DKIM now mandatory. Gmail/Outlook blocking email from VPS

trycatchthis Member
edited March 2024 in General

For what appears to be the last month or so (FEB 1) Gmail has been rejecting email from senders without a DKIM record.

The emails don't go to inbox, another folder, spam, or to trash. The user will never see them.

https://support.google.com/a/answer/81126?hl=en#zippy=%2Crequirements-for-all-senders

  1. Set up SPF or DKIM email authentication for your domain.
  2. Ensure that sending domains or IPs have valid forward and reverse DNS records, also referred to as PTR records.
  3. Use a TLS connection for transmitting email. For steps to set up TLS in Google Workspace, visit Require a secure connection for email.
  4. Keep spam rates reported in Postmaster Tools below 0.10% and avoid ever reaching a spam rate of 0.30% or higher. Learn more about spam rates.
  5. Format messages according to the Internet Message Format standard (RFC 5322).
  6. Don’t impersonate Gmail From: headers. Gmail will begin using a DMARC quarantine enforcement policy, and impersonating Gmail From: headers might impact your email delivery.
  7. If you regularly forward email, including using mailing lists or inbound gateways, add ARC headers to outgoing email. ARC headers indicate the message was forwarded and identify you as the forwarder. Mailing list senders should also add a List-id: header, which specifies the mailing list, to outgoing messages.

For DirectAdmin this helped me send to Gmail:

cd /usr/local/directadmin/custombuild
./build update
./build set exim yes
./build set eximconf yes
./build set spamassassin yes
/usr/local/directadmin/directadmin config-set dkim 1 # dkim
./build exim
./build exim_conf

Outlook is still rejecting it so I still have to work on that.

Thanked by 2host_c 0xC7
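
A sanity check of published records against the authentication item quoted above (SPF or DKIM, both from 5,000 messages per day), added here as an example and not code from the poster or from Google. DNS lookups are replaced by a constructed dictionary; the domains, the selector `sel1` and the key value are placeholders, and the check covers what is published, not whether a given message passes.

```python
# Constructed TXT records; domains, selector and key value are placeholders.
ZONE = {
    "spf-only.test": ["v=spf1 ip4:192.0.2.10 -all"],
    "both.test": ["v=spf1 a mx ~all"],
    "sel1._domainkey.both.test": ["v=DKIM1; k=rsa; p=PLACEHOLDERBASE64KEY"],
    "broken.test": ["v=spf1 mx -all", "v=spf1 ip4:192.0.2.20 ~all"],
    "sel1._domainkey.broken.test": ["v=DKIM1; k=rsa; p="],
}

QUALIFIERS = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}


def spf_status(zone, domain):
    """Return (usable, detail) for the SPF policy published at `domain`."""
    records = [r for r in zone.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        # RFC 7208: zero records means no policy, several mean permerror.
        return False, "no record" if not records else "multiple records"
    for term in records[0].split()[1:]:
        if term.lstrip("+-~?").lower() == "all":
            qualifier = term[0] if term[0] in QUALIFIERS else "+"
            return True, "all=" + QUALIFIERS[qualifier]
    return True, "no all mechanism"


def dkim_status(zone, domain, selector):
    """Return (usable, detail) for the key at <selector>._domainkey.<domain>."""
    for rec in zone.get(f"{selector}._domainkey.{domain}", []):
        tags = {k.strip(): v.strip() for k, v in
                (p.split("=", 1) for p in rec.split(";") if "=" in p)}
        if "p" in tags:
            # RFC 6376: an empty p= means the key has been revoked.
            return bool(tags["p"]), "key published" if tags["p"] else "key revoked"
    return False, "no record"


def meets_auth_requirement(zone, domain, selector, per_day):
    """Apply the item quoted in the thread: SPF or DKIM, both from 5,000/day."""
    spf_ok, spf = spf_status(zone, domain)
    dkim_ok, dkim = dkim_status(zone, domain, selector)
    ok = (spf_ok and dkim_ok) if per_day >= 5000 else (spf_ok or dkim_ok)
    return ok, spf, dkim


if __name__ == "__main__":
    for name, volume in [("spf-only.test", 100), ("spf-only.test", 5000),
                         ("both.test", 6000), ("broken.test", 10)]:
        print(name, volume, meets_auth_requirement(ZONE, name, "sel1", volume))
```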

Comments

  • edited March 2024

    Well, wasn't DKIM really a requirement for years already to be at least just dumped into the spam folder and aren't you screwed trying to deliver mail to the big players on your own anyways? Maybe I'm missing something but this doesn't really seem news to me.

    Thanked by 1darkimmortal
  • With SPF it would reach the inbox or be marked as spam. Now it never reaches anything.
    Places I send most email to are outlook, gmail, zoho, yahoo.

  • SGraf Member, Patron Provider
    edited March 2024

    I think it's fair that:

    Set up SPF or DKIM email authentication for your domain.

    So technically there is a choice if spf or dkim is used.

    Only if you go above 5k messages per day, then the criteria become more:

    If you send more than 5,000 messages per day to Gmail accounts, follow the Requirements for sending 5,000 or more messages per day.

    Set up SPF and DKIM email authentication for your domain.


    Both of those make a lot of sense. I don't see any big surprises there.

  • So technically there is a choice if spf or dkim is used.

    SPF alone didn't work for me, you need both. And Outlook is still rejecting my emails.

  • @trycatchthis said:

    So technically there is a choice if spf or dkim is used.

    SPF alone didn't work for me, you need both. And Outlook is still rejecting my emails.

    I think you also need to configure a DMARC policy in DNS, which can be 'none', then SPF alone might work for some of the services implementing these new rules.

    Any reason not to implement DKIM as well though?

  • Levi Member

    Today is 5000/day, tomorrow it can be 1/day. Precedent is set.

    Thanked by 2JosephF qwerty6666
  • angstrom Moderator
    1. Set up SPF or DKIM email authentication for your domain.

    Just to be clear, for <5000 messages a day to Gmail addresses, DKIM isn't needed, i.e., or doesn't mean 'and'

    For >=5000 messages a day to Gmail addresses, both SPF and DKIM are needed:

    Set up SPF and DKIM email authentication for your domain.

    See https://support.google.com/a/answer/81126?hl=en#requirements-5k

    That said, setting up both SPF and DKIM is a good idea in general

  • @Levi said:
    Today is 5000/day, tomorrow it can be 1/day. Precedent is set.

    I'm honestly more positively surprised than anything that there is consideration for smaller email senders like that. When I used to self-host my email I was always anxious that my emails would end up in spam despite sending <100/week and having everything set up optimally. Can't change IP, domain, etc. score or whatever other metrics they use.

  • FatGrizzly Member, Host Rep

    You can't do anything for Outlook, very hard.

    https://www.nerd-quickies.net/2020/10/20/microsoft-silently-dropping-emails-a-sad-but-true-story/

    @jar maybe can help with workarounds.

    for directadmin, I just went with mail.baby

    Dirt cheap, 1$ min cost, 1$/1000 emails.

  • @FatGrizzly said:
    You can't do anything for Outlook, very hard.

    https://www.nerd-quickies.net/2020/10/20/microsoft-silently-dropping-emails-a-sad-but-true-story/

    @jar maybe can help with workarounds.

    for directadmin, I just went with mail.baby

    Dirt cheap, 1$ min cost, 1$/1000 emails.

    https://blog.paranoidpenguin.net/2020/08/outlook-com-is-no-longer-blocking-my-mail-server/

    Opening a ticket on https://sendersupport.olc.protection.outlook.com/snds/ worked for my smol mailserver, just copying the request mentioned on the above blog post.

  • kevinds Member, LIR
    edited March 2024

    @shruub said: Opening a ticket on https://sendersupport.olc.protection.outlook.com/snds/ worked for my smol mailserver, just copying the request mentioned on the above blog post.

    For about 6 months... Then they remove the 'mitigation' they apply and it needs to be done again. Delivering emails to Outlook domains is the biggest PITA we have right now.. Previous biggest issue was a financial institution accepting and silently deleting emails because our servers' domain name was similar to one that is/was sending them nothing but SPAM.. That issue took a bit to figure out..

    SPF and DKIM don't bother me as requirements, DMARC does though.. I just don't see how it helps. It can tell you if other servers are sending emails from your domain, but if they don't pass SPF and/or DKIM, they should be treated as SPAM to begin with. If other servers are using my domains to send email, there is very little I can do to make them stop if they don't want to.

  • rm_ IPv6 Advocate, Veteran

    @trycatchthis said: SPF alone didn't work for me, you need both

    Just sent to my Gmail from a VPS having only SPF configured, no DKIM, received absolutely fine, and not into spam. I suggest that you edit the thread title so it doesn't clickbait with the false information.

  • kevinds Member, LIR
    edited March 2024

    @rm_ said: I suggest that you edit the thread title so it doesn't clickbait with the false information.

    I suspect that it is too late to be edited.. A mod should be able to though.

  • JosephF Member
    edited March 2024

    I thought sending to Gmail long required DKIM. I understood requiring DMARC was the new requirement.

  • @kevinds said:
    SPF and DKIM don't bother me as requirements, DMARC does though.. I just don't see how it helps. It can tell you if other servers are sending emails from your domain, but if they don't pass SPF and/or DKIM, they should be treated as SPAM to begin with. If other servers are using my domains to send email, there is very little I can do to make them stop if they don't want to.

    Why does it bother you to set DMARC?

  • kevinds Member, LIR

    @JosephF said: Why does it bother you to set DMARC?

    Why is it needed? What does it accomplish?

    Because the reports are endless and if someone is using one of our domains to send emails, there isn't really anything we can do about it.

  • @kevinds said:

    @shruub said: Opening a ticket on https://sendersupport.olc.protection.outlook.com/snds/ worked for my smol mailserver, just copying the request mentioned on the above blog post.

    For about 6 months... Then they remove the 'mitigation' they apply and it needs to be done again. Delivering emails to Outlook domains is the biggest PITA we have right now.. Previous biggest issue was a financial institution accepting and silently deleting emails because our servers' domain name was similar to one that is/was sending them nothing but SPAM.. That issue took a bit to figure out..

    Oh damn. I wonder how long it's been for me. Then again, I also haven't sent an email to any Outlook/Microsoft server in a while.

    Previous biggest issue was a financial institution accepting and silently deleting emails because our servers' domain name was similar to one that is/was sending them nothing but SPAM.. That issue took a bit to figure out..

    Lmao, that is seriously dumb. Imagine blocking google.com because gogol.tk sends spam.

  • kevinds Member, LIR

    @shruub said: Lmao, that is seriously dumb. Imagine blocking google.com because gogol.tk sends spam.

    The domain names were closer than that, but yes...

    Not just blocking though, accepting and then silently deleting. The biggest PITA email issue I have dealt with to date. Employee could email our mail client while on the phone with them, our client replies, and the response never arrived, yet everything on our end says it did.

    That issue was eventually figured out, once we found an escalation path..

    Now back to just Outlook being difficult.. 'User reported email as SPAM' is fun, when it is an email that I sent myself that never arrived, especially after they removed all the abilities to actually contact support.

    Thanked by 1hcea520
  • JosephF Member
    edited March 2024

    @kevinds said:

    @JosephF said: Why does it bother you to set DMARC?

    Why is it needed? What does it accomplish?

    Because the reports are endless and if someone is using one of our domains to send emails, there isn't really anything we can do about it.

    Is there any downside to setting the DMARC?

  • kevinds Member, LIR
    edited March 2024

    @JosephF said: Is there any downside to setting the DMARC?

    Yes, the additional emails DMARC generates.

  • @kevinds said:

    @JosephF said: Is there any downside to setting the DMARC?

    Yes, the additional emails DMARC generates.

    I'm not overly familiar with the technicalities; what emails does it generate, and would setting DMARC to None still have that problem?

  • @kevinds said:

    @JosephF said: Is there any downside to setting the DMARC?

    Yes, the additional emails DMARC generates.

    What additional emails? The reports you explicitly ask receivers to generate? Just don't ask for reports if you don't want them.

    Thanked by 1tentor
  • kevinds Member, LIR

    @cmeerw said:
    What additional emails? The reports you explicitly ask receivers to generate? Just don't ask for reports if you don't want them.

    Then what is the point of turning it on?

  • @kevinds said:

    @cmeerw said:
    What additional emails? The reports you explicitly ask receivers to generate? Just don't ask for reports if you don't want them.

    Then what is the point of turning it on?

    As Wikipedia puts it, it allows a sender's domain to indicate that their email messages are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as to reject the message or quarantine it.

    Reporting is an optional feature that you can choose to use or ignore.

  • JosephF Member
    edited March 2024

    @kevinds said:

    @cmeerw said:
    What additional emails? The reports you explicitly ask receivers to generate? Just don't ask for reports if you don't want them.

    Then what is the point of turning it on?

    To make the receiving mail server (i.e. Google/Microsoft) happy and it will then deliver your mail to the recipient's inbox?

  • @JosephF said:

    @kevinds said:

    @cmeerw said:
    What additional emails? The reports you explicitly ask receivers to generate? Just don't ask for reports if you don't want them.

    Then what is the point of turning it on?

    To make the receiving mail server (i.e. Google/Microsoft) happy and it will then deliver your mail to the recipient's inbox?

    And maybe v=DMARC1; p=quarantine should be the default, but adding it doesn't hurt.

  • kevinds Member, LIR
    edited March 2024

    @cmeerw said: and tells a receiver what to do if neither of those authentication methods passes – such as to reject the message or quarantine it.

    This is already built into both SPF and DKIM..

    I use -all on my SPF records for example.

  • kevinds Member, LIR
    edited March 2024

    @JosephF said: To make the receiving mail server (i.e. Google/Microsoft) happy and it will then deliver your mail to the recipient's inbox?

    But why are they demanding it? What does it add that SPF and DKIM don't?

    I feel like I'm missing some component, but everything discussed is already built into the existing tools.

    DMARC's primary feature is to tell you if other mail senders are using your domain.

    What the mail receivers are to do with mail that doesn't pass SPF and/or DKIM, is already built into them.

    @hostinghunter said: https://mxtoolbox.com/DMARCRecordGenerator.aspx

    How do you want mail that fails DMARC to be treated by the recipient?

    But DMARC doesn't evaluate mail to pass/fail.
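
The DMARC points debated in this thread (a policy of none, optional reports, what the policy adds to SPF and DKIM), as an added example that is not from any poster: under RFC 7489 a receiver needs an SPF or DKIM pass whose domain aligns with the From: domain, and applies `p=` only to mail that fails. The records and domains are constructed, and treating the last two labels as the organizational domain is a simplifying assumption.

```python
def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC TXT record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # Real receivers consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict mode ('s') needs an exact match; relaxed ('r') compares org domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(record, from_domain, spf, mail_from, dkim, dkim_d):
    """Combine SPF/DKIM results with alignment against the From: domain."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return {"result": "none", "disposition": "none", "reports": False}
    spf_ok = spf == "pass" and aligned(mail_from, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim == "pass" and aligned(dkim_d, from_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    return {
        "result": "pass" if passed else "fail",
        # The published policy only applies to mail that fails DMARC.
        "disposition": "none" if passed else tags["p"].lower(),
        # Aggregate reports are sent only when the record carries rua=.
        "reports": "rua" in tags,
    }


# Constructed records and messages (example.test / example.net are placeholders).
MONITOR = "v=DMARC1; p=none"
ENFORCE = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.test"

if __name__ == "__main__":
    # SPF passes, but for an envelope domain unrelated to the From: domain.
    print(dmarc_evaluate(ENFORCE, "example.test", "pass", "mailer.example.net", "none", ""))
    print(dmarc_evaluate(MONITOR, "example.test", "pass", "mailer.example.net", "none", ""))
    print(dmarc_evaluate(MONITOR, "example.test", "pass", "bounce.example.test", "none", ""))
```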
