title: Sending mail to gmail
date: January 17, 2024
---
<p>
<i>
Update: it has been brought to my attention that I may have been incorrect
in identifying a potential Google policy around SPF mechanics as the root
cause of the issue. If you were in a similar situation as me and this
approach resolves your problem - great! But it's likely that this is a
workaround rather than fundamentally addressing the issue.
</i>
</p>
<p>
If you're a selfhosting enjoyer like me, you may have been using Luke Smith's
wonderful <a href="https://github.com/LukeSmithxyz/emailwiz">emailwiz</a> to
host your very own email server. It's a simple script that allows you to not
think much: just run it on your Debian box, and it will install everything, and
then tell you all the DNS records you need to set for your email server to work
correctly. This includes records for SPF (which IPs may send mail for your
domain), DKIM (a signature that receivers can verify) and DMARC (what receivers
should do when those checks fail), which let other mail servers authenticate
your mail and help prevent spoofing and spam. So just make sure to follow these
instructions, and you can send mail anywhere.
</p>
<p>
Or can you?
</p>
<p>
It's a common complaint you hear from people selfhosting their email server: the
server works fine, you can send and receive email for the most part, but there
are several email hosts that will just never accept mail from you, replying with
those dreaded "Undelivered Mail Returned to Sender" messages. The biggest
culprit is gmail, which also happens to have the biggest market share of
personal email, meaning you can't send anything to your friends, or even to less
established businesses and organizations that simply keep using their personal
gmail accounts for communications.
</p>
<p>
The error message gmail will return contains something like this:
<code><pre>
The IP address sending this 550-5.7.25 message does not have a PTR record setup,
or the corresponding 550-5.7.25 forward DNS entry does not point to the sending
IP. As a policy, 550-5.7.25 Gmail does not accept messages from IPs with missing
PTR records. 550-5.7.25 For more information, go to 550 5.7.25
</pre></code>
This is not very helpful if you do have a reverse DNS PTR record set up
correctly. Note that the message asks for two things, not one: a PTR record for
the sending IP, and a forward (A or AAAA) record for the name in that PTR that
resolves back to the same IP. Gmail checks the address the connection actually
comes from, so if your server connects over IPv6, it's the IPv6 address that
needs both records.
</p>
<p>
My, and probably many others', conspiracy theory has always been that gmail is
just malicious towards new email hosts, especially small selfhosting landchads.
Turns out that it's something different: gmail just happens to be more strict
about SPF records! Something that Luke missed.
</p>
<p>
SPF (the Sender Policy Framework) specifies several mechanisms. You can read
more about them <a href="http://www.open-spf.org/SPF_Record_Syntax/">here</a>.
Luke's script only specifies the <code>a</code> and <code>mx</code> mechanisms
(plus the general <code>-all</code>, which tells receivers to fail anything not
matching those). <code>a</code> matches if the sending IP is one of the A/AAAA
records of your domain, and <code>mx</code> matches if it is an address of one
of your domain's MX hosts; if the server sends from an address that is not among
those (an IPv6 address with no AAAA record, say), the result is a hard fail. But
you can also explicitly specify the IP addresses allowed to send mail from your
domain with the <code>ip4</code> and <code>ip6</code> mechanisms. And it looks
like gmail requires these to be specified to accept your email. I guess you
could look for some maliciousness in the fact that they're not clearer about
what one has to fix to comply with their policies. But in the end, the solution
is...
</p>
<h3>TL;DR</h3>
<p>
If you're getting <code>550-5.7.25</code> errors from gmail, make sure you do
have your PTR record set up correctly (and that the name it points to resolves
back to the sending IP), but also that your SPF record looks something like
this:
<code><pre>
v=spf1 mx a:&lt;your mail host&gt; ip4:&lt;your IPv4 address&gt; ip6:&lt;your IPv6 address&gt; -all
</pre></code>
List every address your server actually connects from, IPv6 included. If the
host has an IPv6 address but you only want to send over IPv4, either add the
IPv6 address anyway or configure your MTA to send over IPv4 only (for Postfix,
which emailwiz installs, that is <code>inet_protocols = ipv4</code> in
<code>main.cf</code>).
</p>
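<p>
To see how the mechanisms above actually evaluate, and how the PTR check in
gmail's error message relates to them, here is an added example (it is not part
of the original post and not emailwiz's code): a small SPF evaluator for the
<code>a</code>, <code>mx</code>, <code>ip4</code>, <code>ip6</code> and
<code>all</code> terms, plus the forward-confirmed reverse DNS check, run
against a constructed in-memory DNS table for the hypothetical zone
<code>example.org</code> (documentation addresses, not real hosts). In the
constructed zone the MX host has PTR records for both of its addresses but only
an A record, so a server that also connects over IPv6 fails
<code>v=spf1 mx a -all</code> and the reverse DNS check for its IPv6 address,
while a TL;DR-style record with an explicit <code>ip6:</code> term passes.
</p>

```python
import ipaddress

# Constructed DNS table for the hypothetical zone example.org (RFC 5737 / RFC 3849
# documentation addresses, not real hosts). The bare domain's A record points at a
# web host, and the MX host has a PTR for both of its addresses but only an A
# record, even though the server also connects to other MTAs over IPv6.
V4 = ipaddress.ip_address("203.0.113.10")
V6 = ipaddress.ip_address("2001:db8::10")
DNS = {
    ("example.org", "A"):        ["198.51.100.5"],
    ("example.org", "MX"):       ["mail.example.org"],
    ("mail.example.org", "A"):   ["203.0.113.10"],
    (V4.reverse_pointer, "PTR"): ["mail.example.org"],
    (V6.reverse_pointer, "PTR"): ["mail.example.org"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the records of type rtype for name from the constructed table."""
    return DNS.get((name.lower(), rtype), [])


def addresses(name, ip):
    """A or AAAA addresses of name, in the same family as the connecting IP."""
    rtype = "A" if ip.version == 4 else "AAAA"
    return [ipaddress.ip_address(a) for a in lookup(name, rtype)]


def check_spf(record, domain, sender_ip):
    """Evaluate an SPF record for a connection from sender_ip on behalf of domain.

    Supports the terms the post discusses (a, mx, ip4, ip6, all), each with an
    optional qualifier. Returns (result, term): the term that matched, or None if
    nothing matched.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", None
    for raw in terms[1:]:
        qualifier, term = "+", raw
        if raw[0] in QUALIFIERS:
            qualifier, term = raw[0], raw[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "a":
            # Sending IP must be an A/AAAA record of the domain (or of arg).
            matched = ip in addresses(arg or domain, ip)
        elif mech == "mx":
            # Sending IP must be an address of one of the domain's MX hosts.
            matched = any(ip in addresses(mx, ip) for mx in lookup(arg or domain, "MX"))
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = net.version == ip.version and ip in net
        else:
            raise ValueError(f"mechanism not supported by this example: {mech}")
        if matched:
            return QUALIFIERS[qualifier], raw
    # RFC 7208: no matching term and no `all` evaluates to neutral.
    return "neutral", None


def fcrdns_ok(sender_ip):
    """Forward-confirmed reverse DNS, the check gmail's 5.7.25 error describes:
    the IP needs a PTR record, and the name in it must resolve back to the IP."""
    ip = ipaddress.ip_address(sender_ip)
    return any(ip in addresses(name, ip) for name in lookup(ip.reverse_pointer, "PTR"))


EMAILWIZ_STYLE = "v=spf1 mx a -all"
EXPLICIT = "v=spf1 mx a:mail.example.org ip4:203.0.113.10 ip6:2001:db8::10 -all"


def compare_records():
    """Evaluate both records for the constructed server's IPv4 and IPv6 addresses."""
    results = {}
    for label, record in (("mx a -all", EMAILWIZ_STYLE), ("explicit", EXPLICIT)):
        for ip in (str(V4), str(V6)):
            results[(label, ip)] = check_spf(record, "example.org", ip)[0]
    return results


if __name__ == "__main__":
    for (label, ip), result in compare_records().items():
        print(f"{label:10} from {ip:15} -> {result}")
    for ip in (str(V4), str(V6)):
        print(f"FCrDNS for {ip}: {'ok' if fcrdns_ok(ip) else 'FAIL'}")
```

<p>
Against a real zone you would replace the <code>DNS</code> table with live
lookups (<code>dig</code> or a resolver library) and add the terms this example
leaves out (<code>include</code>, <code>redirect</code>, <code>exists</code>,
<code>ptr</code>); the point here is that the sending address must satisfy both
checks in the address family it actually connects with.
</p>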
<h3>Credits</h3>
<p>
I got to this solution after the owner of
<a href="https://storin.nl/">storin.nl</a> emailed me about
<a href="https://nocss.club/">nocss.club</a>. When I tried to reply to him, I
got an "Undelivered Mail Returned to Sender" reply, but with a different error
message than gmail's:
<code><pre>
not allowed to send mail from 550 m-chrzan.xyz: Please see
http://www.open-spf.org/Why : Reason: mechanism (in reply to RCPT TO command)
</pre></code>
This led me to reading more about the SPF spec, finding
<a href="https://bobcares.com/blog/550-is-not-allowed-to-send-mail-from/">
this
</a> article, and formulating the hypothesis that maybe gmail's policy has
something to do with SPF mechanisms used.
</p>
<p>
Tom from <a href="https://tfaz.xyz/">tfaz.xyz</a> is working on a PR to emailwiz
to correct the SPF record.
</p>
<p>
And big thanks to <a href="https://lukesmith.xyz/">Luke</a> for emailwiz,
without it I wouldn't even have my own mail server to begin with.
</p>