google bouncing mails from @torproject.org

I tried sending email from my home server and eugeni, both bounce with an error like this:

Jan 25 21:25:22 eugeni/eugeni postfix/smtp[558]: DBF82E05E7: to=<[REDACTED]@gmail.com>, orig_to=<REDACTED@torproject.org>, relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c00::1a]:25, delay=2.1, delays=1.7/0/0.12/0.21, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[2a00:1450:400c:c00::1a] said: 550-5.7.1 [2a01:4f8:fff0:4f:266:37ff:fe48:41b8      19] Our system has detected 550-5.7.1 that this message is likely suspicious due to the very low reputation 550-5.7.1 of the sending domain. To best protect our users from spam, the 550-5.7.1 message has been blocked. Please visit 550 5.7.1  https://support.google.com/mail/answer/188131 for more information. e13si14120901wrq.457 - gsmtp (in reply to end of DATA command))

Seems like we'll need to deal with the dreaded Google Postmaster tools:

https://postmaster.google.com/managedomains?pli=1

It's going to be one of those weeks.

added Next label

mentioned in issue #33037 (moved)

added Doing label and removed Next label

I see a bunch of mails being delivered to google in eugeni's mail.log. So I think it is not the case that 'all' of them are being bounced.

Maybe it was just a transient reputation problem on the google side?

Yeah, I'm watching the mail logs still, and most mails to gmail are being delivered.

Excellent, then I'll update the status page to downgrade the severity, thanks!!

Yeah, I'm watching the mail logs still, and most mails to gmail are being delivered.

actually, now that you mention it, what I experience wasn't a refused mail, it was a bounced mail. I mean in the above log line I pasted, true, the mail was refused at the Google edge, but in another case, it was actually delivered then bounced as spam, through another mechanism. Here's what I received:

