[dns-operations] creeping poorness of judgement

Viktor Dukhovni ietf-dane at dukhovni.org
Sat Mar 14 01:48:35 UTC 2020

On Sat, Mar 14, 2020 at 01:16:09AM +0000, Paul Vixie wrote:

> Today I got mail including this:
>     <jabley at hopcount.ca>: host aspmx.l.google.com[2607:f8b0:400e:c08::1b] said:
>     550-5.7.26 This message does not have authentication information or fails to
>     550-5.7.26 pass authentication checks. To best protect our users from spam, the
>     550-5.7.26 message has been blocked. Please visit
>     550-5.7.26 https://support.google.com/mail/answer/81126#authentication for more
>     550 5.7.26 information. l73si7852706pfd.109 - gsmtp
>     (in reply to end of DATA command)
> This is because I had no SPF record in my domain's TXT RRset.

Yes, this is by now a long-standing issue with the Google-operated
inbound MTAs that serve not only gmail.com, but also millions of
additional hosted domains, such as "hopcount.ca", making it difficult
to get by with exceptions just for e.g. google.com and gmail.com.

> Now, SPF is a bone headed idea and badly implemented, but I never
> cared until today because the lack of an SPF record inside my domain's
> TXT RRset never mattered.

Google have chosen to apply the requirement to have SPF and/or DKIM
records only on the IPv6 SMTP servers.  The IPv4 servers continue to
accept "classic" email not saddled with SPF and DKIM baggage...  [ A
fine way to promote IPv6 adoption, by putting up new barriers for any
foolish enough to try it. :-( ]

But you don't actually have to hinder forwarding of your email by
publishing SPF, another option is to use only IPv4 when sending email
via Google's MX hosts.  This can be done by hiding the AAAA records of
the Google MTAs from Postfix (my below adaptation of the example uses
the PCRE "x" option to make the filter more readable):


        # main.cf:
        pcre = pcre:${config_directory}/
        smtp_dns_reply_filter = ${pcre}smtp_dns_reply_filter

        # ${config_directory}/smtp_dns_reply_filter (pcre table):
        # /domain ttl IN AAAA address/ action, all case-insensitive.
        # Note: the domain name ends in ".".
        /^\S+\.google\.com\. \s+ \S+ \s+ IN \s+ AAAA \s+/x IGNORE
        /^\S+\.smtp\.goog\.  \s+ \S+ \s+ IN \s+ AAAA \s+/x IGNORE

Alternatively, you can disable IPv6 globally, and route only selected
ipv6-only domains via a dedicated IPv6-enabled transport.

        # main.cf:
        indexed = ${default_database_type}:${config_directory}/
        transport_maps = ${indexed}transport

        # ${config_directory}/transport (indexed table, rebuild with postmap):
        # route this domain via the IPv6-only "smtp6" transport.
        ipv6-only.example   smtp6

        # master.cf: the default "smtp" transport is restricted to IPv4.
        smtp       unix  -       -       n       -       -       smtp
            -o inet_protocols=ipv4
        smtp6      unix  -       -       n       -       -       smtp
            -o inet_protocols=ipv6
        smtpany    unix  -       -       n       -       -       smtp
            -o inet_protocols=all
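To check what the pcre reply filter above actually drops before deploying it, here is an added example (not from the post or from Postfix) that re-implements the table's matching semantics in Python and applies the two rules to constructed DNS reply lines; the TTLs and addresses are made up, and the first-match-wins and case-insensitive-by-default behaviour are those documented for Postfix pcre tables.

```python
import re

# The pcre table from the post above, embedded as constructed input.
FILTER_TABLE = r"""
# /domain ttl IN AAAA address/ action, all case-insensitive.
/^\S+\.google\.com\. \s+ \S+ \s+ IN \s+ AAAA \s+/x IGNORE
/^\S+\.smtp\.goog\.  \s+ \S+ \s+ IN \s+ AAAA \s+/x IGNORE
"""

# Constructed reply lines in the "domain ttl IN type rdata" form that
# smtp_dns_reply_filter matches against (hypothetical TTLs/addresses).
SAMPLE_REPLY = [
    "aspmx.l.google.com. 300 IN AAAA 2607:f8b0:400e:c08::1b",
    "aspmx.l.google.com. 300 IN A 192.0.2.27",
    "ALT1.ASPMX.L.GOOGLE.COM. 300 IN AAAA 2001:db8::1a",
    "mx.example.smtp.goog. 300 IN AAAA 2001:db8::2b",
    "mx.ipv6-only.example. 300 IN AAAA 2001:db8::3c",
]

# One rule per line: /pattern/flags ACTION
_RULE_RE = re.compile(r"^/(?P<pat>.*)/(?P<flags>[a-zA-Z]*)\s+(?P<action>\S+)$")


def parse_table(text):
    """Parse a Postfix-style pcre table into (compiled regex, ACTION) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line!r}")
        reflags = re.IGNORECASE  # Postfix pcre tables are case-insensitive by default
        if "x" in m["flags"]:
            reflags |= re.VERBOSE  # "x": whitespace inside the pattern is ignored
        rules.append((re.compile(m["pat"], reflags), m["action"].upper()))
    return rules


def apply_filter(records, rules):
    """Return the records Postfix would keep: first matching rule wins,
    and a record whose matching rule says IGNORE is dropped."""
    kept = []
    for rec in records:
        action = next((act for rx, act in rules if rx.search(rec)), None)
        if action != "IGNORE":
            kept.append(rec)
    return kept
```

Only the A record for Google's MX and the AAAA record of the unrelated domain survive, so Postfix falls back to IPv4 for Google while other IPv6 destinations are untouched.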
