22 Feb
2025
22 Feb
'25
1 p.m.
Hi all,
I am trying (and so far failing miserably) to set my VPS up to handle
mail. It only has to forward mail for about 5 domains.
google is rejecting everything, and I don't understand why.
According to this page https://support.google.com/a/answer/81126 I must
authenticate with EITHER spf or DKIM.
According to https://easydmarc.com/tools/spf-lookup?domain=ianhobson.com
the spf is set up correctly, and it has been for well over the TTL of 1
hour.
However when I send hobson42(a)gmail.com a message, from
ian(a)ianhobson.com, I get the following log entries...
2025-02-22T12:14:14.865917+00:00 ianhobson postfix/cleanup[4869]:
D306590480: message-id=<20250222121414.D306590480(a)ianhobson.com>
2025-02-22T12:14:14.868393+00:00 ianhobson postfix/qmgr[4763]:
D306590480: from=<>, size=3366, nrcpt=1 (queue active)
2025-02-22T12:14:14.870663+00:00 ianhobson postfix/bounce[4872]:
533129047F: sender non-delivery notification: D306590480
2025-02-22T12:14:14.870988+00:00 ianhobson postfix/qmgr[4763]:
533129047F: removed
2025-02-22T12:14:15.257167+00:00 ianhobson postfix/smtp[4871]:
D306590480: to=<hobson42(a)gmail.com>om>, orig_to=<ian(a)ianhobson.com>om>,
relay=gmail-smtp-in.l.google.com[64.233.184.27]:25, delay=0.39,
delays=0/0/0.08/0.3, dsn=5.7.26, status=bounced (host
gmail-smtp-in.l.google.com[64.233.184.27] said: 550-5.7.26 Your email
has been blocked because the sender is unauthenticated. 550-5.7.26 Gmail
requires all senders to authenticate with either SPF or DKIM. 550-5.7.26
550-5.7.26 Authentication results: 550-5.7.26 DKIM = did not pass
550-5.7.26 SPF [] with ip: [85.119.82.117] = did not pass 550-5.7.26
550-5.7.26 For instructions on setting up authentication, go to 550
5.7.26 https://support.google.com/mail/answer/81126#authentication
ffacd0b85a97d-38f25a3ee76si17083121f8f.811 - gsmtp (in reply to end of
DATA command))
2025-02-22T12:14:15.259036+00:00 ianhobson postfix/qmgr[4763]:
D306590480: removed
If I read this correctly, spf authentication failed.
The spf entry is TXT, NAME=@ DATA="v=spf1 ~all" no quotes.
Anyone got any idea what might be happening?
Regards
Ian
--
Ian Hobson
Tel (+66) 626 544 695
22 Feb
22 Feb
1:08 p.m.
On Sat, Feb 22, 2025 at 08:00:48PM +0700, Ian Hobson via BitFolk Users wrote:
Hi all,
I am trying (and so far failing miserably) to set my VPS up to handle mail.
It only has to forward mail for about 5 domains.
google is rejecting everything, and I don't understand why.
I find this email tester site very useful for clues as to why mail is
rejected:
https://www.mail-tester.com/
Warning: you'll only get about 3 free tests per day, after that they
want you to pay.
You'll have to temporarily redirect to the email address they give you
for the test, obviously.
--
Anahata
anahata(a)treewind.co.uk -+- http://www.treewind.co.uk
Home: 01535 501017 Mob: 07976 263827
1:09 p.m.
Looking just at your SPF you have currently:
john@knight:~$ host -t txt ianhobson.com
ianhobson.com descriptive text
"google-site-verification=-MkUVtcmPo8CzgFUnQoXcHAFSiofKRazwEANm-Iau_M"
ianhobson.com descriptive text "v=spf1 ~all"
john@knight:~$
There are no hosts listed as being authorised to send e-mails for your
domain. You need "v=spf1 a:mymailserver.wherever.com ~all".
If you send me an e-mail direct I can look at your DKIM configuration.
John
On 22/02/2025 13:00, Ian Hobson via BitFolk Users wrote:
Hi all,
I am trying (and so far failing miserably) to set my VPS up to handle
mail. It only has to forward mail for about 5 domains.
google is rejecting everything, and I don't understand why.
