
I have postfix with dovecot set up on Ubuntu 13.10. I send emails via a node application (using email-templates).

If I send an email from noreply@mydomain.com to myaccount@gmail.com (email 1), the spf record passes. If I send an email from noreply@mydomain.com to support@mydomain.com (email 2), the spf record fails.

My spf record:

    v=spf1 a mx ~all

I've tried a variation by specifying the ip, but I get the same pass/softfail for emails 1 and 2.

I've linked my @mydomain.com emails to gmail, so I can read them from there and also check the headers from gmail.

Here is the header for the email 1, which passes:

    Delivered-To: myaccount@gmail.com
    Received: by 10.220.131.9 with SMTP id v9csp9729vcs;
            Thu, 3 Apr 2014 02:07:44 -0700 (PDT)
    X-Received: by 10.204.243.137 with SMTP id lm9mr3945288bkb.33.1396516062351;
            Thu, 03 Apr 2014 02:07:42 -0700 (PDT)
    Return-Path: <noreply@mydomain.com>
    Received: from mydomain.com (mydomain.com. [81.4.107.88])
            by mx.google.com with ESMTPS id de1si2116722bkc.265.2014.04.03.02.07.41
            for <myaccount@gmail.com>
            (version=TLSv1.1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
            Thu, 03 Apr 2014 02:07:41 -0700 (PDT)
    Received-SPF: pass (google.com: domain of noreply@mydomain.com designates 81.4.107.88 as permitted sender) client-ip=81.4.107.88;
    Authentication-Results: mx.google.com;
           spf=pass (google.com: domain of noreply@mydomain.com designates 81.4.107.88 as permitted sender) smtp.mail=noreply@mydomain.com
    Received: from [127.0.0.1] (mydomain [127.0.0.1])
        (Authenticated sender: username)
        by mydomain.com (Postfix) with ESMTPA id 2FE0730A095F
        for <myaccount@gmail.com>; Thu,  3 Apr 2014 05:07:41 -0400 (EDT)
    X-Mailer: Nodemailer (0.6.1; +http://github.com/andris9/nodemailer;
     smtp/0.3.23)
    Date: Thu, 03 Apr 2014 09:07:41 GMT
    Message-Id: <688fb886bd83cff1bb5e299cb01e69@mydomain.com>
    From: noreply@mydomain.com
    To: myaccount@gmail.com
    Subject: Welcome to mydomain

Here is the header for the email 2, which fails:

    Delivered-To: myaccount@gmail.com
    Received: by 10.220.131.9 with SMTP id v9csp9756vcs;
            Thu, 3 Apr 2014 02:08:20 -0700 (PDT)
    X-Received: by 10.220.103.141 with SMTP id k13mr2007429vco.25.1396516099631;
            Thu, 03 Apr 2014 02:08:19 -0700 (PDT)
    Authentication-Results: mx.google.com;
           spf=softfail (google.com: best guess record for domain of transitioning noreply@mydomain.com does not designate <unknown> as permitted sender) smtp.mail=noreply@mydomain.com
    Received-SPF: softfail (google.com: best guess record for domain of transitioning noreply@mydomain.com does not designate <unknown> as permitted sender)
    Received: by 10.220.241.77 with POP3 id ld13mf1851813vcb.12;
            Thu, 03 Apr 2014 02:08:19 -0700 (PDT)
    X-Gmail-Fetch-Info: support@mydomain.com 3 mail.mydomain.com 110 support
    Return-Path: <noreply@mydomain.com>
    X-Original-To: support@mydomain.com
    Delivered-To: support@mydomain.com
    Received: from [127.0.0.1] (mydomain [127.0.0.1])
        (Authenticated sender: username)
        by mydomain.com (Postfix) with ESMTPA id 2DF0730A095E
        for <support@mydomain.com>; Thu,  3 Apr 2014 05:07:41 -0400 (EDT)
    X-Mailer: Nodemailer (0.6.1; +http://github.com/andris9/nodemailer;
     smtp/0.3.23)
    Date: Thu, 03 Apr 2014 09:07:41 GMT
    Message-Id: <732468ffa47870963332c0e2dcebf3@mydomain.com>
    From: noreply@mydomain.com
    To: support@mydomain.com
    Subject: New user signed-up
    Content-Type: multipart/alternative;
     boundary="----Nodemailer-0.6.1-?=_1-1396516061189"
    MIME-Version: 1.0

I don't think the issue is with the node.js code that is sending the emails, as they both use the same transports and logins. Here is a simplified, but still long, version of the code:

    var nodemailer = require("nodemailer");
    var emailTemplates = require("email-templates");
    // templatesDir (path to the template directory) is defined elsewhere in the application.

