Great irony of ironies, my tobiaseigen.org is currently on the spamhaus blocklist. I went ahead and moved DNS back to namecheap, copying dozens of records manually from my mailinabox. Also made a manual change to my mailinabox setup so the roundcube webmail app could be updated to the latest version, including various security fixes. Here’s what I wrote to spamhaus when asking to be delisted:
Hello! I am not sure why my domain was blocklisted, but I took some measures and would appreciate being delisted please. Here are some things I did:
- changed nameservers to use my registrar nameservers instead of on the mailinabox server itself
- updated mailinabox and roundcube webmail to latest version, which includes security fixes
- archived all email accounts except my own
- changed password for my email account
- checked logs and see no spam is being sent that I could find
Now I have to wait and see if they agree with me and decide to delist my domain.
I have really liked getting to know mailinabox and using it to self-host my email, but am beginning to realize that it is a rather fragile project. Recent discussions (below) seem to indicate the project is being abandoned by its maintainer and likely will not even get updates beyond the current version of Ubuntu. Even their discourse support forum is outdated!
So I will begin to look for an alternative to recommend, either mailcow or just directly installing Dovecot, which seems to be a strong, well-supported and hopefully user-friendly project.
Agreed 100%! I will start thinking about a move as time permits, and when my domain is removed from spamhaus. Don’t want to fiddle with anything in the meantime!
Is it registered in the last 30 or 90 days? All newly registered domains are added to spam lists by default to prevent scammers from using a fresh domain every time to send you scam/spam emails.
I registered it on March 5th, so 42 days ago. I know about the new domain penalty and had faced that earlier on already. But then the domain started working to send mail for a while before it was blacklisted again. Today they decided to take me off the blacklist again!
The process was interesting and I learned quite a bit about all the moving pieces involved in setting up a digitally sovereign email.
The tl;dr:
- be prepared for it to take some time before you can send email, especially if the domain you want to use is new
- there are many technical things to get right
- it helps to use already legit DNS instead of hosting your own on your own server
- you want to turn off the privacy feature at your registrar so your ownership of the domain is public and transparent
- you want to have a website at the same domain with links to your email address to demonstrate that you are using the domain for a legitimate purpose
- even with the above, you can expect to be blacklisted again
- the folks at spamhaus.com will communicate with you through their ticket system and share useful information for troubleshooting and fixing your problem (see transcript below)
- so it’s worth following up to let them know what you have done, why you need the domain and to politely ask for removal
- ... but they won’t tell you exactly the reason why your domain is blacklisted and when it will be removed again
I added a bunch of resources to Troubleshooting based on what I learned through this experience:
In the past I would have been inclined to agree with you because the whois database is basically a big phone directory available to spammers. But thinking about this from a European perspective it makes sense. In Europe there is more of an expectation that you don’t hide your identity if you are an information provider or have a business. In Germany there are even laws about requiring an “Impressum” page with the full contact details of the publisher/person responsible for the website!
I have no idea which of the criteria spamhaus used to blacklist my domain the second time, so I threw the kitchen sink at it. I suspect you are right that this particular criterion is not so significant given how normal it has become to use your domain registrar’s privacy features to mask your identity. It cuts both ways! Spammers really have ruined a lot of things.
But it feels right to me that if you want digital sovereignty on your own domain, you have to put yourself out there as a legitimate entity that is worthy of trust and a reputation for trustworthiness.
If a business owns the domain, make sure you don’t have any WHOIS Masking or Private Domain Registration in place. These privacy protection services are usually offered by domain registrars where they will either:
- Not publish the domain owner’s contact details
- Publish “masked” details, for example, data that points to anonymous names and addresses.
It’s important to remember that GDPR doesn’t apply to businesses, so please, be transparent. If it looks like you’re hiding who owns the domain, it seems suspect. You want people to be able to verify that your company owns your domain, and this builds trust and increases the reputation of your domain.
Think about how you’d feel opening your front door to someone with their whole face and eyes obscured. You’d probably feel a little uncomfortable and unlikely to trust that individual. In the same way, don’t hide who you are as a domain owner.
Now you own a new domain; you can send emails, right? Er…no. Not so fast.
You are technically not a business (unless you have registered an entity as such) and iirc you are in the USA, so this does not apply to you directly (except for the .de domain, where they can enforce it). If spamhaus were to be believed, none of the big corporations could mask their whole data, but every single one of them is masked and their emails go just fine.
Yeah that’s a legit approach for most situations. But I like the values aligned idea of there being a straight line of ownership from owner to domain to whatever the domain is being used for.