Return-Path: <>
X-Original-To: anarcat+debian@orangeseeds.org
Delivered-To: anarcat+debian@orangeseeds.org
Received: from marcos.anarc.at (localhost [127.0.0.1])
	by delivery.anarc.at (Postfix) with ESMTP id 8D9FC10E16F
	for <anarcat+debian@orangeseeds.org>; Mon, 25 Jan 2021 16:48:53 -0500 (EST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on marcos.anarc.at
X-Spam-Level: 
X-Spam-Status: No, score=-2.3 required=5.0 tests=AWL,BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_IMAGE_ONLY_20,HTML_MESSAGE,
	MIME_HEADER_CTYPE_ONLY,RCVD_IN_DNSWL_MED,SPF_HELO_NONE autolearn=ham
	autolearn_force=no version=3.4.2
Received: from muffat.debian.org (muffat.debian.org [209.87.16.33])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by marcos.anarc.at (Postfix) with ESMTPS id 5B40510E150
	for <anarcat+debian@orangeseeds.org>; Mon, 25 Jan 2021 16:48:53 -0500 (EST)
Authentication-Results: marcos.anarc.at;
	dkim=pass (2048-bit key; unprotected) header.d=googlemail.com header.i=@googlemail.com header.b="iuhYlKAR";
	dkim-atps=neutral
Received: from mail-ot1-x343.google.com ([2607:f8b0:4864:20::343]:44331)
	by muffat.debian.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128)
	(Exim 4.92)
	id 1l49jA-0008SL-BX
	for anarcat+debian@orangeseeds.org; Mon, 25 Jan 2021 21:48:52 +0000
Received: by mail-ot1-x343.google.com with SMTP id e70so14267559ote.11
        for <anarcat@debian.org>; Mon, 25 Jan 2021 13:48:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=googlemail.com; s=20161025;
        h=to:auto-submitted:message-id:date:from:subject:references
         :in-reply-to;
        bh=HidT+mPOHBI/eq09ncdzcjtm1b10sQdAyyqId+BoSBM=;
        b=iuhYlKARscs6pxnfzUL02+ppiUOy1467UHB34IdbNvZMfjJJjv+ua7D0/P/JmZA/8f
         EAX6pHGfjw4HHRQ9ch6GwFNvNHEsHxhk14exqVvflLqshX9T6GEptjmn/AbAgGC3RnDo
         dWufBDe19WFggBrwjfWq+b+G2VXP4yfEIrXvrALdPUx9P0qB2rSrD5BtNRbmYoWhmvpS
         M8hemVZIUVYKWioivI8Jq8lwKlGhd+6V/5tjJJfUmfxaCIk+9cL0L4r8HqewbEybr1k2
         gkMzhuhrToscKwIoDHmu0cHbZtmh7G0Yny13MDvsDDGfq+vDmIGFoRWtDayZ/CY17PlX
         pNmg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:to:auto-submitted:message-id:date:from:subject
         :references:in-reply-to;
        bh=HidT+mPOHBI/eq09ncdzcjtm1b10sQdAyyqId+BoSBM=;
        b=W+6JmQyOeX0p2VaX+/CuZ93EDCGEsqoBQG8JUjfUsat1GttpPOE8Gjd32ysfZF4nx+
         mYlCpxC5fVfJHNGUmcGJIi+aVBsgYtquCP6Q+uZt1HIlw5HVA5UY/uBGi4uOZp6AxiW4
         Elz+L6Bp8lXOrVhPuIRvai6+YhPz8TFIrgTU9VYuN+OpVKcw0lcG2diX9oXZDHwgycye
         5jcqslssJBCBfWarpBl5nPuCNcFNYPGl+8yA7psNkzYO85uzSXqC/51YlnH18gLXQZwi
         45nNGlgMA1CI0dBtVqq/sLwSdVrmIVpal1nEYqt/eOwnUrH9Y2F2JJ+Gd9G5D5BApf/l
         6KLg==
X-Gm-Message-State: AOAM532aJmYkaAScVoLIAKAE6IibsCC5dIPm7fIGjLAyCSv0uE0QYL4/
	aOa0UyPldSqJ4RE2ORNvpr95/nVDQOuul27wnSpWwQ==
X-Google-Smtp-Source: ABdhPJzF4s7qLi2ZfyNH7FVD+9be2kcJ94x9FdJzpY2ftbiPlilu0DFkahlXoRY7TLOIzdw1E5yu5Ij/mmz+Ve7IW3d70FkP8Bw8wpk=
X-Received: by 2002:a9d:d52:: with SMTP id 76mr1819319oti.67.1611611329423;
        Mon, 25 Jan 2021 13:48:49 -0800 (PST)
Content-Type: multipart/report; boundary="000000000000ce64fc05b9c08090"; report-type=delivery-status
To: anarcat@debian.org
Received: by 2002:a9d:d52:: with SMTP id 76mr1849310oti.67; Mon, 25 Jan 2021
 13:48:49 -0800 (PST)
Auto-Submitted: auto-replied
Message-ID: <600f3cc1.1c69fb81.e19f.c9ed.GMR@mx.google.com>
Date: Mon, 25 Jan 2021 13:48:49 -0800 (PST)
From: Mail Delivery Subsystem <mailer-daemon@googlemail.com>
Subject: Delivery Status Notification (Failure)
References: <87lfcg7kn4.fsf@curie.anarc.at>
In-Reply-To: <87lfcg7kn4.fsf@curie.anarc.at>
X-Failed-Recipients: [REDACTED]

--000000000000ce64fc05b9c08090
Content-Type: multipart/related; boundary="000000000000ce653005b9c08093"

--000000000000ce653005b9c08093
Content-Type: multipart/alternative; boundary="000000000000ce653505b9c08094"

--000000000000ce653505b9c08094
Content-Type: text/plain; charset="UTF-8"


** Message not delivered **

There was a problem delivering your message to REDACTED. See the technical details below.

Learn more here: https://support.google.com/a/answer/168383

The response was:

Your email to group REDACTED was rejected due to spam classification.

The owner of the group can choose to enable message moderation instead of bouncing these emails.

More information can be found here: https://support.google.com/a/answer/168383.

