From e55c1e2250bb7a8a4ea6f27faeba3a3bc25c9d40 Mon Sep 17 00:00:00 2001 From: Marcin Chrzanowski Date: Wed, 17 Jan 2024 11:59:23 +0100 Subject: Add SPF article --- src/blog/sending-mail-to-gmail.html | 103 ++++++++++++++++++++++++++++++++++++ 1 file changed, 103 insertions(+) create mode 100644 src/blog/sending-mail-to-gmail.html diff --git a/src/blog/sending-mail-to-gmail.html b/src/blog/sending-mail-to-gmail.html new file mode 100644 index 0000000..9963de2 --- /dev/null +++ b/src/blog/sending-mail-to-gmail.html @@ -0,0 +1,103 @@ +title: Sending mail to gmail +date: January 17, 2024 +--- +

+If you're a selfhosting enjoyer like me, you may have been using Luke Smith's +wonderful emailwiz to +host your very own email server. It's a simple script that allows you to not +think much: just run it on your Debian box, and it will install everything, and +then tell you all the DNS records you need to set for your email server to work +correctly. This includes records for the DMARC, DKIM, and SPF protocols, which +increase security and help prevent spam. So just make sure to follow these +instructions, and you can send mail anywhere. +

+ +

+Or can you? +

+ +

+It's a common complaint you hear from people selfhosting their email server: the +server works fine, you can send and receive email for the most part, but there +are several email hosts that just will never accept mail from you, replying with +those dreaded "Undelivered Mail Returned to Sender" messages. The biggest +culprit being gmail, which also happens to have the biggest market share of +personal emails. Meaning you can't send anything to your friends, or even less +established businesses and organizations that simply keep using their personal +gmail accounts for communications. +

+ +

+The error message gmail will return contains something like this: + +

+The IP address sending this 550-5.7.25 message does not have a PTR record setup,
+or the corresponding 550-5.7.25 forward DNS entry does not point to the sending
+IP. As a policy, 550-5.7.25 Gmail does not accept messages from IPs with missing
+PTR records. 550-5.7.25 For more information, go to 550 5.7.25
+
+ +Which is not very helpful if you do have a reverse DNS PTR record set up +correctly. +

+ +

+My, and probably many others', conspiracy theory has always been that gmail is +just malicious towards new email hosts, especially small selfhosting landchads. +Turns out that it's something different: gmail just happens to be more strict +about SPF records! Something that Luke missed. +

+ +

+SPF (the Sender Policy Framework) specifies several mechanisms. You can read +more about them here. +Luke's script only specifies a and mx mechanisms (plus +the general -all to reject anything not matching those). But you +can also explicitly specify the IP addresses allowed to send mail from your +domain with ip4 and ip6 mechanisms. And it looks like +gmail requires these to be specified to accept your email. I guess you could +look for some maliciousness in the fact that they're not clearer about what one +has to fix to comply with their policies. But in the end, the solution is... +

+ +

TL;DR

+ +

+If you're getting 550-5.7.25 errors from gmail, make sure you do +have your PTR record set up correctly, but also that your SPF record looks +something like this: + +

+v=spf1 mx a:<your mail host> ip4:<your IPv4 address> ip6:<your IPv6 address> -all
+
+

+ +

Credits

+

+I got to this solution after the owner of +storin.nl emailed me about +nocss.club. When I tried to reply to him, I +got an "Undelivered Mail Returned to Sender" reply, but with a different error +message than gmail's: + +

+not allowed to send mail from 550 m-chrzan.xyz: Please see
+http://www.open-spf.org/Why : Reason: mechanism (in reply to RCPT TO command)
+
+ +This led me to reading more about the SPF spec, finding + + this + article, and formulating the hypothesis that maybe gmail's policy has +something to do with SPF mechanisms used. +

+ +

+Tom from tfaz.xyz is working on a PR to emailwiz +to correct the SPF record. +

+ +

+And big thanks to Luke for emailwiz, +without it I wouldn't even have my own mail server to begin with. +
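Review bot: the article's central claim, that Gmail "requires" explicit ip4/ip6 mechanisms, is not supported by the evidence the article itself presents, and the storin.nl bounce points to a simpler explanation. "Reason: mechanism" in the open-spf.org bounce means the fail result came from a mechanism match, which for the emailwiz record described here (`a`, `mx`, `-all`) means the connecting IP matched neither `a` nor `mx` and fell through to `-all`. That happens when the address the server actually connects from (commonly an IPv6 address) is not what the domain's A/AAAA or MX records resolve to; adding `ip4:`/`ip6:` then fixes the SPF fail for every receiver, not only Gmail, while Gmail's own 550-5.7.25 text is still a PTR / forward-DNS complaint, so the article should say which of those two checks was actually verified. Suggest rewording the TL;DR to "confirm that the IP your server sends from is covered by your SPF record (via `a`/`mx`, or list it explicitly with `ip4:`/`ip6:`) and that its PTR record resolves to a name whose A/AAAA record is that IP", and noting that `a:<your mail host>` in the proposed record checks that host's addresses, whereas the bare `a` in the original record checks the domain's own.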
