Opened 4 months ago

Last modified 3 months ago

#16632 assigned Bug/Something is broken

palantetech.coop May First email being flagged as spam

Reported by: Jack Aponte
Owned by: JaimeV
Priority: Medium
Component: Tech
Keywords:
Cc: Jamie McClelland
Sensitive: no

Description

Hi friends,

I've heard from a couple of tech-savvy folks this week that my direct jack@… emails to them at their Google Mail-powered email addresses are getting filtered to their spam folders, despite them having communicated with me in the past. Here are the headers from one such email:

Delivered-To: jen@jenerationweb.com
Received: by 2002:ab3:6349:0:0:0:0:0 with SMTP id k9csp4015307ltf;
        Wed, 11 Aug 2021 16:14:28 -0700 (PDT)
X-Google-Smtp-Source:
ABdhPJzeokLOQ7992zvXE/95UUVYgLCgxUl6q7OH+TfgOUkMy/47G8mFBZG/67TXnUJCR+u9sz/S
X-Received: by 2002:a67:c789:: with SMTP id t9mr1203566vsk.60.1628723668273;
        Wed, 11 Aug 2021 16:14:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1628723668; cv=none;
        d=google.com; s=arc-20160816;
        b=AN/DVABUfKPruJsdJreDM1snkMdC6IEBHW7VHce6ddRYVqEy1ZsMk6ZIxVTQE3itq/
         I/PQ0et81X5mMe0QzjERhbKmeMmQwIQCw5WwlG6NJCiwT3F4af1d5+AWMMGFYqFIstye
         OAhvnm+jsiQBp+YU2D2fdoOSx7ZSPuFpMkleV+odlUvfb2flsd2kZeTSEn/uEA2X5/NQ
         EX3Vj/NmAkPTcSiOdM3I6Hsokt69kdnJaikgUfbUAWa7d84hqBEgHcl9l+UtrsoyayfK
         iCxXWSjXJ9zCRtPc+qab3NPFdHOHko2y/9vy4A5ZphbguocAttnNcq/LOadNInkQDNww
         C3Yw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
d=google.com; s=arc-20160816;
        h=content-transfer-encoding:content-language:in-reply-to:mime-version
         :user-agent:date:message-id:organization:references:cc:to:from
         :subject;
        bh=D4PsyfuKTXijHQyWgPRrBWFXc1tfVQBW6gW8yqRBxq0=;
        b=AgQW31tQiTMDCG1aIsye7p1PEZxi2oqfuQHklCc3c9nowtVS12kG0r4rk+gMBnGHOg
         K+RX3HvruBucHYyf8C6aHlcVw7ziGJvlpnEJivsr0intMP1Etuitj0Vni1RbUvSX9n4X
         Y2Se0uPYGvehb4fWI/Neh2vDM1r2+uIi1VrLm+pMB90Fet95PiMGQNP5psC0gCghgLh+
         jhPL07GAeT5fnHspkQ4lo5FAjj5aoe12sk0BqPR5SKF2ZT4P8vqOF/DzzojKUVRLDlKt
         QtRh1716i057yg6XIWzXa9rcnp5VXnTZqEAUNs1waTsPxeFY/VQBFEVRCrEJiL4V7GOJ
         +DSA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of jack@palantetech.coop
designates 162.247.75.206 as permitted sender)
smtp.mailfrom=jack@palantetech.coop
Return-Path: <jack@palantetech.coop>
Received: from gil.mayfirst.org (gil.mayfirst.org. [162.247.75.206])
        by mx.google.com with ESMTPS id d24si243122vsf.441.2021.08.11.16.14.27
        for <jen@jenerationweb.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 11 Aug 2021 16:14:28 -0700 (PDT)
Received-SPF: pass (google.com: domain of jack@palantetech.coop
designates 162.247.75.206 as permitted sender)
client-ip=162.247.75.206;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of jack@palantetech.coop
designates 162.247.75.206 as permitted sender)
smtp.mailfrom=jack@palantetech.coop
Received: from gil.mayfirst.org (unknown [127.0.0.1]) by
gil.mayfirst.org (Postfix) with ESMTP id 808635F6F; Wed, 11 Aug 2021
19:14:27 -0400 (EDT)
Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated
sender: xxxxx) with ESMTPSA id 01DB85ED8
Subject: Re: Accepting donations via CiviCRM
From: Jack Aponte <jack@palantetech.coop>
To: pono@sfconservancy.org
Cc: karen@sfconservancy.org, Jen Lampton <jen@jenerationweb.com>
References: <ca3de8c7-0e2f-7151-6545-5582e29b88fe@palantetech.coop>
Organization: Palante Technology Cooperative
Message-ID: <0ab27f39-9729-000d-9e01-576333f3cda3@palantetech.coop>
Date: Wed, 11 Aug 2021 16:14:24 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.12.0
MIME-Version: 1.0
In-Reply-To: <ca3de8c7-0e2f-7151-6545-5582e29b88fe@palantetech.coop>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV using ClamSMTP

Nothing looks wrong to us in those headers, though I don't know whether the "(unknown [127.0.0.1])" bit might raise a flag; it seems a bit funny.

We aren't picking up that palantetech.coop, gil.mayfirst.org, mail.mayfirst.org or albizu.mayfirst.org are on any spam/block lists.

Not sure there's anything that May First can do about this, but just wanted to flag it for you!

Saludos, Jack

Change History (8)

comment:1 Changed 4 months ago by JaimeV

Cc: Jamie McClelland added
Owner: set to JaimeV
Status: new → assigned

Hi Jack,

Sorry for the delay. I looked at this earlier this week and didn't have any additional explanation. It is unsettling and adds to other anecdotal reports of mail going to Gmail spam temporarily. Jamie and I looked at this again today and don't have any additional feedback. Are you still experiencing this issue consistently with Gmail recipients?

Google Postmaster Tools doesn't offer us much feedback for our own domain. We could add palantetech.coop to the list of domains to track for our Google Postmaster account; we can verify the domain by adding a DNS record for it. Let us know if you think this would be useful or would rather track it yourself this way.

comment:2 Changed 3 months ago by Jack Aponte

Hi Jaime, thanks for this response, and sorry for the delay in turn.

Yes, this is very unsettling indeed! And we continue to get reports and see evidence from Gmail users that our palantetech.coop emails sent through May First are being sent to spam, to the point where it's interfering with our client work and our movement work.

As far as we can tell, our bulk and transactional mail sent through Mailgun is getting through to the same Gmail addresses fine, so it seems to be an IP reputation issue rather than a domain reputation issue.

I've set up Google Postmaster Tools for palantetech.coop and mail.palantetech.coop, thanks for that good idea. I'm going to keep an eye on that and will let you know what I find.

Let me know if you'd like us to grant a May First Google user access to Postmaster Tools for our domain; I'll double check with the rest of the team and get that set up for you if yes.

comment:3 Changed 3 months ago by JaimeV

Thanks for the follow-up, Jack. I think if you pass on any useful info you can glean from Google Postmaster Tools, that is enough. Honestly I would be surprised by that, as they have not given us anything useful for our own domain.

I am not discarding your suspicions, but it seems that if this were an IP reputation issue we should be receiving much wider reports of mail going to spam.

One thing we had identified earlier is that mails whose body text contains links from URL shortening services like bit.ly were being flagged as spam by Gmail.

Can you tell if that is the case for any of your mails that have been sent to spam?

comment:4 Changed 3 months ago by Jack Aponte

Thanks Jaime. I'll pass along anything useful that we glean from Google once data starts showing up for us! I hear you on the IP reputation tip; hopefully our Postmaster Tools data will shed some light on what's actually going on here.

As far as I know, none of the emails sent to spam contained links from URL shortening services; the emails I sent that went to spam definitely didn't include such links.

comment:5 Changed 3 months ago by Jack Aponte

More info in case it's helpful:

I tested sending the same email with "real" content (subject and body from an actual email I sent previously) from my palantetech.coop address to my personal Gmail and Riseup addresses.

Got to Riseup inbox with no problems despite their fairly rigorous spam filtering. The headers have more interesting info than Gmail offers:

Return-Path: <jack@palantetech.coop>
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on towhee.riseup.net
X-Spam-Level: 
X-Spam-Pyzor: Reported 0 times.
X-Spam-Status: No, score=0.4 required=6.0 shortcircuit=no autolearn=disabled
	version=3.4.2
X-Spam-Report: 
	*  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
	*      [score: 0.5000]
	* -0.1 NICK_TO Being sent to address with normal nick
	* -0.1 MATCH_NICK_TO Being sent to address with part of name
	*  0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
	* -0.0 SPF_PASS SPF: sender matches SPF record
	*  0.0 CK_419SIZE typical 419 size - avoid matches in long text
	*  0.1 CK_KARD_SIZE short, card virus size - avoid matches in long
	*      text
	* -0.4 DCC_REPUT_00_12 DCC reputation between 0 and 12 %  (mostly ham)
	* -0.1 AM_TRUNCATED Compensate on large message for misfiring rules
	*  0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay
	*      lines
	*  0.0 KAM_DMARC_STATUS Test Rule for DKIM or SPF Failure with Strict
	*      Alignment
	*  0.2 TXREP TXREP: Score normalizing based on sender's reputation
Delivered-To: jackaponte@riseup.net
Received: from mx1.riseup.net (mx1-pn.riseup.net [10.0.1.33])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "*.riseup.net", Issuer "Sectigo RSA Domain Validation Secure Server CA" (not verified))
	by towhee.riseup.net (Postfix) with ESMTPS id 4Gw0h53LTBz2g
	for <jackaponte@riseup.net>; Wed, 25 Aug 2021 15:16:53 -0700 (PDT)
Received: from paulo.mayfirst.org (paulo.mayfirst.org [162.247.75.97])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mx1.riseup.net (Postfix) with ESMTPS id 4Gw0h51qfczF42s
	for <jackaponte@riseup.net>; Wed, 25 Aug 2021 15:16:53 -0700 (PDT)
Received: from paulo.mayfirst.org (unknown [127.0.0.1])
	by paulo.mayfirst.org (Postfix) with ESMTP id 8B8E03F31
	for <jackaponte@riseup.net>; Wed, 25 Aug 2021 18:16:52 -0400 (EDT)
Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated sender: xxxxx) with ESMTPSA id 48CA43F29
From: Jack Aponte <jack@palantetech.coop>
Subject: Updating billing contact for BEB
To: Jack Aponte <jackaponte@riseup.net>
Organization: Palante Technology Cooperative
Message-ID: <192ce723-0935-c165-1a49-afe0202b7056@palantetech.coop>
Date: Wed, 25 Aug 2021 15:16:50 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
 Thunderbird/78.13.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV using ClamSMTP

The same message wound up in my Gmail Spam. When I opened the email in Gmail I saw this warning message:

Why is this message in spam?

Lots of messages from palantetech.coop were identified as spam in the past.

I clicked the "Report Not Spam" button.

Headers from the message received via Gmail:

Delivered-To: jackaponte@gmail.com
Received: by 2002:a67:ec0f:0:0:0:0:0 with SMTP id d15csp76756vso;
        Wed, 25 Aug 2021 15:16:33 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyq+XuP9kdOg2ElxMmczXikEi0UNYbYKQU4Zd1OzbMl+B5RNSix1p5FP1O7Pv+kkiMqiBq7
X-Received: by 2002:a37:6114:: with SMTP id v20mr843275qkb.348.1629929793478;
        Wed, 25 Aug 2021 15:16:33 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1629929793; cv=none;
        d=google.com; s=arc-20160816;
        b=weslgURO7lcwFfmWm6cKpvMoV8BeiZ+HGvfCyygRiyg3tnKvYr5QTrJPeuoLK1iPuf
         EQotJUFZdeNr1vMKnKGl7SNiOiX0hDxx0vQpQcXq57Blf+MmVTTOjX751oujlB36l9g0
         WGoVFh3w1M/HRuTCJB3s8Sem2zisH2Ax8AUF2/bxgKeVEHeCnsgxxH1UYA82b0GyvEQG
         m7Wu6cwzGWv5Q0KJI92WFbhBVzHOWcihrUT6Gh6G6lCO+ttuwgDr7nl81dJdFKZBpWGy
         wgciFKukxa4XzFcuBsaHX3yIiyBVmlDWmCalGdrGBz1bp3D9/hCuQGNHkpDGXGpGFER4
         t2xg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:content-language:mime-version:user-agent
         :date:message-id:organization:subject:from:to;
        bh=TJ2XImKgqm7P0s4GLQaJF06OxkcxvHc8/f+jUtVVRDQ=;
        b=PCk/9/U0VraHtPWFkXFGGdxBg/9z53kqZaaLUWIYXCGsYPTvQ2499Rhn2kh5ZOyqpv
         WMNpQ2A3y1B5Sgq/J3ZyEWuWIo0vCaoYalSUtBmwDGRkOmMr+eGoe5ew05ad1hV0Q0Ui
         +v/z5HOb6tUiUOivPgugbDaP5+dDZBPAgpjm/dcpVcFxQhEipQRLVPijpbO4iQCPo+dx
         Amy2/cEqYAdL/Q47xz1hQhLWw1V3SY10V1ANS7oEgF3yzYiI/Rzmg7EG3PZZO2dq7QBI
         beYqOzwQDCKtfNEs2MQGrUqxSP2td1HIp5n5hpcl21x1dfzLkM+1Ycnny7gNr9JgPEh0
         09jw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of jack@palantetech.coop designates 162.247.75.97 as permitted sender) smtp.mailfrom=jack@palantetech.coop
Return-Path: <jack@palantetech.coop>
Received: from paulo.mayfirst.org (paulo.mayfirst.org. [162.247.75.97])
        by mx.google.com with ESMTPS id s4si559534qtc.376.2021.08.25.15.16.32
        for <jackaponte@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 25 Aug 2021 15:16:33 -0700 (PDT)
Received-SPF: pass (google.com: domain of jack@palantetech.coop designates 162.247.75.97 as permitted sender) client-ip=162.247.75.97;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of jack@palantetech.coop designates 162.247.75.97 as permitted sender) smtp.mailfrom=jack@palantetech.coop
Received: from paulo.mayfirst.org (unknown [127.0.0.1]) by paulo.mayfirst.org (Postfix) with ESMTP id 705F23F35 for <jackaponte@gmail.com>; Wed, 25 Aug 2021 18:16:32 -0400 (EDT)
Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated sender: xxxxx) with ESMTPSA id 0C6483F29
To: jack aponte <jackaponte@gmail.com>
From: Jack Aponte <jack@palantetech.coop>
Subject: Updating billing contact for BEB
Organization: Palante Technology Cooperative
Message-ID: <2257f896-46d6-bb63-977c-fde6c0637425@palantetech.coop>
Date: Wed, 25 Aug 2021 15:16:29 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.13.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV using ClamSMTP

comment:6 Changed 3 months ago by Jamie McClelland

Hi Jack,

We have a filter-check program we wrote a few years ago so we could get alerts if we end up in the spam box for Yahoo, Google, and MSN. It runs every four hours on a cron job and sends us an alert if any message ends up in the spam box.

Jaime and I just ran it by hand to see if we could replicate your experiences - and we ran it several times with different from addresses.

0 gil:~# filter-check --sendvia mail.mayfirst.org --sendto gmail --emailfrom jack@palantetech.coop --subject "Updating billing contact for BEB" --sleep 30
Message sent (Thu, 26 Aug 2021 16:34:15 -0000)
Message-id: <162999565548.32047.16776608678179814587@gil.mayfirst.org>
Sleeping for 30.0 seconds.
Found in: Spambox

1 gil:~# filter-check --sendvia mail.mayfirst.org --sendto gmail --emailfrom filtercheck@palantetech.coop --subject "Updating billing contact for BEB" --sleep 30
Message sent (Thu, 26 Aug 2021 16:35:23 -0000)
Message-id: <162999572315.32177.508010376102206691@gil.mayfirst.org>
Sleeping for 30.0 seconds.
Found in: Spambox

1 gil:~# filter-check --sendvia mail.mayfirst.org --sendto gmail --emailfrom jamie@mayfirst.org --subject "Updating billing contact for BEB" --sleep 15
Message sent (Thu, 26 Aug 2021 16:36:06 -0000)
Message-id: <162999576644.32284.15692285413822970425@gil.mayfirst.org>
Sleeping for 15.0 seconds.
Found in: Inbox

0 gil:~# filter-check --sendvia mail.mayfirst.org --sendto gmail --emailfrom jamie@octopoda.org --subject "Updating billing contact for BEB" --sleep 15
Message sent (Thu, 26 Aug 2021 16:36:34 -0000)
Message-id: <162999579457.32334.9637602259526676242@gil.mayfirst.org>
Sleeping for 15.0 seconds.
Found in: Inbox

0 gil:~# filter-check --sendvia mail.mayfirst.org --sendto gmail --emailfrom jack@palantetech.coop --subject "a different subject" --sleep 30
Message sent (Thu, 26 Aug 2021 16:37:04 -0000)
Message-id: <162999582428.32385.4726638329146583476@gil.mayfirst.org>
Sleeping for 30.0 seconds.
Found in: Spambox

1 gil:~# filter-check --sendvia mail.mayfirst.org --sendto gmail --emailfrom jack@palantetech.com --subject "a different subject" --sleep 15
Message sent (Thu, 26 Aug 2021 16:38:14 -0000)
Message-id: <162999589458.32641.512826370499476862@gil.mayfirst.org>
Sleeping for 15.0 seconds.
Found in: Inbox

0 gil:~# filter-check --sendvia mail.mayfirst.org --sendto gmail --emailfrom jamie@coshnetwork.org --subject "Updating billing contact for BEB" --sleep 15
Message sent (Thu, 26 Aug 2021 16:39:11 -0000)
Message-id: <162999595153.32748.13581679437010700071@gil.mayfirst.org>
Sleeping for 15.0 seconds.
Found in: Inbox

0 gil:~# filter-check --sendvia mail.mayfirst.org --sendto gmail --emailfrom jamie@albizu.mayfirst.org --subject "Updating billing contact for BEB" --sleep 15
Message sent (Thu, 26 Aug 2021 16:39:47 -0000)
Message-id: <162999598735.356.1692541923191536915@gil.mayfirst.org>
Sleeping for 15.0 seconds.
Found in: Inbox

0 gil:~# 

We can definitely replicate your results!

The problem is that it seems to be triggering on your domain name. We tried many different from addresses, including others that are receiving email on albizu just like yours. I'm honestly not sure what to make of these results.

comment:7 Changed 3 months ago by Jack Aponte

Thanks for the additional info, Jaime. I'm trying to figure out what's configured differently between palantetech.com and palantetech.coop that would account for the different treatment by Gmail, but haven't been able to spot anything yet. :(

I know that DKIM and DMARC would help out with these problems and look forward to when that is ready on May First!

I'll keep y'all posted; thank you for all the help here!
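Added example (not part of the ticket and not May First's tooling): a parser for the `Authentication-Results` header from the Gmail copy quoted in comment:5, reporting which of SPF, DKIM and DMARC the receiver recorded and whether the SPF domain matches the From domain. The function names, the `trusted_authserv` parameter and the exact-match domain comparison are assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers abridged from the Gmail copy quoted in comment:5 of this ticket.
SAMPLE = """\
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of jack@palantetech.coop designates 162.247.75.97 as permitted sender) smtp.mailfrom=jack@palantetech.coop
Return-Path: <jack@palantetech.coop>
From: Jack Aponte <jack@palantetech.coop>
Subject: Updating billing contact for BEB

"""

EXPECTED = ("spf", "dkim", "dmarc")  # methods a receiver normally records


def domain_of(value):
    """Domain part of an address or bare domain, lower-cased."""
    return parseaddr(value)[1].rpartition("@")[2].lower()


def parse_authres(value):
    """Split one Authentication-Results value (RFC 8601 syntax) into
    (authserv_id, {method: {"result": ..., property: value, ...}})."""
    prev = None
    while prev != value:  # strip (comments), innermost first, until none remain
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id = parts[0].split()[0].lower()
    methods = {}
    for part in parts[1:]:
        tokens = part.split()
        if "=" not in tokens[0]:  # a bare "none": no authentication was done
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        methods[method.lower()] = {"result": result.lower(), **props}
    return authserv_id, methods


def audit(raw_headers, trusted_authserv="mx.google.com"):
    """Report what the trusted receiver recorded for SPF, DKIM and DMARC."""
    msg = message_from_string(raw_headers)
    from_domain = domain_of(msg.get("From", ""))
    methods = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, found = parse_authres(value)
        if authserv_id == trusted_authserv:  # skip headers added by other hosts
            methods.update(found)
    spf = methods.get("spf", {})
    # Exact-match comparison (an assumption of this example); DMARC's relaxed
    # mode would compare organizational domains instead.
    aligned = (spf.get("result") == "pass"
               and domain_of(spf.get("smtp.mailfrom", "")) == from_domain)
    return {"from_domain": from_domain,
            "results": {m: v["result"] for m, v in methods.items()},
            "missing": [m for m in EXPECTED if m not in methods],
            "spf_aligned": aligned}


if __name__ == "__main__":
    print(audit(SAMPLE))
```

For the sample above, the only recorded result is an aligned SPF pass, with no DKIM or DMARC entry from mx.google.com.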

comment:8 Changed 3 months ago by Jack Aponte

Hi again everyone! Some good news: palantetech.coop email seems to be making it through to Gmail inboxes a bit better as of the past few days. Bad news: we really have no idea why that changed, besides me testing a lot of palantetech.coop emails to my Gmail.com account and marking them as not spam.

When Gmail was marking palantetech.coop email as spam, it showed this message: "Lots of messages from palantetech.coop were identified as spam in the past." So as you indicated it does seem like this was palantetech.coop specific, which is frustrating. Now the problem seems to have gone away of its own accord; fingers crossed that it stays that way!

While troubleshooting this I reviewed the email headers from an email sent via Electric Embers and saw these interesting lines in the X-Spam-Report header:

	* -2.5 RCVD_IN_HOSTKARMA_W RBL: Sender listed in HOSTKARMA-WHITE
	*      [208.90.215.73 listed in hostkarma.junkemailfilter.com]
	* -0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
	*      [208.90.215.73 listed in wl.mailspike.net]
	* -0.0 RCVD_IN_MSPIKE_WL Mailspike good senders

While the Mailspike headers don't indicate much happening there, checking the Electric Embers IP address in https://www.mailspike.net/iplookup.html shows a Good Reputation record, and on https://ipadmin.junkemailfilter.com/remove.php their IP address is whitelisted. paulo.mayfirst.org (162.247.75.97) isn't listed in either place, nor is gil.mayfirst.org.

Might it be worthwhile towards overall email deliverability to get positive listings on lists like these? I'm not sure that would make any difference for deliverability to Gmail, but it might make a difference for other email services!
