Hi all, There's a good chance that the people who most need to see this won't see it, but here goes anyway. Google is currently dropping a _lot_ of the mail we attempt to deliver to lists.fd.o subscribers. The immediate cause is sending on mail from domains with SPF/DKIM/DMARC policies which explicitly specify that lists.fd.o cannot relay mail on their behalf. Every time we do that, not only do those mails get dropped on the floor by Google, Outlook/Office, and pretty much every large mail provider, but at least for Google this seems to really push fd.o's sender reputation down. I have contacted those from the responsible domains (and temporarily blacklisted them from sending any mail as an urgent fix), as well as tried to make contact with Google directly, but until our reputation recovers, Google appears to be dropping a lot of the messages we attempt to deliver, even from domains which do not have restrictive sender policies. If this gets much worse, we might need to temporarily suspend all delivery to GMail for a while and hope that the policies time out and return to normal delivery. In the meantime, if you are on one of these hosts and missing random emails from lists, at least you know why. Cheers, Daniel
>>>>> "DS" == Daniel Stone <daniel at fooishbar.org> writes:DS> The immediate cause is sending on mail from DS> domains with SPF/DKIM/DMARC policies which explicitly specify that DS> lists.fd.o cannot relay mail on their behalf. Mailman has an option to rewrite the From: headers for such domains. In particular, the 'Munge From' dmarc_moderation_action. Cf: https://wiki.list.org/DEV/DMARC -JimC -- James Cloos <cloos at jhcloos.com> OpenPGP: 0x997A9F17ED7DAEA6
Hi James, On Mon, 11 Feb 2019 at 19:32, James Cloos <cloos at jhcloos.com> wrote:> >>>>> "DS" == Daniel Stone <daniel at fooishbar.org> writes: > > DS> The immediate cause is sending on mail from > DS> domains with SPF/DKIM/DMARC policies which explicitly specify that > DS> lists.fd.o cannot relay mail on their behalf. > > Mailman has an option to rewrite the From: headers for such domains. > In particular, the 'Munge From' dmarc_moderation_action. > > Cf: https://wiki.list.org/DEV/DMARCThat's currently what I've done: we should now be stripping DKIM signatures, as well as munging the From address (which I've tried to avoid for the longest time, but, well ...) when there's any DMARC policy at all on the domain. We are seeing hard rejects from Google even when the DMARC policy is explicitly p=none (i.e. summarise/advise but do not quarantine or reject), so it seems we need to apply this everywhere. :( Cheers, Daniel