I have a vanity domain (mydomain.com) hosted by Gandi and configured with mail aliases for my family that point to our respective Gmail addresses:
| Alias | Real address |
|---|---|
| [email protected] | [email protected] |
| [email protected] | [email protected] |
and so on.
Gmail is configured to send email as the vanity address and I also have an SPF record set up:

```
v=spf1 include:_spf.google.com include:_spf.gpaas.net include:_mailcust.gandi.net ?all
```
Although mail-tester.com reports that the SPF is set up correctly, it's possible to get a SOFTFAIL when sending an email from [anyone]@mydomain.com to [anyone else]@mydomain.com:
| Sent from | Sent to | SPF result of email |
|---|---|---|
| [email protected] | [email protected] | PASS |
| [email protected] | [email protected] | PASS |
| [email protected] | [email protected] | PASS |
| [email protected] | [email protected] | SOFTFAIL |
The headers when the email SOFTFAILs are as follows:
```
Delivered-To: [email protected]
ARC-Authentication-Results: i=1; mx.google.com;
spf=softfail (google.com: domain of transitioning [email protected] does not designate 2001:4b98:dc4:8::230 as permitted sender) [email protected]
Return-Path: <[email protected]>
Received: from relay10.mail.gandi.net (relay10.mail.gandi.net. [2001:4b98:dc4:8::230])
by mx.google.com with ESMTPS id w4-20020a05600018c400b0020ac7a84cb7si9021160wrq.441.2022.05.01.02.22.05
for <[email protected]>
(version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256);
Sun, 01 May 2022 02:22:06 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning [email protected] does not designate 2001:4b98:dc4:8::230 as permitted sender) client-ip=2001:4b98:dc4:8::230;
Authentication-Results: mx.google.com;
spf=softfail (google.com: domain of transitioning [email protected] does not designate 2001:4b98:dc4:8::230 as permitted sender) [email protected]
Received: from spool.mail.gandi.net (spool3.mail.gandi.net [217.70.178.212]) by relay.mail.gandi.net (Postfix) with ESMTPS id 51151240003 for <[email protected]>; Sun,
1 May 2022 09:22:05 +0000 (UTC)
X-Envelope-To: [email protected]
Received: from mail-lf1-f48.google.com (mail-lf1-f48.google.com [209.85.167.48]) by spool.mail.gandi.net (Postfix) with ESMTPS id 49A2CAC0C45 for <[email protected]>; Sun,
1 May 2022 09:22:04 +0000 (UTC)
Received: by mail-lf1-f48.google.com with SMTP id w19so20836346lfu.11
for <[email protected]>; Sun, 01 May 2022 02:22:04 -0700 (PDT)
Received: from smtpclient.apple (cpc1-sotn14-2-0-cust79.15-1.cable.virginm.net. [81.96.148.80])
by smtp.gmail.com with ESMTPSA id r7-20020a2e8e27000000b0024f3d1dae9asm761964ljk.34.2022.05.01.02.22.02
for <[email protected]>
(version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
Sun, 01 May 2022 02:22:02 -0700 (PDT)
From: Me <[email protected]>
To: My Brother <[email protected]>
Received-SPF: pass (spool3: domain of gmail.com designates 209.85.167.48 as permitted sender) client-ip=209.85.167.48; [email protected]; helo=mail-lf1-f48.google.com;
Authentication-Results: spool.mail.gandi.net; dkim=none; dmarc=none; spf=pass (spool.mail.gandi.net: domain of [email protected] designates 209.85.167.48 as permitted sender) [email protected]
```
Is there any way I can stop emails sent from mydomain.com to another address at mydomain.com failing SPF?
Best Answer
You can see that the mail was received from a Gandi server:
You can see that the Gandi servers are not authorized in the SPF record:
SPF checks against the `return-path` header, not the `mailfrom` header. The `return-path` is `[email protected]`. Therefore, gmail.com SPF records do not permit Gandi servers to send email using a `return-path` with gmail.com email addresses.

SPF is functioning normally. What you are seeing is an inherent weakness in the SPF protocol regarding mail forwarding. When mail is forwarded at the MTA (mail server) level, the `mailfrom` and `return-path` headers are not rewritten (nor should they be), but when the forwarded mail reaches the recipient's email server it is coming from the forwarding server, and not from the sender's original e-mail server. Therefore, the recipient's email server checks SPF and sees that the `return-path` domain does not authorize the forwarding email server to send mail.

Forwarding breaks SPF. Because you do not control the SPF records for the `gmail.com` domain, you cannot authorize Gandi servers to forward mail on Gmail's behalf. This is why SPF cannot be used, alone, to determine if mail is authorized or not.

You have four solutions (Options 1 and 2 require a paid Google Workspace account I believe):

- `return-path` header. Also add the Gmail servers to the SPF record for `mydomain.com`. For more information about sending email as an alias with Gmail see here: https://support.google.com/mail/answer/22370?hl=en
- `return-path` header to match the `mailfrom` header when it forwards email that is received from and destined to one of your email aliases.