Gmail – How to Stop SPF SOFTFAIL with Mail Alias

gmailspf

I have a vanity domain (mydomain.com) hosted by Gandi and configured with mail aliases for my family that point to our respective Gmail addresses:

Alias	Real address
[email protected]	[email protected]
[email protected]	[email protected]

and so on.

Gmail is configured to send email as the vanity address and I also have a SPF record set up:

v=spf1 include:_spf.google.com include:_spf.gpaas.net include:_mailcust.gandi.net ?all

Although mail-tester.com reports that the SPF is set up correctly, it's possible to get a SOFTFAIL when sending an email from [anyone]@mydomain.com to [anyone else]@mydomain.com:

Sent from	Sent to	SPF result of email
[email protected]	[email protected]	PASS
[email protected]	[email protected]	PASS
[email protected]	[email protected]	PASS
[email protected]	[email protected]	SOFTFAIL

The headers when the email SOFTFAILs is as follows:

Delivered-To: [email protected]
ARC-Authentication-Results: i=1; mx.google.com;
       spf=softfail (google.com: domain of transitioning [email protected] does not designate 2001:4b98:dc4:8::230 as permitted sender) [email protected]
Return-Path: <[email protected]>
Received: from relay10.mail.gandi.net (relay10.mail.gandi.net. [2001:4b98:dc4:8::230])
        by mx.google.com with ESMTPS id w4-20020a05600018c400b0020ac7a84cb7si9021160wrq.441.2022.05.01.02.22.05
        for <[email protected]>
        (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256);
        Sun, 01 May 2022 02:22:06 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning [email protected] does not designate 2001:4b98:dc4:8::230 as permitted sender) client-ip=2001:4b98:dc4:8::230;
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning [email protected] does not designate 2001:4b98:dc4:8::230 as permitted sender) [email protected]
Received: from spool.mail.gandi.net (spool3.mail.gandi.net [217.70.178.212]) by relay.mail.gandi.net (Postfix) with ESMTPS id 51151240003 for <[email protected]>; Sun,
  1 May 2022 09:22:05 +0000 (UTC)
X-Envelope-To: [email protected]
Received: from mail-lf1-f48.google.com (mail-lf1-f48.google.com [209.85.167.48]) by spool.mail.gandi.net (Postfix) with ESMTPS id 49A2CAC0C45 for <[email protected]>; Sun,
  1 May 2022 09:22:04 +0000 (UTC)
Received: by mail-lf1-f48.google.com with SMTP id w19so20836346lfu.11
        for <[email protected]>; Sun, 01 May 2022 02:22:04 -0700 (PDT)
Received: from smtpclient.apple (cpc1-sotn14-2-0-cust79.15-1.cable.virginm.net. [81.96.148.80])
        by smtp.gmail.com with ESMTPSA id r7-20020a2e8e27000000b0024f3d1dae9asm761964ljk.34.2022.05.01.02.22.02
        for <[email protected]>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Sun, 01 May 2022 02:22:02 -0700 (PDT)
From: Me <[email protected]>
To: My Brother <[email protected]>
Received-SPF: pass (spool3: domain of gmail.com designates 209.85.167.48 as permitted sender) client-ip=209.85.167.48; [email protected]; helo=mail-lf1-f48.google.com;
Authentication-Results: spool.mail.gandi.net; dkim=none; dmarc=none; spf=pass (spool.mail.gandi.net: domain of [email protected] designates 209.85.167.48 as permitted sender) [email protected]

Is there any way I can stop emails sent from mydomain.com to another address at mydomain.com failing SPF?

Best Answer

You can see that the mail was received from a Gandi server:

Received: from relay10.mail.gandi.net (relay10.mail.gandi.net. [2001:4b98:dc4:8::230])

You can see that the Gandi servers are not authorized in the SPF record:

Received-SPF: softfail (google.com: domain of transitioning [email protected] does not designate 2001:4b98:dc4:8::230 as permitted sender)

SPF checks against the return-path header. Not the mailfrom header. The return-path is [email protected]. Therefore, gmail.com SPF records do not permit Gandi servers to send email using a return-path with gmail.com email addresses.

SPF is functioning normally. What you are seeing is an inherent weakness in the SPF protocol regarding mail forwarding. When mail is forwarded at the MTA (mail server) level, the mailfrom and return-path headers are not rewritten (nor should they be), but when the forwarded mail reaches the recipient's email server it is coming from the forwarding server, and not from the sender's original e-mail server. Therefore, the recipient's email server checks SPF and sees that the return-path domain does not authorize the forwarding email server to send mail.

Forwarding breaks SPF. Because you do not control the SPF records for the gmail.com domain, you can not authorize Gandi servers to forward mail on gmail's behalf. This is why SPF cannot be used, alone, to determine if mail is authorized or not.

You have four solutions (Options 1 and 2 require a paid Google workspace account I believe):

Make sure that when you send email from gmail using an alias email address, that it also uses the email alias in the return-path header. Also add the gmail servers to the SPF record for mydomain.com. For more information about sending email as an alias with gmail see here: https://support.google.com/mail/answer/22370?hl=en
Configure your MX records and gmail so that email destined to your alias is sent directly to gmail's servers and in to your inbox, rather than forwarding them through a third party.
Receive email destined to your alias email address at the third party, instead of forwarding the message. Then configure Gmail to collect that email from the third party using the Import emails from my other account (POP3) option in gmail.
If you have control over the behavior of the forwarding email server, you could create a rule that re-writes the return-path header to match the mailfrom header when it forwards email that is received from and destined to one of your email aliases.

Best Answer

Related Solutions

Yahoo flagging mail as spam when using relay server

SPF hardfail and DKIM failure when recipient has e-mail forwarding

Related Topic