On Sat, Mar 14, 2020 at 01:16:09AM +0000, Paul Vixie wrote:

> Today I got mail including this:
>
> <jab...@hopcount.ca>: host aspmx.l.google.com[2607:f8b0:400e:c08::1b] said:
> 550-5.7.26 This message does not have authentication information or fails to
> 550-5.7.26 pass authentication checks. To best protect our users from spam, the
> 550-5.7.26 message has been blocked. Please visit
> 550-5.7.26 https://support.google.com/mail/answer/81126#authentication for more
> 550 5.7.26 information. l73si7852706pfd.109 - gsmtp
> (in reply to end of DATA command)
>
> This is because I had no SPF record in my domain's TXT RRset.
Yes, this is by now a long-standing issue with the Google-operated inbound MTAs that serve not only gmail.com, but also millions of additional hosted domains, such as "hopcount.ca", making it difficult to get by with exceptions just for e.g. google.com and gmail.com.

> Now, SPF is a bone-headed idea and badly implemented, but I never
> cared until today because the lack of an SPF record inside my domain's
> TXT RRset never mattered.

Google have chosen to apply the requirement to have SPF and/or DKIM records only on the IPv6 SMTP servers. The IPv4 servers continue to accept "classic" email not saddled with SPF and DKIM baggage...

[ A fine way to promote IPv6 adoption, by putting up new barriers for any foolish enough to try it. :-( ]

But you don't actually have to hinder forwarding of your email by publishing SPF; another option is to use only IPv4 when sending email via Google's MX hosts. This can be done by hiding the AAAA records of the Google MTAs from Postfix (my adaptation below of the example uses the PCRE "x" option to make the filter more readable):

    http://www.postfix.org/postconf.5.html#smtp_dns_reply_filter

    /etc/postfix/main.cf:
        pcre = pcre:${config_directory}/
        smtp_dns_reply_filter = ${pcre}smtp_dns_reply_filter

    /etc/postfix/smtp_dns_reply_filter:
        # /domain ttl IN AAAA address/ action, all case-insensitive.
        # Note: the domain name ends in ".".
        /^\S+\.google\.com\. \s+ \S+ \s+ IN \s+ AAAA \s+/x IGNORE
        /^\S+\.smtp\.goog\. \s+ \S+ \s+ IN \s+ AAAA \s+/x IGNORE

Alternatively, you can disable IPv6 globally, and route only selected IPv6-only domains via a dedicated IPv6-enabled transport.

    main.cf:
        indexed = ${default_database_type}:${config_directory}/
        transport_maps = ${indexed}transport

    transport:
        ipv6-only.example    smtp6

    master.cf:
        smtp     unix  -  -  n  -  -  smtp -o inet_protocols=ipv4
        smtp6    unix  -  -  n  -  -  smtp -o inet_protocols=ipv6
        smtpany  unix  -  -  n  -  -  smtp -o inet_protocols=all

-- 
    Viktor.
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
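The smtp_dns_reply_filter rules in Viktor's message are easy to get subtly wrong (a stray anchor, a pattern that also swallows the A records, or one that misses an uppercased name), so before deploying such a table it is worth dry-running the patterns against the textual form Postfix feeds the filter ("name ttl class type value", name ending in a dot). The script below is an added example, not code from the message or from Postfix: it re-implements the first-match-wins lookup of a pcre table in Python's re module (re.I for the table's default case-insensitivity, re.X for the "x" flag) and applies the two rules from the message to a constructed set of reply lines. The host names and IPv6 addresses other than the one quoted in the bounce (2607:f8b0:400e:c08::1b) are made up from documentation ranges; "mail.smtp.goog" is a constructed name chosen only to exercise the second rule.

```python
import re

# The two rules from the message, with the same flags a Postfix pcre table
# would apply: 'i' is on by default, 'x' was requested explicitly.
FILTER_RULES = [
    (re.compile(r"^\S+\.google\.com\. \s+ \S+ \s+ IN \s+ AAAA \s+", re.I | re.X), "IGNORE"),
    (re.compile(r"^\S+\.smtp\.goog\. \s+ \S+ \s+ IN \s+ AAAA \s+", re.I | re.X), "IGNORE"),
]

# Constructed sample of what Postfix presents to smtp_dns_reply_filter.
# Only the first IPv6 address is real (it is the one in the quoted bounce);
# the rest use RFC 5737 / RFC 3849 documentation addresses.
SAMPLE_REPLIES = [
    "aspmx.l.google.com. 300 IN AAAA 2607:f8b0:400e:c08::1b",
    "aspmx.l.google.com. 300 IN A 192.0.2.26",
    "alt1.aspmx.l.google.com. 300 IN AAAA 2001:db8::2",
    "mx.example.net. 3600 IN AAAA 2001:db8::25",
    "mx.example.net. 3600 IN A 192.0.2.25",
    "ASPMX.L.GOOGLE.COM. 300 IN AAAA 2607:f8b0:400e:c08::1b",  # case variant
    "mail.smtp.goog. 300 IN AAAA 2001:db8::3",                 # constructed name
]


def lookup(line, rules=FILTER_RULES):
    """Emulate a pcre table lookup: the first matching rule's action wins."""
    for pattern, action in rules:
        if pattern.search(line):
            return action
    return None


def apply_filter(reply_lines, rules=FILTER_RULES):
    """Split DNS reply lines into those Postfix keeps and those it ignores."""
    kept, ignored = [], []
    for line in reply_lines:
        if lookup(line, rules) == "IGNORE":
            ignored.append(line)
        else:
            kept.append(line)
    return kept, ignored


def has_ipv6_path(kept_lines, name):
    """True if any AAAA record for `name` survives the filter.

    This is the check that matters operationally: if it is still True for a
    Google MX host, the smtp client may still connect over IPv6 and hit the
    SPF/DKIM requirement described in the thread.
    """
    want = name.lower().rstrip(".")
    for line in kept_lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        rr_name, rr_type = fields[0].lower().rstrip("."), fields[3].upper()
        if rr_name == want and rr_type == "AAAA":
            return True
    return False


if __name__ == "__main__":
    kept, ignored = apply_filter(SAMPLE_REPLIES)
    for line in ignored:
        print("IGNORE ", line)
    for line in kept:
        print("keep   ", line)
    print("IPv6 path to aspmx.l.google.com left:",
          has_ipv6_path(kept, "aspmx.l.google.com"))
    print("IPv6 path to mx.example.net left:   ",
          has_ipv6_path(kept, "mx.example.net"))
```

Two properties of the rules show up in the run: the A records for the Google hosts are untouched (the pattern requires the literal type field AAAA after IN), so delivery still works over IPv4, and the filter is case-insensitive, so an uppercased owner name is still dropped. Note that the message's first pattern demands at least one label before google.com., which is what you want for MX hosts but would not hide an AAAA record for the bare apex name.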