According to this page https://support.google.com/a/answer/81126 I must
authenticate with EITHER spf or DKIM.
According to https://easydmarc.com/tools/spf-lookup?domain=ianhobson.com
the spf is set up correctly, and it has been for well over the TTL of 1
hour.
However when I send hobson42(a)gmail.com a message, from
ian(a)ianhobson.com, I get the following log entries...
2025-02-22T12:14:14.865917+00:00 ianhobson postfix/cleanup[4869]:
D306590480: message-id=<20250222121414.D306590480(a)ianhobson.com>
2025-02-22T12:14:14.868393+00:00 ianhobson postfix/qmgr[4763]:
D306590480: from=<>, size=3366, nrcpt=1 (queue active)
2025-02-22T12:14:14.870663+00:00 ianhobson postfix/bounce[4872]:
533129047F: sender non-delivery notification: D306590480
2025-02-22T12:14:14.870988+00:00 ianhobson postfix/qmgr[4763]:
533129047F: removed
2025-02-22T12:14:15.257167+00:00 ianhobson postfix/smtp[4871]:
D306590480: to=<hobson42(a)gmail.com>om>, orig_to=<ian(a)ianhobson.com>om>,
relay=gmail-smtp-in.l.google.com[64.233.184.27]:25, delay=0.39,
delays=0/0/0.08/0.3, dsn=5.7.26, status=bounced (host gmail-smtp-
in.l.google.com[64.233.184.27] said: 550-5.7.26 Your email has been
blocked because the sender is unauthenticated. 550-5.7.26 Gmail requires
all senders to authenticate with either SPF or DKIM. 550-5.7.26
550-5.7.26 Authentication results: 550-5.7.26 DKIM = did not pass
550-5.7.26 SPF [] with ip: [85.119.82.117] = did not pass 550-5.7.26
550-5.7.26 For instructions on setting up authentication, go to 550
5.7.26 https://support.google.com/mail/answer/81126#authentication
ffacd0b85a97d-38f25a3ee76si17083121f8f.811 - gsmtp (in reply to end of
DATA command))
2025-02-22T12:14:15.259036+00:00 ianhobson postfix/qmgr[4763]:
D306590480: removed
If I read this correctly, spf authentication failed.
The spf entry is TXT, NAME=@ DATA="v=spf1 ~all" no quotes.
Anyone got any idea what might be happening?
Regards
Ian
--
i = (free(NULL), i++);
1:32 p.m.
Thanks John
The spf is now "v=spf1 a:ianhobson.com ~all" - its still failing, but
maybe it a propergation problem. Will try again before bed.
Ian
On 22/02/2025 20:09, John Winters via BitFolk Users wrote:
Looking just at your SPF you have currently:
john@knight:~$ host -t txt ianhobson.com
ianhobson.com descriptive text "google-site-verification=-
MkUVtcmPo8CzgFUnQoXcHAFSiofKRazwEANm-Iau_M"
ianhobson.com descriptive text "v=spf1 ~all"
john@knight:~$
There are no hosts listed as being authorised to send e-mails for your
domain. You need "v=spf1 a:mymailserver.wherever.com ~all".
--
Ian Hobson
Tel (+66) 626 544 695
1:38 p.m.
I'm still seeing the old version so yes, almost certainly a propagation
issue. Send me an e-mail direct and I can comment on your DKIM
configuration.
Cheers,
John
On 22/02/2025 13:32, Ian Hobson via BitFolk Users wrote:
Thanks John
The spf is now "v=spf1 a:ianhobson.com ~all" - its still failing, but
maybe it a propergation problem. Will try again before bed.
Ian
On 22/02/2025 20:09, John Winters via BitFolk Users wrote:
--
i = (free(NULL), i++);
Looking just at your SPF you have currently:
john@knight:~$ host -t txt ianhobson.com
ianhobson.com descriptive text "google-site-verification=-
MkUVtcmPo8CzgFUnQoXcHAFSiofKRazwEANm-Iau_M"
ianhobson.com descriptive text "v=spf1 ~all"
john@knight:~$
There are no hosts listed as being authorised to send e-mails for your
domain. You need "v=spf1 a:mymailserver.wherever.com ~all".
