The Hostile Email Landscape (liminality.xyz)
An anonymous reader writes: As we consolidate on just a few major email services, it becomes more and more difficult to launch your own mail server. From the article: "Email perfectly embodies the spirit of the internet: independent mail hosts exchanging messages, no host more or less important than any other. Joining the network is as easy as installing Sendmail and slapping on an MX record. At least, that used to be the case. If you were to launch a new mail server right now, many networks would simply refuse to speak to you. The problem: reputation. ... Earlier this year I moved my personal email from Google Apps to a self-hosted server, with hopes of launching a paid mail service à la Fastmail on the same infrastructure. ... I had no issues sending to other servers running Postfix or Exim; SpamAssassin happily gave me a 0.0 score, but most big services and corporate mail servers were rejecting my mail, or flagging it as spam: Outlook.com accepted my email, but discarded it. GMail flagged me as spam. MimeCast put my mail into a perpetual greylist. Corporate networks using Microsoft's Online Exchange Protection bounced my mail."
More likely, the original poster simply has his DNS misconfigured in some weird way, and doesn't know it.
I've been running my own mailserver since 2003, and I have seen my share of problems.
1: mailservers blocking mail based on spamhaus DUL. You can delist your IP. But still, blocking exclusively on that?
2: hotmail.com accepting emails and then discarding them silently. No trace of them. No bounce. Recipient did not have it in their spam folder or anything. This was several years ago, so perhaps it's better now. But discarding emails after promising to deliver them without any possibility for the recipient to control it: bad idea.
3: Various greylisting email servers. Not really a problem as my MTA will retry and the email is only delayed for a few minutes.
4: gmail.com rejecting emails sent over IPv6 but happily accepting them over IPv4. It turned out to be a problem with their parsing of SPF records, and apparently fixed now. But I did find out that there is no reasonable way to contact the gmail team.
5: outlook.com rejects emails due to FBLW15, whatever that means. It seems you can get whitelisted, but it appears that a lot of hosts are being hit by it for no reason.
6: office365 bouncing emails due to "protection" with no explanation given, and direction to contact the recipient by other means to get whitelisted. This was for the official email address listed on a company website. I decided that my email wasn't important enough. Their loss.
Bottom line: If you run your own email server then expect to occasionally do some manual whitelisting etc. And expect some email servers to be uncooperative and/or RFC-clueless.
I second that emotion. Current *big* players are trying to limit spam and phishing, and require a few ducks in a row before you stop getting caught in their filters. I suspect proper analysis of the configurations and logs would pinpoint the issue. DNS would be a quick start but the problem could be in a few places depending on what mail implementation he's using. On another note, is it possible OP's domain has been used for spam/phishing in the past? The uni I work at has dealt with blacklists in the past and it was merely a case of spoofing, and those adding us to blacklists didn't do their due diligence in tracking it down properly. *Posted anon so as not to get fired*
It's usually the case when the reverse lookup doesn't point back to the same domain/name as the server identifies itself with.
And it's the ISP that needs to change the pointer from some generic name to a specific one.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
+1
Rejections in my experience have nearly always been related to the PTR record needing to point to the domain actually sending the email, not the domain name in the email address. My limited understanding is this:
So if my email address matt@example.com uses mail.isp.com on port 25 to send email, then the PTR record for the IP address isp.com sends from needs to say mail.isp.com... not example.com as you might expect.
When isp.com talks to another SMTP server it will be asked to identify itself. The server should reply with its FQDN, and it is this that the PTR record for the server's IP needs to point to, even if that server hosts hundreds of websites and email accounts.
I believe most VPS hosts allow this to be changed to whatever you want if you are given a fixed IP address. If they don't allow this to be changed then problems will occur, and if you are handling emails you need to check before signing up. The PTR record is not applicable to a domain but to an IP address. You can only have one PTR record for an IP address.
That is if my memory serves correctly. When I set up email servers, I always seem to forget this until I do sending tests to yahoo and other big boys. Then I set it properly and things behave.
Other problems happen if using Microsoft Exchange and the SRV fields in the TXT records for the DNS are not set exactly right. Though I don't have to fiddle with this for obvious reasons.
So what you need is some means of sending large amounts of email to outlook.com addresses to build reputation.
There are several factors that I've seen with my mail server.
1) Do not try to work over a standard ISP service - one that assigns your IP dynamically - because most blacklists and major corporations blacklist dynamic IP pools
2) Don't host in any of those cheap virtual hosting services - many of them are also blacklisted
3) Set up DKIM signing (sendmail config and DNS record)
4) Set up an SPF DNS record
Basically, one has to avoid running one's mail server someplace that is cheap, because that is where the spammers put their mail servers as well (because they are cheap and easier to use anonymously).
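The DNS checks the commenters above describe (the PTR record naming the HELO host rather than the sender's domain, plus published SPF and DKIM records) as an added pre-flight script; this is example code, not from any poster. It runs against a constructed in-memory DNS table (the 203.0.113.x / example.com values are documentation placeholders, not real records) so it works offline; swap `lookup()` for real resolver queries to test a live server.

```python
import ipaddress
import re

# Constructed DNS data (not real records) so the checks run offline. A real
# deployment would replace lookup() with dnspython/socket queries.
FAKE_DNS = {
    ("203.0.113.10", "PTR"): ["mail.isp.example."],
    ("mail.isp.example.", "A"): ["203.0.113.10"],
    ("example.com.", "A"): ["198.51.100.5"],
    ("example.com.", "TXT"): ["v=spf1 a ip4:203.0.113.0/28 -all"],
    ("sel1._domainkey.example.com.", "TXT"): ["v=DKIM1; k=rsa; p=PLACEHOLDER_KEY"],
}

def fqdn(name):
    return name.rstrip(".").lower() + "."

def lookup(name, rtype, dns=FAKE_DNS):
    key = name if rtype == "PTR" else fqdn(name)
    return dns.get((key, rtype), [])

def fcrdns_ok(ip, helo_name, dns=FAKE_DNS):
    """Forward-confirmed rDNS: PTR(ip) must name the HELO host, and that host must resolve back to ip."""
    if fqdn(helo_name) not in (n.lower() for n in lookup(ip, "PTR", dns)):
        return False
    return ip in lookup(helo_name, "A", dns)

def spf_result(domain, ip, dns=FAKE_DNS):
    """Minimal SPF evaluation: ip4:, a and all mechanisms with +/-/~/? qualifiers."""
    records = [r for r in lookup(domain, "TXT", dns) if r.lower().startswith("v=spf1")]
    if len(records) != 1:
        return "none" if not records else "permerror"   # two SPF records is an error
    addr = ipaddress.ip_address(ip)
    verdict = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        q = term[0] if term[0] in verdict else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return verdict[q]
        if mech.startswith("ip4:") and addr in ipaddress.ip_network(mech[4:], strict=False):
            return verdict[q]
        if mech == "a" and ip in lookup(domain, "A", dns):
            return verdict[q]
    return "neutral"   # no mechanism matched and no 'all' term

def dkim_key_published(domain, selector, dns=FAKE_DNS):
    """True if selector._domainkey.domain carries a TXT record with a non-empty p= tag."""
    for r in lookup(f"{selector}._domainkey.{domain}", "TXT", dns):
        if re.search(r"\bp=[A-Za-z0-9+/=_]+", r.replace(" ", "")):
            return True
    return False
```

Note that `fcrdns_ok("203.0.113.10", "example.com")` is False here even though the mail is from example.com, which is exactly the mismatch the PTR comment warns about.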