On 09.06.2016 18:18, Hugo Slabbert wrote:

Hi,

>> since around 13:00 UTC today all of the sudden we see massive rejects of
>> mails towards Google when delivering on IPv6
>>
>> Jun 9 15:12:07 lxmhs52 postfix-postout/smtp[50664]: 3rQQgp3VQTzyWn:
>> to=<x...@gmail.com>,
>> relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b]:25, delay=0.7,
>> delays=0.01/0/0.16
>> /0.53, dsn=5.7.1, status=bounced (host
>> gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b] said: 550-5.7.1 This
>> message does not have authentication information or fails to pass
>> 550-5.7.1 authentication checks. To best protect our users from spam,
>> the 550-5.7.1 message has been blocked. Please visit 550-5.7.1
>> https://support.google.com/mail/answer/81126#authentication for m
>> ore 550 5.7.1 information. d7si7802319wjc.145 - gsmtp (in reply to end
>> of DATA command))
>>
>> Header-From and Envelope-From are aligned, the sending domain does not
>> have any DKIM/SPF/DMARC published. We're working on DKIM, but this is
>> not rolled out for all domains yet. The hosts in question do have proper
>> FCrDNS, i.e.
>>
>> http://multirbl.valli.org/fcrdns-test/2001%3A4ca0%3A0%3A103%3A%3A81bb%3Aff89.html
>>
>>
>> Anyone seeing the same? From outside it looks like Google has
>> implemented the "all mail delivered over IPv6 has to be DKIM/SPF
>> authenticated" previously done by Microsoft, but without the softfail.
>
> ...hasn't this been the case for some time? They want FCrDNS + at least
> one of SPF or DKIM to accept delivery over v6:
>
> https://support.google.com/mail/answer/81126?hl=en#authentication
>
> Did they just defer previously?

Mail was accepted just fine until three hours ago. There is a large
difference between "The sending domain should pass either SPF check or
DKIM check. Otherwise, mail might be marked as spam." and outright
rejecting 100% of it.

We've been working on SPF/DKIM for quite some time now. Unfortunately
this is not that easy with hundreds of faculty-operated servers/domains,
some of them not even on our nameservers.
This has de-facto killed IPv6 outbound completely for us. Microsoft
tempfailing was annoying enough but manageable.

Best Regards,
Bernhard
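The pattern reported in this thread (550 5.7.1 authentication bounces that appear only on IPv6 relays) can be checked from Postfix logs by grouping deliveries per relay host and address family. This is an added example, not part of the thread; the sample lines are constructed on the model of the quoted log entry, with made-up queue IDs, recipients and documentation-range addresses.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines modelled on the Postfix entry quoted in the thread.
# Queue IDs, recipients and the 192.0.2.x / 2001:db8:: addresses are made up.
SAMPLE_LOG = """\
Jun 9 15:12:07 lxmhs52 postfix-postout/smtp[50664]: 3rQQgp3VQTzyWn: to=<a@gmail.com>, relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b]:25, delay=0.7, delays=0.01/0/0.16/0.53, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b] said: 550-5.7.1 This message does not have authentication information or fails to pass 550-5.7.1 authentication checks. (in reply to end of DATA command))
Jun 9 15:12:09 lxmhs52 postfix-postout/smtp[50665]: 3rQQgr1AAAzyWn: to=<b@gmail.com>, relay=gmail-smtp-in.l.google.com[192.0.2.27]:25, delay=0.9, delays=0.01/0/0.2/0.69, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jun 9 15:12:11 lxmhs52 postfix-postout/smtp[50666]: 3rQQgt2BBBzyWn: to=<c@gmail.com>, relay=gmail-smtp-in.l.google.com[2001:db8::1b]:25, delay=0.6, delays=0.01/0/0.1/0.49, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[2001:db8::1b] said: 550-5.7.1 This message does not have authentication information or fails to pass 550-5.7.1 authentication checks. (in reply to end of DATA command))
Jun 9 15:12:14 lxmhs52 postfix-postout/smtp[50667]: 3rQQgv3CCCzyWn: to=<d@example.org>, relay=mx.example.org[2001:db8::25]:25, delay=1.2, delays=0.01/0/0.3/0.89, dsn=5.1.1, status=bounced (host mx.example.org[2001:db8::25] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
"""

# relay=<host>[<ip>]:<port>, ... dsn=<x.y.z>, status=<word> (<remote reply>)
DELIVERY = re.compile(
    r"relay=(?P<host>[^\[,]+)\[(?P<ip>[^\]]+)\]:\d+,.*?"
    r"dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<reply>.*)\)$"
)


def summarize(log_text):
    """Count deliveries and 5.7.1 authentication bounces per (relay host, family)."""
    stats = defaultdict(lambda: {"total": 0, "auth_rejects": 0})
    for line in log_text.splitlines():
        m = DELIVERY.search(line.strip())
        if not m:
            continue  # not a delivery attempt to a host[ip]:port relay
        try:
            family = f"ipv{ipaddress.ip_address(m['ip']).version}"
        except ValueError:
            continue  # bracketed value was not an IP address
        entry = stats[(m["host"], family)]
        entry["total"] += 1
        if (m["dsn"] == "5.7.1" and m["status"] == "bounced"
                and "authentication" in m["reply"]):
            entry["auth_rejects"] += 1
    return dict(stats)


if __name__ == "__main__":
    for (host, family), s in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{host} {family}: {s['auth_rejects']}/{s['total']} auth rejects")
```

A reject count that is high for the `ipv6` key and zero for the `ipv4` key of the same relay host matches what the thread describes.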