brianshea2 / addr.tools

https://www.addr.tools
GNU Affero General Public License v3.0
82 stars 4 forks

IPs of myaddr.x subdomains are getting blacklisted #4

Closed ZEROF closed 2 weeks ago

ZEROF commented 3 weeks ago

Hi,

First of all, thanks a lot for providing great services and their stability. It's easy to set up a subdomain, and some basic scripting brings automation. I even wrote some instructions for people using a free subdomain on how to set everything up and forget about it: https://gist.github.com/ZEROF/c3c45d94eeb163adf98b1a933ffaeae4 . Maybe you can even use this for your documentation. Anyway ...

Until now I had 0 issues using the myaddr.x domain. I use it to create a subdomain and set a PTR record to avoid the one provided by the ISP. The device behind this IP doesn't run a mail server, but the IP gets blacklisted. I got annoyed with this message: "non-compliance domain". A short explanation would be: even though the domain and IP are not serving email, they must have specific DNS TXT entries. A detailed explanation can be found here: https://www.cloudflare.com/learning/dns/dns-records/protect-domains-without-email/.

RBL authority message:

[screenshot of the RBL message]

Without testing I'm not really sure what the best solution would be (I don't think that we need DKIM and DMARC), but I would add at least an SPF record to your API. This should be the default value for the DNS entry, indicating "this domain is not running an email server":

subdomain IN TXT "v=spf1 -all"

I hope that you can integrate this on your side, and if you want to test my domain I can send you the info; just share your email.

Off topic: the documentation needs a full guide for setting up acme with nginx (because there's no real guide), and it would be a good idea to add your project here: https://github.com/acmesh-official/acme.sh/tree/master/dnsapi

Thanks

brianshea2 commented 2 weeks ago

I looked at your gist, thank you for writing that up! My hope is to one day compile user-contributed guides for using myaddr.tools with all the various platforms/software out there.

As far as your IP getting blacklisted... I'm a little confused :) Who/what is blacklisting your IP? The message you posted says the domain, which I'm assuming is your myaddr subdomain it found via the PTR record you said you set up for your IP, is considered non-compliant due to whois privacy. Well.... I'm not sure what it's testing compliance for, but the myaddr domains do indeed have whois privacy enabled so I don't get bombarded with spam or have my personal information out there for everyone to see. If you need a domain which you can control the whois data for, a free dynamic dns domain isn't going to be it :) The message also says your IP was flagged for not having a mail server at it. Ok, seems strange to flag an IP for that, as you say you're intentionally not running a mail server at that IP. I'm not really sure what this compliance nonsense is all about, but obviously I don't control what you host at your IP, as you understand.

So let's focus on your ask of adding the "this domain doesn't send email" spf record to myaddr subdomains. On the surface that sounds like a good idea, but some people may want to use a myaddr subdomain to prototype a project that could send out email notifications, for example. Obviously it's a bad idea to host a production mail server at a dynamic dns domain, but there's nothing technically wrong with that if just testing. Then again, I'm not sure I want to support that use case as it may lead to domain reputation issues. Let me do a little research here.

ZEROF commented 2 weeks ago

Hi,

Keeping privacy enabled on your domain is a good idea, and you shouldn't change that, like, ever.

And about this topic... rules in the email world change over time. Today every domain dealing with e-mail must have all those TXT DNS entries to be accepted as valid. More rules are added every few years to achieve security and fight spam. Now RBLs are pushing things to another level, "forcing" every domain to have at least the SPF mentioned before. They see a scenario like: "ok, you don't do mailing, but you must validate that by using the right DNS entry". Because even if you don't send mail, the domain can be used for some type of illegal activity without SPF. That's their logic behind this.

Your service in this state can't even be used for email testing purposes, but can be used for spamming without the obligation to have at least SPF. And without DKIM and DMARC, running a legitimate email service on your subdomain is not even possible.

Hope that you can integrate SPF with the possibility to be included or excluded, to cover both scenarios, including the one you mentioned.

brianshea2 commented 2 weeks ago

I've (maybe temporarily) updated the dns server to return v=spf1 -all for all myaddr requests. Please let me know if this clears up the RBL blacklisting issue.
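To verify a change like the one above (and the SPF requirement the earlier comments describe), a checker can classify whatever TXT records a domain returns and say whether they amount to a "this domain sends no mail" policy. The following is an added example, not code from addr.tools or from either participant. It parses TXT strings supplied inline (constructed here) so it runs offline; to test a live subdomain you would feed it the strings from a real TXT lookup. The only names assumed are the example's own (`classify_spf`, `SpfResult`).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Mechanism and modifier names defined by RFC 7208. Any other mechanism
# name is a syntax error, which receivers treat as "permerror".
_MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
# qualifier, name, separator (":" or "/" for mechanisms, "=" for modifiers), argument
_TERM = re.compile(r"^([+\-~?]?)([A-Za-z][A-Za-z0-9_.-]*)(?:([:=/])(.*))?$")


@dataclass
class SpfResult:
    status: str            # "none", "no-mail", "sends-mail" or "permerror"
    record: Optional[str]  # the SPF record that was examined, if any
    detail: str            # human-readable reason for the status


def _is_spf(record: str) -> bool:
    # RFC 7208 section 4.5: match "v=spf1" case-insensitively, and only when it
    # is followed by a space or the end of the string ("v=spf10" is not SPF).
    lowered = record.lower()
    return lowered == "v=spf1" or lowered.startswith("v=spf1 ")


def classify_spf(txt_records: List[str]) -> SpfResult:
    """Classify the SPF policy found among a domain's TXT records (constructed input)."""
    spf = [r for r in txt_records if _is_spf(r)]
    if not spf:
        return SpfResult("none", None, "no TXT record starts with v=spf1")
    if len(spf) > 1:
        # RFC 7208 section 3.2: more than one SPF record is a permanent error,
        # so the domain effectively publishes no usable policy at all.
        return SpfResult("permerror", spf[0],
                         f"{len(spf)} SPF records published; exactly one is allowed")

    record = spf[0]
    mechanisms = []   # (qualifier, name) in record order
    redirect = None
    for term in record.split()[1:]:
        m = _TERM.match(term)
        if m is None:
            return SpfResult("permerror", record, f"unparseable term {term!r}")
        qualifier, name, sep, arg = m.groups()
        name = name.lower()
        if sep == "=":
            # Modifiers: "redirect" hands evaluation to another domain, "exp"
            # only customises the failure text, unknown modifiers are ignored.
            if name == "redirect":
                redirect = arg
            continue
        if name not in _MECHANISMS:
            return SpfResult("permerror", record, f"unknown mechanism {name!r}")
        mechanisms.append((qualifier or "+", name))

    if redirect is None and mechanisms == [("-", "all")]:
        return SpfResult("no-mail", record,
                         "policy is exactly '-all': no host is authorised to send mail")
    if redirect is not None:
        return SpfResult("sends-mail", record, f"policy is delegated via redirect={redirect}")
    if not mechanisms:
        return SpfResult("sends-mail", record,
                         "policy has no mechanisms; the default result is neutral")
    if len(mechanisms) == 1 and mechanisms[0][1] == "all":
        q = mechanisms[0][0]
        return SpfResult("sends-mail", record,
                         f"'{q}all' alone is not a hard rejection (qualifier {q!r}, not '-')")
    authorised = [f"{q}{n}" for q, n in mechanisms if n != "all"]
    return SpfResult("sends-mail", record,
                     "policy authorises senders: " + ", ".join(authorised))


if __name__ == "__main__":
    # Constructed sample record sets (no DNS lookups are performed).
    samples = {
        "nomail.example": ["v=spf1 -all"],
        "sender.example": ["v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"],
        "softfail.example": ["v=spf1 ~all"],
        "noncompliant.example": ["some-verification=abc123"],
        "broken.example": ["v=spf1 -all", "v=spf1 ~all"],
    }
    for domain, records in samples.items():
        result = classify_spf(records)
        print(f"{domain:22} {result.status:10} {result.detail}")
```

Only `v=spf1 -all` on its own is reported as `no-mail`; a record that merely ends in `-all` after other mechanisms authorises senders, and `~all` or `?all` alone leaves mail from anywhere at softfail or neutral, which is why the checker refuses to call those a no-mail policy. Two SPF records for one name is flagged as `permerror`, since receivers discard the policy entirely in that case.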

ZEROF commented 2 weeks ago

Okay, super way to test it. I will share results.

ZEROF commented 2 weeks ago

Hi,

For now the results are 50/50, meaning one RBL whitelisted and the second one didn't do anything. I just sent mail to them asking to whitelist all your domains from this absurdity that they put in place. But knowing how this business works, I don't have a lot of hope about a positive response from them, but they have no legal right to do it and maybe this is the case to push things forward with GDPR. To be continued...

ZEROF commented 2 weeks ago

Hi @brianshea2,

It took me two days and explaining many things to the spfbl.net team about this project, and I can say we won the small battle. My domain was removed from that strange list and they removed the $2 "delisting" fee for every other myaddr.tools/dev/io sub-domain I tested. But I think that now they are using the fact that the PSL is not validated, from my understanding, and they are showing this:

[screenshot from spfbl.net]

The conclusion is, the SPF entry must stay. It's up to you to decide how you want to integrate this, but in this state of the project, I guess, you can leave it as it is now.

brianshea2 commented 2 weeks ago

@ZEROF thank you for working through this. I believe the SPF records indicating that no emails should be sent from myaddr domains are an appropriate change. I'll make that permanent and close this issue.