--000000000000ce653505b9c08094
Content-Type: text/html; charset="UTF-8"


<html>
REDACTED
</html>

--000000000000ce653505b9c08094--
--000000000000ce653005b9c08093
Content-Type: image/png; name="icon.png"
Content-Disposition: attachment; filename="icon.png"
Content-Transfer-Encoding: base64
Content-ID: <icon.png>

--000000000000ce653005b9c08093--
--000000000000ce64fc05b9c08090
Content-Type: message/delivery-status

Reporting-MTA: dns; googlemail.com
Received-From-MTA: dns; anarcat@debian.org
Arrival-Date: Mon, 25 Jan 2021 13:48:48 -0800 (PST)
X-Original-Message-ID: <87lfcg7kn4.fsf@curie.anarc.at>

Final-Recipient: rfc822; REDACTED
Action: failed
Status: 5.0.0
Diagnostic-Code: smtp; Your email to group REDACTED was rejected due to spam classification.
 The owner of the group can choose to enable message moderation instead of bouncing these emails.
 More information can be found here: https://support.google.com/a/answer/168383.
Last-Attempt-Date: Mon, 25 Jan 2021 13:48:49 -0800 (PST)

--000000000000ce64fc05b9c08090
Content-Type: message/rfc822

X-Google-Smtp-Source: ABdhPJxkLifNeHOuoFpCg1G06zXCDKzoFwwzviRhhAz3uGUcb/kRkqUpT4He9siDB3mQ0fLccebh
X-Received: by 2002:a9d:d52:: with SMTP id 76mr1819304oti.67.1611611328928;
        Mon, 25 Jan 2021 13:48:48 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1611611328; cv=none;
        d=google.com; s=arc-20160816;
        b=mMh1WzejpRP9JxRr6fl492YnI+ojYanrIhXlFsF43z9gPPkvsS6Tna0Y3Me4/4TR5F
         xKRxda9wUVNBcCm3Fn/SiLDXzbvlpXazVKOZjZyB0hEfF27ogtNsRDgMFpjutQegs/hh
         5mSjbA0MYE92cKm/Gd2J9z0LvrYX5SmClnJo4Y3TwVOxPXcKOyug7YRt/ajKvVER46Uo
         LHEVYzpLwuS5ZZYLsOfYmbT5vd0iVFzAwFai38nh6qI4aV5K9PMcx3OLLKDHzWyJ7+JF
         CjTx6Ya5rZZnpywIVQavSf2bf+NtO304Kf6er2SQwyG4UtieopZ3Cn5syXtj6n4rlBEg
         XAkA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:message-id:date:organization
         :subject:cc:to:from:dkim-signature;
        bh=QW0PZdJCIzsGLG+exCDjqH550rYitzaVL6j+VGBSHmE=;
        b=N2dUj4PcYsYO4jZYXfFqneu/FNDSCs8fj8TzkIQxsV8PrcI1GEMyMXqtEU4P6ZKzw7
         GIdPUI30NP1IGFVPSTTiJoH73UXvzPUP6wo0OMyn3Veb2GTi6liFvkjD/Xjuf4R31ss5
         4DGC2XACZQLC5efJavoSCnkYEL5p1oTRdLkisrE+FY6GzAfabtHycMbjOqqD2eIjTTTK
         nXvpajGeflwyKn3x+ve3906rttzZuSel5Soo9uaR2B3Rixjz32pMQfPyz8+XCIC0xxYI
         uN3PCTtn7GUNMMWTUCoHSwxpOBGdv1+Nt9M13hEM9c4PG7veRV6ara7l8ULm5/ABmJf0
         wdrw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@debian.org header.s=marcos-debian.anarcat.user header.b=K1l014Fl;
       spf=neutral (google.com: 206.248.172.91 is neither permitted nor denied by best guess record for domain of anarcat@debian.org) smtp.mailfrom=anarcat@debian.org
Return-Path: <anarcat@debian.org>
Received: from marcos.anarc.at (marcos.anarc.at. [206.248.172.91])
        by mx.google.com with ESMTPS id t22si9921337otm.115.2021.01.25.13.48.48
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 25 Jan 2021 13:48:48 -0800 (PST)
Received-SPF: neutral (google.com: 206.248.172.91 is neither permitted nor denied by best guess record for domain of anarcat@debian.org) client-ip=206.248.172.91;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@debian.org header.s=marcos-debian.anarcat.user header.b=K1l014Fl;
       spf=neutral (google.com: 206.248.172.91 is neither permitted nor denied by best guess record for domain of anarcat@debian.org) smtp.mailfrom=anarcat@debian.org
Received: by marcos.anarc.at (Postfix, from userid 1000)
	id 22AF110E16B; Mon, 25 Jan 2021 16:48:48 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=debian.org;
	s=marcos-debian.anarcat.user; t=1611611328;
	bh=Mv0WZxK1ZltmioQJyWvTxeH2lo3WUeOmmwzAFXfuPNM=;
	h=From:To:Cc:Subject:Date:From;
	b=K1l014FlBb6PemWXDkGC11a/32x/OG+AiT4ToYNs7NKvj/Bqmq7Ge8bwNFet1MBlz
	 ES3cX9toiSUmRkvA7b9j2JP1OyCiGvNRAT95r56t1gy5hi51M8cNd+Gf+jrbXB6NJ+
	 hC/O+3xQ+aFwBZhg4OiTox0kn5+dRXV78Z/LOZed2gHKrln5h9HU+4bE6oP/ia2CgD
	 KrCxvm2EcP/h4I/TkyHYsv3vkuDBzkuZDPmAlVx4IQqF+9LbPxwncKoO3P6tfDr7uP
	 5hHXLvP0/3r3/PALja67KgyMSxFA1VzsUktFOSWy3NKq1YHdSRlN+eMzRCZBsrfoPg
	 NM4CsiuiZExgw==
Received: by curie.anarc.at (Postfix, from userid 1000)
	id 6AA1C125383; Mon, 25 Jan 2021 16:48:47 -0500 (EST)
From: =?utf-8?Q?Antoine_Beaupr=C3=A9?= <anarcat@debian.org>
[To, From, Cc, REDACTED]
Organization: Tor
Date: Mon, 25 Jan 2021 16:48:47 -0500
Message-ID: <87lfcg7kn4.fsf@curie.anarc.at>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

