We have a strange situation:
- we receive an email with ESMTP headers in it
- our server accepts it, it's fine
- we import that mail into Gmail like any other email from our boxes
- Gmail makes an SPF check, which fails
- Gmail uses our server's IP address and the mail sender's domain to make that check (sic!)

We also have a similar problem with mail between local boxes (but there Gmail uses our server domain and the client's IP): Failed SPF for email imported to Gmail because of client IP instead of server's in message when sent through SMTP from one local box to another
Example:
```
Received-SPF: fail (google.com: domain of example@msit.gov.pl does not designate 188.40.153.39 as permitted sender) client-ip=188.40.153.39;
Authentication-Results: mx.google.com;
       spf=fail (google.com: domain of example@msit.gov.pl does not designate 188.40.153.39 as permitted sender) smtp.mail=example@msit.gov.pl
```
- 188.40.153.39 is our VPS IP
- example@msit.gov.pl is the sender
- example@webvizarts.com is the receiver
More headers:
```
Delivered-To: example@gmail.com
Received: by 10.194.168.164 with SMTP id zx4csp522020wjb;
        Thu, 19 Feb 2015 06:26:04 -0800 (PST)
X-Received: by 10.180.219.66 with SMTP id pm2mr10333511wic.91.1424355964017;
        Thu, 19 Feb 2015 06:26:04 -0800 (PST)
Return-Path: <example@msit.gov.pl>
Received: from server.webvizarts.com (server.webvizarts.com . [188.40.153.39])
        by mx.google.com with ESMTPS id ge6si41332059wjd.24.2015.02.19.06.26.03
        for <example@gmail.com>
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 19 Feb 2015 06:26:04 -0800 (PST)
Received-SPF: fail (google.com: domain of example@msit.gov.pl does not designate 188.40.153.39 as permitted sender) client-ip=188.40.153.39;
Authentication-Results: mx.google.com;
       spf=fail (google.com: domain of example@msit.gov.pl does not designate 188.40.153.39 as permitted sender) smtp.mail=example@msit.gov.pl
Received: from mx.msit.gov.pl ([77.252.152.34])
        by server.webvizarts.com with esmtp (Exim 4.83)
        (envelope-from <example@msit.gov.pl>)
        id 1YOS3G-0003eP-T2
        for example@webvizarts.com; Thu, 19 Feb 2015 15:26:03 +0100
Received: from msit.gov.pl (unknown [192.168.10.30])
        by mx.msit.gov.pl (Postfix) with ESMTPS id 5BE2F3B64
        for <example@webvizarts.com>; Thu, 19 Feb 2015 15:24:48 +0100 (CET)
Received: from EX3.sport.local (192.168.10.30) by EX3.sport.local
 (192.168.10.30) with Microsoft SMTP Server (TLS) id 15.0.1044.25; Thu, 19 Feb
 2015 15:22:45 +0100
Received: from EX3.sport.local ([fe80::b8ed:df29:c87:77d2]) by EX3.sport.local
 ([fe80::b8ed:df29:c87:77d2%15]) with mapi id 15.00.1044.021; Thu, 19 Feb 2015
 15:22:45 +0100
From: John Smith <example@msit.gov.pl>
To: Christopher Smith <example@webvizarts.com>
Subject: Re: Some sensitive subject
Thread-Topic: Some sensitive subject
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.168.0.102]
```
The title, mailbox names and people's names are obscured.

We have dovecot+exim on a Debian-based VPS.

We are looking for a solution to avoid that. Is the implementation on Gmail's side flawed, or can we do something about it?

Edit: according to a comment, it's forwarding mistakenly taken as importing.
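
An added example, not part of the original post: SPF is evaluated against the IP of the host that connects to the receiving server and the domain of the envelope sender, so this script traces the `Received` chain to find which hop owns the IP in `Received-SPF` and whether that host relayed the message with the sender's envelope address unchanged. The sample is constructed from the headers quoted above (trimmed); the function names and the hostname-suffix heuristic are assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: headers quoted in the question, trimmed and refolded.
SAMPLE = """\
Return-Path: <example@msit.gov.pl>
Received: from server.webvizarts.com (server.webvizarts.com . [188.40.153.39])
 by mx.google.com with ESMTPS id ge6si41332059wjd.24.2015.02.19.06.26.03
 for <example@gmail.com>; Thu, 19 Feb 2015 06:26:04 -0800 (PST)
Received-SPF: fail (google.com: domain of example@msit.gov.pl does not
 designate 188.40.153.39 as permitted sender) client-ip=188.40.153.39;
Received: from mx.msit.gov.pl ([77.252.152.34])
 by server.webvizarts.com with esmtp (Exim 4.83)
 (envelope-from <example@msit.gov.pl>) id 1YOS3G-0003eP-T2
 for example@webvizarts.com; Thu, 19 Feb 2015 15:26:03 +0100
"""

# Captures: announcing host, connecting IP, receiving host.
HOP = re.compile(r"from\s+(\S+)\s+\([^)]*?\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")

def flat(value):
    return " ".join(value.split())  # undo header folding

def in_domain(host, domain):
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def diagnose(raw):
    msg = message_from_string(raw)
    spf = flat(msg.get("Received-SPF", ""))
    ip = re.search(r"client-ip=([0-9A-Fa-f.:]+)", spf)
    client_ip = ip.group(1) if ip else None
    domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    chain = [m.groups() for m in map(HOP.search, map(flat, msg.get_all("Received", []))) if m]
    # Hop whose connecting IP is the one SPF was evaluated against.
    relay = next((h for h in chain if h[1] == client_ip), None)
    # An earlier hop received *by* that host means it relayed the message onward.
    upstream = relay and next((h for h in chain if h[2] == relay[0]), None)
    return {
        "spf": spf.split(" ", 1)[0].lower(),
        "client_ip": client_ip,
        "envelope_domain": domain,
        "relay": relay[0] if relay else None,
        "origin_ip": upstream[1] if upstream else None,
        "forwarded": bool(upstream) and not in_domain(relay[0], domain),  # heuristic
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

On the sample it reports `server.webvizarts.com` as the relay and `77.252.152.34` as the IP that originally delivered the message, which is the address the sender's SPF record would have to be compared with.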