    // One shared SMTP transport, used by both functions below.
    var transport = nodemailer.createTransport("SMTP", {
      service: "mydomain.com",
      auth: {
        user: "username",
        pass: "password"
      }
    });

    //THIS EMAIL FAILS SPF CHECK
    exports.send_new_registration = function(username, email) {
      emailTemplates(templatesDir, function(err, template) {
        console.log("Attempting to send email.");
        if (err) {
          console.log(err);
        } else {
          var locals = {
            email: email,
            username: username
          };

          // Send a single email
          template('new_user', locals, function(err, html, text) {
            if (err) {
              console.log(err);
            } else {
              transport.sendMail({
                from: 'noreply@mydomain.com',
                to: 'support@mydomain.com',
                subject: "New user signed-up",
                html: html,
                // generateTextFromHTML: true,
                text: text
              }, function(err, responseStatus) {
                if (err) {
                  console.log(err);
                } else {
                  console.log(responseStatus.message);
                }
              });
            }
          });
        }
      });
    };

    //THIS EMAIL PASSES SPF CHECK
    exports.send_confirmation_email = function(email, token) {
      var link = "https://mydomain.com/email-confirmation/" + token;
      emailTemplates(templatesDir, function(err, template) {
        console.log("Attempting to send email.");
        if (err) {
          console.log(err);
        } else {
          var locals = {
            link: link
          };

          // Send a single email
          template('register', locals, function(err, html, text) {
            if (err) {
              console.log(err);
            } else {
              transport.sendMail({
                from: 'noreply@mydomain.com',
                to: email,
                subject: "Welcome to mydomain",
                html: html,
                // generateTextFromHTML: true,
                text: text
              }, function(err, responseStatus) {
                if (err) {
                  console.log(err);
                } else {
                  console.log(responseStatus.message);
                }
              });
            }
          });
        }
      });
    };

I don't think it's relevant, but I've yet to get TLS working on postfix. I've also tried to get postfix-policyd-spf-perl working, unsuccessfully so far. When sending an email to my own account, from my own account, this adds an additional header. I'm guessing it's related, but I'm not certain.

As an FYI, if I add `check_policy_service unix:private/policy-spf` to my `/etc/postfix/main.cf`, the additional header I see in the email from noreply@mydomain.com to support@mydomain.com is:

    Received-SPF: softfail (mydomain.com: Sender is not authorized by default to use 'support@mydomain.com' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)) receiver=mydomain.com; identity=mailfrom; envelope-from="support@mydomain.com"; helo="[an_ip]"; client-ip=a_diff_ip

I only add this as I'm not sure if this is related or not to the google softfail check...

EDIT: To make the question clear, it's not clear to me why if I send an email to a gmail account, it passes the spf check, but if I send an email to my own domain, it fails.

Simon
  • Not a duplicate; something else is going on here. Exactly how is your second message getting to Gmail? – Michael Hampton Apr 03 '14 at 14:26
  • Using gmail's mail fetcher, via POP3. https://support.google.com/mail/answer/21289?hl=en&rd=1 – Simon Apr 03 '14 at 14:40
  • How is this question a duplicate? I read through the answers in the question provided by MadHatter as a possible duplicate, and couldn't see how that could help with my question, apart from the fact that they are related to SPFs? – Simon Apr 04 '14 at 08:42
  • To my mind, the function of a canonical question is to note that the community has said all it's going to say on the subject. Anything past that point is usually specific to the question and of little use to other users; sure, each SPF question is different from the next, but the differences tend not to generalise, and the generalities tend to be no different. I also note that this sort of question is nearly impossible to answer as long as the details are redacted. – MadHatter Apr 04 '14 at 09:03

1 Answer


SPF is not failing. You're misinterpreting the results.

Google is doing the check (properly) when the mail is sent to the GMail account. Google is also adding the check when it retrieves via POP3. It doesn't know where it came from, therefore it marks a softfail.

I'm not sure why Google is checking for a POP3 retrieved email, but it shouldn't be.

You need to send it to an address that does its own SPF check and get it directly, rather than let Google play with the headers.

  • Thanks. I then need to relook at getting `postfix-policyd-spf-perl` working correctly. That gives me some direction to work in. – Simon Apr 04 '14 at 14:29
  • Are you using TXT or SPF records? I'd use both - with identical contents. – David Crowell Apr 04 '14 at 14:38
  • Does domain.com resolve to the same IP you're sending from? How about the mx record? It's difficult to test with fake information. – David Crowell Apr 04 '14 at 14:38
  • Hi. My spf record is currently added to the DNS as a TXT entry. I'll try adding an spf record as an spf record. Yep the reverse DNS matches, and so do the mx records (according to online tools that check these things, such as http://tools.bevhost.com/spf/). I think I have some setting wrong on Ubuntu. I'll look into `postfix-policyd-spf-perl`, and will possibly ask a new (but related to this) question soon. Thanks again for your time. – Simon Apr 04 '14 at 14:58