I have a mail server “example.com” which forwards all emails with recipient “email@example.com” to “firstname.lastname@example.org”. My mail server runs Postfix and it uses the virtual_alias_maps mechanism to perform the forwarding. I also have SPF records installed for “example.com”:
```
v=spf1 a include:aspmx.googlemail.com ~all
```
The problem is, whenever someone delivers mail to “email@example.com”, Gmail validates the example.com SPF records against example.com’s IP address! I thought it’s supposed to validate against the original sender’s IP address.
For example, I’m on my laptop on my home Internet connection. I connect to example.com’s mail server as follows:
```
$ telnet example.com 25
220 example.com ESMTP Postfix (Debian/GNU)
HELO my-laptop.local
250 example.com
MAIL FROM:<firstname.lastname@example.org>
250 2.1.0 Ok
RCPT TO:<email@example.com>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From: firstname.lastname@example.org
To: email@example.com
Subject: test

test
.
250 2.0.0 Ok: queued as CE5F42200F9
```
Now when I open that mail in Gmail and view its source, I see the following headers:
```
Delivered-To: firstname.lastname@example.org
Received: by 10.231.219.195 with SMTP id hv3csp61494ibb;
        Sat, 14 Jul 2012 02:15:58 -0700 (PDT)
Received: by 10.229.135.5 with SMTP id l5mr2360326qct.5.1342257358291;
        Sat, 14 Jul 2012 02:15:58 -0700 (PDT)
Return-Path: <email@example.com>
Received: from example.com [EXAMPLE.COM's IP ADDRESS HERE]
        by mx.google.com with ESMTP id u9si4262071qcv.89.2012.07.14.02.15.58;
        Sat, 14 Jul 2012 02:15:58 -0700 (PDT)
Received-SPF: neutral (google.com: [EXAMPLE.COM's IP ADDRESS HERE] is neither permitted nor denied by domain of firstname.lastname@example.org) client-ip=[EXAMPLE.COM's IP ADDRESS HERE];
Authentication-Results: mx.google.com; spf=neutral (google.com: [EXAMPLE.COM's IP ADDRESS HERE] is neither permitted nor denied by domain of email@example.com) firstname.lastname@example.org
Date: Sat, 14 Jul 2012 02:15:58 -0700 (PDT)
Message-Id: <500138ce.c995e50a.6e4a.ffffd12aSMTPIN_ADDED@mx.google.com>
Received: from my-laptop.local ([LAPTOP's IP ADDRESS HERE])
        by example.com (Postfix) with SMTP id CE5F42200F9
        for <email@example.com>; Sat, 14 Jul 2012 09:15:44 +0000 (UTC)
From: firstname.lastname@example.org
To: email@example.com
Subject: test
```
As you can see in Received-SPF and Authentication-Results, the SPF records are being validated against [EXAMPLE.COM's IP ADDRESS] instead of [LAPTOP's IP ADDRESS].
Why does this happen, and how do I fix this problem?
Google [or anyone else] will validate SPF against the IP address they see connecting to them. In that case it’ll be the IP address of your Postfix server; you cannot fix it – it’s by design….
By design, SPF has an ‘issue’ with forwarding unless the message is ‘repackaged’ and the sender address rewritten to the one of the forwarder.
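Added example (not part of the original question or answer): a small offline SPF evaluator showing why the forwarded hop is judged by the forwarder's IP, and how rewriting the envelope sender to the forwarder's domain changes the result. Only the example.com record comes from the question; the lookup tables, the example.org and aspmx records, the IP addresses, the sender `alice` and the `fwd+` rewrite format are constructed assumptions.

```python
import ipaddress

# Constructed data standing in for DNS so the example runs offline.
TXT = {
    "example.com": "v=spf1 a include:aspmx.googlemail.com ~all",  # record from the question
    "example.org": "v=spf1 ip4:198.51.100.0/24 ?all",             # assumed sender policy
    "aspmx.googlemail.com": "v=spf1 ip4:192.0.2.128/25 ~all",     # assumed contents
}
A = {"example.com": "203.0.113.10"}  # assumed address of the forwarding Postfix host
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(client_ip, mail_from):
    """Evaluate the MAIL FROM domain's SPF record against the connecting IP."""
    return _eval(ipaddress.ip_address(client_ip), mail_from.rsplit("@", 1)[1])

def _eval(ip, domain, depth=0):
    record = TXT.get(domain)
    if record is None or depth > 10:
        return "none"
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qual = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            hit = True
        elif mech == "a":
            hit = domain in A and ip == ipaddress.ip_address(A[domain])
        elif mech.startswith("ip4:"):
            hit = ip in ipaddress.ip_network(mech[4:])
        elif mech.startswith("include:"):
            hit = _eval(ip, mech[8:], depth + 1) == "pass"
        else:
            continue                         # mechanisms outside this sketch are skipped
        if hit:
            return RESULTS[qual]
    return "neutral"

def forward(mail_from, rewrite, forwarder_domain="example.com"):
    """Envelope sender the forwarder presents on the outbound hop."""
    if not rewrite:
        return mail_from                     # plain alias forwarding keeps the original sender
    local, domain = mail_from.rsplit("@", 1)
    # Hypothetical format; real SRS also embeds a hash and a timestamp.
    return f"fwd+{local}={domain}@{forwarder_domain}"
```

Without rewriting, the receiver checks example.org's policy against the forwarder's IP and gets the same `neutral` seen in the question's headers; with rewriting, it checks example.com's policy and the `a` mechanism matches.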