How to read this:
| mx:
| email sent by mimosa.com should only come from its servers
| declared in MX DNS records

More accurately, this means that mail that says it is from mimosa.com is OK if it comes from one of the SMTP servers listed in MX records.

In other words, this test only marks good things. Then the "~all" says anything that isn't good is bad.

On Sun, 7 Jan 2024 13:43:38 -0500 (EST) "D. Hugh Redelmeier via talk" <talk@gtalug.org> wrote:
> | From: D. Hugh Redelmeier via talk <talk@gtalug.org>
> | How to read this:
> | mx:
> | email sent by mimosa.com should only come from its servers
> | declared in MX DNS records
> More accurately, this means that mail that says it is from mimosa.com is OK if it comes from one of the SMTP servers listed in MX records.
> In other words, this test only marks good things. Then the "~all" says anything that isn't good is bad.

no, you have it the wrong way around. it is the reverse of that.

the ~ means if it is not from your servers it is also okay.
the - means ONLY from your servers.

Your SPF "should" maybe say:

mimosa.com. IN TXT "v=spf1 +a +mx +ip4:206.248.139.113 +ip4:98.158.128.23"

or maybe just:

mimosa.com. IN TXT "v=spf1 +mx -all"

or even

mimosa.com. IN TXT "v=spf1 +a +mx -all"

(Your post did not include the "+" BEFORE the mx in the entry...)

https://ascams.com/info/domain-anti-forgery/
https://www.rfc-editor.org/rfc/rfc7208.txt

imnsho you can add dkim etc - but ALL Cyber Criminals have DKIM & DMARC in fact ALL SPAMMERS also have DKIM & DMARC so it is a fairly useless thing/loop to jump through and disables privacy and has more minusses than plusses for general society.

anyway, ymmv

Andre
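How an RFC 7208 evaluator reads the record variants posted in this thread, as an added example that is not part of any poster's message: terms are tried left to right, a mechanism with no qualifier defaults to `+`, and a record in which nothing matches yields `neutral`. The `example.org` domain, the `FAKE_DNS` table and the function names are constructed for illustration; only `all`, `ip4`, `a` and `mx` (without CIDR suffixes on `a`/`mx`) are handled.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline (not real records).
FAKE_DNS = {
    "mx": {"example.org": ["mail.example.org"]},
    "a": {"example.org": ["192.0.2.80"], "mail.example.org": ["192.0.2.25"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def mechanism_matches(mech, domain, ip):
    """Return True if a single SPF mechanism matches the connecting IP."""
    name, _, arg = mech.partition(":")
    if name == "all":
        return True
    if name == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        hosts = [arg or domain]
    elif name == "mx":
        hosts = FAKE_DNS["mx"].get(arg or domain, [])
    else:
        raise ValueError(f"mechanism not handled here: {mech}")
    addrs = [a for h in hosts for a in FAKE_DNS["a"].get(h, [])]
    return any(ip == ipaddress.ip_address(a) for a in addrs)


def check_spf(record, domain, sender_ip):
    """Try terms left to right; the first mechanism that matches decides."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # RFC 7208 section 4.6.2: the qualifier defaults to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if mechanism_matches(term.lower(), domain, ip):
            return QUALIFIERS[qualifier]
    return "neutral"  # RFC 7208 section 4.7: no mechanism matched


if __name__ == "__main__":
    outsider = "203.0.113.9"  # constructed address, not in FAKE_DNS
    for rec in ('v=spf1 mx ~all', 'v=spf1 +mx -all',
                'v=spf1 +a +mx +ip4:206.248.139.113 +ip4:98.158.128.23'):
        print(rec, "| MX host:", check_spf(rec, "example.org", "192.0.2.25"),
              "| outsider:", check_spf(rec, "example.org", outsider))
```

With the constructed data, the outsider address gets `softfail` under `~all`, `fail` under `-all`, and `neutral` under the record that has no `all` term.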

On 2024-01-07 12:27, D. Hugh Redelmeier via talk wrote:
> Mails from my domain have started to be rejected by gmail. To placate gmail, I've added an SPF record to my domain:

Some of my email messages were winding up in other people's spam folders. I added SPF, DKIM, and google authentication records. I still have messages occasionally winding up in a recipient's spam folder for no apparent reason.

You probably need to add a google authentication record to your domain name to reduce the chance of your email messages being rejected by gmail.

--
Cheers!

Kevin.

https://www.patreon.com/KevinCozens
Owner of Elecraft K2 #2172
#include <disclaimer/favourite>

"Nerds make the shiny things that distract the mouth-breathers, and that's why we're powerful" --Chris Hardwick

| From: Kevin Cozens via talk <talk@gtalug.org>

| You probably need to add a google authentication record to your domain name to
| reduce the chance of your email messages being rejected by gmail.

I don't know what that is.

Googling responses suggest you might be talking about a Google Workspace thing. I don't have a Google Workspace.

On 2024-01-07 22:29, D. Hugh Redelmeier via talk wrote:
> | From: Kevin Cozens via talk <talk@gtalug.org>
> | You probably need to add a google authentication record to your domain name to
> | reduce the chance of your email messages being rejected by gmail.
> I don't know what that is.

I had to check the TXT records associated with my domain name to remember that it is called google-site-verification. There was some page in a Google website that explained how to set it up.

I haven't heard of Google Workspace before seeing your reply. I don't know anything about it. I added the site verification record for my domain some years ago. Google may have changed things since then.

--
Cheers!

Kevin.

D. Hugh Redelmeier via talk wrote on 2024-01-07 19:29:
> | You probably need to add a google authentication record to your domain name to
> | reduce the chance of your email messages being rejected by gmail.
> I don't know what that is.
> Googling responses suggest you might be talking about a Google Workspace thing. I don't have a Google Workspace.

Yeah, I don't think Google authentication is useful for email: https://support.google.com/a/answer/183895?hl=en.

Verify your domain with a TXT record
Why do I need to do this?
We don't want someone else to use your domain to sign up for Google Workspace. You can help us keep your domain safe by showing us that you are the owner.

Have you verified your SPF and DKIM via some online site such as: https://mxtoolbox.com/dkim.aspx ?

Also, do you have IPv6 on your server? Is postfix using it? That'll probably fix Gmail spam issues, seems most Gmail is via IPv6.

rb
participants (5): ac, D. Hugh Redelmeier, John Sellens, Kevin Cozens, Ron / BCLUG