Re: [mailop] Messages over IPv6 rejected by Google for failed authentication checks
On Thu, Jun 9, 2016 at 2:59 PM, Laura Atkins wrote:

> > On Jun 9, 2016, at 2:07 PM, Bernhard Schmidt wrote:
> >
> > On 09.06.2016 18:20, Laura Atkins wrote:
> >>
> >>> On Jun 9, 2016, at 9:06 AM, Bernhard Schmidt wrote:
> >>>
> >>> Header-From and Envelope-From are aligned, the sending domain does not
> >>> have any DKIM/SPF/DMARC published. We're working on DKIM, but this is
> >>> not rolled out for all domains yet. The hosts in question do have proper
> >>> FCrDNS, i.e.
> >>>
> >>> http://multirbl.valli.org/fcrdns-test/2001%3A4ca0%3A0%3A103%3A%3A81bb%3Aff89.html
> >>>
> >>> Anyone seeing the same? From outside it looks like Google has
> >>> implemented the "all mail delivered over IPv6 has to be DKIM/SPF
> >>> authenticated" previously done by Microsoft, but without the softfail.
> >>
> >> Yes. They have. They do not accept unauthenticated mail over v6. All you
> >> need to do is publish a SPF record and you should be good to go.
> >
> > Adding an SPF record for some remote understaffed downstream university
> > institute is not that easy if you don't know where their mail flows
> > might come from. Forcing SPF on them might do more harm than good.
>
> I didn’t notice it was a university. That I know how problematic it is to
> get control of a .edu domain and all the different campus servers and
> individual servers run by faculty and staff and such. Had I known I probably
> wouldn’t have recommended that.

Yes it is hard to know the IPs of where all the emails are coming from but you can start by an SPF record with the IPs you know about and terminate it by ~all. The ~all just says, if it does not pass it may be still ok.

You complete the SPF as you learn more about your infrastructure and what is not working.

I don't think you need the gift of omniscience to get started with SPF.

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
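The staged rollout suggested in the message above (list the relay IPs you know, end with ~all, extend later), as an added example that is not part of the thread: a minimal offline SPF evaluator covering only the `ip4`, `ip6` and `all` mechanisms, run against constructed records. The stage names, records and addresses are assumptions (documentation prefixes); real SPF (RFC 7208) also has `a`, `mx`, `include`, `redirect` and DNS lookups, which are left out here.

```python
import ipaddress

# Qualifier prefix -> SPF result (RFC 7208, section 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate an SPF record string against the connecting IP.

    Only ip4:, ip6: and all are handled; anything else is reported as
    permerror so the gap in this sketch is never mistaken for a pass.
    """
    if record is None:
        return "none"                      # domain publishes no SPF record
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                    # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            if net.version != (4 if name == "ip4" else 6):
                return "permerror"         # e.g. an IPv4 prefix under ip6:
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue                       # no match, try the next term
        return "permerror"                 # mechanism outside this sketch
    return "neutral"                       # nothing matched and no "all"


# Constructed rollout stages for one sending domain (hypothetical data).
STAGES = {
    "no record": None,
    "IPv4 relays only": "v=spf1 ip4:192.0.2.0/24 ~all",
    "IPv4 + IPv6 relays": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:103::/48 ~all",
    "catch-all neutral": "v=spf1 ?all",
}


def rollout_report(client_ip):
    """SPF result at each stage for mail leaving from client_ip."""
    return {stage: evaluate_spf(rec, client_ip) for stage, rec in STAGES.items()}


if __name__ == "__main__":
    for addr in ("2001:db8:103::25", "2001:db8:beef::1", "192.0.2.10"):
        print(addr, rollout_report(addr))
```

A record that lists only the IPv4 relays still yields softfail for the same relay's IPv6 address, which is why the record has to carry both address families before outbound IPv6 is re-enabled.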
Re: [mailop] Messages over IPv6 rejected by Google for failed authentication checks
Hi,

>> Not sure yet whether my testhost has ended up on a whitelist or
>> Google has reverted the behaviour.
>
> There was a report earlier that Google was experiencing
> authentication problems on the inbound and a lot of mail was failing.
> I’m guessing what you saw was related to that and it’s been fixed
> now.

I guess you're talking about this one

https://www.google.com/appsstatus#hl=en=issue=1=0f5b953ffaa833f29d02c532e2faf79b

Time / Description

6/9/16, 9:45 PM
The problem with Gmail should be resolved. We apologize for the inconvenience and thank you for your patience and continued support. Please rest assured that system reliability is a top priority at Google, and we are making continuous improvements to make our systems better. We have confirmed that this issue only affected messages sent to consumer Gmail accounts, and that messages sent to Google Apps accounts were not rejected.

6/9/16, 8:46 PM
We are continuing to investigate this issue. We will provide an update by 6/9/16, 9:46 PM detailing when we expect to resolve the problem. Some messages sent to consumer Gmail accounts are being rejected due to authentication enforcement

6/9/16, 7:56 PM
We're investigating reports of an issue with Gmail. We will provide more information shortly.

--
Bernhard Schmidt
Netzbetrieb / IPv6 / DNSSEC
Leibniz-Rechenzentrum
Leibniz Supercomputing Centre
Boltzmannstr. 1
D-85748 Garching b. Muenchen
Tel: +49 89 35831-7885
E-Mail/Jabber: bernhard.schm...@lrz.de
Re: [mailop] Messages over IPv6 rejected by Google for failed authentication checks
> On Jun 9, 2016, at 2:07 PM, Bernhard Schmidt wrote:
>
> On 09.06.2016 18:20, Laura Atkins wrote:
>>
>>> On Jun 9, 2016, at 9:06 AM, Bernhard Schmidt wrote:
>>>
>>> Header-From and Envelope-From are aligned, the sending domain does not
>>> have any DKIM/SPF/DMARC published. We're working on DKIM, but this is
>>> not rolled out for all domains yet. The hosts in question do have proper
>>> FCrDNS, i.e.
>>>
>>> http://multirbl.valli.org/fcrdns-test/2001%3A4ca0%3A0%3A103%3A%3A81bb%3Aff89.html
>>>
>>> Anyone seeing the same? From outside it looks like Google has
>>> implemented the "all mail delivered over IPv6 has to be DKIM/SPF
>>> authenticated" previously done by Microsoft, but without the softfail.
>>
>> Yes. They have. They do not accept unauthenticated mail over v6. All you
>> need to do is publish a SPF record and you should be good to go.
>
> Adding an SPF record for some remote understaffed downstream university
> institute is not that easy if you don't know where their mail flows
> might come from. Forcing SPF on them might do more harm than good.

I didn’t notice it was a university. That I know how problematic it is to get control of a .edu domain and all the different campus servers and individual servers run by faculty and staff and such. Had I known I probably wouldn’t have recommended that.

> I had experimented a bit this evening and was about to complain that an
> SPF record ending in ?all (and +all, but I expected that) did not help
> reverting to the previous behaviour, but all of the sudden all IPv6 mail
> seems to be accepted again. Even sending from hosts matching ~all or
> domains without SPF seem to be fine. They are properly tagged as
> spf=neutral or spf=softfail, but happily forwarded into the mailbox.
>
> Not sure yet whether my testhost has ended up on a whitelist or Google
> has reverted the behaviour.

There was a report earlier that Google was experiencing authentication problems on the inbound and a lot of mail was failing. I’m guessing what you saw was related to that and it’s been fixed now.

> For the record, I'm not against tightening the rules for email delivery.
> We have been plainly rejecting mails not only on missing PTR but also on
> mismatching FCrDNS on SMTP level for years now, both in IPv4 and IPv6,
> and have been advocating this to others. Although I'm not happy about it
> I can also get and work around the Microsoft approach of tempfailing
> messages without DKIM/SPF, since I can get the mailer to retry on IPv4
> while we sort out domain by domain. But the Google approach of
> hard-rejecting these mails places a huge burden of those who still have
> to run the classic smarthost relays for hundreds of on-campus MTAs with
> their own domains and own management, leaving them effectively no choice
> but to completely disable IPv6 outbound until all possible sender
> domains are fixed.

That may be a solution. Route the bulk of your mail through your v4 IPs and then only move them to v6 as they are authenticated.

laura

--
Having an Email Crisis? 800 823-9674

Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741

Email Delivery Blog: http://wordtothewise.com/blog
Re: [mailop] Messages over IPv6 rejected by Google for failed authentication checks
On 09.06.2016 18:20, Laura Atkins wrote:
>
>> On Jun 9, 2016, at 9:06 AM, Bernhard Schmidt wrote:
>>
>> Header-From and Envelope-From are aligned, the sending domain does not
>> have any DKIM/SPF/DMARC published. We're working on DKIM, but this is
>> not rolled out for all domains yet. The hosts in question do have proper
>> FCrDNS, i.e.
>>
>> http://multirbl.valli.org/fcrdns-test/2001%3A4ca0%3A0%3A103%3A%3A81bb%3Aff89.html
>>
>> Anyone seeing the same? From outside it looks like Google has
>> implemented the "all mail delivered over IPv6 has to be DKIM/SPF
>> authenticated" previously done by Microsoft, but without the softfail.
>
> Yes. They have. They do not accept unauthenticated mail over v6. All you need
> to do is publish a SPF record and you should be good to go.

Adding an SPF record for some remote understaffed downstream university institute is not that easy if you don't know where their mail flows might come from. Forcing SPF on them might do more harm than good.

I had experimented a bit this evening and was about to complain that an SPF record ending in ?all (and +all, but I expected that) did not help reverting to the previous behaviour, but all of the sudden all IPv6 mail seems to be accepted again. Even sending from hosts matching ~all or domains without SPF seem to be fine. They are properly tagged as spf=neutral or spf=softfail, but happily forwarded into the mailbox.

Not sure yet whether my testhost has ended up on a whitelist or Google has reverted the behaviour.

For the record, I'm not against tightening the rules for email delivery. We have been plainly rejecting mails not only on missing PTR but also on mismatching FCrDNS on SMTP level for years now, both in IPv4 and IPv6, and have been advocating this to others. Although I'm not happy about it I can also get and work around the Microsoft approach of tempfailing messages without DKIM/SPF, since I can get the mailer to retry on IPv4 while we sort out domain by domain. But the Google approach of hard-rejecting these mails places a huge burden of those who still have to run the classic smarthost relays for hundreds of on-campus MTAs with their own domains and own management, leaving them effectively no choice but to completely disable IPv6 outbound until all possible sender domains are fixed.

Bernhard
Re: [mailop] Messages over IPv6 rejected by Google for failed authentication checks
On Thu, Jun 9, 2016 at 11:48 AM, Michael Peddemors wrote:

> On 16-06-09 11:26 AM, Franck Martin via mailop wrote:
>
>> As people pointed out, an SPF record is easy to set and fast to solve
>> the issue, DKIM can come later...
>>
>
> Hehehe... 'easy' is a relative word, amazing how many poor SPF records are
> out there, and sometimes it is hard enough to get email operators to even
> have proper PTR records..

There has been little pain so far, stupid things have happened and there was barely any difference...
Re: [mailop] Messages over IPv6 rejected by Google for failed authentication checks
On 16-06-09 11:26 AM, Franck Martin via mailop wrote:
> As people pointed out, an SPF record is easy to set and fast to solve
> the issue, DKIM can come later...

Hehehe... 'easy' is a relative word, amazing how many poor SPF records are out there, and sometimes it is hard enough to get email operators to even have proper PTR records..

--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic

A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.
Re: [mailop] Messages over IPv6 rejected by Google for failed authentication checks
It is a M3AAWG best practice to not accept unauthenticated emails over IPv6, Microsoft does it, we do it, Google too...

https://www.m3aawg.org/sites/default/files/document/M3AAWG_Inbound_IPv6_Policy_Issues-2014-09.pdf

It is also likely that bad stuff (less visible for the sender) is also happening to unauthenticated emails over IPv4.

There is only 3% of "good" emails that are unauthenticated (true it is from the long tail of sending domains but...):
https://security.googleblog.com/2013/12/internet-wide-efforts-to-fight-email.html

As people pointed out, an SPF record is easy to set and fast to solve the issue, DKIM can come later...

On Thu, Jun 9, 2016 at 9:38 AM, Bernhard Schmidt wrote:

> On 09.06.2016 18:18, Hugo Slabbert wrote:
>
> Hi,
>
> >> since around 13:00 UTC today all of the sudden we see massive rejects of
> >> mails towards Google when delivering on IPv6
> >>
> >> Jun 9 15:12:07 lxmhs52 postfix-postout/smtp[50664]: 3rQQgp3VQTzyWn:
> >> to=,
> >> relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b]:25, delay=0.7,
> >> delays=0.01/0/0.16
> >> /0.53, dsn=5.7.1, status=bounced (host
> >> gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b] said: 550-5.7.1 This
> >> message does not have authentication information or fails to pass
> >> 550-5.7.1 authentication checks. To best protect our users from spam,
> >> the 550-5.7.1 message has been blocked. Please visit 550-5.7.1
> >> https://support.google.com/mail/answer/81126#authentication for m
> >> ore 550 5.7.1 information. d7si7802319wjc.145 - gsmtp (in reply to end
> >> of DATA command))
> >>
> >> Header-From and Envelope-From are aligned, the sending domain does not
> >> have any DKIM/SPF/DMARC published. We're working on DKIM, but this is
> >> not rolled out for all domains yet. The hosts in question do have proper
> >> FCrDNS, i.e.
> >>
> >> http://multirbl.valli.org/fcrdns-test/2001%3A4ca0%3A0%3A103%3A%3A81bb%3Aff89.html
> >>
> >> Anyone seeing the same? From outside it looks like Google has
> >> implemented the "all mail delivered over IPv6 has to be DKIM/SPF
> >> authenticated" previously done by Microsoft, but without the softfail.
> >
> > ...hasn't this been the case for some time? They want FCrDNS + at least
> > one of SPF or DKIM to accept delivery over v6:
> >
> > https://support.google.com/mail/answer/81126?hl=en#authentication
> >
> > Did they just defer previously?
>
> Mail was accepted just fine until three hours ago. There is a large
> difference between "The sending domain should pass either SPF check or
> DKIM check. Otherwise, mail might be marked as spam." and outright
> rejecting 100% of it.
>
> We've been working on SPF/DKIM for quite some time now. Unfortunately
> this is not that easy with hundreds of faculty-operated servers/domains,
> some of them not even on our nameservers. This has de-facto killed IPv6
> outbound completely for us. Microsoft tempfailing was annoying enough
> but manageable.
>
> Best Regards,
> Bernhard
Re: [mailop] Messages over IPv6 rejected by Google for failed authentication checks
On 09.06.2016 18:18, Hugo Slabbert wrote:

Hi,

>> since around 13:00 UTC today all of the sudden we see massive rejects of
>> mails towards Google when delivering on IPv6
>>
>> Jun 9 15:12:07 lxmhs52 postfix-postout/smtp[50664]: 3rQQgp3VQTzyWn:
>> to=,
>> relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b]:25, delay=0.7,
>> delays=0.01/0/0.16
>> /0.53, dsn=5.7.1, status=bounced (host
>> gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b] said: 550-5.7.1 This
>> message does not have authentication information or fails to pass
>> 550-5.7.1 authentication checks. To best protect our users from spam,
>> the 550-5.7.1 message has been blocked. Please visit 550-5.7.1
>> https://support.google.com/mail/answer/81126#authentication for m
>> ore 550 5.7.1 information. d7si7802319wjc.145 - gsmtp (in reply to end
>> of DATA command))
>>
>> Header-From and Envelope-From are aligned, the sending domain does not
>> have any DKIM/SPF/DMARC published. We're working on DKIM, but this is
>> not rolled out for all domains yet. The hosts in question do have proper
>> FCrDNS, i.e.
>>
>> http://multirbl.valli.org/fcrdns-test/2001%3A4ca0%3A0%3A103%3A%3A81bb%3Aff89.html
>>
>> Anyone seeing the same? From outside it looks like Google has
>> implemented the "all mail delivered over IPv6 has to be DKIM/SPF
>> authenticated" previously done by Microsoft, but without the softfail.
>
> ...hasn't this been the case for some time? They want FCrDNS + at least
> one of SPF or DKIM to accept delivery over v6:
>
> https://support.google.com/mail/answer/81126?hl=en#authentication
>
> Did they just defer previously?

Mail was accepted just fine until three hours ago. There is a large difference between "The sending domain should pass either SPF check or DKIM check. Otherwise, mail might be marked as spam." and outright rejecting 100% of it.

We've been working on SPF/DKIM for quite some time now. Unfortunately this is not that easy with hundreds of faculty-operated servers/domains, some of them not even on our nameservers. This has de-facto killed IPv6 outbound completely for us. Microsoft tempfailing was annoying enough but manageable.

Best Regards,
Bernhard
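With hundreds of sender domains behind one smarthost, the first step is finding out which of them are being refused. An added example (not from the thread) that correlates Postfix `qmgr` and `smtp` log lines by queue ID and counts authentication refusals per envelope-sender domain and address family; the log lines, queue IDs, sender domains and the `mx.rcpt.example` receiver are constructed, modelled on the bounce quoted above.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log (hypothetical queue IDs, domains and receiver).
GMAIL = "gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b]"
AUTH = ("550-5.7.1 This message does not have authentication information or "
        "fails to pass 550-5.7.1 authentication checks.")
Q = "Jun  9 15:12:06 relay1 postfix-postout/qmgr[901]: "
S = "Jun  9 15:12:07 relay1 postfix-postout/smtp[50664]: "
SAMPLE_LOG = "\n".join([
    Q + "4A1: from=<alice@inst-a.example>, size=2048, nrcpt=1 (queue active)",
    S + f"4A1: to=<u@rcpt.example>, relay={GMAIL}:25, delay=0.7, dsn=5.7.1, "
        f"status=bounced (host {GMAIL} said: {AUTH} (in reply to end of DATA command))",
    Q + "4A2: from=<bob@inst-a.example>, size=900, nrcpt=1 (queue active)",
    S + f"4A2: to=<v@rcpt.example>, relay={GMAIL}:25, delay=0.6, dsn=5.7.1, "
        f"status=bounced (host {GMAIL} said: {AUTH} (in reply to end of DATA command))",
    Q + "4A3: from=<carol@inst-b.example>, size=700, nrcpt=1 (queue active)",
    S + f"4A3: to=<w@rcpt.example>, relay={GMAIL}:25, delay=0.5, dsn=2.0.0, "
        "status=sent (250 2.0.0 OK)",
    Q + "4A4: from=<dave@inst-c.example>, size=800, nrcpt=1 (queue active)",
    S + "4A4: to=<x@rcpt.example>, relay=mx.rcpt.example[2001:db8::25]:25, delay=0.4, "
        "dsn=4.7.1, status=deferred (host mx.rcpt.example[2001:db8::25] said: "
        "451 4.7.1 Message lacks authentication, try again later (in reply to end of DATA command))",
    Q + "4A5: from=<erin@inst-d.example>, size=600, nrcpt=1 (queue active)",
    S + "4A5: to=<y@rcpt.example>, relay=mx.rcpt.example[192.0.2.26]:25, delay=0.3, "
        "dsn=5.7.1, status=bounced (host mx.rcpt.example[192.0.2.26] said: "
        "550 5.7.1 Relaying denied (in reply to RCPT TO command))",
])

QMGR_RE = re.compile(r"postfix[^ /]*/qmgr\[\d+\]: (\w+): from=<([^>]*)>")
SMTP_RE = re.compile(
    r"postfix[^ /]*/smtp\[\d+\]: (\w+): to=<[^>]*>, relay=[^\[]+\[([^\]]+)\]:\d+,"
    r".*?dsn=(\d\.\d+\.\d+), status=(\w+) \((.*)\)$")


def auth_refusals(log_text):
    """Count x.7.1 authentication refusals per (sender domain, family, status)."""
    senders = {}         # queue ID -> envelope-sender domain (from qmgr lines)
    refusals = Counter()
    for line in log_text.splitlines():
        m = QMGR_RE.search(line)
        if m:
            senders[m.group(1)] = m.group(2).rpartition("@")[2].lower() or "<>"
            continue
        m = SMTP_RE.search(line)
        if not m:
            continue
        qid, relay_ip, dsn, status, reply = m.groups()
        # 5.7.1 is also used for relay denials etc., so check the reply text too.
        if not dsn.endswith(".7.1") or "authentication" not in reply:
            continue
        family = "ipv%d" % ipaddress.ip_address(relay_ip).version
        refusals[(senders.get(qid, "unknown"), family, status)] += 1
    return refusals


def hard_rejected_over_ipv6(refusals):
    """Sender domains with permanent auth rejects on IPv6 deliveries."""
    return sorted({dom for (dom, fam, st) in refusals
                   if fam == "ipv6" and st == "bounced"})


if __name__ == "__main__":
    result = auth_refusals(SAMPLE_LOG)
    print(dict(result))
    print("publish SPF/DKIM or hold on IPv4:", hard_rejected_over_ipv6(result))
```

The deferred bucket corresponds to the tempfail behaviour described in the thread, where the mailer can still retry over IPv4; the bounced bucket is the list of domains that need a record published before their mail goes out over IPv6.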
Re: [mailop] Messages over IPv6 rejected by Google for failed authentication checks
On Thu 2016-Jun-09 18:21:17 +0200, Sebastian Hagedorn wrote:

>> Hi,
>>
>> since around 13:00 UTC today all of the sudden we see massive rejects of
>> mails towards Google when delivering on IPv6
>>
>> Jun 9 15:12:07 lxmhs52 postfix-postout/smtp[50664]: 3rQQgp3VQTzyWn:
>> to=,
>> relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b]:25, delay=0.7,
>> delays=0.01/0/0.16
>> /0.53, dsn=5.7.1, status=bounced (host
>> gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b] said: 550-5.7.1 This
>> message does not have authentication information or fails to pass
>> 550-5.7.1 authentication checks. To best protect our users from spam,
>> the 550-5.7.1 message has been blocked. Please visit 550-5.7.1
>> https://support.google.com/mail/answer/81126#authentication for m
>> ore 550 5.7.1 information. d7si7802319wjc.145 - gsmtp (in reply to end
>> of DATA command))
>>
>> Header-From and Envelope-From are aligned, the sending domain does not
>> have any DKIM/SPF/DMARC published. We're working on DKIM, but this is
>> not rolled out for all domains yet. The hosts in question do have proper
>> FCrDNS, i.e.
>>
>> http://multirbl.valli.org/fcrdns-test/2001%3A4ca0%3A0%3A103%3A%3A81bb%3Aff89.html
>>
>> Anyone seeing the same? From outside it looks like Google has
>> implemented the "all mail delivered over IPv6 has to be DKIM/SPF
>> authenticated" previously done by Microsoft, but without the softfail.
>
> FWIW: we deliver via IPv6 to Google, and we are currently not affected. We
> don't yet use DKIM, but we do have an SPF record that advertises both our
> IPv4 and our IPv6 subnets. Of course I don't know if that's the reason our
> mails are accepted.

Yes, it is. It's right there in their policy:

https://support.google.com/mail/answer/81126?hl=en#authentication

Additional guidelines for IPv6
...
The sending domain should pass ***either*** SPF check or DKIM check. Otherwise, mail might be marked as spam.

(emphasis mine)

> Cheers
> Sebastian
> --
> Sebastian Hagedorn - Postmaster - Weyertal 121, Zimmer 2.02
> Regionales Rechenzentrum (RRZK)
> Universität zu Köln / Cologne University - Tel. +49-221-470-89578

--
Hugo
Re: [mailop] Messages over IPv6 rejected by Google for failed authentication checks
On 6/9/2016 11:21 AM, Sebastian Hagedorn wrote:

>> Hi,
>>
>> since around 13:00 UTC today all of the sudden we see massive rejects of
>> mails towards Google when delivering on IPv6
>>
>> Jun 9 15:12:07 lxmhs52 postfix-postout/smtp[50664]: 3rQQgp3VQTzyWn:
>> to=,
>> relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b]:25, delay=0.7,
>> delays=0.01/0/0.16
>> /0.53, dsn=5.7.1, status=bounced (host
>> gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b] said: 550-5.7.1 This
>> message does not have authentication information or fails to pass
>> 550-5.7.1 authentication checks. To best protect our users from spam,
>> the 550-5.7.1 message has been blocked. Please visit 550-5.7.1
>> https://support.google.com/mail/answer/81126#authentication for m
>> ore 550 5.7.1 information. d7si7802319wjc.145 - gsmtp (in reply to end
>> of DATA command))
>>
>> Header-From and Envelope-From are aligned, the sending domain does not
>> have any DKIM/SPF/DMARC published. We're working on DKIM, but this is
>> not rolled out for all domains yet. The hosts in question do have proper
>> FCrDNS, i.e.
>>
>> http://multirbl.valli.org/fcrdns-test/2001%3A4ca0%3A0%3A103%3A%3A81bb%3Aff89.html
>>
>> Anyone seeing the same? From outside it looks like Google has
>> implemented the "all mail delivered over IPv6 has to be DKIM/SPF
>> authenticated" previously done by Microsoft, but without the softfail.
>
> FWIW: we deliver via IPv6 to Google, and we are currently not affected. We
> don't yet use DKIM, but we do have an SPF record that advertises both our
> IPv4 and our IPv6 subnets. Of course I don't know if that's the reason our
> mails are accepted.
>
> Cheers
> Sebastian
> --
> Sebastian Hagedorn - Postmaster - Weyertal 121, Zimmer 2.02
> Regionales Rechenzentrum (RRZK)
> Universität zu Köln / Cologne University - Tel. +49-221-470-89578

Here, we have always had proper reverse entries for IPv4 and IPv6 and have been delivering to gmail for a couple of years over IPv6. And yes today we are also affected.

Looks like publishing an SPF record is enough to clear this issue.

Lyle Giese
LCR Computer Services, Inc.
Re: [mailop] Messages over IPv6 rejected by Google for failed authentication checks
> On Jun 9, 2016, at 9:06 AM, Bernhard Schmidt wrote:
>
> Header-From and Envelope-From are aligned, the sending domain does not
> have any DKIM/SPF/DMARC published. We're working on DKIM, but this is
> not rolled out for all domains yet. The hosts in question do have proper
> FCrDNS, i.e.
>
> http://multirbl.valli.org/fcrdns-test/2001%3A4ca0%3A0%3A103%3A%3A81bb%3Aff89.html
>
> Anyone seeing the same? From outside it looks like Google has
> implemented the "all mail delivered over IPv6 has to be DKIM/SPF
> authenticated" previously done by Microsoft, but without the softfail.

Yes. They have. They do not accept unauthenticated mail over v6. All you need to do is publish a SPF record and you should be good to go.

laura

--
Having an Email Crisis? 800 823-9674

Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741

Email Delivery Blog: http://wordtothewise.com/blog
Re: [mailop] Messages over IPv6 rejected by Google for failed authentication checks
> Hi,
>
> since around 13:00 UTC today all of the sudden we see massive rejects of
> mails towards Google when delivering on IPv6
>
> Jun 9 15:12:07 lxmhs52 postfix-postout/smtp[50664]: 3rQQgp3VQTzyWn:
> to=,
> relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b]:25, delay=0.7,
> delays=0.01/0/0.16
> /0.53, dsn=5.7.1, status=bounced (host
> gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b] said: 550-5.7.1 This
> message does not have authentication information or fails to pass
> 550-5.7.1 authentication checks. To best protect our users from spam,
> the 550-5.7.1 message has been blocked. Please visit 550-5.7.1
> https://support.google.com/mail/answer/81126#authentication for m
> ore 550 5.7.1 information. d7si7802319wjc.145 - gsmtp (in reply to end
> of DATA command))
>
> Header-From and Envelope-From are aligned, the sending domain does not
> have any DKIM/SPF/DMARC published. We're working on DKIM, but this is
> not rolled out for all domains yet. The hosts in question do have proper
> FCrDNS, i.e.
>
> http://multirbl.valli.org/fcrdns-test/2001%3A4ca0%3A0%3A103%3A%3A81bb%3Aff89.html
>
> Anyone seeing the same? From outside it looks like Google has
> implemented the "all mail delivered over IPv6 has to be DKIM/SPF
> authenticated" previously done by Microsoft, but without the softfail.

FWIW: we deliver via IPv6 to Google, and we are currently not affected. We don't yet use DKIM, but we do have an SPF record that advertises both our IPv4 and our IPv6 subnets. Of course I don't know if that's the reason our mails are accepted.

Cheers
Sebastian
--
Sebastian Hagedorn - Postmaster - Weyertal 121, Zimmer 2.02
Regionales Rechenzentrum (RRZK)
Universität zu Köln / Cologne University - Tel. +49-221-470-89578
Re: [mailop] Messages over IPv6 rejected by Google for failed authentication checks
On Thu 2016-Jun-09 18:06:30 +0200, Bernhard Schmidt wrote:

> Hi,
>
> since around 13:00 UTC today all of the sudden we see massive rejects of
> mails towards Google when delivering on IPv6
>
> Jun 9 15:12:07 lxmhs52 postfix-postout/smtp[50664]: 3rQQgp3VQTzyWn:
> to=,
> relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b]:25, delay=0.7,
> delays=0.01/0/0.16
> /0.53, dsn=5.7.1, status=bounced (host
> gmail-smtp-in.l.google.com[2a00:1450:400c:c0a::1b] said: 550-5.7.1 This
> message does not have authentication information or fails to pass
> 550-5.7.1 authentication checks. To best protect our users from spam,
> the 550-5.7.1 message has been blocked. Please visit 550-5.7.1
> https://support.google.com/mail/answer/81126#authentication for m
> ore 550 5.7.1 information. d7si7802319wjc.145 - gsmtp (in reply to end
> of DATA command))
>
> Header-From and Envelope-From are aligned, the sending domain does not
> have any DKIM/SPF/DMARC published. We're working on DKIM, but this is
> not rolled out for all domains yet. The hosts in question do have proper
> FCrDNS, i.e.
>
> http://multirbl.valli.org/fcrdns-test/2001%3A4ca0%3A0%3A103%3A%3A81bb%3Aff89.html
>
> Anyone seeing the same? From outside it looks like Google has
> implemented the "all mail delivered over IPv6 has to be DKIM/SPF
> authenticated" previously done by Microsoft, but without the softfail.

...hasn't this been the case for some time? They want FCrDNS + at least one of SPF or DKIM to accept delivery over v6:

https://support.google.com/mail/answer/81126?hl=en#authentication

Did they just defer previously?

> Best Regards,
> Bernhard

--
Hugo