[actual email redacted]

So there might still be issues even if eugeni thinks it has delivered that email successfully. Note that, in the above, I tried to send with my @debian.org personna, which worked when writing to Richard directly. But it didn't work when writing to the google group.

I also tried sending the email directly from eugeni, and that's when I triggered the log line in the original report.

So it looks like that particular list was being a problem?

(It's good that we're not generally seeing bounces -- if alice@torproject.org mails bob@torproject.org but they both secretly point to gmail addresses, and gmail tries to bounce one of the mails, it could get ugly. But we're not seeing that, as far as I can tell.)

So it looks like that particular list was being a problem?

Yeah, maybe it's just this one list and the severity of this can be downgraded.

(It's good that we're not generally seeing bounces -- if alice@torproject.org mails bob@torproject.org but they both secretly point to gmail addresses, and gmail tries to bounce one of the mails, it could get ugly. But we're not seeing that, as far as I can tell.)

What is special about what I've seen is that it's "backscatter bounces": the emails do get accepted by gmail, but get bounced later. In those situations, yes, this could get nasty, but normally MTAs are not supposed to bounce bounces, so in practice this should never get that bad...

added Icebox label and removed Doing label

These Google Workspace group lists that we use have much stronger spam blocking than the normal GMail accounts. It's also very intermittent. Once in awhile we'll get someone who has been sending emails to us normally just get blocked for a few hours. Also we are using grandfathered in free Google Workspace accounts so they don't let us adjust the spam settings on those. So I also think I wouldn't take these particular bounces too seriously.

I am curious as to why you guys aren't using any SPF records. We've had lots of clients complaining about their mailings going to spam (not bounces) and then we add SPF records and it gets a lot better.

We tend to recommend DKIM too, but I'm less sure how much an effect that has and it's more of a pain to setup.

