Jul 14, 2012
tom

Why is SPF being validated against my mail server’s IP instead of sender’s IP?

Question

I have a mail server “example.com” which forwards all emails with recipient “me@example.com” to “me@gmail.com”. My mail server runs Postfix and it uses the virtual_alias_maps mechanism to perform the forwarding. I also have SPF records installed for “example.com”:

v=spf1 a include:aspmx.googlemail.com ~all

The problem is, whenever someone delivers mail to “me@example.com”, Gmail validates the example.com SPF records against example.com’s IP address! I thought it’s supposed to validate against the original sender’s IP address.

For example, I’m on my laptop on my home Internet connection. I connect to example.com’s mail server as follows:

$ telnet example.com 25
220 example.com ESMTP Postfix (Debian/GNU)
HELO my-laptop.local
250 example.com
MAIL FROM:<me@gmail.com>
250 2.1.0 Ok
RCPT TO:<me@example.com>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From: me@gmail.com
To: me@example.com
Subject: test

test
.
250 2.0.0 Ok: queued as CE5F42200F9

Now when I open that mail in Gmail and view its source, I see the following headers:

Delivered-To: me@gmail.com
Received: by 10.231.219.195 with SMTP id hv3csp61494ibb;
        Sat, 14 Jul 2012 02:15:58 -0700 (PDT)
Received: by 10.229.135.5 with SMTP id l5mr2360326qct.5.1342257358291;
        Sat, 14 Jul 2012 02:15:58 -0700 (PDT)
Return-Path: <me@gmail.com>
Received: from example.com [EXAMPLE.COM's IP ADDRESS HERE]
        by mx.google.com with ESMTP id u9si4262071qcv.89.2012.07.14.02.15.58;
        Sat, 14 Jul 2012 02:15:58 -0700 (PDT)
Received-SPF: neutral (google.com: [EXAMPLE.COM's IP ADDRESS HERE] is neither permitted nor denied by domain of me@gmail.com) client-ip=[EXAMPLE.COM's IP ADDRESS HERE];
Authentication-Results: mx.google.com; spf=neutral (google.com: [EXAMPLE.COM's IP ADDRESS HERE] is neither permitted nor denied by domain of me@gmail.com) smtp.mail=me@gmail.com
Date: Sat, 14 Jul 2012 02:15:58 -0700 (PDT)
Message-Id: <500138ce.c995e50a.6e4a.ffffd12aSMTPIN_ADDED@mx.google.com>
Received: from my-laptop.local ([LAPTOP's IP ADDRESS HERE])
    by example.com (Postfix) with SMTP id CE5F42200F9
    for <me@example.com>; Sat, 14 Jul 2012 09:15:44 +0000 (UTC)
From: me@gmail.com
To: me@example.com
Subject: test

As you can see in Received-SPF and Authentication-Results, the SPF records are being validated against [EXAMPLE.COM's IP ADDRESS] instead of [LAPTOP's IP ADDRESS].

Why does this happen, and how do I fix this problem?

Asked by Hongli Lai

Answer

Google [or anyone else] will validate SPF against the IP address they see connecting to them. In that case it’ll be the IP address of your Postfix server; you cannot fix it – it’s by design…

By design, SPF has an ‘issue’ with forwarding unless the message is ‘repackaged’ and the sender address rewritten to that of the forwarder.

Answered by pQd
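
The behaviour described in the answer, as an added example that is not part of the original post: a simplified SPF evaluator run over constructed DNS data, comparing direct delivery, plain forwarding and forwarding with a rewritten envelope sender. The domains sender.example and strict.example, all IP addresses, the stand-in record for the include target and the address bounces@example.com are assumptions; the example.com record is the one from the question.

```python
import ipaddress

# Constructed DNS data (documentation address ranges), not real records.
TXT = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 ?all",   # hypothetical original sender
    "strict.example": "v=spf1 ip4:192.0.2.0/24 -all",   # same hosts, hard-fail policy
    "example.com": "v=spf1 a include:aspmx.googlemail.com ~all",  # record from the question
    "aspmx.googlemail.com": "v=spf1 ip4:203.0.113.0/24 ~all",     # stand-in for the include target
}
A = {"example.com": "198.51.100.10"}  # assumed address of the forwarding Postfix host
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(client_ip, domain, depth=0):
    """Simplified SPF evaluation: only ip4, a, include and all are handled."""
    record = TXT.get(domain)
    if record is None:
        return "none"
    if depth > 10:
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip "v=spf1"
        result = QUALIFIERS.get(term[0], "pass")
        mech = term[1:] if term[0] in QUALIFIERS else term
        name, _, arg = mech.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = A.get(arg or domain) == client_ip
        elif name == "include":
            matched = check_host(client_ip, arg, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return result
    return "neutral"


def receiver_spf(client_ip, mail_from):
    """The receiver's view: connecting IP checked against the MAIL FROM domain."""
    return check_host(client_ip, mail_from.rsplit("@", 1)[1])


SENDER_MTA, FORWARDER = "192.0.2.25", "198.51.100.10"
print(receiver_spf(SENDER_MTA, "me@sender.example"))   # direct delivery
print(receiver_spf(FORWARDER, "me@sender.example"))    # forwarded, envelope sender unchanged
print(receiver_spf(FORWARDER, "me@strict.example"))    # same, but the sender publishes -all
print(receiver_spf(FORWARDER, "bounces@example.com"))  # forwarded, envelope sender rewritten
```

The second call reproduces the neutral result from the Gmail headers in the question; the last call passes because the check now runs against the forwarder's own record.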
