author | Marcin Chrzanowski <m@m-chrzan.xyz> | 2024-01-17 11:59:23 +0100 |
---|---|---|
committer | Marcin Chrzanowski <m@m-chrzan.xyz> | 2024-01-17 11:59:23 +0100 |
commit | e55c1e2250bb7a8a4ea6f27faeba3a3bc25c9d40 (patch) | |
tree | d30c4a9f5acb146bf178328746d5f2a99445e462 | |
parent | a52dd25f445fcaaba83462b19032f84ff7eb955c (diff) |
Add SPF article
-rw-r--r-- | src/blog/sending-mail-to-gmail.html | 103 |
1 files changed, 103 insertions, 0 deletions
diff --git a/src/blog/sending-mail-to-gmail.html b/src/blog/sending-mail-to-gmail.html new file mode 100644 index 0000000..9963de2 --- /dev/null +++ b/src/blog/sending-mail-to-gmail.html 
@@ -0,0 +1,103 @@ +title: Sending mail to gmail +date: January 17, 2024 +--- +<p> +If you're a selfhosting enjoyer like me, you may have been using Luke Smith's +wonderful <a href="https://github.com/LukeSmithxyz/emailwiz">emailwiz</a> to +host your very own email server. It's a simple script that allows you to not +think much: just run it on your Debian box, and it will install everything, and +then tell you all the DNS records you need to set for your email server to work +correctly. This includes records for the DMARC, DKIM, and SPF protocols, which +increase security and help prevent spam. So just make sure to follow these +instructions, and you can send mail anywhere. +</p> + +<p> +Or can you? +</p> + +<p> +It's a common complaint you hear from people selfhosting their email server: the +server works fine, you can send and receive email for the most part, but there +are several email hosts that just will never accept mail from you, replying with +those dreaded "Undelivered Mail Returned to Sender" messages. The biggest +culprit being gmail, which also happens to have the biggest market share of +personal emails. Meaning you can't send anything to your friends, or even less +established businesses and organizations that simply keep using their personal +gmail accounts for communications. +</p> + +<p> +The error message gmail will return contains something like this: + +<code><pre> +The IP address sending this 550-5.7.25 message does not have a PTR record setup, +or the corresponding 550-5.7.25 forward DNS entry does not point to the sending +IP. As a policy, 550-5.7.25 Gmail does not accept messages from IPs with missing +PTR records. 550-5.7.25 For more information, go to 550 5.7.25 +</pre></code> + +Which is not very helpful if you do have a reverse DNS PTR record set up +correctly. +</p> + +<p> +My, and probably many others', conspiracy theory has always been that gmail is +just malicious towards new email hosts, especially small selfhosting landchads. 
+Turns out that it's something different: gmail just happens to be more strict +about SPF records! Something that Luke missed. +</p> + +<p> +SPF (the Sender Policy Framework) specifies several mechanisms. You can read +more about them <a href="http://www.open-spf.org/SPF_Record_Syntax/">here</a>. +Luke's script only specifies <code>a</code> and <code>mx</code> mechanisms (plus +the general <code>-all</code> to reject anything not matching those). But you +can also explicitly specify the IP addresses allowed to send mail from your +domain with <code>ip4</code> and <code>ip6</code> mechanisms. And it looks like +gmail requires these to be specified to accept your email. I guess you could +look for some maliciousness in the fact that they're not clearer about what one +has to fix to comply with their policies. But in the end, the solution is... +</p> + +<h3>TL;DR</h3> + +<p> +If you're getting <code>550-5.7.25</code> errors from gmail, make sure you do +have your PTR record set up correctly, but also that your SPF record looks +something like this: + +<code><pre> +v=spf1 mx a:<your mail host> ip4:<your IPv4 address> ip6:<your IPv6 address> -all +</pre></code> +</p> + +<h3>Credits</h3> +<p> +I got to this solution after the owner of +<a href="https://storin.nl/">storin.nl</a> emailed me about +<a href="https://nocss.club/">nocss.club</a>. When I tried to reply to him, I +got an "Undelivered Mail Returned to Sender" reply, but with a different error +message than gmail's: + +<code><pre> +not allowed to send mail from 550 m-chrzan.xyz: Please see +http://www.open-spf.org/Why : Reason: mechanism (in reply to RCPT TO command) +</pre></code> + +This led me to reading more about the SPF spec, finding +<a href="https://bobcares.com/blog/550-is-not-allowed-to-send-mail-from/"> + this +</a> article, and formulating the hypothesis that maybe gmail's policy has +something to do with SPF mechanisms used. 
+</p> + +<p> +Tom from <a href="https://tfaz.xyz/">tfaz.xyz</a> is working on a PR to emailwiz +to correct the SPF record. +</p> + +<p> +And big thanks to <a href="https://lukesmith.xyz/">Luke</a> for emailwiz, +without it I wouldn't even have my own mail server to begin with. +</p> |
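Review bot: the TL;DR record in the second `<pre>` block writes its placeholders as raw `<your mail host>`, `<your IPv4 address>` and `<your IPv6 address>`, which an HTML parser treats as unknown tags, so the rendered line collapses to `v=spf1 mx a: ip4: ip6: -all` and the reader never sees what to fill in; escape them as `&lt;your mail host&gt;`, `&lt;your IPv4 address&gt;`, `&lt;your IPv6 address&gt;`. Same hunk, all three blocks: `<code><pre>...</pre></code>` is invalid nesting (`pre` is block-level, `code` is phrasing content), and a `<pre>` opened inside a `<p>` implicitly closes the paragraph and leaves the later `</p>` stray; use `<pre><code>...</code></pre>` and close the paragraph before each block. Finally, since the quoted 550-5.7.25 text only talks about the PTR record and its forward entry, the paragraph saying "if you do have a reverse DNS PTR record set up correctly" would be stronger with one sentence on how to confirm that (reverse lookup of the sending IP returns a hostname whose forward lookup returns the same IP) before the reader goes on to change the SPF record.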