4

I've been able to make SPF pass on all the sent emails from my Postfix server. But for forwarded domains which simply redirect email to my gmail id I see softfail in the SPF.

For example if I send email from a hotmail account to contactus@workingwoman.org then it is forwarded to test email id ragraggupta8899@gmail.com.

I've added SPF header "spf1 a mx -all" for my hostname(host.tariffplans.com) as well for all domains. The A record of all domains/subdomains is correctly pointing to my server IP : 23.239.30.81

But in the forwarded email header .. Google shows it as softfail. What could be the problem?:

Delivered-To: rag.raggupta8899@gmail.com
Received: by 10.114.96.70 with SMTP id dq6csp51447ldb;
        Sat, 19 Jul 2014 23:05:03 -0700 (PDT)
X-Received: by 10.182.65.66 with SMTP id v2mr22896624obs.74.1405836302184;
        Sat, 19 Jul 2014 23:05:02 -0700 (PDT)
Return-Path: 
Received: from host.tariffplans.com (tariffplans.com. [23.239.30.81])
        by mx.google.com with ESMTPS id js4si25593503obc.98.2014.07.19.23.05.01
        for 
        (version=TLSv1.1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
        Sat, 19 Jul 2014 23:05:02 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning bhasker@hotmail.com does not designate 23.239.30.81 as permitted sender) client-ip=23.239.30.81;
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning bhasker@hotmail.com does not designate 23.239.30.81 as permitted sender) smtp.mail=bhasker@hotmail.com
Received: from BLU004-OMC4S20.hotmail.com (blu004-omc4s20.hotmail.com [65.55.111.159])
    (using TLSv1.2 with cipher AES128-SHA256 (128/128 bits))
    (No client certificate requested)
    by host.tariffplans.com (Postfix) with ESMTPS id 668E01E1619
    for ; Sun, 20 Jul 2014 11:35:01 +0530 (IST)
Received: from BLU181-W79 ([65.55.111.136]) by BLU004-OMC4S20.hotmail.com with Microsoft SMTPSVC(7.5.7601.22712);
     Sat, 19 Jul 2014 23:05:01 -0700
X-TMN: [mcaEHqstvkaYJBg7Y5zPleq+hEPF4BC7]
X-Originating-Email: [bhasker@hotmail.com]
Message-ID: 
Content-Type: multipart/alternative;
    boundary="_dfcd1b0c-5d39-4204-a29c-16fb51556946_"
From: Bhasker Yamsani 
To: "contactus@workingwoman.org" 
Subject: testing
Date: Sun, 20 Jul 2014 02:05:00 -0400
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 20 Jul 2014 06:05:01.0018 (UTC) FILETIME=[8A96E3A0:01CFA3E0]
user5858
  • 243
  • 1
  • 5
  • 16
  • 1
    If I understand the headers correctly you receive mails on your server, but deliver them via hotmail? If you are using an external relay, you also have to include their IPs in your SPF-Record. – sebix Jul 20 '14 at 07:15
  • No I'm receiving email for a domain but forwarding it to my gmail account. The test sample email was sent from hotmail account to contactus@indianworkingwoman.org which was forwarded to my Gmail account. – user5858 Jul 20 '14 at 07:33

2 Answers2

9

Your server host.tariffplansindia.com is receiving a mail from outside, in this case bhasker1@hotmail.com. The receiver on your host is contactus@indianworkingwoman.org. Now your server relays that mail (without changing the envelope From-address) to gmail. The gmail server now gets a mail from your server host.tariffplansindia.com with envelope-From bhasker1@hotmail.com. Now the SPF-Record of hotmail.com forbids all senders except its own, and you can't do anything about that. SPF breaks this kind of mail-forwarding, that's a known issue, but it's also solved by Sender Rewriting Scheme (SRS) from Open SPF.

Using SRS, the relaying mailserver can rewrite the envelope-From so that it comes from a domain you control the SPF record for (host.tariffplansindia.com). Unfortunately, setting up SRS on a mailserver requires - in most cases - compiling and installing software by hand, there is only a very limited variety of available implementations listed on open-spf.org and also an existing question of how to perform SRS on postfix.

Martin M
  • 103
  • 3
sebix
  • 4,175
  • 2
  • 25
  • 45
  • 3
    sebix, I hope you'll forgive me for editing your answer as I have. Since the OP was kind enough to tell us all the real domains involved in this, I thought we could use the actual values in your answer (which I thought was otherwise very good, +1 from me) instead of example domains. Anyone who's tempted to downvote this answer, please check and see if what you disagree with is something I wrote, not sebix's original. – MadHatter Jul 20 '14 at 09:56
  • @MadHatter I also wanted to edit my answer and change the domains, but due to connectivity issues, you were faster. But these were not the only changes you did. I can't see anything in your edit that could be wrong. A good read about mail spoofing and the difference between envelope and message can be found on [security.stackexchange: Why is it even possible to forge sender header in e-mail?](http://security.stackexchange.com/a/30741/52333) – sebix Jul 20 '14 at 10:04
  • sebix, yes, I also thought you might be a little confused about how SRS works, so I changed that a bit. If you aren't OK with those edits, you're (of course!) welcome to revert them and do the domain changes yourself. – MadHatter Jul 20 '14 at 10:09
  • Thanks Sebix. I did not find this problem while using Cpanel. So I guess Cpanel must be using SRS. – user5858 Jul 20 '14 at 11:03
  • Apologies for asking to confirm, but are you actually saying it's impossible to forward email from an external domain to an @gmail.com adres and have SPF pass? It kind of makes sense because why would Google allow any IP / domain to pass SPF, this seems like a security risk. I just need final confirmation. The infrastructure I use does not support SRS. – Eugene van der Merwe Dec 18 '21 at 05:44
  • EDIT: It turns out I have Postfix and root access. I installed SRS and it's working perfectly! Only took me 3 years to solve this problem! – Eugene van der Merwe Dec 18 '21 at 06:10
0

Found easy solution for me, I just add a TXT record in my domain name hosting with " v=spf1 ip4:xxx.xxx.xxx.xxx include:_spf.google.com ~all " where xxx.xxx.xxx.xxx is your server IP.

Paper Man
  • 11
  • Someone downvoted this comment without specifying a reason so I upvoted it again. The reason why it should be considered is because of the `include:_spf.google.com ~all` line in there. Could that be a solution to stop Google from reporting forwarded emails as illegitimate? In the context of a reply, at least that should be considered. – Eugene van der Merwe Dec 18 '21 at 05:18