Moving off self hosted email

Since March 4th, 2021, I have hosted my own email for this domain. I could definitely receive and I could send to most of my friends.

Then May 8th, 2021, I wanted to do something neat I read about online for fun:

• RFC6698 (DANE)
• RFC7672 (DANE for SMTP which is like RFC6797 (HSTS))
• RFC8461 (MTA-STS)

And I was successful! Green checks across the board on CheckTLS. I managed to use each standard effectively, I was in complete control of my server with reverse PTR records and everything! I didn't know these record types existed until I went through all this.

Next I automated checks for my DANE TLS records, this helped me stay on top of my ACME TLS integration with Let's Encrypt. Its put together with a cron job and a shell script which uses curl, jq, and openssl to update and verify DNS records in Cloudflare.

I was proud that I could technically achieve something cool (to me) and have it externally verified, while being so low resource (literally bash scripts and utility calls) it could run on a server with less than 64 MB of free memory. I literally pay $1 a month for it so it does not have much memory.

Then I tried to test my email setup with a few friends. For one of them I got back a rejection response, it mentioned:

host mx.zoho.com[204.141.43.44] said: 541 5.7.1 Mail rejected due to antispam policy

After digging into it among the many seemingly free email validation services, I see a few problems.

Oh right DMARC RFC7468. I've dealt with this at work a few times, as well as SPF RFC7208. Not too hard... So I fix those and wait a few days.

But the problem persists. It comes and goes too! I do literally everything right to the spec on inbound and outbound. One problem mentioned that my IP addressed was blocked by UCEPROTECTL3. So I look at this UCEPROTECT thing, and it's some website that's not even secured with HTTPS!

What is this thing? They do some sort of black hole listing that lasts for 7 days per violation. I look through it and there's something about paying for removal? It is about $100. But that's only for Level 1, I was on the level 3, what's up with that?

UCEPROTECT Level 3 blocks ASNs which you can think of as a group of IP ranges operated by an ISP. They want the ISP to take down misbehaving / spamming actors on their network. One could theoretically pay them to remove an ASN block for.. $485. But once a single IP address spams again, they'll add it back to their block list and keep the money.

I have zero spam history attributed to my server. And yet I can't send reply to someone who I paid for a custom pattern of my character?

hotmail-com.olc.protection.outlook.com[104.47.74.33] said: 550 5.7.1 Unfortunately, messages from [...] weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3140).

This sucks.

The price has increased three fold since I first looked at their prices last year. The pandemic hits spam grifters hard too, huh?

I have to depend on yet another service because of spammers and Scammy Real Time Black Holes.

My email is now serviced with fastmail. But it wasn't smooth either.

Fastmail did not detect that I had to migrate my MTA-STS settings. Which of course lead to Google refusing to send outbound from google to fastmail. I had the TTL set to 1 day, so switching that was a bother.

Everything seems settled now with Fastmail. I can communicate with people at orgs that should have competent email filtering without issue. So I'll leave it at that.