
email issues and products

If you have Google's 2FA active and you're using a mail app that doesn't support OAuth 2.0, then you need to tell Google to create an application-specific password and use that instead.

I don't think Apple Mail supports OAuth 2.0, so it would fall into this category. If you have previously created an app-specific password, and you still have it written down somewhere, you may be able to use it. If you don't still have it, then you should just go and create another (and tell Google to revoke the one you were previously using).
 


If you have Google's 2FA active and you're using a mail app that doesn't support OAuth 2.0, then you need to tell Google to create an application-specific password and use that instead. I don't think Apple Mail supports OAuth 2.0, so it would fall into this category. If you have previously created an app-specific password, and you still have it written down somewhere, you may be able to use it. If you don't still have it, then you should just go and create another (and tell Google to revoke the one you were previously using).
AT&T is switching to OAuth 2.0, and their sites indicate that Apple Mail does support OAuth. According to their site, you can use an application-specific password or, within Apple Mail, delete your AT&T IMAP account and then add it right back. This will force it to do it in an OAuth-compliant manner; no new passwords are needed.
 


AT&T is switching to OAuth 2.0, and their sites indicate that Apple Mail does support OAuth. According to their site, you can use an application-specific password or, within Apple Mail, delete your AT&T IMAP account and then add it right back. This will force it to do it in an OAuth-compliant manner; no new passwords are needed.
If anyone has tried this, please let us know. If it failed for you, try it using Thunderbird.

I did a bit of web searching, and the only references I can find to Apple supporting OAuth are for Version 1. I haven't seen anything about them supporting Version 2.

In contrast, Thunderbird supports Version 2 but not Version 1. The two protocols are not compatible with each other.

If one works and the other doesn't, then that's where the problem is. It is well known that Google only supports OAuth version 2.

AT&T's web site talks about supporting OAuth, but they never say which version they support - I suspect it is Version 1, because they have detailed instructions for configuring Apple Mail.

In my own personal experience, I need an app-specific password to connect any Apple apps (Mail, Calendar, etc.) to Google's servers. Thunderbird just works, asking me for the 2FA code via OAuth2 when required.
 


AT&T is switching to OAuth 2.0, and their sites indicate that Apple Mail does support OAuth. According to their site, you can use an application-specific password or, within Apple Mail, delete your AT&T IMAP account and then add it right back. This will force it to do it in an OAuth-compliant manner; no new passwords are needed.
I am using AT&T with Yahoo mail and had been getting regular messages reminding me to update my mail app settings. Using macOS Sierra, I found that I had to create a new mailbox from scratch, since I found no way to change the existing servers from Yahoo's to AT&T. It took a few extra steps and I used the same password as before but ended up having two mailboxes in the Mail app, one for the legacy Yahoo and the other for AT&T. I could not tell if the new one is using OAuth, but I don't get the reminder emails from AT&T. ...
 


I need some help with Apple Mail.

I have email accounts xxxx@me.com and xxxx@icloud.com where xxxx is the same string [for both].

Things work fine on OS X 10.11.6. With the introduction of macOS 10.12.6, I have an issue. I have macOS 10.12.6 on a MacBook Pro, and I cannot get it to use xxxx@me.com as an email account. It says the name is already used.

How do I fix this problem?

On OS X 10.11.6, email for either address will go into the same mailbox. How do I get it to do that on macOS 10.12.6? Thanks.
 


I have email accounts xxxx@me.com and xxxx@icloud.com where xxxx is the same string [for both].
Things work fine on OS X 10.11.6. With the introduction of macOS 10.12.6, I have an issue. I have macOS 10.12.6 on a MacBook Pro, and I cannot get it to use xxxx@me.com as an email account. It says the name is already used.
How do I fix this problem?
On OS X 10.11.6, email for either address will go into the same mailbox. How do I get it to do that on macOS 10.12.6? Thanks.
The two e-mail addresses correspond to the same account and the same mailbox. The @me.com domain is deprecated (went away many years ago when Apple shut down Mobile Me in 2012, transitioning all accounts to iCloud), so I'm not surprised that Apple is no longer letting you configure your mail client to use it. I'm actually surprised OS X 10.11 allowed it, since Mobile Me went away while OS X 10.8 was the current Mac OS release.

Is there a reason you can't configure Apple Mail to use your @icloud.com address? As you already pointed out, the mail ends up going into the same mailbox anyway.

I would also consider migrating any accounts (e.g. mailing lists, shopping sites, etc.) from your @me.com address to your @icloud.com address in preparation for the day when Apple actually deletes the @me.com domain. I don't know when this will happen, but I think it's safe to assume that it will happen sooner or later. Better that you do it on your own schedule than when circumstances force it on you.
 


I would also consider migrating any accounts (e.g. mailing lists, shopping sites, etc.) from your @me.com address to your @icloud.com address in preparation for the day when Apple actually deletes the @me.com domain. I don't know when this will happen, but I think it's safe to assume that it will happen sooner or later.
Do you think Apple will shut down @me.com before @mac.com, which has been working since iTools was introduced in 2000?
 


The two e-mail addresses correspond to the same account and the same mailbox. The @me.com domain is deprecated (went away many years ago when Apple shut down Mobile Me in 2012, transitioning all accounts to iCloud), so I'm not surprised that Apple is no longer letting you configure your mail client to use it. I'm actually surprised OS X 10.11 allowed it, since Mobile Me went away while OS X 10.8 was the current Mac OS release.
I have been using me.com for years and am currently on Mojave and iOS 12. If Apple does drop me.com, does that mean they will not forward emails to icloud.com? Maybe this is not knowable at this point, but it would be a hassle for me (to update accounts and alert correspondents).
 


If anyone has tried this, please let us know.
I have run in circles trying to get this to work. First of all, the 'warning' messages have consistently looked like spam emails. They are poorly crafted and very generic. There are no specific dates mentioned, nor anything that would lead one to believe the messages are authentic. Once my emails started acting funny, I reluctantly clicked in ...
AT&T's web site ... [has] detailed instructions for configuring Apple Mail.
Please post the link! As far as I can tell, they have about three pages related to Apple, and they run in a short cycle. Maybe I am missing the appropriate link... please help!

Here is where I am in this fiasco:
1. I have several att.com email accounts, most of which work on iMac and iPhone.
2. Supposedly, my calls to ATT have been escalated, but no next-tier support has called me. I have explained my symptoms multiple times to multiple support personnel, but they are reluctant to give me anything but the same instructions for my iPhone. These instructions do not work for the iPhone (iOS 12.4.1 - waiting for iOS 13 to get better - maybe 13.6 or so!).
3. Mail (Version 12.4 (3445.104.11)) on my iMac (late 2015, macOS Mojave 10.14.6) worked after I went to the start.att.net website and logged in to all att.net email accounts that were not working properly. Somehow, this synchronized the passwords. I did not have to install a certificate, as they suggest.
4. One (of many) att.net email accounts on my iPhone will not successfully synchronize the new password that I was forced to select. It seems to accept the password on the website using iPhone Safari, but if you log out and then try to log back in, it will try to force you to change the password again. Perpetually. I did create another email account in Mail, without using the Yahoo presets (chose Other, I believe), and it works. However, it will not show any emails older than about 2 months, even though this is an IMAP account. So, like other readers, it seems that I am forced to maintain an 'old' account, which will not download new emails, just so I can maintain the old ones from the last couple of years. Anyone know how to force IMAP to look at the whole catalog of emails?

Very frustrating!
 


Please post the link! As far as I can tell, they have about three pages related to Apple, and they run in a short cycle. Maybe I am missing the appropriate link... please help!
Here's what I found. Unfortunately, it's a web site where you have to click through a bunch of links - direct linking to the page doesn't work.
  1. Start here: AT&T Troubleshoot & Resolve
  2. Click on "Internet"
  3. Click on "Email Setup and Repair"
  4. Click on "Setup or Update Email Application"
  5. Click on "First Time Setup"
  6. Click on "Desktop/Laptop"
  7. Click on "MAC" (sic)
  8. Click on "Apple Mail". The next several pages explain the procedure (making you click "Next" after each step):
    • The page says it will set up the account using "OAUTH" (doesn't say which version).
    • With the Apple Mail application open, click "Mail" in the menu, then "Accounts..."
    • Select "Yahoo" from the list of account providers
    • Enter your username and click Next
    • Enter your username again as well as your password then tap Sign In
    • Select the services you would like to use with the app, then click Done.
I have no way of knowing if this will really work or not.
 



Here's what I found. Unfortunately, it's a web site where you have to click through a bunch of links - direct linking to the page doesn't work.
  1. Start here: AT&T Troubleshoot & Resolve
  2. Click on "Internet"
  3. Click on "Email Setup and Repair"
  4. Click on "Setup or Update Email Application"
  5. ...
Thanks! You apparently have to be logged in to an att.com account, but that's no problem (right?). At Step 5, I am shown a banner:
Alert!
Unfortunately, we are unable to access Troubleshoot & Resolve at this time. For further assistance, please visit att.com/esupport.
I guess I'll try again... later.
 


I have no idea if or when Apple will do anything, but I would never want to rely on any deprecated service - they all get turned off sooner or later.
Personally, I think that if Apple does away with the @mac.com domain it will be a sign they are abandoning us even worse than they have so far. I still use it as a badge of honor, even though sometimes over the phone others write it down as @mack.com thinking I'm in the trucking industry.
 


Here's what I found. Unfortunately, it's a web site where you have to click through a bunch of links - direct linking to the page doesn't work.
  1. Start here: AT&T Troubleshoot & Resolve
  2. Click on "Internet"
  3. Click on "Email Setup and Repair"
  4. Click on "Setup or Update Email Application"
  5. Click on "First Time Setup"
  6. Click on "Desktop/Laptop"
  7. Click on "MAC" (sic)
  8. Click on "Apple Mail". The next several pages explain the procedure (making you click "Next" after each step):
    • The page says it will set up the account using "OAUTH" (doesn't say which version).
    • With the Apple Mail application open, click "Mail" in the menu, then "Accounts..."
    • Select "Yahoo" from the list of account providers
    • Enter your username and click Next
    • Enter your username again as well as your password then tap Sign In
    • Select the services you would like to use with the app, then click Done.
I have no way of knowing if this will really work or not.
The 8th step above is essentially the same as deleting and re-adding your account, as I described in my post above.

An early e-mail from AT&T indicated delete/re-add was an option, but apparently too many people were afraid that deleting would mean they would lose all their e-mails (technically not, if they're IMAP accounts), so AT&T set up this Troubleshoot & Resolve page. Six of one, half dozen of the other?
 


I'm not an ATT customer, so I don't know if this will apply, but reading through the recent posts, it might help in some cases. It requires another email account at a less problematic host. (Perhaps Apple?)

In any case, the possible solution is to simply tell ATT to forward all your email to your account at the different host. Then start using that one to check your email.

(Probably not suitable in all cases, but it would get around the ATT-specific issues, eh?)
 


Do you think Apple will shut down @me.com before @mac.com, which has been working since iTools was introduced in 2000?
I hope not. (My Apple ID is 11 characters, so I prefer to give people my @me.com address.) If Apple abandons the me.com and mac.com domains, it won't be because supporting them takes a lot of work. For years I had DNS and Apple's deprecated Server set up to handle multiple email domains akin to @me.com, @mac.com and @icloud.com. The setup and maintenance was easy.
 


Thanks! You apparently have to be logged in to an att.com account, but that's no problem (right?). At Step 5, I am shown a banner:
I wasn't logged in (I don't have an AT&T account). It pops up some screen where it claims to be checking for outages, but that goes away after a few tens of seconds.

There is a login request, but you can ignore that and just use the links below the login screen. At least I did.

And, yes, I see the same error banner right now. Hopefully they'll get their server back online soon.
 


Maybe I don't understand the problem, but for people having trouble with AT&T (and maybe others), why not ditch them altogether? Archive your AT&T stuff and just “walk away.”

There are free email hosts that don’t seem to give rise to issues. The one I like best is gmx.com, based in Europe (Germany), all IMAP (I don’t think they do POP3), and for each free account, one can use up to 10 alias addresses, to both send and receive. Europe too far away? I am in New Zealand, and I have never once had any issues.

That still leaves one with Apple Mail as a potential source of problems, of course... and macOS, and... oh, come on, Apple!
 


The 8th step above is essentially the same as deleting and re-adding your account, as I described in my post above.
An early e-mail from AT&T indicated delete/re-add was an option, but apparently too many people were afraid that deleting would mean they would lose all their e-mails (technically not, if they're IMAP accounts), so AT&T set up this Troubleshoot & Resolve page. Six of one, half dozen of the other?
I see that now, and previously I have found, that the add/delete effort means that not all of the IMAP messages are available on that new account (although they are still on the IMAP server and visible through the ATT web portal). I have found that they limit the viewing to about 2 months of emails. That is why people are inclined to avoid the add/delete steps that they recommend. It just does not work the way it should.

Interestingly, in one of my iMac accounts, the Mail account that wasn't working started working on its own again. In another iMac account, access to the same email account is not working (when it had worked a short while ago). This is totally bizarre behavior.

Where I get hung up is in a bizarre loop where the password can be updated on the iMac/iPhone, and it accepts the change. But it drops you right back into the 'Change your password' dialog.
 


... I thought I would/should report two issues I'm seeing with Gmail, and separately but related, G Suite (the paid version of Gmail that hosts domain email).

The first is Gmail itself. In the past two months, virtually all of my clients who use Gmail have complained that many legitimate emails they receive are being sent to the Junk (or Spam) folder, in spite of the fact that there is a long history of emailing back and forth with the same sender, and in many cases, that the sender is already in the Contact Address Book. And... many emails they send out to other Gmail recipients, are also going to Junk on the recipient's end. I realize that, in individual cases, circumstances like having a questionable link in the email, or quoted as part of a reply, can trigger the spam filters... and everyone uses a different combination of devices and apps for accessing email, software versions, etc... But the pattern is clear - I've had four calls today about the issue, and 50 in the past few weeks. Has anyone else noticed this?

And the second is G Suite. I often send emails and invoices to clients who have Gmail addresses (from my own domain, not previously hosted with Gmail, and never blacklisted...), and because of the above issue, nothing was being received, it was all suddenly going to Junk.

In doing research I read up on the current standards of adding SPF, DKIM, and DMARC verification to domain-hosted email (by adding the respective TXT records to your domain DNS) in order to prevent spoofing (others pretending to send email as if it's from your domain), and in having your emails be better received because of the added verification. And, Google has very good documentation and set-up instructions, so I decided to purchase G Suite and switch to Gmail for hosting my domain email...
After successfully setting up G Suite, SPF, DKIM, and DMARC (according to the instructions in the links listed)... and then testing with Google's own G Suite toolbox to confirm a correct, functioning setup, I began using GSuite to send emails, which I hoped and assumed would now have the best possible chance of being respected as legitimate, and not spam.

All was well sending plain text emails, until I sent one email with a link to MyBB, which is respected and fairly well known open-source, PHP-based forum software... which happens to be in use by MacInTouch as well! As soon as I sent the email with a link to MyBB in it, G Suite's outgoing server blocked me with a generic 500 error. So I tried again, to the same recipient but a different address - same error.

I was able to get G Suite chat support, which spent a couple of hours testing, asking me to send and resend emails, with and without the link... and after about 5 or 6 attempts, G Suite locked my account. The technician said, "The link to MyBB.com is not 'authenticated', so our systems doesn't like it... And there is nothing I can do, sorry but you have to wait at least 24 hours before your account will be able to send mail again."

So, out of curiosity, I signed in to an unrelated, free, normal, generic Gmail account I keep for emergencies and sent an email with the same MyBB.com link, to my now-locked G Suite address... and, it came through with no problem, meaning, even after applying all of the SPF, DKIM and DMARC verifications that are supposed to make my domain email more "legit", Google locks me out for sending a link that is fine in any plain Gmail account? Grrr.

So, this is just a cautionary tale. I get that managing spam is an enormous task for Google. However, when the stated purpose of G Suite and SPF, DKIM and DMARC is to verify the validity of one's email, presumably to a higher level than the free, relatively anonymous regular Gmail, and it behaves in the opposite way... well, maybe Google has been tightening down the Artificial Intelligence engines a bit too much? I'm not a happy customer.

I actually got a call from a G Suite representative in New York, who spent the call explaining that "new accounts don't have any reputation", so even though it's a business account, verified domain, and they have all my credit info, "I shouldn't expect to be able to send links or attachments" in my business email... that somehow I have to "earn" the right (in the eyes of the murky AI engine) to send an email to a colleague for a project I've been working on for 5 years... and, now that I've triggered the 24-hour block (by doing what the tech asked me to do for testing the issue), they can't predict if my account will be allowed to send emails. So, following all the recommendations, taking care to test and verify with G Suite staff before emailing, and doing nothing but sending a link to MyBB.com... I got locked out of my paid corporate email.
 


Ric Ford

MacInTouch
I thought I would/should report two issues I'm seeing with Gmail, and separately but related, G Suite (the paid version of Gmail that hosts domain email)....
I'm pretty sure you'd be happier if you switched to FastMail. They handle all the SPF, DKIM, and DMARC stuff for you, among all their other features. I've never heard of issues like you describe with them, either.

(That said, I just checked a couple of Gmail accounts and don't see the spam problems you described.)
 


I actually got a call from a G Suite representative in New York, who spent the call explaining that "new accounts don't have any reputation", so even though it's a business account, verified domain, and they have all my credit info, "I shouldn't expect to be able to send links or attachments" in my business email... that somehow I have to "earn" the right (in the eyes of the murky AI engine) to send an email to a colleague for a project I've been working on for 5 years... and, now that I've triggered the 24-hour block (by doing what the tech asked me to do for testing the issue), they can't predict if my account will be allowed to send emails. So, following all the recommendations, taking care to test and verify with G Suite staff before emailing, and doing nothing but sending a link to MyBB.com... I got locked out of my paid corporate email.
I did some digging into spam filtering when having email problems sometime earlier this year and found that "reputation" has become a key factor in spam filtering, presumably because spammers had been opening new email accounts for each spam campaign. However, Google's behavior in blocking you from sending email from a paid account you just opened with them is puzzling. If one part of the company can't fix a problem another part is creating, you should take your business elsewhere.
 


Thanks for the replies, Ric, and Jeff. Because I help others with technology and services, I actually welcome these issues, because I often have to advise clients and help to solve mysterious problems, and I am in a better position to help if I have solved them myself first. So I'm not afraid to get in to the weeds, and I tend not to give up until I've found a solution, and/or convinced the provider there is a legitimate issue negatively affecting their reputation and customer experience.

I have now resolved the issues, and in the process revealed that the G Suite support staff are not informed of what the specific problem is with an error, so they "[explain]" with generic answers that tend to blame the customer for things that "might be the reason". And more alarmingly, they advise actions that make things worse.

For example, and this should help anyone trying to set up DKIM:

1. DKIM is a public/private key pair, generated by your mail provider. G Suite creates a 2048-bit key by default, with an option for a weaker (but not recommended) 1024-bit key. They give you the public key that you add to your domain's DNS server in the form of a TXT record.

2. The TXT record looks like this, where 'p' is the public key, a long string of characters.

v=DKIM1; k=rsa; p=MIIBI...

3. Until a few years ago, the maximum key was 1024-bit, and when the record is **transmitted**, it still fit within a 255-character limit (if I understand correctly) of the packet.

4. But if you follow current recommendations for 2048-bit keys, then the total length of the TXT record grows to about 410 characters and so, when transmitted, the TXT record must be "segmented" into sections that are maximum of 255 characters each, like this, each segment in quotes with space in between:

"v=DKIM1; k=rsa; p=MIIBI... up to 255 characters" "Sdienf... remainder of key"

5. My domain host has a support note saying that TXT records can be 1024 characters... but it's not described that they get segmented automatically for you - which makes life easier, you don't have to guess and do it yourself. So my domain host's system was doing it per the standard.

6. GSuite staff, who all recommend SPF, DKIM and DMARC for their "professional email", looked at the DIG result of my DNS TXT record and told me that my host was "breaking the key"... and that I must use the weaker (and not recommended) 1024-bit instead.

Not knowing all of the above, I followed their instruction but then got warnings that I was using a weak key and should use 2048... Frustrated, I escalated my inquiry and, after another day wasted, I discovered that it was correct the first time, and it has been the GSuite support staff causing not only my account to get locked, but not understanding DKIM, mis-diagnosing problems, and giving advice that is technically wrong. But, now it's working, and I know not to ask GSuite staff for help, or at least to get past the first level and ask for a supervisor.
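Added example, not part of the original post and not Google's or any DNS host's code: the segmentation described in steps 3 to 6, worked through in Python. The key is built around a constructed modulus (structurally valid but not a usable key), and all function names are hypothetical; the verifier-side rule it applies is that the quoted strings of one TXT record are concatenated with nothing between them before the record is parsed.

```python
import base64
import hashlib
import re

MAX_STRING = 255  # each TXT character-string has a one-byte length prefix (RFC 1035)
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption + NULL
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')  # one quoted string in dig-style output


def _der(tag, body):
    """Encode one DER element with a definite length."""
    n = len(body)
    if n < 128:
        length = bytes([n])
    else:
        width = (n.bit_length() + 7) // 8
        length = bytes([0x80 | width]) + n.to_bytes(width, "big")
    return bytes([tag]) + length + body


def _der_int(n):
    # The extra leading byte keeps a value with its top bit set positive.
    return _der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def constructed_dkim_record(bits):
    """Build a DKIM record around a CONSTRUCTED modulus (sample data, not a real key)."""
    stream = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(bits // 256))
    modulus = int.from_bytes(stream, "big") | (1 << (bits - 1)) | 1
    rsa_key = _der(0x30, _der_int(modulus) + _der_int(65537))
    spki = _der(0x30, RSA_ALG_ID + _der(0x03, b"\x00" + rsa_key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


def split_txt(record):
    """What a DNS host does on publish: cut the record into <=255-byte strings."""
    return [record[i:i + MAX_STRING] for i in range(0, len(record), MAX_STRING)]


def to_rdata(chunks):
    """Render the strings the way a zone file or dig shows them."""
    return " ".join('"%s"' % c for c in chunks)


def join_rdata(rdata):
    """What a verifier does on lookup: concatenate the strings with no separator."""
    return "".join(QUOTED.findall(rdata))


def _read_tlv(buf, pos):
    """Read one DER element; raise ValueError when the buffer is cut short."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 128:
        length = first
    else:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def rsa_key_bits(record):
    """Parse the tag list, decode p=, and return the RSA modulus size in bits."""
    tags = dict(part.strip().split("=", 1) for part in record.split(";") if "=" in part)
    spki = base64.b64decode("".join(tags["p"].split()), validate=True)
    _, body, _ = _read_tlv(spki, 0)
    _, _, after_alg = _read_tlv(body, 0)
    _, bit_string, _ = _read_tlv(body, after_alg)
    _, rsa_key, _ = _read_tlv(bit_string[1:], 0)
    _, modulus, _ = _read_tlv(rsa_key, 0)
    return int.from_bytes(modulus, "big").bit_length()


def inspect_rdata(rdata):
    """Summarise a published record as a verifier would see it."""
    chunks = QUOTED.findall(rdata)
    record = "".join(chunks)
    return {"segments": len(chunks), "longest": max(map(len, chunks)),
            "length": len(record), "bits": rsa_key_bits(record)}


def first_segment_only_bits(rdata):
    """The misreading: treat only the first quoted string as the whole record."""
    try:
        return rsa_key_bits(QUOTED.findall(rdata)[0])
    except ValueError:  # bad base64 length or truncated DER
        return None


if __name__ == "__main__":
    for bits in (1024, 2048):
        rdata = to_rdata(split_txt(constructed_dkim_record(bits)))
        print(bits, inspect_rdata(rdata), first_segment_only_bits(rdata))
```

A two-string answer from dig is therefore the expected shape for a 2048-bit key; the record is only broken if the joined strings fail to parse.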
 


The timing on this thread is perfect. I am in the process of moving off of FastMail and onto G Suite, and I appreciate being able to learn from others' experiences. The primary reason I am doing this move is that I want to have centralized anti-malware and anti-phishing services on my email, and that is not available with FastMail, as far as I can tell.

The only providers I know of that offer this sort of protection for businesses as small as mine as a commodity service, not as a dedicated hosted Exchange instance or equivalent, are Office365 and G Suite. I've had recent experience with both. To take advantage of the fullness of security services from Office 365, you have to know a lot about the service, and it is not easy information to acquire. Also, for each additional service you have to buy an additional level of service from Microsoft. The G Suite service seems more straightforward to me, and the bundled services are ones that appear to work well for me, as opposed to OneDrive, SharePoint, and all that other stuff. Not to say that G Suite doesn't have its own set of challenges.

This is a big turnabout for me, as I go as far as possible to stay away from Google products in general. I am comforted by reading their business terms of service – it seems that they monetize their business customers directly, rather than by snooping on their data. And, one of the most professionally paranoid persons I know works for Google and assures me that they'd use this service themself if they didn't already have access to it via their employment.

A comment about FastMail - I've been using POBox.com (now FastMail) for about six years. Every time one of my email users has had a problem with passwords on their various devices with POBox, it has taken at least a full day to get it straightened out and has raised my blood pressure to the danger point. I invariably end up swearing that I will leave them, and then, you know, stuff happens. The desire for additional security services has now brought me to the point where I'm proactively switching as opposed to waiting for disaster to strike again.

We'll see how it goes. :-)
 


Ric Ford

MacInTouch
The timing on this thread is perfect. I am in the process of moving off of FastMail and onto G Suite, and I appreciate being able to learn from others' experiences. The primary reason I am doing this move is that I want to have centralized anti-malware and anti-phishing services on my email, and that is not available with FastMail, as far as I can tell.
You might want to consider Rackspace, too:
Rackspace said:
Multi-layered Email Spam Filtering
... If mail passes the blocked email checks, we apply advanced content filtering to verify whether it is considered spam. Content filtering combines many techniques to analyze email structure and content, and create key indicators that identify patterns in email. These indicators are combined with industry-wide feedback from email providers across the internet about reported spam, phishing, and viruses. The end result is an accurate, adaptive, and evolving content filtering system that is highly effective at removing spam.
I did a little searching at FastMail and elsewhere, looking for anti-virus options but didn't find any easy solutions. Here's what I did find:
FastMail said:
Sieve scripts
Sieve is a programming language for filtering incoming emails. Fastmail's flexible rules system provides most users with filtering functionality, but advanced users may choose to write custom Sieve scripts for complicated filtering (such as time-based rules).
IETF said:
RFC 5235 - Sieve Email Filtering: Spamtest and Virustest Extensions
The Sieve email filtering language "spamtest", "spamtestplus", and "virustest" extensions permit users to use simple, portable commands for spam and virus tests on email messages. Each extension provides a new test using matches against numeric "scores". It is the responsibility of the underlying Sieve implementation to do the actual checks that result in proper input to the tests.
 


The timing on this thread is perfect. I am in the process of moving off of FastMail and onto G Suite, and I appreciate being able to learn from others' experiences. ...
I'm happy to share what I've learned in terms of switching to G Suite for email. Here are the basic steps, and the instructions are actually very good. The trickiest is the DKIM part.

1. The first important thing is to have full access to editing your domain's DNS. You have to "verify" your domain to Google by adding a TXT record with a code that the G Suite Setup Wizard gives you. You have to be patient with any steps that involve adding or modifying DNS records because of DNS caching on the internet. In my case, it usually only took an hour, but in some cases, it can take 24 or 48 hours for DNS changes to propagate.

2. Once validated, you then have to remove old MX records and add GSuite MX records to your domain DNS - and then wait for propagation again.

3. I've learned a few tricks to speed up DNS propagation. Three large DNS services have a "cache flushing" tool... It still takes up to 48 hours for full internet propagation, but by using these three you can speed up your set up process:

Google
OpenDNS (first "check" the domain, then at the bottom an option to update appears)
Cloudflare cache purge

4. The G Suite Setup Wizard will guide you through setting up G Suite user accounts and options to migrate from other servers (if necessary)

5. It is highly recommended that you set up SPF, DKIM and DMARC (all TXT records added to your DNS) in order to give your domain email "reputation" going forward. There is no guarantee with email, but these are the current standards for improving authenticity between email servers, and reducing spoofing, etc.

G Suite - Enhancing email security

Set the SPF TXT record first, which looks like this, and has clear instructions:
Code:
Host name: @
TXT value: v=spf1 include:_spf.google.com ~all
For DKIM, you have to go in to your G Suite Admin > 3-lines menu at the top > Apps > G Suite > Gmail and scroll down to the section "Authenticate email (DKIM)". It expands, and there is a "Generate new record" link. Click that, and it defaults to 2048-bit and "google" as the "selector" — you can change that, but I would leave it defaulted. You will copy and paste the hostname and the key into a TXT record in your DNS, but leave this G Suite Admin window open; you'll need to come back after setting DNS...


Usually, when entering DNS records, there are two fields: Hostname and Value. In most DNS editors, when you add a hostname value without a period at the end, it "prefixes" it to your base domain name. E.g., "www" gets prefixed as "www.domain.com". Here, the DKIM host name value is:

google._domainkey

but the Support Document instructions (174124) tell you to put the full domain name, which can be misleading: google._domainkey.yourdomain.com, which results in a double entry of google._domainkey.yourdomain.com.yourdomain.com, so you have to be careful. Start with just google._domainkey as the hostname.

6. Once you have set SPF and DKIM, go and flush the Google DNS caches and wait a while before going back to the G Suite Admin > Apps > G Suite > Gmail > Authenticate Email section where this started, then click the "Start Authenticating" button. It may give an error in red, which means one of two things: either DNS has not propagated yet, or the hostname or value entries are not correct – hence my caution above.

You can find out what your DNS server is sending out with any DNS lookup tool, but it's easiest to use Google's own. On this page, start with the "DIG" section:

Enter your domain name first to make sure it gets a normal result. Then to test DKIM, enter this:

google._domainkey.yourdomain.com

and click on the TXT button to see the result. You should see
v=DKIM1; k=rsa; p=blahblahblah

If so, go back to the top level of the toolbox page and, instead of Dig, go in to Check MX.
Put your domain, and "google" as the "selector".

If DKIM verifies, go back and set up DMARC.

And finally, here is the most important part: Wait two days before sending any email. I made the mistake of sending an email with a single link in it, before DMARC was fully propagated and active, and Google's Artificial Intelligence spam filter locked my account!
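The hostname pitfall and record formats from the post above can be checked before waiting on propagation. This is an added example, not part of the original post or Google's tooling; the function names are hypothetical, the editor behaviour (relative names get the zone appended, a trailing dot means absolute, "@" is the apex) is the assumption the post describes, and `yourdomain.com` is the post's placeholder.

```python
import re

def fqdn_from_editor(host: str, zone: str) -> str:
    """Name a typical DNS editor publishes for `host` entered in `zone` (assumed behaviour)."""
    host, zone = host.strip().lower(), zone.strip(".").lower()
    if host == "@":              # apex shorthand, as in the SPF record
        return zone
    if host.endswith("."):       # trailing dot: already absolute, nothing appended
        return host.rstrip(".")
    return f"{host}.{zone}"      # relative: zone is appended

def doubled_zone(host: str, zone: str) -> bool:
    """True when the published name ends in zone.zone (the doubled-entry mistake)."""
    zone = zone.strip(".").lower()
    return fqdn_from_editor(host, zone).endswith(f".{zone}.{zone}")

def parse_tags(txt: str) -> dict:
    """Split a 'k=v; k=v' DKIM TXT value into a dict, dropping whitespace in values."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def check_dkim(txt: str) -> list:
    """Return the problems found in a DKIM key record value (empty list = looks sane)."""
    tags, problems = parse_tags(txt), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= is not DKIM1")
    p = tags.get("p")
    if not p:
        problems.append("p= missing or empty (no usable public key)")
    elif not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", p):
        problems.append("p= is not base64")
    return problems

def check_spf(txt: str) -> list:
    """Return the problems found in the SPF value the post recommends for Google mail."""
    terms, problems = txt.split(), []
    if not terms or terms[0] != "v=spf1":
        problems.append("record does not start with v=spf1")
    if "include:_spf.google.com" not in terms:
        problems.append("Google include missing")
    if not terms or not re.fullmatch(r"[+?~-]?all", terms[-1]):
        problems.append("no trailing 'all' mechanism")
    return problems
```

Paste the hostname and value you are about to enter into these functions; a `True` from `doubled_zone` means the DIG lookup for `google._domainkey.yourdomain.com` will come back empty.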
 


Being fed up with Google/Gmail, I started looking at setting up my own email server. I went through several options, at first trying to run it from home. My ISP is Charter/Spectrum. They don't block port 25 but blacklist email to their domains. Same difference. I have Citadel running on a RaspberryPi. Then I looked at a package from New Zealand. License cost was too high.

Then I found a package called Mail-in-a-Box - open source, secure, actively supported.

I have three email servers running now in Virtual Private Servers (VPS). Two are with Linode.com. The last is in Amazon's LightSail, part of AWS. The Linode servers are $5/month. The LightSail is $5/month, but I think I could get it to run in the smallest VPS, which would be $3.50/month.

There is no user limit in Mail-in-a-Box. The VPS are running Ubuntu Server 18.04 LTS. Installing Mail-in-a-Box is easy.

Knowing what I know now, I would just use LightSail. It is a one-stop solution. You can get and manage your domain name there. Mail-in-a-Box does automatic backups of your mail to Amazon S3. Since I set it up, they now have a free snapshot feature for the server. If you mess something up, you can revert back to a previous snapshot.

I didn't figure out how to do LightSail. Someone else posted a tutorial.

The Linode.com servers have been running 11 months and LightSail server 9 months.
 


I have an issue with, what else, the macOS Mail app. For some reason, it has been directing mail to the junk folder on two Exchange (Office365) accounts.

These emails have the usual brown color coding in the junk folder with a button to "Move to Inbox". The issue is, I don't have junk mail filtering enabled on any account, let alone these two. I haven't used that Mail feature in a while.

One account already has a spam service (Proofpoint) that appears to be working fine. When I look at the headers, there are some entries like "X-Forefront-Antispam-Report:", but these are inscrutable. Worse, I don't appear to be able to train this supposedly inactive spam filter and now have to regularly check the junk folder. When I did briefly use the Mail filter, I seemed to recall there was a "not junk" button for training purposes.

As far as I can tell, this started relatively recently on my Mojave install. I did have some problems with Mail junk filtering in El Capitan, which is probably why I turned it off. There are no relevant settings I can find in the Outlook web app. Does anybody know how to really turn off this "feature"?
 


I have an issue with, what else, the macOS Mail app. For some reason, it has been directing mail to the junk folder on two Exchange (Office365) accounts.
These emails have the usual brown color coding in the junk folder with a button to "Move to Inbox". The issue is, I don't have junk mail filtering enabled on any account, let alone these two. I haven't used that Mail feature in a while.
One account already has a spam service (Proofpoint) that appears to be working fine. When I look at the headers, there are some entries like "X-Forefront-Antispam-Report:", but these are inscrutable. Worse, I don't appear to be able to train this supposedly inactive spam filter and now have to regularly check the junk folder. When I did briefly use the Mail filter, I seemed to recall there was a "not junk" button for training purposes.
As far as I can tell, this started relatively recently on my Mojave install. I did have some problems with Mail junk filtering in El Capitan, which is probably why I turned it off. There are no relevant settings I can find in the Outlook web app. Does anybody know how to really turn off this "feature"?
The issue may not be with Mail, but with your ISP. Most providers do some sort of spam filtering before it gets to the Mail app, and their filtering may be less than accurate. I have had AT&T mark a message from themselves as spam.

If you log into your e-mail with a browser via your provider's web page, you should be able to mark any of the incorrect spam as "Good" or "Not Spam". No guarantee that the marking will last, but…
 



The issue may not be with Mail, but with your ISP. Most providers do some sort of spam filtering before it gets to the Mail app, and their filtering may be less than accurate.
That's a good thought, but M Young clearly stated that Mail was classifying the mail as spam. An ISP's spam filtering could not cause this to happen unless the setting to "Trust junk mail headers in messages" was checked...and that would also require Mail's spam filtering to be enabled; M Young stated that is not the case.
 


I have an issue with, what else, the macOS Mail app. For some reason, it has been directing mail to the junk folder on two Exchange (Office365) accounts.
I reached out (again) to our IT office and after some initially unhelpful responses, I was directed to this link. The support article (I have no idea who or what Intermedia is) has directions for disabling a junk mail filter in Exchange.

I had rooted around a couple of times in these settings on Outlook Web Access and failed to find this option. I suppose if I had been using Outlook on the Mac, it might have been more obvious. On my own I also found this workaround on the SpamSieve (Michael Tsai) help pages, which does not explicitly disable junk filtering.

So, I think the bottom line is that Mail is off the hook for this issue, as Exchange was applying a filter and moving messages to the Junk folder. Those messages, once in the Junk folder, look like they have been filtered by Mail except for the absence of the "not junk" button, although there may be other "tells" that I missed.
 




Suggested alternative: create a separate email address for every merchant, either by setting up a domain with a catch-all account or some of the other options out there. Then ban the ones that resell or otherwise abuse your trust.
For those with Gmail accounts, there is an option that gives you virtually unlimited email options. First of all, Gmail ignores any "." in an address – e.g., big.foot@gmail.com is the same as bigfoot@gmail.com or bi.gf.oot@gmail.com.

But, even better, Gmail ignores anything after a "+" sign in an email address. You can use this to set up filtering/labels for email addresses. So you can have something like "bigfoot+storename@gmail.com" and it will come in to the same email as any of the above addresses. You can then label them, because it will show up in the email "From" position.
 


For those with Gmail accounts, there is an option that gives you virtually unlimited email options. First of all, Gmail ignores any "." in an address – e.g., big.foot@gmail.com is the same as bigfoot@gmail.com or bi.gf.oot@gmail.com.
But, even better, Gmail ignores anything after a "+" sign in an email address. You can use this to set up filtering/labels for email addresses. So you can have something like "bigfoot+storename@gmail.com" and it will come in to the same email as any of the above addresses. You can then label them, because it will show up in the email "From" position.
Wouldn't it be easy for any company receiving email from these alternate addresses to simply remove the "." or anything after the "+" to get the "real" email address?
 


Gmail ignores any "." in an address – e.g., big.foot@gmail.com is the same as bigfoot@gmail.com or bi.gf.oot@gmail.com.
But, even better, Gmail ignores anything after a "+" sign in an email address.
Great tip, with one caveat: These methods only work with general gmail.com addresses; they do not work with G Suite Gmail accounts.
 


Wouldn't it be easy for any company receiving email from these alternate addresses to simply remove the "." or anything after the "+" to get the "real" email address?
Certainly an individual may notice the modifications and change things out, but this is primarily targeted at those automated responses that are never viewed by a human.
 


... Gmail ignores any "." in an address – e.g., big.foot@gmail.com is the same as bigfoot@gmail.com or bi.gf.oot@gmail.com.

But, even better, Gmail ignores anything after a "+" sign in an email address. You can use this to set up filtering/labels for email addresses.
The former (ignoring dots) is something unique to Gmail (as far as I know).

The latter (ignoring anything following a "+") is known as "subaddressing" and is actually part of an IETF standard (RFC 5233 from 2008, which is based on RFC 3598 from 2003). It is supported by most mail servers, although it may be disabled by the server's administrator.
Wouldn't it be easy for any company receiving email from these alternate addresses to simply remove the "." or anything after the "+" to get the "real" email address?
Sure it would, but in actual practice, it seems that most do not.

In my experience, the bigger problem is that there are many web sites that reject the "+" character in e-mail addresses, considering it invalid, forcing you to use an address that doesn't have a subaddress. These sites are wrong, but good luck convincing them to fix their broken code.
 


The former (ignoring dots) is something unique to Gmail (as far as I know). The latter (ignoring anything following a "+") is known as "subaddressing" and is actually part of an IETF standard (RFC 5233 from 2008, which is based on RFC 3598 from 2003). It is supported by most mail servers, although it may be disabled by the server's administrator.
David, thank you for the further explanation. I was not aware that the "+" sign was a mostly universal implementation. I have used it for some time and haven't run into sites that do not implement this option.
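The per-merchant tagging discussed in this thread can be turned into a check that reports which tag has turned up in mail from an unrelated sender. This is an added example, not code from any poster; the function names, the tag-to-domain table and the sample headers are constructed, and the dot-folding is applied to gmail.com only, as the thread describes.

```python
from email.utils import parseaddr

def split_subaddress(address: str, sep: str = "+"):
    """Return (base_address, tag) for local+tag@domain; tag is None when absent."""
    local, _, domain = parseaddr(address)[1].rpartition("@")
    base, found, tag = local.partition(sep)
    return f"{base}@{domain.lower()}", (tag if found else None)

def gmail_canonical(address: str) -> str:
    """Collapse the +tag, and for gmail.com the dots, to the one delivering mailbox."""
    base, _ = split_subaddress(address)
    local, _, domain = base.rpartition("@")
    if domain == "gmail.com":            # dot-folding is Gmail-specific per the thread
        local = local.replace(".", "").lower()
    return f"{local}@{domain}"

def leaked_tags(messages, expected):
    """Flag (tag, sender_domain) pairs where a tag arrives from someone it was not given to.

    messages: iterable of (From header, To header)
    expected: tag -> domain of the merchant that was handed that tagged address
    """
    hits = []
    for sender, recipient in messages:
        _, tag = split_subaddress(recipient)
        sender_domain = parseaddr(sender)[1].rpartition("@")[2].lower()
        owner = expected.get(tag)
        same_org = sender_domain == owner or sender_domain.endswith(f".{owner}")
        if owner and not same_org:
            hits.append((tag, sender_domain))
    return hits

# Constructed sample data (not real merchants or messages).
EXPECTED = {"storename": "store.example", "books": "books.example"}
MESSAGES = [
    ("Store <news@store.example>", "bigfoot+storename@gmail.com"),
    ("Deals <promo@mail.books.example>", "big.foot+books@gmail.com"),
    ("Offers <win@unrelated.example>", "bigfoot+storename@gmail.com"),
]

if __name__ == "__main__":
    print(leaked_tags(MESSAGES, EXPECTED))
```

`gmail_canonical` also shows how little work stripping the tag takes, which is the concern raised in the thread; the tag is useful for attribution only while the sender leaves it in place.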
 