2:03 p.m.
Hi,
On Sat, Feb 22, 2025 at 08:00:48PM +0700, Ian Hobson via BitFolk Users wrote:
It only has to forward mail for about 5 domains.
Aside from what others have said about your SPF record, forwarding
emails into large mailbox providers is not going to work reliably ever,
so just give up trying to do that.
The problem is that when you do a basic forward, for the connection to
the next email provider (gmail in this case), you are pretending to be
the original sender.
For example, if I send an email to ian(a)ianhobson.com from
andy(a)bitfolk.com, your VPS 85.119.82.117 will connect to gmail and try
to send an email from andy(a)bitfolk.com to hobson42(a)gmail.com. gmail will
do an SPF check against the envelop sender domain (bitfolk.com) and see
that 85.119.82.117 isn't there, so this ia an SPF fail.
If you are *lucky*, DKIM will still work, and we do DKIM sign our
emails, so DMARC will pass and gmail will accept that mail anyway since
DKIM worked even though SPF didn't. But this is not reliable, and
doesn't help you for those who don't DKIM sign.
Forwarding email is a year 2000s idea that SPF killed.
The only way you will get this to somewhat reliably work is if you do
Sender Rewriting Scheme (SRS) so that your Postfix rewrites the envelope
sender so that it's in the ianhobson.com domain, causing the SPF to be
checked against your record. You'll also then want to do DKIM because
you'll break the original DKIM signature if any.
I've never done it with Postfix but:
https://github.com/roehling/postsrsd
There's probably other solutions.
google is rejecting everything, and I don't
understand why.
Welcome to email in the 21st century. Even after you get everything
right, this will still happen sometimes, and the people who don't get
your emails will blame you, not gmail.
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
2:09 p.m.
On Sat, Feb 22, 2025 at 02:03:08PM +0000, Andy Smith via BitFolk Users wrote:
I've never done it with Postfix but:
https://github.com/roehling/postsrsd
There's probably other solutions.
Oh I forgot to mention: The other approach that large mailbox providers
are obviously in favour of is you giving them your login credentials for
a POP/IMAP server on your VPS, and them pulling the mails in that way.
If you're going to do that then of course you are going to want to
ensure that these credentials are solely for pulling email (preferably,
solely by them) and aren't connected to, for example, an SSH login or
anything else.
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
2:10 p.m.
On 22/02/2025 14:03, Andy Smith via BitFolk Users wrote:
[snip]
Welcome to email in the 21st century. Even after you
get everything
right, this will still happen sometimes, and the people who don't get
your emails will blame you, not gmail.
At least with Gmail it's reasonably deterministic. Yahoo/BT will reject
e-mail because there's an 'r' in the month.
John
--
i = (free(NULL), i++);
26 Feb
26 Feb
12:56 p.m.
Hi All,
First, thanks to everybody for their input.
Second, found a solution.
See https://www.youtube.com/watch?v=NmXWA08ly_s
It is working fine, as I write.
Ian
On 22/02/2025 21:03, Andy Smith via BitFolk Users wrote:
Hi,
On Sat, Feb 22, 2025 at 08:00:48PM +0700, Ian Hobson via BitFolk Users wrote:
--
Ian Hobson
Tel (+66) 626 544 695
It only has to forward mail for about 5 domains.
Aside from what others have said about your SPF record, forwarding
emails into large mailbox providers is not going to work reliably ever,
so just give up trying to do that.
The problem is that when you do a basic forward, for the connection to
the next email provider (gmail in this case), you are pretending to be
the original sender.
For example, if I send an email to ian(a)ianhobson.com from
andy(a)bitfolk.com, your VPS 85.119.82.117 will connect to gmail and try
to send an email from andy(a)bitfolk.com to hobson42(a)gmail.com. gmail will
do an SPF check against the envelop sender domain (bitfolk.com) and see
that 85.119.82.117 isn't there, so this ia an SPF fail.
If you are *lucky*, DKIM will still work, and we do DKIM sign our
emails, so DMARC will pass and gmail will accept that mail anyway since
DKIM worked even though SPF didn't. But this is not reliable, and
doesn't help you for those who don't DKIM sign.
Forwarding email is a year 2000s idea that SPF killed.
