Skip to content

Gmail and their IPv6 Security is spaghetti

I’ve been running a mail servers for 15 years. I’ve held on to the same domain names and IP addresses since .com opened up to the public. But with Google’s implementation of IPv6 security policies, I am now shut out from 26% of the e-mail network in America – that’s Gmail’s market share.

As Tanguy points out in his blog, Gmail servers are blocking incoming messages for no good reasons. Jari, has a different approach, but the same source of problem. Gmail gives zero consideration to non-gmail email. I have a Comcast e-mail address that cannot send messages through a Comcast SMTP server to a Gmail account… and Comcast is the LARGEST supplier of Internet service in the continental United States.

And according to actual people that work in the department at Google in charge of this mess, they have no better reasons. One of them hypothesizes that there is not enough “good” traffic between our servers that the algorithm may learn which messages to pass through and which ones are actually spam coming from spoofed smtp hosts.

Really? Statistically, there’s a 26% chance that one of my e-mails is meant for a Gmail user (in actuality, higher because I work with local schools who are on Google’s suite of services for education). So some spammers must be sending a thousand times more spam to Google users while spoofing my hostname and IP address? But I still get hundreds of spam in MY Gmail account. So what makes it possible for spammers’ messages to get through but not MINE? Sheer quantity?

Let me make it clear that I am FOR moving to IPv6. We need more IP addresses if we keep going this route in technology. The accompanying changes in protocols can make some of the more exploited parts of the current Internet more secure. But then, people don’t get to send birthday party invites or veteran’s benefits notices to Gmail users. It’s the implementations out there that suck.

Even if you set up SPF, DKIM, DMARC on outgoing messages, if your e-mail has “spammer-like behavior”, it gets rejected. Spam-like behavior includes, messages to multiple recipients. The threshold is TWO recipients.

By the way, as always, Alex at Topicdesk has an excellent tutorial on adding DKIM to your OS X Server 5.x. The only change with OS X Server 5.2 and up is that you must fix a bug(?) in amavisd-new 2.0.11. For OS X Server,

 #In /Applications/
 #Add at line 22852

And with OS X Server 5.x, SPF is already compiled into the mail system. You only need to add TXT records to your DNS entry.

If you’re running on older versions, Alex has a SPF tutorial also.

 #Example: Replace with your actual domainname and ipv4/ipv6 addresses
 domain.tld 3600 IN TXT v=spf1 ip4: ip6:1111:2222:3333:4444::/56 ~all

Notice one problem with the IPv6 address. If you lease one (1) static IPv4 address from your ISP, they’ll probably give you a /56 block of IPv6 addresses… that’s 4.7 sextillion hosts. They ALL have to point back to your server. If you’ve ever hosted reverse DNS, you’ll know that’s impossible to manage PTR records. And I think that’s where Google decided to authenticate using SPF instead of forcing admins to create 4.7 sextillion arpa records.

This was especially true in my case as my ISP’s transitional equipment would assign a random IPv6 address from the 4.7 sextillion possibilities to my single machine every day.

Of course, you must also use Google’s Postmaster Tools to generate a google-site-verification hash and add that as a TXT entry to your DNS records. This is fairly easy, but I don’t see how it verifies anything.

Posted in Confusion, English.

0 Responses

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.

You must be logged in to post a comment.