Hello everyone,
I have an NS8 installation that uses a private internal domain (e.g. internal.lan).
For years I have been sending server notifications without any issues through Gmail’s SMTP using an app password.
For compatibility with some services, I also configured a Postfix template that rewrites the internal sender address:
francesco@internal.lan → user@gmail.com
This setup has always worked: all providers accepted the messages, including Apple, Outlook, Proton, etc.
However, now the situation has changed:
ProtonMail still accepts the messages without issues
iCloud rejects the message
some providers classify it as spam
tests show errors such as:
DKIM_INVALID
FORGED_GMAIL_RCVD
DMARC_FAIL
It seems that Gmail, after the new 2024–2026 anti‑spoofing policies, no longer accepts SMTP AUTH submissions from external servers when the sender is not a Gmail address, especially if the domain does not exist in public DNS (like .lan) or if the From header is rewritten to a Gmail address.
Gmail accepts the authentication with the app password, but then breaks the DKIM signature, and stricter providers (such as iCloud) reject the message.
Question:
has anyone else experienced the same behavior or found a working alternative?
I send my email myself; I dropped the smarthost a long time ago, because we have to set SPF, DKIM and DMARC to be accepted by 365, Gmail and others.
From what I understand — although the Italian translation was bad — it seems that the smarthost is becoming unusable. Domains like gmail.com and outlook.com now impose very strict restrictions, so they no longer work as before: they control the source and authentication of the sender in a much more severe way.
I know there are free relays, but if I try to register using a Gmail address, the account is declined. It seems that these relays, even if free, are only available to those who own a valid domain, even if the server has a dynamic IP and is managed in LAN.
Yes, you need a valid domain to send email. You can find and use a smarthost, but most of the time their IPs are in the blacklists of the antispam RBLs, like the Spamhaus blocklist.
The general idea is:
SPF sets the IPs of the mail servers authorized to send email in your domain name; you can be relaxed and do nothing if it is not you, or state to reject the mail.
DKIM is a signature to verify it is really your mail server that has sent the mail.
DMARC is also a mechanism to verify that you are authorized to send email in the name of this domain name; if the IP is not good, you can do nothing, send it to junk or reject, following your decisions.
All of these settings must be done in the DNS area of your provider.
You can verify all of these settings with some providers that you can find on that page to see the score of your email.
Yes, it is really complex, and be sure that spammers are better than us at setting up their DNS.
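The DMARC check described in the reply above, as an added example that is not part of the original thread: it reads the Authentication-Results header a receiver stamps on a message and tests whether a passing SPF or DKIM identity matches the From domain (relaxed alignment). The sample messages and the domains relay.example, isp.example and mx.receiver.example are constructed, and the two-label organizational domain rule is a simplifying assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # Real DMARC evaluators use the Public Suffix List instead.
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def aligned(results, from_domain):
    # results: (verdict, identity) pairs taken from Authentication-Results
    return any(verdict.lower() == "pass"
               and org_domain(ident.rpartition("@")[2]) == org_domain(from_domain)
               for verdict, ident in results)

def dmarc_alignment(raw_message):
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    ar = " ".join(msg.get_all("Authentication-Results", []))
    spf = re.findall(r"spf=(\w+)[^;]*?smtp\.mailfrom=([^\s;]+)", ar)
    dkim = re.findall(r"dkim=(\w+)[^;]*?header\.d=([^\s;]+)", ar)
    spf_ok, dkim_ok = aligned(spf, from_domain), aligned(dkim, from_domain)
    # DMARC passes when at least one mechanism both passes and is aligned.
    return {"from": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

# Constructed sample: From rewritten to gmail.com, sent through an unrelated relay.
REWRITTEN = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounce@relay.example;
 dkim=pass header.d=relay.example
From: Server <user@gmail.com>
Subject: notification

body
"""

# Constructed sample: From uses the domain of the provider that relays the mail.
PROVIDER = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=account@isp.example;
 dkim=none
From: Server <account@isp.example>
Subject: notification

body
"""

if __name__ == "__main__":
    for name, raw in (("rewritten", REWRITTEN), ("provider", PROVIDER)):
        print(name, dmarc_alignment(raw))
```

In the first sample SPF and DKIM both pass, but for relay.example rather than gmail.com, so DMARC still fails; that is the difference between authentication and alignment.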
I have solved it almost entirely. I changed the relay, using the one provided by the provider of my internet connection, and changed, or rather rewrote, the From of the sender with a new account that always matches the domain of the provider. Now I have done tests on icloud.com, gmail.com etc. and they are all accepted. I also performed the test on mailtest.com; the result is attached.