>On Mon, 13 Mar 2017, Carsten Bormann wrote: >> The most likely outcome is that local admins will ?upgrade" our mail >> system by turning off IPv6. (We have had IPv6 deployed for some 18 >> years now.) > >On Mon, 13 Mar 2017, Philip Homburg wrote: >> Getting mail delivered to gmail over IPv6 works most of the time without >> ever setting up SPF or DKIM. Gmail does seem to be the single most >> unreliable mail server that I know of, mostly due to their attempts >> to be more strict on IPv6. > >As I hope everyone knows, receiving mail requires orders of magnitude more >work than sending it. Even 20 years ago before spam was an issue, >recipients had to receive it, route it, store it somewhere, filter it with >sieve or procmail, and provide POP or IMAP for the recipient to collect >it. These days, with 90% of mail being spam or worse, there's another >magnitude of work in trying to separate the real mail from the flood of >junk. Or try this thought experiment: how hard would it be to send a >million messages a day from your laptop (easy), and how hard would be be >to receive and deliver a million messages a day on that laptop >(impossible.) It is now more than 2 decades that people keep proposing FUSSP (Final Ultimate Solution to the Spam Problem) after FUSSP. "There is spam problem, we need to do something" "What you propose doesn't work" "There is spam problem, we need to do something, this is something" Is there any point arguing against a FUSSP? By and large there isn't. Until spammers start exploiting the FUSSP at a large scale, there is always a very creative argument why spammers cannot deal with this particular FUSSP. Some FUSSPs remain small enough that spammers don't bother. So they seem effective. Typically in those cases there are enough negative side effects to keep them small. >The point of authentication schemes like SPF and DKIM is to make it easier >for recipients to tell that your mail is from you, so they can treat it >differently from the spam. Everywhere else, the response is OK, I would >prefer that people get the mail I send them, I will set up authentication >because it is not hard (SPF takes about 5 minutes), and it helps the >people who are handling my mail with the mail system they are paying for. So, we have a succession of SPF, DKIM, and now DMARC that are supposed to protect against phishing or other identity issues. Fine, I don't have a phishing problem, so I can ignore it. Except of course, that it doesn't take long or it becomes a FUSSP. Look there is no spam with [insert technology du jour]. It works. As many people have found out, if you allow a FUSSP to bypass traditional spam filters, then spammers quickly find out. So these things just pile up. Or, more common, just get ignored. >I can also assure you from many conversations with large mail providers >that you will increasingly find that recipients will conclude that if you >can't be bothered to authenticate your mail, they can't be bothered to >deliver it. It's their mail system, they get to do that. So for my mail system I look at what is actually common enough that I need to consider it. Reverse DNS is a rather silly FUSSP, but common enough that is is required. And by and large I like reverse DNS. In my experience, essentially no mail gets lost if you leave out SPF, DKIM, DMARC. The only exception is gmail that occasionally rejects e-mail. In the context of IPv6 we now have an additional problem. Sites that have filters that are more strict for IPv6 than for IPv4. The obvious very quick workaround for many mail admins is to avoid delivering mail over IPv6. Of course, that just increases the SPAM/HAM ratio, justifying more draconian measures. Which in the end will just kill IPv6 as a transport for e-mail.