1. 27
  1. 6

    Pretty slick UI, and maybe people find it helpful, considering all the “self hosting e-mail is doomed” stories and comments we’ve been seeing lately.

    1. 2

      This is very well done. Explaining all the checks step-by-step is definitely a good way to help people understand this tedious and complex process that is validating email senders.

      There seems to be a bug with DKIM key retrieval though, because it states that my email doesn’t pass DKIM verification. However, it does pass it successfully on https://mail-tester.com. This could be a problem in the DNS record parsing, as I formatted mine with multiple chunks enclosed in “” (for the multi-line public key).
      Now I’m genuinely curious to know if that’s a bug in the tester (which I hope!), or if my emails would eventually be dropped by some other mailers because of that formatting. Would anyone have an insight on this?
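On the multi-chunk formatting asked about above: RFC 6376 section 3.6.2.2 says the character-strings of a DKIM TXT record are concatenated with no intervening whitespace before parsing. The following is an added example, not code from the tester or from any commenter; the key bytes and record are constructed placeholders.

```python
import base64
import re

# One quoted character-string in zone-file presentation format,
# allowing backslash escapes inside the quotes.
CHUNK = re.compile(r'"((?:[^"\\]|\\.)*)"')

def join_txt_chunks(rdata: str) -> str:
    """Concatenate the quoted character-strings of one TXT record.

    RFC 6376 section 3.6.2.2: strings are joined with no intervening
    whitespace before the DKIM key record is interpreted.
    """
    chunks = CHUNK.findall(rdata)
    if not chunks:
        raise ValueError("no quoted character-strings in TXT rdata")
    return "".join(re.sub(r"\\(.)", r"\1", c) for c in chunks)

def parse_dkim_key_record(rdata: str) -> dict:
    """Parse a DKIM key record into its tags; 'p' is decoded to bytes."""
    tags = {}
    for part in join_txt_chunks(rdata).split(";"):
        if not part.strip():
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value.strip()
    if "p" not in tags:
        raise ValueError("missing p= tag")
    # Whitespace inside the base64 value is permitted; drop it before decoding.
    tags["p"] = base64.b64decode(re.sub(r"\s+", "", tags["p"]), validate=True)
    return tags

# Constructed sample: 300 placeholder bytes standing in for a public key,
# split into two quoted chunks because one string holds at most 255 bytes.
SAMPLE_KEY = bytes(range(256)) + bytes(44)
B64 = base64.b64encode(SAMPLE_KEY).decode()
SAMPLE_RDATA = f'( "v=DKIM1; k=rsa; p={B64[:200]}"\n  "{B64[200:]}" )'
```

A parser that reads only the first quoted string recovers a truncated key from this record, which a verifier would report as a DKIM failure or a missing key.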

      1. 2

        I got the same error - it claimed that no DKIM was present, even though it is (and parties like Google seem to accept it).

        1. 0

          I got a bug where I’ve used a:mail.example.com in my SPF policy, and the IPv6 address I sent from doesn’t match according to the tester. The mail is still accepted due to DKIM (I don’t have the problem you mentioned).

          I didn’t try if it works better with IPv4, but it seems there are some disturbances in the force.

          So apparently there was something wrong with my SPF policy after all; it had a syntax error. But learndmarc just told me that my mail matched -all, so it just hopped over tokens it didn’t understand instead of telling me my SPF policy was syntactically wrong. When you press the looking glass next to the domain on the right side, you get sent to a page that checks your SPF policy and shows the error.
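The silent skipping described above hides a condition that RFC 7208 treats as a hard failure: any syntax error in the record yields `permerror`. The following added example (not the tester's code) is a strict term checker that reports such errors; the broken record is constructed, since the comment does not say what the actual error was.

```python
import ipaddress
import re

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
NEEDS_ARG = {"include", "exists", "ip4", "ip6"}
# name "=" value: redirect=, exp= and unknown modifiers are syntactically valid.
MODIFIER = re.compile(r"[A-Za-z][A-Za-z0-9._-]*=")

def check_term(term: str):
    """Return an error string for one SPF term, or None if it is well formed."""
    if MODIFIER.match(term):
        return None
    body = term[1:] if term[0] in "+-~?" else term  # strip the qualifier
    name, sep, arg = re.match(r"([^:/]*)([:/]?)(.*)", body).groups()
    name = name.lower()
    if name not in MECHANISMS:
        return f"unknown mechanism in term {term!r}"
    if name == "all" and sep:
        return f"'all' takes no argument: {term!r}"
    if name in NEEDS_ARG and (sep != ":" or not arg):
        return f"{name} requires ':<value>': {term!r}"
    if name in ("ip4", "ip6"):
        try:
            net = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            return f"bad address in term {term!r}"
        if net.version != int(name[2]):
            return f"address family mismatch in term {term!r}"
    return None

def spf_syntax_errors(record: str) -> list:
    """List every syntax error; a non-empty list means permerror, not a match."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with 'v=spf1'"]
    return [e for e in map(check_term, terms[1:]) if e]

# Constructed records: "ipv6:" is a typo for the "ip6:" mechanism.
BROKEN = "v=spf1 a:mail.example.com ipv6:2001:db8::25 -all"
VALID = "v=spf1 a:mail.example.com ip6:2001:db8::/32 mx/24 ~all"
```

A lenient evaluator that skips the `ipv6:` term in `BROKEN` falls through to `-all` and reports a plain fail, which matches the misleading result the comment describes.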

        2. 2

          I posted this in another thread that was deleted for some reason, but it’s sad to see that websites like this (and the mentioned mail-tester.com) present SPF as a requirement, rather than as a deprecated standard that is superseded by DKIM.

          SPF has as its core assumption that mail originating from a domain is always delivered by a mail server designated by that domain. In that world, mailing lists and forwards don’t exist. This was noted even when it was introduced, and DKIM doesn’t share its failings. Because mail server practices seem to be dominated by cargo culting, the recommendation to use SPF remains, long after the reasonable timeframe during which server operators could’ve switched to DKIM.

          And yes, there are certain use cases for SPF, but they are limited to scenarios where delivery is less important than spam prevention.

          1. 3

            I don’t know about SPF as a whole being deprecated, but I do know that the specific SPF DNS RR has been deprecated in favor of serving up SPF via the TXT RR.

            1. 2

              SPF is still widespread and covers a different scenario. SPF does not inhibit mailing-lists. I don’t like SPF and the externalization of cost it set a precedent for, in a pattern followed by DMARC.

              Mailing-list managers rewrite the SMTP Envelope Sender to point to an address which will feed back to the MLM, for bounce processing. SPF is enforced on the SMTP Envelope Sender. This is why SPF breaks .forward files which don’t use SRS to rewrite the sender to chain back through the forwarder. It’s unfortunate, but a pragmatic reality today that if you’re doing forwarding, then (a) you probably regret it; (b) you should use SRS.

              Now, DMARC enforcement breaks mailing-lists and leads to privacy violations of the list’s subscriber base and required MLMs to take some kind of action because people verifying DKIM signatures and then enforcing the DMARC policy would reject the mail through the mailing-list, bouncing it, causing one sender from a p=reject domain to cause a lot of other mailing-list subscribers to get disabled.

              In weighing whether or not linking to one of my old blog posts here is self-pimping, I decided that since I wrote some things above which someone is sure to dispute and claim is FUD, I’d better link to a starting-point for understanding; note that the two earlier posts referenced cover the privacy violations. https://bridge.grumpy-troll.org/2014/04/dmarc-stance/

              1. 1

                That blog is interesting, because I realize now I’ve seen the behavior you mentioned - by a message sender using SPF. As far as I can tell, it’s almost impossible to do Return-path rewriting on a message originating from an SPF domain, without also doing From rewriting. DKIM, at least, leaves the Return-path alone, and typically only imposes restrictions on the Subject field, which I find more acceptable.

                It’s interesting to me that you single out DKIM more so than SPF in this instance.

                1. 1

                  DKIM != DMARC. DKIM is fine, it’s the policy decisions for DMARC around forcing only using From: as the verifier. The big webmail providers didn’t want to change their UI to present List headers or Sender or anything, so they forced the rest of the world to overload From instead and change the semantics of authorship.

                  I think DKIM is fine, I think DMARC is Very Flawed But Sometimes Necessary (if you disable the privacy violations).

              2. 1

                I’m hosting my business email with Runbox (self hosting my private email) and got an email from them saying this (among other things):

                We’ve recently become aware that Google via its Gmail service has started filtering messages from domains that do not have a SPF (Sender Policy Framework) record to the spam folder of their users. We’ve had a steady stream of reports about this so we are confident this is a new policy they have in place. This will also affect people using their own domain with Google’s email service and not just people with @gmail.com addresses.

                This would make not using SPF less of an option. Just adding this here in case someone stumbles upon this thread later on.

                1. 1

                  Is this an official announcement by Google, does it apply to people with no SPF, but DKIM, etc? I’m filing this under the “email shamanism” that self-hosting administrators do to appease the mysterious gods.

                  For what it’s worth, I’ve been exchanging emails with people on Gmail today, from my personal, SPF-less email domain, without issue.

                  1. 1

                    It’s not an official announcement from Google, but rather observed behavior as seen by a lot of support tickets sent to Runbox.

              3. 1

                This is really interesting - I ran my domain/server through it and got a full pass on all counts, kind of what I expected, yet Gmail still either junks or silently blackholes my emails to accounts that don’t have history with my domain, and sometimes on new threads even with those that do. Yay gmail.

                I like the UI & flow for this tool. Neat.

                1. 1

                  Gmail Postmaster Tools let you directly check your domain and IP reputations. That might be your problem. (‘course, that doesn’t tell you how to fix it…)

                  1. 2

                    I’ve found it worse than useless, really, if you run your own mailserver. I have a friend who I periodically forward things like, say, cinema bookings to, and without fail, Gmail will drop my mail (from my domain and IP with a spotless reputation) into her spam folder with no explanation, and nothing ever shows up in postmaster tools. It feels like such a waste of time.

                    1. 1

                      Thanks! Already verified both domains in there, it doesn’t show any data for either, presumably because not enough volume of emails - but that’s kinda the point, I don’t send hundreds or thousands of mails a day, it’s a personal domain and it’s already dropping plenty of the ones I do send without me adding mail volume to the “probable cause” list, so … I don’t get to see anything on the reputation pages, even after several months ¯\_(ツ)_/¯