because people are just fundamentally assholes
jeroen at massar.ch
Sat Nov 13 14:45:45 PST 2021
On 20211112, at 20:33, Dirk Hohndel via subsurface <subsurface at subsurface-divelog.org> wrote:
> And I finally broke down and implemented DKIM on the server (as Linus and I speculated that that might help to not be "disappeared" by gmail).
Yeah, these are sucky tactics, and in many cases, unless you have personal contacts at the big orgs you are going to be stuck not delivering.
DKIM is not going to be enough, and as you are already doing you are rewriting the From header (which is annoying as reply-to gets munged etc.)
In order to be 'accepted' by the large orgs, a combo of at least:
- don't be in a /24 or /48 with spammers, IP neighborhood matters
- IP/domain reputation matters (high volume can thus spam 1%, low volume means with 1 'spam' mail you might be out...)
- have forward + reverse DNS matching (forward verified reverse or whatever it is called)
- SPF (-all)
- DMARC (strict)
- ARC (Authenticated Receiver Chain aka DMARC for forwarders)
- List-Unsubscribe + Precendence: List
- Signup to google postmaster + outlook SNDS if you have your own IPs, so that it indicates that you 'care'...
And that is the bare minimum.... most of those boxes are being ticked already.
Note that proper big spammers have that all setup nicely, places like Gmail where most spam come from of course have such high volumes that any 'small spamrun' just comes through.
If you need any help with the above don't hesitate to ask.
Oh, please note that because of the header:
From: Dirk Hohndel via subsurface <subsurface at subsurface-divelog.org>
MUAs that auto-add people you reply to in the address book.... auto-complete for your name, becomes the mailinglist.
Add to that that Safari and Outlook both are stupid and then auto-fills the name of a person based on that entry... voila, first mail somebody replies to, all subsequent mails come from that person for the list...
The way around that, as I implemented for Trident, is the <jeroen%massar.ch at via.domain> format, as then there is a unique address that can be reversed to the original address; but that also implies that for Reply to the From address needs to arrive at the original recipient and thus has to be rewritten.
Note that the following:
dkim=pass (2048-bit key; unprotected) header.d=subsurface-divelog.org email@example.com header.a=rsa-sha256 header.s=2021 header.b=T84KKRk5;
dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=hohndel.org firstname.lastname@example.org header.a=rsa-sha256 header.s=2021 header.b=oEnVr5CJ;
Shows that the hohndel.org DKIM header was still present. ARC covers that part, to make Google a bit happier in your host declaring that you verified, but then broke that sig.
The big orgs are making it on-purpose hard to do your own, as they know that they then get more of the mail on their platforms, and every bit of data helps :( [not that something like 80% of mail ends up there anyway, thus they effectively see it all unfortunately, and with domain hosting and forwarding one never knows where your mail ends up; PGP oh meh... to protect sensitive stuff...]
As for Mailman: one thing that really helps is changing the standard URLs for the signup page, makes it harder for bots to get there, and script kiddies would then have to manually change the scripts they have, and that, is hard for them.
... still running my own mail servers, and hope that it remains possible...
More information about the subsurface