The only way you will get this to somewhat reliably work is if you do
Sender Rewriting Scheme (SRS) so that your Postfix rewrites the envelope
sender so that it's in the ianhobson.com domain, causing the SPF to be
checked against your record. You'll also then want to do DKIM because
you'll break the original DKIM signature if any.
I've never done it with Postfix but:
https://github.com/roehling/postsrsd
There's probably other solutions.
google is rejecting everything, and I don't
understand why.
Welcome to email in the 21st century. Even after you get everything
right, this will still happen sometimes, and the people who don't get
your emails will blame you, not gmail.
Thanks,
Andy
_______________________________________________
BitFolk Users mailing list <users(a)mailman.bitfolk.com>
You're subscribed as <hobson42(a)gmail.com>
Unsubscribe:
<https://mailman.bitfolk.com/mailman/postorius/lists/users.mailman.bitfolk.com/>
or send an email to <users-leave(a)mailman.bitfolk.com>
27 Feb
27 Feb
2:48 p.m.
Hi,
On Wed, Feb 26, 2025 at 07:56:02PM +0700, Ian Hobson via BitFolk Users wrote:
Second, found a solution.
See https://www.youtube.com/watch?v=NmXWA08ly_s
For those who haven't clicked, it's a tutorial for setting up mail
forwarding with Cloudflare.
The first demonstration email ends up in gmail's spam folder. Good to
see that even Cloudflare cannot reliably deliver to gmail!
It looks like Cloudflare are doing SRS on this because when he hovers
over the received email in gmail's web interface, a popup says
"mailed-by: aircursor.com" (his demo domain) even though his from
address was hungrypy(a)gmail.com. So I think that is checking SPF, which is
envelope sender, so implies the envelope sender was set to aircursor.com.
The popup also says "signed-by: gmail.com". I think that will be gmail's
DKIM, which went through unmolested.
So even with passing SPF and DKIM this mail still went to spam folder.
As it's Cloudflare it does also require you to have your DNS with them.
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
2:58 p.m.
On Thu, Feb 27, 2025 at 02:48:06PM +0000, Andy Smith via BitFolk Users wrote:
Hi,
On Wed, Feb 26, 2025 at 07:56:02PM +0700, Ian Hobson via BitFolk Users wrote:
Ah, thanks. I hate suggestions to follow a link without even a tiny summary;
even more so when the link is to some video that I will need to waste time
sitting through.
Regards
--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 https://www.phcomp.co.uk/
Parliament Hill Computers. Registration Information:
https://www.phcomp.co.uk/Contact.html
#include <std_disclaimer.h>
Second, found a solution.
See https://www.youtube.com/watch?v=NmXWA08ly_s
For those who haven't clicked, it's a tutorial for setting up mail
forwarding with Cloudflare. 
22 Feb
22 Feb
2:30 p.m.
Hi,
According to
https://easydmarc.com/tools/spf-lookup?domain=ianhobson.com the
spf is set up correctly, and it has been for well over the TTL
of 1 hour.
This may not be enough for all of gmail's infrastructure to catch up. I
don't know what they do in there.
If I read this correctly, spf authentication failed.
The spf entry is TXT, NAME=@ DATA="v=spf1 ~all" no quotes.
Anyone got any idea what might be happening?
I have heard (not sure if read or assumed somehow over the years) that
Google prefers to see "-all" (hard fail) rather than "~all" (soft
fail).
Anecdotally, of the domains I run all from my Bitfolk VPS, the ones with
"-all" policies do better than the ones with "~all" policies wrt gmail
delivery and gmail inbox (rather than spam folder) delivery.
I draw that anecdata from domains that don't do DKIM or DMARC but I'm not
sure how much "reputation" I've got from having sent mail consistently from
those domains over years and across multiple gmail policy changes. I send
little enough mail that Google's postmaster tools has nothing to say about
my domains.
Best wishes,
@ndy
--
andyjpb(a)ashurst.eu.org
http://www.ashurst.eu.org/
0x7EBA75FF
35
days inactive
40
days old
11 comments
6 participants
participants (6)
-
Alain D D Williams -
Anahata -
Andy Bennett -
Andy Smith -
Ian Hobson -
John Winters