So I also think I wouldn't take these particular bounces too seriously.

Yeah, I removed the notice in our status page because of that, but it would still be nice if we could mail you folks. :)

Alternatively, it's great that you're here! Maybe I will just start creating tickets here and assign them to you, would that work? (Actually, it wouldn't: because you're not a member of the group, you can't be assigned issues - just mention, at least as far as I understand. I'd need to create a group or project for giant rabbit i guess? Would you be okay with tracking issues here in general? or do you have your own issue tracker we should file issues into?)

I am curious as to why you guys aren't using any SPF records. We've had lots of clients complaining about their mailings going to spam (not bounces) and then we add SPF records and it gets a lot better. We tend to recommend DKIM too, but I'm less sure how much an effect that has and it's more of a pain to setup.

It's a long-standing controversy in the admin teams. Some think that SPF break the way email used to work which is that, traditionally, other mail servers can send email for you and that we shouldn't break that expectation.

So for now we don't have those records, and are dealing with the consequences.. It's certainly something that's been on my mind for a while, but we don't even offer a clean interface for people to submit emails through @torproject.org right now, so I have to fix that before I make SPF records denying other servers to submit their mails. (And yes, i know about "blank allow" SPF records, but that's part of the controversy here...)

So, long story short: yeah, sorry about that, we're partly to blame for the email delivery. Thanks for the updates though. :)

changed title from google bouncing all mails from @torproject.org to google bouncing mails from @torproject.org

I authenticated our domain with Google Postmaster tools using my personal email account (how are we supposed to share those anyways?!). So far, all it says is "No data to display at this time. Please come back later." So I guess I'll just do that...

@susan had a similar problem with Office 360 one-time code confirmation emails from another source, which gmail is bouncing as spam when forwarding:

Feb 11 19:25:05 eugeni/eugeni postfix/slow/smtp[27550]: 7887FE060E: to=<[REDACTED]@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.71.26]:25, delay=0.34, delays=0.01/0/0.12/0.21, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[74.125.71.26] said: 550-5.7.1 [49.12.57.136      12] Our system has detected that this message is 550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail, 550-5.7.1 this message has been blocked. Please visit 550-5.7.1  https://support.google.com/mail/?p=UnsolicitedMessageError 550 5.7.1  for more information. q10si6125449wmf.67 - gsmtp (in reply to end of DATA command))

Might be unrelated, but registering to the postmaster tools is what the error message says, so that's done...

Unfortunately, the chances of that giving us a magic epiphany are slim. :(

i can't seem to get any useful information out of gmail's postmaster tools. all they tell us is:

No data to display at this time. Please come back later. Postmaster Tools requires that your domain satisfies certain conditions before data is visible for this chart. Refer to the help page for more details.

I've been seeing this for weeks now, so it's likely never going to change until we setup DKIM.

unassigned @anarcat

We seem to be having an episode today, with several mails from eugeni to gmail being bounced on account that our messages aren't authenticated.

Jerome,

Thank you, am I supposed to do something with this?

Sue

Hi Sue, no I think it's fine. You're receiving these notifications because you were mentioned in the history of this ticket as being affected, but you can unsubscribe from further notifications, no problem.

Bounced like permanently refused? Google's greylisting message makes it sound like it's our fault but actually after several tries the mails go through. At least, that's been how it was before.

Yeah I think that's correct, the messages seem to eventually go through, for now.

mentioned in issue #40363 (closed)

mentioned in issue #40494

marked this issue as related to #40640 (closed)

added Email label

I sent an email from torproject.org to gmail.com and it was returned to me as spam - can post headers etc. on request!

i'm going to go ahead and close this ticket. we already have numerous other tickets about mail bouncing or getting marked as spam at google (#40959 (closed), #40765 (closed), #40640 (closed), #46032, #40170...) and this one here is actually pretty vague and really getting old. i actually can't find a trace of that message in my logs anymore, so it's actually pretty hard to diagnose as well...

if people still see deliverability issues with gmail, please comment on the above tickets or open a new one.

closed