Sunday, May 13, 2018

Enabling SPF on Dreamhost accounts

Dreamhost writes about SPF:

SPF overview – DreamHost

… Mail servers that receive an email for delivery can check SPF by comparing the sending server’s IP address against the email's envelope sender's SPF DNS record. If the email was sent from a server that is not included in that SPF record, the email is more likely to be spoofed or untrustworthy. The receiving mail server may handle the email differently because of the SPF failure, such as marking the email as spam or rejecting the email…

and

What SPF records do I use? – DreamHost

If you’re hosting your email at DreamHost, no changes need to be made to your SPF records. DreamHost’s SPF records are generated automatically and should work without any issues or additional changes.

IP's in DreamHost’s SPF records include mail servers and the relay machine IP addresses.

Except this isn’t true. When I was investigating my family’s Google email Hell I found that emails sent from DH Webmail didn’t have SPF records in the header. I tested using mxtoolbox.com, Kitterman, and by inspecting emails in Gmail using the ‘view original’ option. I also directly inspected my DNS settings. No SPF.

When I asked, DH tech support admitted their documentation was wrong and responded (emphases mine):

If it were, you'd see the SPF setup on the 'Manage Domains' > 'DNS' page by default for every domain hosting mail with us along with the DKIM that's already there, but SPF is NOT set by default (at this time).

… we should start setting it by default, so that info above may be accurate in the future. We’re doing a lot with emails right now, which is still mostly in the discussion phase, so this is likely something that’ll come up as well what with various hosts starting to strengthen their incoming filters to help stop spam.”

For the domain in question, I’ve added the record for you through the 'Manage Domains' > 'DNS' page as a TXT record:

… We have now added the TXT record for .faughnan.com with value v=spf1 include:netblocks.dreamhost.com. Our DNS servers will start serving this record within a couple of minutes.

My DNS records now show an SPF TXT record:

v=spf1 include:netblocks.dreamhost.com

Unfortunately adding the SPF didn’t help with Google treating my DH redirects as spam. I have a hunch those come from DH’s own SMTP service (homiemail) and that service might have a reputational issue with Google, but I don’t really know what’s going on. I don’t think anyone does any more.
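As an added illustration of the SPF check DreamHost describes above (example code written for this post, not DreamHost’s or anyone else’s tooling), here is a minimal evaluator that walks a record’s mechanisms against a sending IP. DNS is replaced by a constructed in-memory TXT table; the domains and netblocks in it are made up, and the a/mx/ptr/exists mechanisms that need live DNS are skipped. It also shows a caveat a practitioner would want: a record that ends without -all or ~all, like the one added to my domain above, returns neutral rather than fail for an IP it doesn’t list.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (made-up domains and netblocks,
# not real DreamHost data).  Maps a domain name to its SPF TXT record.
FAKE_TXT = {
    # strict record: anything not covered by the include fails
    "strict.example.test": "v=spf1 include:netblocks.host.test -all",
    # same shape as the record DreamHost added above: no trailing "all"
    "open.example.test": "v=spf1 include:netblocks.host.test",
    # the hosting provider's published netblocks (constructed)
    "netblocks.host.test": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ~all",
    # a record that includes itself, to exercise the lookup limit
    "loop.example.test": "v=spf1 include:loop.example.test -all",
}

MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying mechanisms per evaluation

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_domain, sending_ip, txt_lookup=FAKE_TXT.get, _depth=0):
    """Evaluate the SPF record of sender_domain against sending_ip.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    record = txt_lookup(sender_domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"  # no SPF published for this envelope-sender domain
    ip = ipaddress.ip_address(sending_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass" on match
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # a mismatched address family simply does not match
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            if _depth >= MAX_LOOKUPS:
                return "permerror"  # too many lookups (or an include loop)
            sub = check_spf(arg, sending_ip, txt_lookup, _depth + 1)
            if sub == "permerror":
                return "permerror"
            matched = sub == "pass"  # include matches only on a "pass"
        else:
            continue  # a, mx, ptr, exists need real DNS; skipped here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    # RFC 7208: no mechanism matched and no "all" present -> neutral
    return "neutral"
```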

What about DKIM?

DH claims DKIM is set automatically and I can confirm that works, at least for a domain that was relatively recently added to DH. On the other hand when I examine that domain’s DNS settings I see several records not in my older domain. I wonder if DH has never updated DNS settings for older domains, such that they are now obsolete. OTOH, even for a new domain there were no SPF records.

And then there’s Google domain verification (postmaster services). I turned those on by adding their key to a TXT field, but a few days later it wasn’t there any more. I assume DH removed it. I’m kind of losing confidence in Dreamhost.

Saturday, May 12, 2018

Google sent my family into email Hell. This is how we climbed out.

… we’re living in a time when algorithmic software is just good enough to eat the world and still bad enough to be endlessly frustrating. (Daniel Genser, via Twitter)

A few days ago I sent an email to Emily and a few seconds later this came back:

Mail Delivery System <MAILER-DAEMON@homiemail-mx1.g.dreamhost.com>
Tue, May 8, 9:52 PM (4 days ago)

This is the mail system at host homiemail-mx1.g.dreamhost.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

                DreamHost Email Support

   <emily@googleappdomain.com> (expanded from <emily@redirectemail.com>): host
    ASPMX.L.GOOGLE.com[173.194.202.27] said: 550-5.7.1 [208.97.132.209      12]
    Our system has detected that this message is 550-5.7.1 likely unsolicited
    mail. To reduce the amount of spam sent to Gmail, 550-5.7.1 this message
    has been blocked. Please visit 550-5.7.1
    https://support.google.com/mail/?p=UnsolicitedMessageError 550 5.7.1  for
    more information. q3-v6si11849599pgn.272 - gsmtp (in reply to end of DATA
    command)

Google had sent me to email Hell. Everything I sent to Emily was rejected. It was the same story with emails sent to my children. Whatever I sent, Google rejected.

I think the problem, as far as Google was concerned, was that I was using redirects. This is old net tech. If you own a domain, say “kateva.org”, your hosting service will usually let you define as many redirect “email addresses” in the domain as you might want. They aren’t real email addresses though, they’re redirects. You have to define a true email recipient for each one.

Google didn’t see the email I sent Emily as coming from my personal gmail account, it saw it as coming from the SMTP service that works with my domain (which I’ll call “kateva.org"); in this case homiemail-mx1.g.dreamhost.com. It appears either my domain, or that sending service, had bad Google-karma [1]. Google sent the rejection to “homiemail” (I think!) and homiemail sent it to me.

We were in trouble. It was likely that email sent to our family members was going to be bouncing back in a very confusing way.

I tested sending from various email addresses and using various software (web client vs. iOS Mail, etc) to see which was rejected and which accepted:

Sender                          Redirect   Result
GSuite (web client)             Yes        Success
Yahoo (web client)              Yes        Success
Gmail (web client)              Yes        Success
GSuite (macOS Mail, iOS Mail)   Yes        Success
Gmail (macOS Mail, iOS Mail)    Yes        FAIL
Gmail (macOS Mail, iOS Mail)    No         Success

It turned out my mail was only hitting Google’s spam threshold when I sent it from my personal Gmail (not GSuite email) using iOS or macOS Mail. Everything else worked, including using my personal Gmail by web interface.

No, I don’t understand what’s happening here. I can speculate that Google rates sending services roughly as follows: GSuite_web > Gmail_web, Yahoo_web > GSuite_client > Gmail_client. The combination of Gmail_client (macOS Mail) and the redirect dropped my email score below Google’s internal cutoff.

There’s not much to do about this. It’s not like Google is going to help. I was on my own and we were in trouble.

The first thing I did was change the redirects to send all the mail to an old school Dreamhost local webmail box. That stopped the bouncing. I could forward from that box to my gmail and reroute important emails manually to other addresses for Emily and the kids.

Next I discovered, contrary to their documentation, that Dreamhost had not enabled DKIM or SPF on my domain. I fixed that (separate post pending) to see if it would improve the reputation score for my domain but it had no effect. I suspect the reputation that mattered was that of homiemail-mx1.g.dreamhost.com.

That left me with these options …

  1. Set up Dreamhost mailboxes for each person and create redirects to them.
    1. Set up a forward from the DH mailbox to another of our family GSuite emails (I picked several Google Apps/GSuite things when they were free)
    2. Have our family GSuite emails do POP retrieval from the DH mailbox.

Dreamhost recommended option 1.2 (the second). But I had a third option…

… even though I’d not used it, the problem domain (“kateva.org”) had an old legacy GSuite. I went into that GSuite, defined an account for Emily and kids, and then switched Dreamhost MX to use the GSuite email rather than DH email [2]. I had lost some faith in DreamHost by that point and I figured that since Google rules the net I was better off inside their castle.

And that’s where we are at the moment.

One more weird thing. For 2-3 family members I received a notice that a non-apps Gmail account already existed for them. I didn’t create those accounts but maybe my kids did? (It’s complicated, but somehow when I did Google Voice for them it did … something … brain shutting down ….) Apparently Google lets one do this! They wouldn’t have received email though, since DNS records were using DreamHost MX redirects. If you own a domain, and create a Google Apps account that matches the existing address, it gets renamed to something like a “username%domainname@gtempaccount.com” email. Wow. [3]

It’s Google’s world, we just play in it.

Oh — and don’t use redirects. Google doesn’t approve.

- fn -

[1] Dreamhost denies that they’re in any kind of trouble with Google — but really, how would anyone know. Maybe it was my domain that Google didn’t like — we get a lot of spam and in this setup all that spam would seem to be coming from my domain.

[2] This wipes out all the past redirects. GSuite supported aliases so I moved them into there. Fortunately I’d saved the redirect records before making the MX switch.

[3] Google has an article on conflicting accounts, here is how they are resolved. I think Google Voice was the primary route for creating conflicting accounts — an artifact of how Google switched Voice credential systems post acquisition. 

Friday, April 27, 2018

Appigo Todo Cloud.app - don't forget to unsubscribe when you leave

Ever since iOS 11, editing in Appigo’s Todo Cloud.app has been buggy for me on iPad and iPhone alike. Just aggravating. Feels like they failed to revamp something. I wasn’t delighted with their sync technology, but I could live with that. The editing bugs finally broke me.

So I decided to exit. Somehow I remembered Todo Cloud is a subscription service. I found my way to the somewhat hidden account settings and disabled premium. Turns out that turns off auto-renewal. 

(Screenshot: Todo Cloud account settings, 2018-04-27)

Hope it really works.

Appigo is a textbook example of how subscription solutions can disappoint. They never provided a good export strategy, so there’s a strong data lock. Then they failed to do minimal maintenance but continued to collect subscription revenue and sell the app.

So what will the replacement be? I’d like a product that

  1. Did what Appigo ToDo Cloud did but actually worked
  2. Had a web client as well as Mac, iPad and iPhone client
  3. Supported family sharing
  4. Had good data export (exit strategy).

I evaluated Things.app and OmniFocus. Things got #1 and 3. OmniFocus got #1 and 4. Neither got #2.

Hmm.

On the other hand, Reminders.app for iOS got #2 and #3 and it’s free. So it’s weirdly in contention.

For now I’m using Reminders.app for tasks and Trello for projects. I’m manually copying over tasks that had dates; it’s not too bad. The backlog of ‘someday’ tasks I’ll gradually slog away at.

If Things gets some data export I’ll probably buy it, but it’s expensive since it’s not a universal app. If OmniFocus gets family sharing I might buy it. Meanwhile I’ll see what I can make Reminders do.

I think this is my first significant iOS functional regression.

Update 5/22/2018

I just discovered I wrote about this in 2011 …

There are no great task managers for the iPhone - but there's hope for 2011

… Neither Things, nor Appigo’s ToDo.app (which I have used incessantly since 2008), nor OmniFocus, nor Remember the Milk.app nor Toodledo.app are a great solution. They all fall short…

Seven years later and ToDo.app is moribund (I’ve been using it for 10 years!) and both OmniFocus and Things are still flawed.

Since I first wrote this I’ve run into issues with Reminders.app — including sync bugs and even text editor bugs. On the other hand, OmniFocus is promising a web client. I’m going to transiently switch back to ToDo.app and see if WWDC provides some kind of family sharing for subscriptions. That would make OmniFocus pricing less extreme.

MarsEdit - don't enable all post sync if you have a very large number of posts

MarsEdit 4 added a new feature — the ability to sync all posts. It didn’t work for my Blogger posts, somewhere around post 3,000-4,000 Google Blogger dies. It looks like a Google bug.

It did work for kateva.org/sh though — that has over 30,000 posts (it mirrors my pinboard shares and twitter tweets). Unfortunately that slowed MarsEdit launch severely — it took up to 3-4 minutes to start. Turns out MarsEdit loads all posts into memory and it doesn’t scale to that size.

I reset the kateva.org/sh sync to ‘last 50’ and startup is ok now.

Sunday, April 22, 2018

Two possible bugs in iOS 11.3 to watch out for: enable purchases by Touch ID, change iTunes & App Store account

Our kids' phones were set up to use my Store Apple ID (it’s an old practice — see a blog post about undoing this). The phones were set to require the Store Apple ID password prior to purchase. When our kids wanted to buy we’d enter the Store Apple ID password for them. Touch ID was not enabled for purchases.

After the 11.3 update two of the phones had Touch ID enabled for purchases. Normally you need to enter the Apple Store ID to enable this. One child (special needs) ran up a $10 bill which he paid for. (He gleefully shared his new power with us.) On one affected phone I turned it off again; when I turned it on the Store Apple ID was requested as expected. (Another phone I migrated to using its own Store ID; a third device wasn’t affected.)

On 1 of the 3 phones the Store Apple ID was changed to the user’s iCloud Apple ID. The problem was recognized when my daughter was unable to view movies not on her phone — it took me a few minutes to figure out what happened.

It’s interesting how much behaviors varied between the 3 devices.

Saturday, April 21, 2018

Why you should change your router DNS to Cloudflare and Quad9

I wrote this one for Facebook friends - reposting here. The TidBITS review is excellent.

This is roughly how things work ...

  1. Someone in your home visits a certain web site.
  2. Your home internet provider (ex: Comcast) associates that site with the identity of the Comcast account holder. They sell that information to the universe. Facebook buys it.
  3. Facebook shows the Comcast account holder ads based on the visited site.

This happens because your internet provider is your default internet directory service (DNS provider) - Comcast knows all the sites you visit and (as best we can tell) they sell that information.

It's basically an internet design flaw.

If you're a bit geeky you can change the DNS settings in your home router to someone more trustworthy than Comcast (which would be anyone else, really). In our home that's an Apple Airport. I have our settings below but your settings will vary.

(Screenshot: Apple Airport DNS configuration)

We use:

Cloudflare: 1.0.0.1 (their 1.1.1.1 address doesn't work with some ISPs)
Quad9: 9.9.9.9 (as backup)

For more information see an excellent TidBITS review. If you truly want privacy, particularly on iOS where DNS settings are a pain, you need to use a trustworthy VPN (see below).

PS. It’s easy in macOS Location settings to experiment with different settings. This is particularly important for a laptop that moves between locations. On my standard macOS Location I use Cloudflare, then Quad9, then Google. Sadly iOS DNS settings are a mess (per TidBITS):

In iOS, DNS server settings tend not to work the way most people would want them, which is as in macOS: setting the details once and having them work on every network to which you connect. The settings have to be set for each network. Worse, we’ve found in our testing that after changing DNS values, the settings revert to Automatic and the server IP addresses we entered are tossed. There’s also no way to set DNS servers for cellular connections.

In iOS you need to use a trusted (not free!) VPN provider. I use TunnelBear’s free GB option; I wish I could buy blocks of data from them rather than yet another subscription. If you use a limited data capacity VPN on a Mac you should use TripMode to reduce background data use.

Update 4/22/2018: A Gizmodo article reminded me why this DNS control is more important now ….

“The FCC under Chairman Pai changed the rules in the United States for ISPs allowing ISPs to start selling your browsing history to target advertising against you,” Prince said…

They mention two popular VPNs - ProtonVPN and Private Internet Access. Curiously PIA claims TunnelBear does not protect me — which makes me a bit suspicious of PIA. 

Wednesday, April 18, 2018

Converting from shared store ID to Family Sharing - and what didn't work

Maybe this worked. Or not. See update.

Our five family members have long shared one store Apple ID. We’ve been doing this since before there was Family Sharing. I put off switching to Family Sharing as I figured it would take Apple 3-4 years to get it working.

With iOS 11.3 Apple broke a longstanding purchase behavior. My son’s iPhone no longer required a password for purchases, only his fingerprint. There might be a fix, but I decided instead to move him to Family Sharing. (There is a fix, see below.)

The story went something like this [1]:

  • I have an iCloud Apple ID (john.___@icloud.com) and a different Store Apple ID (j____@mac.com) — because I’m old. He has an iCloud Apple ID (sam.___@icloud.com) and my store Apple ID.
  • In my iCloud Apple ID he is a family member. 
  • I removed my Store Apple ID from his phone and added his iCloud Apple ID.
  • I sent $15 to his iCloud Apple ID from my App Store account.

So far he can still access our movies and apps. Now he will make his own purchases that will be associated with his Apple ID. When he runs through his $15 he’ll give me cash and I’ll send more money. Eventually I do need to get a debit or managed credit card on his phone but we’ll start with cash. Alas, it doesn’t work that way. See update.

After the change I checked the two places (this is broken) Apple currently tracks devices associated with an Apple ID:

  • appleid.apple.com/account/manage: showed 7 devices including an old iPhone my son used to have that I’d previously removed. This also showed on his iPhone Apple ID view. I removed it from both places and it has not returned.
  • iTunes Manage Devices showed 8 devices, but not my son’s current iPhone. This, in contrast to past testing, is correct while the appleid.apple.com list is incomplete. It’s interesting that moving my son’s phone to Family Sharing means I’m no longer at my 10 item device limit (if that rule still applies!)

- fn -

[1] He is, incidentally, a special needs adult. I’d have liked to be able to use Apple Ask to Buy for him but that’s not available for an adult. (I wish Apple considered special needs as a disability — they have great support for visual and auditory needs, but not for cognitive.)

Update 4/19/2018

  • Seeing purchase histories is really clunky. You can see what apps a family member has purchased by launching App Store.app, logging out and then logging in as the family member. To see both tunes and apps you go to Apps & iTunes in Settings (yeah, this is crazy). You have to log in as the family member — I got the ancient iOS 1.0 un/pw dialog that shows up when you get to a part of iOS that desperately needs a replacement. It did work, but seriously ugly.

Update 4/20/2018

  • Subscriptions aren’t Family shareable. So that’s a significant bummer; several of his apps are subscription based. All is not lost though; At Bat.app presented my Store Apple ID username and accepted the password. In-App purchases aren’t Family shareable either — which is bad news for Omni Group. Apple has a list of what’s not shared.

Update 4/28/2018 - what I wish I’d known

My son ran up a $70 bill on a $15 credit — all on my account — because “Any time a family member makes a new purchase, it’s billed directly to the family organizer’s account”. It doesn’t work the way I thought it did. If a family member is under 18 you can activate Ask to Buy, but not for someone over 18.

Family sharing is clearly designed to only work for children. It’s a poor match for a couple that wants to keep separate finances and it’s unsuited to adult children.

I found that the 11.3 update bug didn’t truly break the ability to require an iCloud password for purchases. It only bypassed the requirement to enter the iCloud password to enable Touch ID. I went into Touch ID & Passcode and turned off “USE TOUCH ID FOR … iTunes & App Store”. 

He doesn’t know his iCloud password (so he can’t lose it in a phishing attack!), so this meant he again needed us to enter a password into his iPhone to make purchases. Obviously, Ask to Buy would be far better. If Apple wanted to support users with cognitive disabilities …well, this blog accepts comments. I’d be glad to advise.

We didn’t want to have to memorize another password, so I changed his iCloud password to match my App Store & iTunes password.