:: Re: [DNG] meta: list
Author: Alessandro Vesely
Date:  
To: dng
Subject: Re: [DNG] meta: list
On Thu 01/Sep/2022 23:22:13 +0200 marc wrote:
>
>> It's imperative that you have rdns, spf, dkim and dmarc set up and that it all matches.
>>
>> My MTA will reject you if your ptr doesn't match your a record and your helo/ehlo hostname. spf, dkim and dmarc are all scored via spamassassin. Google rejects, outright, if there is any sort of mismatch in any of that at all. Setting up dnssec for your domain is also helpful.
>>
>> DNG list traffic comes through just fine.
>
> But look here: This is the sending host for the DNG mailing list:
>
>    Received: from mail.dyne.org (ns3218761.ip-162-19-139.eu [162.19.139.95])



I think OVH allows classless delegation or at least setting PTRs for fixed IPs.
I'd guess laziness is the reason why it isn't set. The list has no DKIM
signature, which is another sign of it. However, they have a good SPF record.


> As you can see that reverse IP doesn't match what the SMTP server
> connects as.
>
> So I am actually not quite sure if your MX is as strict as you
> claim it to be ? Or am I missing something ? Do you have a different
> Received header - it should be one of the first lines of every message ?
>
> And your server isn't alone in being not quite as strict as claimed:



Curtis said his MTA weights authentication along with a bunch of other factors
to get a message score. That's fuzzy, but sometimes works.


> Despite the received wisdom that one had to have
> SPF+DKIM+DMARC+YOLO+SPQR+WTF :) set up to send mail to the
> dominant email servers, this wasn't actually true: At least until last
> week I managed to get mail accepted reliably by google despite having
> only a proper MX and reverse DNS entry - nothing else, not even SPF.
> And given that real people answered to those mails, most of them
> did not end up in their spam folders either. But this seems to have
> changed recently... hence this thread.



Reverse DNS was already in use by some MTAs (and FTP servers) when I started to
connect to the Internet. SPF came shortly afterwards, in the early 2000. My
first DKIM filter appeared in 2010. DMARC still has no "standard" spec. It is
coming very slowly, not only for inertia and indolence of mail operators, but also.

The original anti-spam recipe, to block key words or phrases in the message
body, is faulty. Against phishing, it's definitely disastrous. The point of
domain-based authentication is to allow domains to earn a reputation, so that
good actors can be trusted and messages accepted or rejected on a solid basis.
The alternative for Internet mail is to go Bananas[*], methinks.


Best
Ale
--

[*] https://en.wikipedia.org/wiki/Bananas_(film)
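
Added example, not part of the original message or of any poster's MTA configuration: a Python sketch of the PTR / A record / HELO consistency check discussed in this thread, run on the Received line quoted above. The function names and the zone data are assumptions; the zone data is constructed and is not live DNS.

```python
import re
import socket

# "from" clause as many MTAs write it: from HELO (rdns-name [IP])
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*"
    r"\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]\)"
)

def parse_received(header):
    """Return (helo, rdns or None, ip) from a Received header line."""
    m = RECEIVED_RE.search(header)
    if not m:
        raise ValueError("no 'from HELO (rdns [ip])' clause found")
    norm = lambda h: h.rstrip(".").lower()
    rdns = m["rdns"]
    if rdns is None or rdns.lower() == "unknown":  # some MTAs log "unknown" for no PTR
        rdns = None
    return norm(m["helo"]), (norm(rdns) if rdns else None), m["ip"]

def check_sender(header, forward_lookup):
    """forward_lookup(name) -> set of address strings (A/AAAA records)."""
    helo, rdns, ip = parse_received(header)
    return {
        "helo": helo, "rdns": rdns, "ip": ip,
        "has_ptr": rdns is not None,
        # forward-confirmed reverse DNS: the PTR name resolves back to the IP
        "fcrdns": rdns is not None and ip in forward_lookup(rdns),
        "helo_matches_ptr": rdns is not None and helo == rdns,
        "helo_resolves_to_ip": ip in forward_lookup(helo),
    }

def dns_lookup(name):
    """Live resolver for real use (not exercised by the sample below)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

# Received line as quoted in the thread.
SAMPLE = "Received: from mail.dyne.org (ns3218761.ip-162-19-139.eu [162.19.139.95])"
# Constructed forward records, standing in for DNS so the example runs offline.
CONSTRUCTED_ZONE = {
    "mail.dyne.org": {"162.19.139.95"},
    "ns3218761.ip-162-19-139.eu": {"162.19.139.95"},
}

def constructed_lookup(name):
    return CONSTRUCTED_ZONE.get(name, set())

if __name__ == "__main__":
    for key, value in check_sender(SAMPLE, constructed_lookup).items():
        print(f"{key:20} {value}")
```

Under the constructed records, the only check that fails is HELO equal to the PTR name, which is the mismatch pointed out in the quoted text; pass `dns_lookup` instead to evaluate against real DNS.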