Google blocks receipt of IPv6 email sent by OS X Server

It is increasingly common for (receiving) mail servers to want to check the IP address of a sending mail server matches the authorised listed mail server for a domain, there are various different ways this is done and I don't know whether a simple DNS forward/reverse comparison is one of them. One I do know Google use is SPF (Sender Policy Framework). This uses the addition of a txt record in your domain to list which mail servers are authorised for sending emails for your domain. The SPF rule can be set to be a 'hard' fail which means an unauthorised server is always blocked, or a 'soft' fail in which case it merely increases the spam score making it more likely to be marked as spam. There are other schemes as I mentioned like domain-records/domain-eys and so on.

To check to see if your domain has one of these records try the following in Terminal.app

nslookup -query=txt domain.com

where domain.com is your domain name as used in your email address

Here is the relevant line resulting from checking google.com

google.com text = "v=spf1 include:_spf.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"

The ~all entry means 'soft' fail a -all would mean 'hard' fail. The rest of that line defines a group of hostnames to allow, and two IP address ranges to allow.

For domain keys try

nslookup -query=txt mail._domainkey.domain.com

There are other schemes but those are the ones I have used. These are all aimed at trying to filter out fake aka. spam emails, a lot of spam uses fake from email addresses.

One could also argue that at this stage one should have a valid IPv4 address (and reverse PTR) for a mail server so as to allow other IPv4 only connected mail servers to reach you. IPv6 is still not widely adopted unfortunately. It is possible to have DNS records for both IPv4 (an A record) and IPv6 (and AAAA record) and similarly both types of reverse PTR. If your ISP is giving you true IPv6 connectivity and you are running a mail server then I would expect such an ISP to be able to define PTR records. You may need to speak to your ISP about this. The need for a valid reverse PTR is equally valid for both IPv4 and IPv6 and an ISP should be able to do both.

Thanks for the feedback. What you point out are all excellent best practices for configuring environments for hosting email, ones that I follow.

My setup has both SPF. and the SPF record embedded in a TXT record. The SPF and SPF TEXT records include both IPv4 and IPv6 server addresses.Currently my ISP doesn't provide IPv6 so I use tunneled IPv6 from Hurricane Electric which works well but makes configuring DNS a a bit more complicated for reverse PTR records. Forcing my MacMini to send gmail.com email via IPv4 was easy to set up. When I get the time I'll look into what it takes to get HE to change delegation or provide the reverse pointer.

At this time Google rejects IPv6 email if the reverse PTR record test fails. It doesn't matter what else you do in your DNS records. That's why I made this post to alert others so they don't spend as much time as I did figuring out this mandatory test that must pass for Google to accept IPv6 email Despite all other DNS settings.

As you've discovered, reverse DNS is a requirement for incoming IPv6 email.

Check out MAAWG's recommendations. It is in line with what the big providers are doing.

https://www.m3aawg.org/sites/maawg/files/news/M3AAWG_Inbound_IPv6_Policy_Issues- 2014-09.pdf

In general, both must be satisfied:

1) Valid IPv6 Reverse DNS is provided.

2) SPF or DKIM validate for the domain.

If one or both fail, it's up to the receiver to decide if they'll immediately reject or just mark it as spam.

Google has had their policy published for a while at:

https://support.google.com/mail/answer/81126?hl=en

Additional guidelines for IPv6

Microsoft (Exchange/Outlook/Hotmail) has similar restrictions:

https://technet.microsoft.com/en-us/library/dn720852(v=exchg.150).aspx

Hurricane Electric does provide a way to supply reverse DNS records for your IPv6 tunnel.

This works in El Capitan Server ONLY if you disable chroot, i.e.;

in master.cf:

smtp-ipv4 unix - - n - - smtp -o inet_protocols=ipv4

I also was struggeling with this issue, setting the network to manual using a valid public IPv6 Adres, Put this adres also in your domain txt record for spf

so it looks like: "v=spf1 include:_spf.example.com ip6:2001:A82:b3D1:1:6AEE:35f4:f4c6:4444 ip4:213.173.43.44 ip4:213.173.43.55 ~all"

and voila google didn't bounce my mail anymore.

Hello,

Running El Capitan server I get the following error in my mailq when I follow your directions:

(unknown mail transport error)

However, if I follow the directions above with respect to this line:

smtp-ipv4 unix - - n - - smtp -o inet_protocols=ipv4

In

/Library/Server/Mail/Config/postfix/master.cf

It does work correctly. And I did not disable "chroot" but it might not have been enabled.

Does this work on High Sierra? I recently tried to make the changes suggested, but it seems that mail to gmail was still going via IPv6.