I tried sending email from my home server and eugeni, both bounce with an error like this:
Jan 25 21:25:22 eugeni/eugeni postfix/smtp[558]: DBF82E05E7: to=<[REDACTED]@gmail.com>, orig_to=<REDACTED@torproject.org>, relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c00::1a]:25, delay=2.1, delays=1.7/0/0.12/0.21, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[2a00:1450:400c:c00::1a] said: 550-5.7.1 [2a01:4f8:fff0:4f:266:37ff:fe48:41b8 19] Our system has detected 550-5.7.1 that this message is likely suspicious due to the very low reputation 550-5.7.1 of the sending domain. To best protect our users from spam, the 550-5.7.1 message has been blocked. Please visit 550 5.7.1 https://support.google.com/mail/answer/188131 for more information. e13si14120901wrq.457 - gsmtp (in reply to end of DATA command))
Seems like we'll need to deal with the dreaded Google Postmaster tools:
Yeah, I'm watching the mail logs still, and most mails to gmail are being delivered.
actually, now that you mention it, what I experienced wasn't a refused mail, it was a bounced mail. I mean in the above log line I pasted, true, the mail was refused at the Google edge, but in another case, it was actually delivered then bounced as spam, through another mechanism. Here's what I received:
Return-Path: <>
X-Original-To: anarcat+debian@orangeseeds.org
Delivered-To: anarcat+debian@orangeseeds.org
Received: from marcos.anarc.at (localhost [127.0.0.1]) by delivery.anarc.at (Postfix) with ESMTP id 8D9FC10E16F for <anarcat+debian@orangeseeds.org>; Mon, 25 Jan 2021 16:48:53 -0500 (EST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on marcos.anarc.at
X-Spam-Level:
X-Spam-Status: No, score=-2.3 required=5.0 tests=AWL,BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_IMAGE_ONLY_20,HTML_MESSAGE, MIME_HEADER_CTYPE_ONLY,RCVD_IN_DNSWL_MED,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2
Received: from muffat.debian.org (muffat.debian.org [209.87.16.33]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by marcos.anarc.at (Postfix) with ESMTPS id 5B40510E150 for <anarcat+debian@orangeseeds.org>; Mon, 25 Jan 2021 16:48:53 -0500 (EST)
Authentication-Results: marcos.anarc.at; dkim=pass (2048-bit key; unprotected) header.d=googlemail.com header.i=@googlemail.com header.b="iuhYlKAR"; dkim-atps=neutral
Received: from mail-ot1-x343.google.com ([2607:f8b0:4864:20::343]:44331) by muffat.debian.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) id 1l49jA-0008SL-BX for anarcat+debian@orangeseeds.org; Mon, 25 Jan 2021 21:48:52 +0000
Received: by mail-ot1-x343.google.com with SMTP id e70so14267559ote.11 for <anarcat@debian.org>; Mon, 25 Jan 2021 13:48:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20161025; h=to:auto-submitted:message-id:date:from:subject:references :in-reply-to; bh=HidT+mPOHBI/eq09ncdzcjtm1b10sQdAyyqId+BoSBM=; b=iuhYlKARscs6pxnfzUL02+ppiUOy1467UHB34IdbNvZMfjJJjv+ua7D0/P/JmZA/8f EAX6pHGfjw4HHRQ9ch6GwFNvNHEsHxhk14exqVvflLqshX9T6GEptjmn/AbAgGC3RnDo dWufBDe19WFggBrwjfWq+b+G2VXP4yfEIrXvrALdPUx9P0qB2rSrD5BtNRbmYoWhmvpS M8hemVZIUVYKWioivI8Jq8lwKlGhd+6V/5tjJJfUmfxaCIk+9cL0L4r8HqewbEybr1k2 gkMzhuhrToscKwIoDHmu0cHbZtmh7G0Yny13MDvsDDGfq+vDmIGFoRWtDayZ/CY17PlX pNmg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:to:auto-submitted:message-id:date:from:subject :references:in-reply-to; bh=HidT+mPOHBI/eq09ncdzcjtm1b10sQdAyyqId+BoSBM=; b=W+6JmQyOeX0p2VaX+/CuZ93EDCGEsqoBQG8JUjfUsat1GttpPOE8Gjd32ysfZF4nx+ mYlCpxC5fVfJHNGUmcGJIi+aVBsgYtquCP6Q+uZt1HIlw5HVA5UY/uBGi4uOZp6AxiW4 Elz+L6Bp8lXOrVhPuIRvai6+YhPz8TFIrgTU9VYuN+OpVKcw0lcG2diX9oXZDHwgycye 5jcqslssJBCBfWarpBl5nPuCNcFNYPGl+8yA7psNkzYO85uzSXqC/51YlnH18gLXQZwi 45nNGlgMA1CI0dBtVqq/sLwSdVrmIVpal1nEYqt/eOwnUrH9Y2F2JJ+Gd9G5D5BApf/l 6KLg==
X-Gm-Message-State: AOAM532aJmYkaAScVoLIAKAE6IibsCC5dIPm7fIGjLAyCSv0uE0QYL4/ aOa0UyPldSqJ4RE2ORNvpr95/nVDQOuul27wnSpWwQ==
X-Google-Smtp-Source: ABdhPJzF4s7qLi2ZfyNH7FVD+9be2kcJ94x9FdJzpY2ftbiPlilu0DFkahlXoRY7TLOIzdw1E5yu5Ij/mmz+Ve7IW3d70FkP8Bw8wpk=
X-Received: by 2002:a9d:d52:: with SMTP id 76mr1819319oti.67.1611611329423; Mon, 25 Jan 2021 13:48:49 -0800 (PST)
Content-Type: multipart/report; boundary="000000000000ce64fc05b9c08090"; report-type=delivery-status
To: anarcat@debian.org
Received: by 2002:a9d:d52:: with SMTP id 76mr1849310oti.67; Mon, 25 Jan 2021 13:48:49 -0800 (PST)
Auto-Submitted: auto-replied
Message-ID: <600f3cc1.1c69fb81.e19f.c9ed.GMR@mx.google.com>
Date: Mon, 25 Jan 2021 13:48:49 -0800 (PST)
From: Mail Delivery Subsystem <mailer-daemon@googlemail.com>
Subject: Delivery Status Notification (Failure)
References: <87lfcg7kn4.fsf@curie.anarc.at>
In-Reply-To: <87lfcg7kn4.fsf@curie.anarc.at>
X-Failed-Recipients: [REDACTED]

--000000000000ce64fc05b9c08090
Content-Type: multipart/related; boundary="000000000000ce653005b9c08093"

--000000000000ce653005b9c08093
Content-Type: multipart/alternative; boundary="000000000000ce653505b9c08094"

--000000000000ce653505b9c08094
Content-Type: text/plain; charset="UTF-8"

** Message not delivered **
There was a problem delivering your message to REDACTED. See the technical details below.
Learn more here: https://support.google.com/a/answer/168383
The response was:
Your email to group REDACTED was rejected due to spam classification.
The owner of the group can choose to enable message moderation instead of bouncing these emails.
More information can be found here: https://support.google.com/a/answer/168383.

--000000000000ce653505b9c08094
Content-Type: text/html; charset="UTF-8"

<html>REDACTED</html>

--000000000000ce653505b9c08094--
--000000000000ce653005b9c08093
Content-Type: image/png; name="icon.png"
Content-Disposition: attachment; filename="icon.png"
Content-Transfer-Encoding: base64
Content-ID: <icon.png>

--000000000000ce653005b9c08093--
--000000000000ce64fc05b9c08090
Content-Type: message/delivery-status

Reporting-MTA: dns; googlemail.com
Received-From-MTA: dns; anarcat@debian.org
Arrival-Date: Mon, 25 Jan 2021 13:48:48 -0800 (PST)
X-Original-Message-ID: <87lfcg7kn4.fsf@curie.anarc.at>

Final-Recipient: rfc822; REDACTED
Action: failed
Status: 5.0.0
Diagnostic-Code: smtp; Your email to group REDACTED was rejected due to spam classification. The owner of the group can choose to enable message moderation instead of bouncing these emails. More information can be found here: https://support.google.com/a/answer/168383.
Last-Attempt-Date: Mon, 25 Jan 2021 13:48:49 -0800 (PST)

--000000000000ce64fc05b9c08090
Content-Type: message/rfc822

X-Google-Smtp-Source: ABdhPJxkLifNeHOuoFpCg1G06zXCDKzoFwwzviRhhAz3uGUcb/kRkqUpT4He9siDB3mQ0fLccebh
X-Received: by 2002:a9d:d52:: with SMTP id 76mr1819304oti.67.1611611328928; Mon, 25 Jan 2021 13:48:48 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1611611328; cv=none; d=google.com; s=arc-20160816; b=mMh1WzejpRP9JxRr6fl492YnI+ojYanrIhXlFsF43z9gPPkvsS6Tna0Y3Me4/4TR5F xKRxda9wUVNBcCm3Fn/SiLDXzbvlpXazVKOZjZyB0hEfF27ogtNsRDgMFpjutQegs/hh 5mSjbA0MYE92cKm/Gd2J9z0LvrYX5SmClnJo4Y3TwVOxPXcKOyug7YRt/ajKvVER46Uo LHEVYzpLwuS5ZZYLsOfYmbT5vd0iVFzAwFai38nh6qI4aV5K9PMcx3OLLKDHzWyJ7+JF CjTx6Ya5rZZnpywIVQavSf2bf+NtO304Kf6er2SQwyG4UtieopZ3Cn5syXtj6n4rlBEg XAkA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:message-id:date:organization :subject:cc:to:from:dkim-signature; bh=QW0PZdJCIzsGLG+exCDjqH550rYitzaVL6j+VGBSHmE=; b=N2dUj4PcYsYO4jZYXfFqneu/FNDSCs8fj8TzkIQxsV8PrcI1GEMyMXqtEU4P6ZKzw7 GIdPUI30NP1IGFVPSTTiJoH73UXvzPUP6wo0OMyn3Veb2GTi6liFvkjD/Xjuf4R31ss5 4DGC2XACZQLC5efJavoSCnkYEL5p1oTRdLkisrE+FY6GzAfabtHycMbjOqqD2eIjTTTK nXvpajGeflwyKn3x+ve3906rttzZuSel5Soo9uaR2B3Rixjz32pMQfPyz8+XCIC0xxYI uN3PCTtn7GUNMMWTUCoHSwxpOBGdv1+Nt9M13hEM9c4PG7veRV6ara7l8ULm5/ABmJf0 wdrw==
ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@debian.org header.s=marcos-debian.anarcat.user header.b=K1l014Fl; spf=neutral (google.com: 206.248.172.91 is neither permitted nor denied by best guess record for domain of anarcat@debian.org) smtp.mailfrom=anarcat@debian.org
Return-Path: <anarcat@debian.org>
Received: from marcos.anarc.at (marcos.anarc.at. [206.248.172.91]) by mx.google.com with ESMTPS id t22si9921337otm.115.2021.01.25.13.48.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 25 Jan 2021 13:48:48 -0800 (PST)
Received-SPF: neutral (google.com: 206.248.172.91 is neither permitted nor denied by best guess record for domain of anarcat@debian.org) client-ip=206.248.172.91;
Authentication-Results: mx.google.com; dkim=pass header.i=@debian.org header.s=marcos-debian.anarcat.user header.b=K1l014Fl; spf=neutral (google.com: 206.248.172.91 is neither permitted nor denied by best guess record for domain of anarcat@debian.org) smtp.mailfrom=anarcat@debian.org
Received: by marcos.anarc.at (Postfix, from userid 1000) id 22AF110E16B; Mon, 25 Jan 2021 16:48:48 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=debian.org; s=marcos-debian.anarcat.user; t=1611611328; bh=Mv0WZxK1ZltmioQJyWvTxeH2lo3WUeOmmwzAFXfuPNM=; h=From:To:Cc:Subject:Date:From; b=K1l014FlBb6PemWXDkGC11a/32x/OG+AiT4ToYNs7NKvj/Bqmq7Ge8bwNFet1MBlz ES3cX9toiSUmRkvA7b9j2JP1OyCiGvNRAT95r56t1gy5hi51M8cNd+Gf+jrbXB6NJ+ hC/O+3xQ+aFwBZhg4OiTox0kn5+dRXV78Z/LOZed2gHKrln5h9HU+4bE6oP/ia2CgD KrCxvm2EcP/h4I/TkyHYsv3vkuDBzkuZDPmAlVx4IQqF+9LbPxwncKoO3P6tfDr7uP 5hHXLvP0/3r3/PALja67KgyMSxFA1VzsUktFOSWy3NKq1YHdSRlN+eMzRCZBsrfoPg NM4CsiuiZExgw==
Received: by curie.anarc.at (Postfix, from userid 1000) id 6AA1C125383; Mon, 25 Jan 2021 16:48:47 -0500 (EST)
From: =?utf-8?Q?Antoine_Beaupr=C3=A9?= <anarcat@debian.org>
[To, From, Cc, REDACTED]
Organization: Tor
Date: Mon, 25 Jan 2021 16:48:47 -0500
Message-ID: <87lfcg7kn4.fsf@curie.anarc.at>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

[actual email redacted]
So there might still be issues even if eugeni thinks it has delivered that email successfully. Note that, in the above, I tried to send with my @debian.org persona, which worked when writing to Richard directly. But it didn't work when writing to the google group.
I also tried sending the email directly from eugeni, and that's when I triggered the log line in the original report.
So it looks like that particular list was being a problem?
(It's good that we're not generally seeing bounces -- if alice@torproject.org mails bob@torproject.org but they both secretly point to gmail addresses, and gmail tries to bounce one of the mails, it could get ugly. But we're not seeing that, as far as I can tell.)
So it looks like that particular list was being a problem?
Yeah, maybe it's just this one list and the severity of this can be downgraded.
(It's good that we're not generally seeing bounces -- if alice@torproject.org mails bob@torproject.org but they both secretly point to gmail addresses, and gmail tries to bounce one of the mails, it could get ugly. But we're not seeing that, as far as I can tell.)
What is special about what I've seen is that it's "backscatter bounces": the emails do get accepted by gmail, but get bounced later. In those situations, yes, this could get nasty, but normally MTAs are not supposed to bounce bounces, so in practice this should never get that bad...
These Google Workspace group lists that we use have much stronger spam blocking than the normal GMail accounts. It's also very intermittent. Once in a while we'll get someone who has been sending emails to us normally just get blocked for a few hours. Also we are using grandfathered-in free Google Workspace accounts so they don't let us adjust the spam settings on those. So I also think I wouldn't take these particular bounces too seriously.
I am curious as to why you guys aren't using any SPF records. We've had lots of clients complaining about their mailings going to spam (not bounces) and then we add SPF records and it gets a lot better.
We tend to recommend DKIM too, but I'm less sure how much of an effect that has and it's more of a pain to set up.
So I also think I wouldn't take these particular bounces too seriously.
Yeah, I removed the notice in our status page because of that, but it would still be nice if we could mail you folks. :)
Alternatively, it's great that you're here! Maybe I will just start creating tickets here and assign them to you, would that work? (Actually, it wouldn't: because you're not a member of the group, you can't be assigned issues - just mentioned, at least as far as I understand. I'd need to create a group or project for giant rabbit I guess? Would you be okay with tracking issues here in general? Or do you have your own issue tracker we should file issues into?)
I am curious as to why you guys aren't using any SPF records. We've had lots of clients complaining about their mailings going to spam (not bounces) and then we add SPF records and it gets a lot better.
We tend to recommend DKIM too, but I'm less sure how much of an effect that has and it's more of a pain to set up.
It's a long-standing controversy in the admin teams. Some think that SPF breaks the way email used to work, which is that, traditionally, other mail servers can send email for you, and that we shouldn't break that expectation.
So for now we don't have those records, and are dealing with the consequences. It's certainly something that's been on my mind for a while, but we don't even offer a clean interface for people to submit emails through @torproject.org right now, so I have to fix that before I make SPF records denying other servers to submit their mails. (And yes, I know about "blank allow" SPF records, but that's part of the controversy here...)
So, long story short: yeah, sorry about that, we're partly to blame for the email delivery. Thanks for the updates though. :)
anarcat changed title from "google bouncing all mails from @torproject.org" to "google bouncing mails from @torproject.org"
I authenticated our domain with Google Postmaster tools using my personal email account (how are we supposed to share those anyways?!). So far, all it says is "No data to display at this time. Please come back later." So I guess I'll just do that...
@susan had a similar problem with Office 360 one-time code confirmation emails from another source, which gmail is bouncing as spam when forwarding:
Feb 11 19:25:05 eugeni/eugeni postfix/slow/smtp[27550]: 7887FE060E: to=<[REDACTED]@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.71.26]:25, delay=0.34, delays=0.01/0/0.12/0.21, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[74.125.71.26] said: 550-5.7.1 [49.12.57.136 12] Our system has detected that this message is 550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail, 550-5.7.1 this message has been blocked. Please visit 550-5.7.1 https://support.google.com/mail/?p=UnsolicitedMessageError 550 5.7.1 for more information. q10si6125449wmf.67 - gsmtp (in reply to end of DATA command))
Might be unrelated, but registering to the postmaster tools is what the error message says, so that's done...
Unfortunately, the chances of that giving us a magic epiphany are slim. :(
i can't seem to get any useful information out of gmail's postmaster tools. all they tell us is:
No data to display at this time. Please come back later.
Postmaster Tools requires that your domain satisfies certain conditions before data is visible for this chart. Refer to the help page for more details.
I've been seeing this for weeks now, so it's likely never going to change until we set up DKIM.
Hi Sue, no I think it's fine. You're receiving these notifications because you were mentioned in the history of this ticket as being affected, but you can unsubscribe from further notifications, no problem.
Bounced like permanently refused? Google's greylisting message makes it sound like it's our fault but actually after several tries the mails go through. At least, that's been how it was before.
i'm going to go ahead and close this ticket. we already have numerous other tickets about mail bouncing or getting marked as spam at google (#40959 (closed), #40765 (closed), #40640 (closed), #46032, #40170...) and this one here is actually pretty vague and really getting old. i actually can't find a trace of that message in my logs anymore, so it's actually pretty hard to diagnose as well...
if people still see deliverability issues with gmail, please comment on the above tickets or open a new one.
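The thread separates two kinds of evidence: mail refused inside the SMTP session (the Postfix `status=bounced` log lines) and mail accepted by the remote side and returned later as a delivery status notification. The Python below is an added example, not part of the original thread or of the project's tooling; it classifies both, and the function names, `example.net`/`example.com` hosts, boundary `b1` and sample inputs are constructed for illustration.

```python
import re
from email import message_from_string

# Postfix smtp(8) delivery line: recipient, relay, DSN code, status, remote reply.
LOG_RE = re.compile(
    r"to=<(?P<to>[^>]*)>.*?relay=(?P<relay>[^,\[]+).*?dsn=(?P<dsn>\d\.\d+\.\d+), "
    r"status=(?P<status>\w+) \((?P<text>.*)\)\s*$")

def classify_log_line(line):
    """Classify one Postfix delivery log line; None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop SMTP multiline reply markers such as "550-5.7.1 " from the reply text.
    rec["text"] = re.sub(r"\s*\b\d{3}[- ]\d\.\d+\.\d+\s+", " ", rec["text"]).strip()
    # status=sent only means the remote MTA accepted it; a DSN may still follow.
    rec["kind"] = {"bounced": "refused-in-smtp-session",
                   "sent": "accepted-by-remote"}.get(rec["status"], rec["status"])
    return rec

def classify_dsn(raw):
    """Extract the per-recipient verdict from a multipart/report DSN, else None."""
    msg = message_from_string(raw)
    if msg.get_content_type() != "multipart/report":
        return None
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        # The parser exposes each header block (per-message, per-recipient) as a Message.
        blocks = part.get_payload()
        mta = next((b["Reporting-MTA"] for b in blocks if b["Reporting-MTA"]), None)
        for b in blocks:
            if b["Action"]:
                return {"kind": "bounced-after-acceptance", "reporting_mta": mta,
                        "action": b["Action"], "status": b["Status"],
                        "diagnostic": " ".join((b["Diagnostic-Code"] or "").split())}
    return None

# Constructed samples modelled on the log line and Google Groups DSN in the thread.
SAMPLE_LOG = ("Jan 25 21:25:22 mx postfix/smtp[558]: DBF82E05E7: to=<user@example.com>, "
              "relay=mx.example.net[192.0.2.25]:25, delay=2.1, dsn=5.7.1, status=bounced "
              "(host mx.example.net[192.0.2.25] said: 550-5.7.1 Our system has detected 550 5.7.1 "
              "very low reputation of the sending domain. (in reply to end of DATA command))")
SAMPLE_DSN = "\n".join([
    'Content-Type: multipart/report; boundary="b1"; report-type=delivery-status', "",
    "--b1", "Content-Type: text/plain", "", "** Message not delivered **",
    "--b1", "Content-Type: message/delivery-status", "",
    "Reporting-MTA: dns; mx.example.net", "",
    "Final-Recipient: rfc822; group@example.com", "Action: failed", "Status: 5.0.0",
    "Diagnostic-Code: smtp; rejected due to spam classification.", "", "--b1--", ""])
```

A sender-side log only ever shows the first kind; the second kind is visible only in the returned DSN, which is why the MTA can record a delivery as successful while the message still comes back.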