A little bit about why your email are considered as a SPAM by Microsoft and Google.



  • Hi;

    To continue on the topic "Hosting my/your Email Server" and hopefully help some Cloudron users understand the reason for this, here's a little story.

    After building your self-hosted server, Cloudron and/or any self-hosted solution, you run all these tests successfully to be confident that your emails will reach their destination:
    mxToolBox

    • Blacklist
    • DKIM
    • DMARC
    • SPF
    • Reverse DNS

    Even Mail-Tester gives you a thumbs-up rainbow (10/10).

    But then you send your email to your friend, or worse, your client, and he's using Microsoft (Office365) or Google (gSuite) as the mail service to receive it. If you're lucky, your email passes their in-house spam filter and your friend/customer receives your email. With less luck, the message goes straight to their SPAM mailbox or, even worse, simply doesn't reach them at all.

    WHY ???
    Some ConspiraZionist would say: they want to control the world and kill all small businesses,....

    While this may be true, the fact is that Microsoft and Google use their own private blacklists (RBL), and they seem not to whitelist IPs as often as SpamHaus and/or Barracuda, which are public blacklists.

    Another reason might be that they enlarge the range of the subnet instead of only declaring one IP at a time. For example, if you are hosting your server at Hetzner and your neighbor with the IP 88.188.88.188/32 is marked as a spammer, they might ban the whole range of 88.188.88.0/24 or, even worse, 88.198.0.0/16, which represents a big part of the entire Hetzner AS network.

    They can also use a set of different patterns, which could vary from how long the email is to how similar it looks to a phishing attempt, ...

    Unfortunately, Microsoft and Google don't really provide support and guidelines for this kind of situation. Google has its postmaster.google.com, but even if your domain is verified... you have to send a s**t load of emails per month to be considered a legitimate sender.

    That's one reason why Cloudron supports mail relays such as SendGrid and MailJet, because Microsoft prefers to analyze your emails at the source and read them before the recipient; who knows, it could be a threat to U.S. national security... but these e-mails are also very useful for profiling and targeting, and also for feeding the Artificial Intelligence.

    To counter the last part, I suggest that you encrypt your email with GPG or PGP and/or if you have something very important to say to someone, just invite him/her for a coffee or a beer.

    😉



  • Email encryption is fundamentally broken and is security LARPing. Check out this article for more info.
    Also, MS doesn't own Sendgrid or Mailjet

    https://latacora.micro.blog/2020/02/19/stop-using-encrypted.html

    If you want encrypted comms, don't use email. It wasn't designed for that and PGP is old and broken.

    Coffee or beer is your best bet!



  • Thanks for the great write-up @JOduMonT! To add to your list, the domain reputation also affects email delivery. If you just very recently purchased a domain, it's likely that it gets binned. The key is to just be patient for a month or so.



  • @will I've been reading a lot about this lately. Signal seems to be the best bet. The gold standard. The second best, and perhaps the long-term best bet, is Matrix/Riot; that's why I'm excited to see them here!



  • @will said in A little bit about why your email are considered as a SPAM by Microsoft and Google.:

    Signal

    Based on Exodus Privacy Audit, Signal is not better than TelegramX.

    Also based on Exodus, the app for your communication and privacy, if it really exists, would be Freygo



  • @JOduMonT First off, that site is just reviewing app permissions. It’s docking Signal for requesting things like access to camera (used for taking and sending photos). That’s not really relevant here.

    From a security standpoint, the Signal protocol is the gold standard for secure messaging. Other apps, like WhatsApp, have even implemented it themselves.

    Signal is also a non-profit and spends a considerable amount of effort in reducing knowledge needed to operate on the server. Their goal is to get to a point you don’t have to trust the server at all.

    I have never heard of the app you’re recommending, but I don’t see any information about how they manage their encryption. Their website link (from Google Play) lands on some obscure website that doesn’t really load unless I turn off my tracker blockers. The site then doesn’t really indicate why I should trust them. No information on their funding or security. Also, the Play Store listing says it includes Ads. Which is a huge no-no for privacy.

    Telegram is a popular app, but Signal is often recommended for security/privacy. First off, Telegram offers both encrypted and unencrypted messaging and defaults to unencrypted. Group messages cannot even be encrypted at all. In Signal, all is encrypted. Furthermore, when using encryption, Telegram uses a custom crypto algorithm they wrote rather than industry trusted ones like Signal does. This goes against a common maxim in the security industry “don’t roll your own crypto”. It could be just as secure, but less eyes on it means we just don’t know enough about it. Most professionals prefer a tried and true system.

    Anyway, I’m pretty passionate about secure messaging, so I’ve done a bit of research here. All that said, unless they are willing to switch, the best one is the one your friends are using. Messaging is useless if you’re the only one with it. Kinda relates to the article will posted about encrypted email in the first place.



  • Signal has zero trackers and all 65 permissions are kosher:-
    https://reports.exodus-privacy.eu.org/en/reports/114396/



  • @iamthefij said in A little bit about why your email are considered as a SPAM by Microsoft and Google.:

    I have never heard of the app you’re recommending

    I've never heard about this Freygo, and I didn't recommend it; I even mentioned I suspected this app doesn't really exist.

    I don't know much about Signal, but it is often the app people mention. But after that, if Signal has apps such as Facebook and Messenger as neighbors, does it really matter? Your friend on Signal is probably your friend on Facebook, and by correlation you just help them to crack the code. (I'm saying you as us, them, not necessarily you)

    Personally I prefer using my own set of keys. I say that because apps like Telegram, WhatsApp, Messenger, yes, they use encryption, but they also generate the key and have both the private and public key, so it's only a matter of semantics and whether you trust their business.

    And yes, I agree with you: you could have the best app in the world from a privacy perspective, but if you know no one using it, it becomes a notepad for yourself.



  • @JOduMonT said in A little bit about why your email are considered as a SPAM by Microsoft and Google.:

    Personally I prefer using my own set of keys. I say that because apps like Telegram, WhatsApp, Messenger, yes, they use encryption, but they also generate the key and have both the private and public key, so it's only a matter of semantics and whether you trust their business.

    You still have to trust the application, but private keys for Signal are generated on the device and not sent to the server. To improve trust in the application, Signal actually has reproducible builds. WhatsApp should, in theory, function the same way, but they are not open source and do not have reproducible builds so you have no way to verify that is actually how it’s functioning.



  • As a security consultant for the world's number 1 security company (depending on how you measure it), I can say that out of the major applications, Signal is hands down the gold standard. So much so that other apps have taken their tech stack for their backend.
    The only downside in my eyes is the use of a phone number, but they have been doing insane amounts of work to get around that need. Def a cool space to watch. Hell, Signal can even be self-hosted. Maybe we'll see it on Cloudron.



  • @will said in A little bit about why your email are considered as a SPAM by Microsoft and Google.:

    The only downside in my eyes is the use of a phone number, but they have been doing insane amounts of work to get around that need.

    I saw that!! I can't wait. For my main use case (since I care about privacy/security and not much about anonymity), I don't mind a phone number for discoverability, since I actually want people to discover me and message me there rather than SMS. However, it's very valuable for others who need greater anonymity.

    I do look forward to it personally for things like registering bot accounts so that I can send notifications from my web servers to my Signal devices.



  • @iamthefij Well then you can make it so you're not discoverable unless you message the person. That's pretty anonymous

