Mails to security@passbolt.com bounce

My mail to security@passbolt.com came back with the following message:

Your email to group security@passbolt.com was rejected due to spam classification. To address this issue: * Contact the owner of the group, who can choose to enable message moderation instead of bouncing these emails. * Set up SPF records for your sending domain if you have not done so already. Instructions for both steps can be found here: https://support.google.com/a/answer/168383.

For reference, SPF is set up properly on my end - maybe the mail is being redirected on your end? That might result in SPF validation failure. Either way, bouncing security issue reports isn’t a good idea. How about enabling moderation at least?

Hi @palant I just saw your message. security@passbolt.com is an alias that reach a bunch of people. Bouncing is not intentional. We’ve tested it by sending emails from other gmail accounts and it worked fine so we assume it was configured properly. We’ll investigate further the issue. Could you send me the issue directly: remy@passbolt.com

9FDC 781B E555 39D4 CB50 FF42 86DB 2BDD 17D3 34B1
https://keys.mailvelope.com/pks/lookup?op=get&search=remy%40passbolt.com

@palant we cannot reproduce the issue. We successfully manage to send emails to security@passbolt.com from different email service providers (protonmail, etc.). Which email service provider are you using?

See. https://toolbox.googleapps.com/apps/checkmx/check?domain=palant.de&dkim_selector=

Yes, Google put my test mail into spam as well for some reason. At the same time it confirms that DKIM and SPF are set up correctly, so this is not the issue here. I will look into this. I’m not using any provider, it’s my own mail server.

I sent the mail to you directly, you might need to change the Spam folder though. Still, how about enabling moderation for security@passbolt.com so that mails sent there aren’t lost if Google dislikes them?

Still, how about enabling moderation for security@passbolt.com so that mails sent there aren’t lost if Google dislikes them?

Yes we’re looking into this.