Spamhaus And their Ridiculous Rules

reikuzan

Hello LET.

i was wanting to learn and setting up simple mail server, nothing fancy only capabilities for send and recieve mail from other server like gmail and such.

setting up postfix, dovecot, dkim spf dmarc and such.
Port 25 open. (Thank you generous provider)

yet my ip get flagged by spamhaus for css listing after a week.

Making my port 25 force closed by my VPS provider
(good job spamhaus)

Spamhaus saying my server need setting and follow mail config like big evil tech google,
and test to the mail test at

https://aboutmy.email

then i decide send email using gmail there to get general setting needed,

yet it says email Sent using gmail are Doesn't comply with Yahoo / Google requirements.

Its clear atleast for me, spamhaus and their strict rules are just wanting to punch small mail server operator. xD

MikeA

You must have a misconfiguration or something. How did you setup your email server, did you do it all manually by hand or use a mail server suite software and if so which one? Spamhaus doesn't blacklist IPs for no reason, despite what some people like to think.

You shouldn't run a mail server if you're not familiar with the setup, configuration, and security. If not use a "AIO" suite like Mailcow.

reikuzan

yes im still learn. so it all manual. dovecot postfix and such.

im still learning on dkim spf smarc thing.

luckypenguin

if you didn't set FcRDNS, SPF, DKIM, and lately DMARC, you can forget about mailing big corps. Running my own mailserver nearly 20 years and never had issues with blocklists.

reikuzan

@luckypenguin said:
set FcRDNS, SPF, DKIM, and lately DMARC

yes. im still new to those feature and setting it up slow but sure. but yet spamhaus still decide to punch me out

luckypenguin

@reikuzan said: yes. im still new to those feature and setting it up slow but sure. but yet spamhaus still decide to punch me out

You misconfigured your server to act like a typical spambot and complain about them?
They are cunts but for whole different reasons than this. Fix your shit and they will delist.

MikeA

@reikuzan said:

@luckypenguin said:
set FcRDNS, SPF, DKIM, and lately DMARC

yes. im still new to those feature and setting it up slow but sure. but yet spamhaus still decide to punch me out

I'd recommend using a mail server suite that handles everything for you then. Your issues with the blacklist are due to your misconfiguration. The Spamhaus listing usually has general information about some reasons it could be.

reikuzan

yes im still learning, yes i may misconfigure DKIM and such. and will fix those up.

but the other point:

email sent to the email tester service provided by spamhaus saying email sent from gmail are not following gmail requirement

luckypenguin

@reikuzan said: email sent to the email tester service provided by spamhaus saying email sent from gmail are not following gmail requirement

For bulk mail senders.
First, it should not be a free email like gmail. Then you need a visible unsubscribe link,
and List-Unsubscribe header for a one-click unsubscribe. Those are your missing 3.

reikuzan

@luckypenguin said:

@reikuzan said: email sent to the email tester service provided by spamhaus saying email sent from gmail are not following gmail requirement

For bulk mail senders.
First, it should not be a free email like gmail. Then you need a visible unsubscribe link,
and List-Unsubscribe header for a one-click unsubscribe. Those are your missing 3.

Thanks, but i wont setup relay and such for bulk.

only basic email capabilities send recieve. and from other mail server too. will look it up.

reikuzan

On side note, mail client like thunderbird and k-9 mail (espesially on android) , when setting up account server,

at login method , when choose "Encrypted Password" it keep ask server to support CRAM-MD5 thing when server already support SCRAM.

anyone knows something about this?
when i ask ai CRAM over tls are producing no additional sakkurity compared PLAIN LOGIN over TLS.

and adviced to use SCRAM instead.

but mail client said "No, i need CRAM"

reikuzan

Bump

Netralex

@reikuzan said:
Bump

No, fix/secure your mail server and tell them you fixed your stuff. No bump needed, spamhaus is annoying but you probably misconfigured your stuff which abusers abused.

Levi

No spam no cry as per Bob Marley.

Andreix

The non-negotiable checklist for any self-hosted mail in 2026

SPF record in DNS that authorizes every IP that sends mail for your domain. This includes your VPS, your web server if it sends notifications, and any third-party services.
DKIM signing on outbound mail, with the public key published in DNS. The selector in your MTA configuration must match the selector in DNS exactly.
DMARC policy (start with p=none, verify alignment, then tighten to quarantine or reject).
TLS everywhere. Inbound and outbound. Valid certificates, not self-signed. Let's Encrypt works.
Reverse DNS (PTR record) for your sending IP that matches the hostname in your HELO/EHLO.
Monitoring. You need to know when mail stops being delivered, not find out weeks later when someone mentions they never got your reply.

If any of these are missing, the architecture will fail at some point. Not maybe. Will.

https://www.serverspan.com/en/blog/self-hosting-email-2026-architectures-that-still-work

reikuzan

@Andreix said:
The non-negotiable checklist for any self-hosted mail in 2026

SPF record in DNS that authorizes every IP that sends mail for your domain. This includes your VPS, your web server if it sends notifications, and any third-party services.
DKIM signing on outbound mail, with the public key published in DNS. The selector in your MTA configuration must match the selector in DNS exactly.
DMARC policy (start with p=none, verify alignment, then tighten to quarantine or reject).
TLS everywhere. Inbound and outbound. Valid certificates, not self-signed. Let's Encrypt works.
Reverse DNS (PTR record) for your sending IP that matches the hostname in your HELO/EHLO.
Monitoring. You need to know when mail stops being delivered, not find out weeks later when someone mentions they never got your reply.

If any of these are missing, the architecture will fail at some point. Not maybe. Will.

https://www.serverspan.com/en/blog/self-hosting-email-2026-architectures-that-still-work

Wow. Thank you very much. will look into it

TimboJones

@reikuzan said:
yes im still learning, yes i may misconfigure DKIM and such. and will fix those up.

but the other point:

email sent to the email tester service provided by spamhaus saying email sent from gmail are not following gmail requirement

Why are you intentionally not being helpful? Post the 6/9 things it found, duh. That should be the only purpose of this thread.

reikuzan

@TimboJones said:

@reikuzan said:

Why are you intentionally not being helpful? Post the 6/9 things it found, duh. That should be the only purpose of this thread.

luckypenguin says its needed for bulk mail sender. for persone who want basic email send receive from other server too, its not needed if i understand it correctly.

Still funny tough, to see gmail email are not following google / yahoo requirement.

anyway what am steel need to know. is when mail client still need CRAM-MD5 (to use encrypted oassword in mail client) When the server already configured with SCRAM

luckypenguin

@reikuzan said: Still funny tough, to see gmail email are not following google / yahoo requirement.

Nothing is funny, this tool is used for bulk mail senders.
So obviously, for a small personal mail you don't include those missing 3 checks.
But you have way many more problems with your self hosted server.

Also, you have to register on https://postmaster.google.com and verify your DMARC.