9

I configured hardfail SPF for my domain and DKIM message signing on my SMTP server. Since this is the only SMTP server that should be used for outgoing mail from my domain, I didn't foresee any complications.

However, consider the following situation: I sent an e-mail message via my SMTP server to my colleague's university e-mail. The problem is that my colleague forwards his university e-mail to his GMail account. These are the headers of the message after it reaches his GMail mailbox:

Received-SPF: fail (google.com: domain of me@example.com does not designate 192.168.128.100 as permitted sender) client-ip=192.168.128.100;
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of me@example.com does not designate 192.168.128.100 as permitted sender) smtp.mail=me@example.com; dkim=hardfail (test mode) header.i=@example.com

(Headers have been sanitized to protect the domains and IP addresses of the non-Google parties)

GMail checks the last SMTP server in the delivery chain against my SPF and DKIM records (rightfully so). Since the last SMTP server in the delivery chain was the university's server and not my server, the check results in an SPF hardfail and DKIM failure. Fortunately, GMail did not mark the message as spam but I'm concerned that this might cause a problem in the future.

Is my implementation of SPF hardfail perhaps too strict? Any other recommendations or potential issues that I should be aware of? Or maybe there is a more ideal configuration for the university's e-mail forwarding procedure? I know that the forwarding server could possibly change the envelope sender but I see that getting messy.

Belmin Fernandez

2 Answers

5

The forwarding server needs to setup SRS in order not to break your SPF http://www.open-spf.org/srs/

ScottH
topdog
    +1 I was reading about it right before I received the SF notification for your answer. Unfortunately, I see that the university's mail (Mirapoint) does not support SRS. Wondering if the implementation rate of SRS is just very low. – Belmin Fernandez Sep 29 '10 at 18:47
  • Most providers who forward mail do implement it, blackberry for example uses it to rewrite your address when you send from your device – topdog Sep 30 '10 at 05:19
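To make the SRS rewrite concrete, here is an added Python example of the SRS0 scheme the answer links to; it is not code from the answer, from open-spf.org, or from any forwarder product. The forwarder domain, the shared secret and the 21-day bounce window are constructed placeholders, and the hash (4 base64 chars of HMAC-SHA1) and 2-char base32 day stamp follow the open-spf description in simplified form.

```python
import base64
import hashlib
import hmac
import re
import time

# Constructed placeholder values; a real forwarder uses its own domain and secret.
FORWARDER = "forwarder.example.edu"
SECRET = b"constructed-srs-secret"
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # alphabet of the 2-char SRS timestamp
SRS0_RE = re.compile(r"^SRS0=([^=]+)=([A-Z2-7]{2})=([^=]+)=(.+)@(.+)$")

def srs_days(now=None):
    """Days since the Unix epoch, reduced modulo 1024 as SRS does."""
    return int((time.time() if now is None else now) // 86400) % 1024

def srs_timestamp(now=None):
    """Encode the day counter as two base32 characters."""
    days = srs_days(now)
    return B32[(days >> 5) & 31] + B32[days & 31]

def srs_hash(secret, ts, domain, local):
    """First 4 base64 chars of HMAC-SHA1 over the lowercased SRS fields."""
    msg = (ts + domain + local).lower().encode()
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha1).digest())[:4].decode()

def srs_forward(sender, forwarder=FORWARDER, secret=SECRET, now=None):
    """Rewrite the envelope sender so the receiver's SPF check is made against
    the forwarder's own domain instead of the original sender's domain."""
    local, domain = sender.rsplit("@", 1)
    ts = srs_timestamp(now)
    return f"SRS0={srs_hash(secret, ts, domain, local)}={ts}={domain}={local}@{forwarder}"

def srs_reverse(address, secret=SECRET, max_age_days=21, now=None):
    """Recover the original sender for a bounce; reject forged or stale addresses
    so the forwarder cannot be used as an open bounce relay."""
    m = SRS0_RE.match(address)
    if not m:
        raise ValueError("not an SRS0 address")
    h, ts, domain, local, _forwarder = m.groups()
    if not hmac.compare_digest(h, srs_hash(secret, ts, domain, local)):
        raise ValueError("SRS hash mismatch: address was not produced with this secret")
    stamped = (B32.index(ts[0]) << 5) | B32.index(ts[1])
    if (srs_days(now) - stamped) % 1024 > max_age_days:
        raise ValueError("SRS timestamp expired: bounce arrived too late")
    return f"{local}@{domain}"

if __name__ == "__main__":
    rewritten = srs_forward("me@example.com")
    print(rewritten, "->", srs_reverse(rewritten))
```

The rewritten address is what the university's server would present in MAIL FROM, so GMail would evaluate SPF for forwarder.example.edu; bounces to it are unwrapped by srs_reverse only while the hash and day stamp check out.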
0

While forwarding does break SPF (without SRS), it typically does not break DKIM. It looks like (based on dkim=hardfail (test mode) in GMail's authentication results) the problem is that your SPF key record has the t=y flag, indicating it is only for testing purposes.

Andrew