[Discuss] Need help with undelivered mail.

[david at thekramers.net (David Kramer)]

Dan, as always, that was massively helpful.? Thank you.

I have added AAAA records for my domain and mail server (which I'm 
standardizing the name on right now so I have both) and added a TXT SPF 
record.? I found it pretty hard to get DETAILED explanations of the 
modifiers in SPF records but finally found some at 
https://postmarkapp.com/blog/explaining-spf? No other page I found even 
explained what the a and mx options meant.

My current SPF record has some duplication in it now (since some of the 
explicit ones are covered by a and mx) but I will experiment with 
cutting it down once things work: "v=spf1 mx a a:thekramers.net 
a:mail.thekramers.net a:bantha.org a:zenyatta.thekramers.net ~all"

NOTE I have not tested it yet; I want to give the records a chance to 
propagate out before I do but I have high hopes you were right. And if 
this doesn't fix my problem, it's something I should have done anyway.

On 6/11/19 9:15 AM, Dan Ritter wrote:
> David Kramer wrote:
>> I am having trouble sending mail to GMail accounts, and I'm getting
>> inconsistent explanations. I could use some help figuring out the real
>> cause.
>>
>> Setup: I have a mail server running on Linode running
>> postfix/dovecot/clamav/etc ( I successfully moved mail off my home server
>> about a year ago).? I have Verizon FIOS at home.? I use Thunderbird for
>> email on my main Linux computer.
>>
>> When I send email to a gmail account, I am getting:
>>
>> host aspmx.l.google.com[2607:f8b0:400d:c0e::1a] said:
>>  ??? 550-5.7.1 [2600:3c03::f03c:91ff:fe62:5ea] Our system has detected that
>> this
>>  ??? 550-5.7.1 message does not meet IPv6 sending guidelines regarding PTR
>>  ??? records 550-5.7.1 and authentication. Please review 550-5.7.1
>> https://support.google.com/mail/?p=IPv6AuthError for more information 550
>>
>> The link that goes to HAS ABSOLUTELY NOTHING to do with IPv6, it has to do
>> with bulk emails.? What I *THINK* it means is I need to set up IPv6 records,
>> but I'm not sure which ones.
>
> dig -t mx thekramers.net
> ...
> ;; ANSWER SECTION:
> thekramers.net.     3600    IN  MX  10 zenyatta.thekramers.net.
> thekramers.net.     3600    IN  MX  20 bantha.org.
> ...
> ;; ADDITIONAL SECTION:
> zenyatta.thekramers.NET. 3600   IN  A   104.237.150.41
>
> dig -t mx bantha.org
> ...
> ;; ANSWER SECTION:
> bantha.org.     3600    IN  MX  20 mail.azuen.net.
> bantha.org.     3600    IN  MX  10 bantha.org.
>
> dig -t a zenyatta.thekramers.net.
> ...
> ;; ANSWER SECTION:
> zenyatta.thekramers.net. 3600   IN  A   104.237.150.41
>
> dig -t a mail.azuen.net.
> ...
> ;; ANSWER SECTION:
> mail.azuen.net.     3600    IN  A   192.34.87.82
>
> dig -t a bantha.org
> ...
> ;; ANSWER SECTION:
> bantha.org.     1200    IN  A   173.66.162.52
>
> dig -t aaaa thekramers.net, zenyatta.thekramers.net,
> mail.azuen.net, dig -t aaaa bantha.org --- none of these have
> IPv6 addresses.
>
> So it's perfectly reasonable for Google to believe that mail
> from an IPv6 host is not from any of these mailservers.
>
> Anywhere you have IPv6 connectivity on a mailserver, publish
> a AAAA record and an MX record for that AAAA record.
>
> thekramers.net should also have an SPF txt record, most likely
> something like
> "v=spf1 mx a:thekramers.net a:bantha.org a:mail.azuen.net ~all"
>
> which will clue Google (and others) in to the fact that these
> are mailservers which are authorized to send for you, and
> others are more suspicious but not impossible. (-all would make
> others impossible).
>
>
>> According to https://mxtoolbox.com/SuperTool.aspx?action=blacklist%3athekramers.net&run=toolpage
>> my IP address is on the SORBS DUHL list and the Spamhaus ZEN list. Digging
>> into Sorbs and https://www.spamhaus.org/pbl/query/PBL1637778 I get the
>> impression my whole IP range is blocked because outgoing mail should go to
>> smtp.verizon.net when I'm at home.? But if that's the case how does sent
>> mail get saved to my IMAP server?? Is it sent there too?
> Those are advisory lists that say that IPs in those ranges are
> probably not mailservers. There's nothing you can do to get off
> of them, basically, because VZ supplies the info.
>
> It has nothing to do with whether or not someone will actually
> deliver mail to smtp.verizon.net, and I'm sure smtp.verizon.net
> rejects mail bound for thekramers.net. That's what MX records
> are for.
>
>
>> So should I be sending mail through smtp.verizon.com or through my Linode
>> server?
> Through your linode server, and you should add its AAAA record
> to something like mail.thekramers.net and also as an MX for you,
> and add mail.thekramers.net to the SPF txt record.
>
>
>> If I'm sending mail through my Linode server, then why would a block on my
>> home IP address range matter when my MX records point to my? Linode server?
> It doesn't.
>
>> Does this have anything to do with IPv6?
> Yes, The Linode server has IPv4 and IPv6 addresses, and has been
> using the IPv6 address to contact Google. When Google tries to
> estimate the likelihood of it being a spammer, it sees no signs
> that this is a legitimate mailserver for thekramers.net.
>
> -dsr-