5

I'm thinking of adding an SPF to a domain. So I'm concerned if there are circumstances under which my MTA would use some relay when sending mail. Like, when the destination servers are too busy or something? I'm mainly interested in postfix's or exim's default settings.

x-yuri
  • On the sending side MTAs can use long chains of relays; that's typical in an enterprise setting, passing through site-local installations, enterprise gateways, spam filters and possibly a public cloud/ISP service for sending. The chain is however configured or enforced privately. Once the public MTA sends, it only picks a primary or secondary MX. It is not uncommon to use secondary MXs of your provider and your filtering must deal with it. It is however something you configure with your MX DNS records, so it is configured by the recipient admins. – eckes Mar 30 '19 at 20:34

3 Answers

13

No, if you don't configure any relay (and don't fiddle around on the network layer), an MTA will try to deliver to whatever DNS says should get the mail.

Sven
  • Can you please check out the other [answer](https://serverfault.com/a/962895/162443)? The answers differ because yours targets part of the way from sending MTA to MX-server, and the other one from MX-server to the destination server (those last two might apparently match)? In other words, sending MTA would not use a relay unless told so, but after reaching MX-server an email might be relayed or forwarded elsewhere, is this it? Or the other answer is incorrect? – x-yuri Apr 17 '19 at 19:47
  • My answer deals with your question as written (and is correct as such :)). The other answer takes a step back, looks at the whole picture and explains why having an SPF record and no "accidental relay" is not necessarily enough to guarantee mail delivery. It's a good answer that raises important points, but in a strict sense, it doesn't correctly answer your question as written (but again: it's a good answer, don't ignore it). – Sven Apr 17 '19 at 21:58
  • The thing is: Mail is a mess, and "modern" additions like SPF, DKIM or DMARC have a tendency to create new problems that require us to consider a wider view than originally necessary. Traditionally, a mail server would drop off mail at the remote MX and it didn't need to care at all what happens afterwards. SPF can make this important again. – Sven Apr 17 '19 at 21:59
4

I'm concerned if there are circumstances under which my MTA would use some relay when sending mail.

No. Your server will attempt to send email to the server whose host is described by the MX record(s) for the destination domain.

joeqwerty
3

Of course there is. If you send mail from an address x-yuri@example.com and the recipient is john@nice-domain.com, you don't know whether it will relay that mail. You will often see the situation that the mail finally lands in john.priv@google.com and you will get a report from google.com reporting a quarantined message because of SPF failure.

This is why you always need DMARC and DKIM, and SPF is your backup mechanism for (rare) cases when DKIM fails on you. A good description is in chapter 1 and 2 of RFC 7489 (DMARC).

kubanczyk
  • Isn't what you're talking about forwarding, not relaying? – x-yuri Apr 15 '19 at 11:37
  • @x-yuri You're right. Since these situations are indistinguishable and I think relevant in your scenario, I've reframed your question. – kubanczyk Apr 15 '19 at 13:56
  • AFAICT, the question and the other answers are about the sending side. Changing the question would invalidate the answers. Or not? But we can probably have a tangential answer. Although I have questions. You're talking about forwarding alone, or both (forwarding + relaying)? "Does SPF [break](https://web.archive.org/web/20180729152252/http://www.openspf.org/FAQ/Forwarding) forwarding? Yes, but only if the receiver checks SPF without understanding their mail receiving architecture." Can't I rely on most of the receivers to behave properly? – x-yuri Apr 15 '19 at 19:51
  • Let it be a tangential answer. Forwarding is a real concern for a sender who wants to avoid phishing attempts. Re-mailing is not even an option nowadays - you are using outdated docs. What you probably need to read is chapter 1 and 2 of [RFC 7489](https://tools.ietf.org/html/rfc7489) (DMARC). – kubanczyk Apr 15 '19 at 20:48
  • I'm really not sure what those two chapters were supposed to explain. I've set up SPF, DKIM and DMARC for a couple of domains lately. Let's put things straight. We're talking about a part of the path where an email has reached the `MX`-server? Do your concerns have to do with forwarding, or both? Also, I'm surprised the other answers have received so many upvotes if what you're saying is true. Is this because of the way I have worded the question? The other answers are about a part of the way where an email hasn't reached the `MX`-server? @Sven @joeqwerty Can you confirm? – x-yuri Apr 16 '19 at 11:13
  • Exactly, my answer considers what can go wrong after your message reaches the MX-server (and could prevent it from being correctly displayed in a mail client if DKIM fails to verify). – kubanczyk Apr 16 '19 at 13:39
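To make the forwarding problem from kubanczyk's answer concrete, here is an added example that is not from this thread or from any MTA's code: a minimal SPF evaluator (ip4/ip6/all mechanisms only, no DNS) run once for the direct hop from the sender's MTA and once for the hop from the forwarding MX. The SPF record, the IP addresses and the function names are constructed assumptions.

```python
# Added example (not from the ServerFault thread): why plain forwarding breaks SPF.
# Assumptions: the SPF record is passed in as a string (no DNS lookups) and only
# the ip4/ip6/all mechanisms are implemented; every address below is constructed.
import ipaddress

def evaluate_spf(record: str, client_ip: str) -> str:
    """Return 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror' for
    client_ip checked against a record such as 'v=spf1 ip4:203.0.113.0/24 -all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qual = "+"                          # default qualifier is '+' (pass)
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":                   # 'all' always matches
            return qualifiers[qual]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"          # malformed address or prefix
            if ip.version == net.version and ip in net:
                return qualifiers[qual]
        # a, mx, include, exists, ... would need DNS; treated as no match here
    return "neutral"                        # nothing matched and no 'all' term

# Constructed record: example.com only authorises its own MTA's network.
EXAMPLE_COM_SPF = "v=spf1 ip4:203.0.113.0/24 -all"

def forwarding_scenario() -> dict:
    """Plain forwarding keeps MAIL FROM as x-yuri@example.com, but the final
    receiver sees the forwarding MX's IP, which example.com never authorised."""
    sending_mta = "203.0.113.10"   # example.com's MTA, connecting to nice-domain.com's MX
    forwarder = "192.0.2.77"       # nice-domain.com's MX, forwarding on to the final mailbox
    return {
        "direct": evaluate_spf(EXAMPLE_COM_SPF, sending_mta),     # 'pass'
        "forwarded": evaluate_spf(EXAMPLE_COM_SPF, forwarder),    # 'fail'
    }

if __name__ == "__main__":
    print(forwarding_scenario())
```

The "forwarded" result is what the final receiver reports back as an SPF failure; a DKIM signature on the message body survives the extra hop, which is why the answer treats SPF as the fallback rather than the primary check.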