Unable to email anyone from my primary domain name; thanks Google Mail and G Suite.

Joe Hamelin joe at nethead.com
Thu Oct 24 00:27:29 UTC 2019


zip up the log before you send it. -Joe
--
Joe Hamelin, W7COM, Tulalip, WA, +1 (360) 474-7474


On Wed, Oct 23, 2019 at 5:20 PM Constantine A. Murenin <mureninc at gmail.com>
wrote:

> Dear NANOG@,
>
> I'm not sure where else to post this, and this is not really new, either,
> but I think I have a new take here.
>
> I use my own personal domain name for various UNIX stuff, including
> sending log-related things to myself out of cron, which end up in my own
> Gmail.com account, either directly, or through forwarding (w/o SRS).  (I do
> not use G Suite for my own domain name, for obvious reasons; just the
> consumer-based gmail.com email address from the old times of
> invitation-based registrations.)
>
> Over the years, I sometimes had certain messages rejected by Gmail, but it
> was a very low rate of rejection (less than 5% for any mail I cared about),
> and wasn't a major problem (usually only some automated messages would be
> rejected).
>
> A couple of months ago, I set up some new scripts that would send me new
> nightly emails.  It's all plain text, but had a few dozen domain names
> present (it's logs).  Absolutely no links, just plenty of domains which I
> don't control.  So, Gmail has been presenting most of these messages with
> their red warning label that the email contains malicious links, even
> though all of these emails contained zero links, zero URLs to any of these
> unknown domain names, zero URL schemes, zero "http://", zero "https://"
> etc.  You get the idea.
>
> Since about a few weeks ago, I am now seeing at least a 95% rejection rate
> for my domain name, for ALL email, including the forwards.  Including
> emails which I send to myself from within Google, and which get forwarded
> back to Gmail by my UNIX machine (which is not known to break Gmail's DKIM,
> either, although it's also difficult to test, because when it does get
> through, it's automatically marked as a duplicate by Gmail, so, you don't
> get DKIM status from Gmail by looking at the headers, since you only get to
> examine the original copy that was sent, not the forwarded duplicate that
> was subsequently accepted).  I.e., emails with a passing DMARC still get
> rejected.
>
> The funny thing is, Google doesn't actually blacklist my primary IPv6
> address in my own /48 from which all of my messages originate; even though
> the rDNS resolves to a subdomain on the very same domain name which they've
> blacklisted "due to the very low reputation".  They've blacklisted just the
> main domain name that I use for my own non-Gmail-hosted mail.  Sending the
> same messages into my Gmail.com from a different domain name in MAIL FROM,
> which is served from the same zone file DNS-wise (e.g., an SPF pass),
> through sendmail's `-f` option, or with Mutt, makes the messages go through
> (even with rDNS being "low reputation"); sending it from my primary domain
> name in MAIL FROM results in the following:
>
> >>> DATA
> <<< 550-5.7.1 [2001:470:xxxx::      19] Our system has detected that this message is
> <<< 550-5.7.1 likely suspicious due to the very low reputation of the sending
> <<< 550-5.7.1 domain. To best protect our users from spam, the message has been
> <<< 550-5.7.1 blocked. Please visit
> <<< 550 5.7.1  https://support.google.com/mail/answer/188131 for more information. 135si403977wma.43 - gsmtp
> 554 5.0.0 Service unavailable
>
> The support article suggests using Postmaster Tools; great, never heard of
> it, sounds cool; let's verify our domain, and try it out, hopefully,
> there's a solution right there.
>
> However, after verifying my domain name through DNS for Postmaster Tools,
> it is revealed that Postmaster Tools cannot tell me anything at all, with
> all tabs and screens being 100% blank, allegedly because I'm not actually a
> mass email sender (I don't send hundreds of emails a day or whatnot), and
> they're too afraid that I'll figure out why my mail doesn't actually go
> through, instead of signing up for G Suite.
>
> Right now, I've had a business need to reply to a work-related email from
> some other business.
>
> This is what I got after sending my reply from my primary domain name
> through mutt — a nice double rejection by both the G Suite and Gmail in a
> single bounce generated by my server:
>
>
>    ----- Transcript of session follows -----
> ... while talking to aspmx.l.google.com.:
> >>> DATA
> <<< 550-5.7.1 [2001:470:xxxx::      19] Our system has detected that this message is
> <<< 550-5.7.1 likely suspicious due to the very low reputation of the sending
> <<< 550-5.7.1 domain. To best protect our users from spam, the message has been
> <<< 550-5.7.1 blocked. Please visit
> <<< 550 5.7.1  https://support.google.com/mail/answer/188131 for more information. z11si12494671wrw.137 - gsmtp
> 554 5.0.0 Service unavailable
> ... while talking to gmail-smtp-in.l.google.com.:
> >>> DATA
> <<< 550-5.7.1 [2001:470:xxxx::      19] Our system has detected that this message is
> <<< 550-5.7.1 likely suspicious due to the very low reputation of the sending
> <<< 550-5.7.1 domain. To best protect our users from spam, the message has been
> <<< 550-5.7.1 blocked. Please visit
> <<< 550 5.7.1  https://support.google.com/mail/answer/188131 for more information. 135si403977wma.43 - gsmtp
> 554 5.0.0 Service unavailable
>
>
> Changing MAIL FROM into a non-primary domain name (served out of an
> identical zone file, basically) gets the message accepted, without DKIM,
> without the 4-minute delay that many "suspicious" messages have had for
> months now, from the very same IPv6 address with the rDNS pointing to the
> domain name with "the very low reputation", and it shows up in both my own
> Gmail as well as, presumably, in the G Suite account of the business
> partner I was replying to.  (Note that this trick where the rDNS domain
> gets ignored works only for new emails with a passing SPF; I presume the
> rDNS still prevails in bringing the "low reputation of the sending domain"
> for forwards, as they don't seem to succeed any longer now.)
>
>
> There are a number of possible tl;dr: takeaways here:
>
> * don't spread the monoculture — don't use G Suite for your organisation;
>
> * don't send crontab output to your Gmail from your primary domain name;
>
> * don't use Gmail.
>
>
> What is my own takeaway here?
>
> * Without being an anti-Google zealot, from a purely practical
> perspective, since my Gmail account no longer contains the mail I care most
> about, as it gets rejected on the SMTP layer, I'll have fewer reasons to
> use it.
>
> * I'll now have no other choice but to modify my setup to stop forwarding
> to Gmail, because my business contacts don't need to see all these bounces
> that are now taking place.
>
> * Since so many businesses are G Suite users, I'm still looking for a
> solution to get rid of the "the very low reputation of the sending domain"
> from a domain name I've been using since 2007, and which I'm 100% convinced
> was blacklisted by Google entirely for me sending crontab with system logs
> (zero HTML, zero URLs) to my own Gmail.  I have SPF and DMARC all set up and
> passing since years ago, which doesn't stop this issue from occurring.
> Merely switching the name of the domain in From and MAIL FROM to any other
> domain I own (which points to the very same MX) appears to be my workaround
> for now.
>
>
> Some possible suggestions for Google, if I may:
>
> * Maybe don't convert schemeless domain names which are non-URLs into
> "malicious" URLs?  (They already do seem to block them from being presented
> as links in the UI in such an instance, but there's little reason for
> trying to convert these domain names into links in the first place.)
>
> * Maybe don't consider harmless plain text emails with a bunch of domain
> names to contain malicious links when they don't?
>
> * Maybe don't assume everyone with a domain name runs a G Suite?  (Their
> whole troubleshooting guide is built around it.)
>
> * Maybe don't assume everyone with a domain name sends hundreds of emails
> from their domain name per day?  (They seem to limit Postmaster Tools based
> on such a criterion.)
>
> * Maybe don't blacklist a domain name for sending harmless logs to a Gmail
> account that lists said domain name as an alternative From address?
>
>
> Cheers,
> Constantine.
>
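
Added example, not part of either message above: a small parser for sendmail bounce transcripts of the shape quoted in this thread, which joins multi-line SMTP replies and labels each MX host's answer so that sender-domain reputation blocks can be told apart from other failures. The function names, the `2001:db8::19` address and the `mx.example.net` host are assumptions made for the illustration.

```python
import re

HOST = re.compile(r"^\.\.\. while talking to (\S+?)\.?:$")
REPLY = re.compile(r"^<<< (\d{3})([ -])(?:(\d\.\d{1,3}\.\d{1,3}) +)?(.*)$")

def parse_transcript(text):
    """Return one dict per complete SMTP reply in a sendmail bounce transcript."""
    replies, host, command, parts = [], None, None, []
    for line in map(str.strip, text.splitlines()):
        if m := HOST.match(line):
            host, command, parts = m.group(1), None, []
        elif line.startswith(">>> "):
            command, parts = line[4:], []
        elif m := REPLY.match(line):
            code, sep, enhanced, body = m.groups()
            parts.append(body.strip())
            if sep == " ":  # "550 " ends a reply, "550-" continues it
                replies.append({"host": host, "command": command, "code": code,
                                "enhanced": enhanced, "text": " ".join(parts)})
                parts = []
    return replies

def classify(reply):
    """Label a reply as temporary, domain-reputation, or permanent-other."""
    if reply["code"].startswith("4"):
        return "temporary"
    # The phrase spans two wrapped reply lines, so match on the joined text.
    if reply["enhanced"] == "5.7.1" and "reputation of the sending domain" in reply["text"]:
        return "domain-reputation"
    return "permanent-other"

def summarize(text):
    return {r["host"]: classify(r) for r in parse_transcript(text)}

# Constructed sample: reply wording from the bounce above, documentation-range
# address, queue ids omitted, and a made-up third host for contrast.
REJECT = """>>> DATA
<<< 550-5.7.1 [2001:db8::19] Our system has detected that this message is
<<< 550-5.7.1 likely suspicious due to the very low reputation of the sending
<<< 550-5.7.1 domain. To best protect our users from spam, the message has been
<<< 550-5.7.1 blocked. Please visit
<<< 550 5.7.1  https://support.google.com/mail/answer/188131 for more information.
554 5.0.0 Service unavailable
"""
SAMPLE = ("... while talking to aspmx.l.google.com.:\n" + REJECT
          + "... while talking to gmail-smtp-in.l.google.com.:\n" + REJECT
          + "... while talking to mx.example.net.:\n>>> DATA\n<<< 451 4.3.0 Try again later\n")
if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A line-by-line search for the rejection wording would miss it here, because the server's reply breaks between "sending" and "domain"; the parser matches only after the continuation lines are joined.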