On Thu 01/Sep/2022 23:22:13 +0200 marc wrote:

It's imperative that you have rdns, spf, dkim and dmarc set up and that it all matches. My MTA will reject you if your ptr doesn't match your a record and your helo/ehlo hostname. spf, dkim and dmarc are all scored via spamassassin. Google rejects, outright, if there is any sort of mismatch in any of that at all. Setting up dnssec for your domain is also helpful. DNG list traffic comes through just fine.

But look here: This is the sending host for the DNG mailing list:

   Received: from mail.dyne.org (ns3218761.ip-162-19-139.eu [162.19.139.95])


I think OVH allows classless delegation or at least setting PTRs for fixed IPs. I'd guess laziness is the reason why it isn't set. The list has no DKIM signature, which is another sign of it. However, they have a good SPF record.


As you can see that reverse IP doesn't match what the SMTP server
connects as.

So I am actually not quite sure if your MX is as strict as you
claim it to be? Or am I missing something? Do you have a different
Received header - it should be one of the first lines of every message?

And your server isn't alone in being not quite as strict as claimed:


Curtis said his MTA weights authentication along with a bunch of other factors to get a message score. That's fuzzy, but sometimes works.


Despite the received wisdom that one had to have SPF+DKIM+DMARC+YOLO+SPQR+WTF :) set up to send mail to the dominant email servers, this wasn't actually true: At least until last week I managed to get mail accepted reliably by google despite having only a proper MX and reverse DNS entry - nothing else, not even SPF. And given that real people answered to those mails, most of them did not end up in their spam folders either. But this seems to have changed recently... hence this thread.


Reverse DNS was already in use by some MTAs (and FTP servers) when I started to connect to the Internet. SPF came shortly afterwards, in the early 2000s. My first DKIM filter appeared in 2010. DMARC still has no "standard" spec. It is coming very slowly, not only for inertia and indolence of mail operators, but also.

The original anti-spam recipe, to block key words or phrases in the message body, is faulty. Against phishing, it's definitely disastrous. The point of domain-based authentication is to allow domains to earn a reputation, so that good actors can be trusted and messages accepted or rejected on a solid basis. The alternative for Internet mail is to go Bananas[*], methinks.


Best
Ale
--

[*] https://en.wikipedia.org/wiki/Bananas_(film)






_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
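
The PTR/HELO comparison discussed in this thread, as an added example that is not part of the original messages: it parses the `Received:` line quoted above and evaluates the three checks separately. The function names and the offline zone table are assumptions made for the illustration; the address data in the table is constructed, not a lookup result.

```python
import re
import socket

# "from HELO (RDNS [IP])" clause as written by Postfix-style MTAs.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]\)"
)

def parse_received(header):
    """Return (helo, rdns, ip) from a Received header, or None if no match."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    return m["helo"].rstrip(".").lower(), m["rdns"].rstrip(".").lower(), m["ip"]

def dns_forward(name):
    """Live A/AAAA lookup; returns a set of addresses (empty on failure)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def check_sender(header, forward=dns_forward):
    """Evaluate the rDNS/HELO checks for one Received header."""
    parsed = parse_received(header)
    if parsed is None:
        raise ValueError("no 'from helo (rdns [ip])' clause found")
    helo, rdns, ip = parsed
    return {
        "helo": helo, "rdns": rdns, "ip": ip,
        # PTR name equals the name announced in HELO/EHLO
        "ptr_matches_helo": rdns == helo,
        # forward-confirmed reverse DNS: the PTR name resolves back to the IP
        "fcrdns": rdns != "unknown" and ip in forward(rdns),
        # the HELO name itself resolves to the connecting IP
        "helo_resolves_to_ip": ip in forward(helo),
    }

# Header quoted in the thread; the zone data below is constructed for the demo.
HEADER = "Received: from mail.dyne.org (ns3218761.ip-162-19-139.eu [162.19.139.95])"
CONSTRUCTED_ZONE = {
    "mail.dyne.org": {"162.19.139.95"},
    "ns3218761.ip-162-19-139.eu": {"162.19.139.95"},
}

def offline_forward(name):
    """Stand-in resolver so the example runs without network access."""
    return CONSTRUCTED_ZONE.get(name, set())

if __name__ == "__main__":
    for key, value in check_sender(HEADER, offline_forward).items():
        print(f"{key}: {value}")
```

With the constructed zone, forward-confirmed reverse DNS passes while the PTR name still differs from the HELO name, so a policy requiring all three to match would refuse this host while a plain FCrDNS policy would not.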
