Results 1 to 3 of 3

Thread: SPF fail on auto forwards

  1. #1
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    4,183

    SPF fail on auto forwards

    We have SPF and DKIM and DMARC for our domain installed.

    When we send mail to our customers it will function just fine. Except when there are forwarders made, an SPF fail will occure.
    We see this in Google DMARC reports and it's only 1 fail, the rest of the report is all pass.

    Code:
         <count>1</count>
          <policy_evaluated>
            <disposition>none</disposition>
            <dkim>pass</dkim>
            <spf>fail</spf>
          </policy_evaluated>
    This is happening when we send mail to a an e-mail adress of a customer. The customer has the e-mail address present on the server, but also made a forward to here Gmail address for it.
    The customers account ofcourse also has SPF and DKIM present.

    So when arriving there, Gmail will discover that my domain is not allowed to send mail in behalve of customers domain and will fail SPF.

    I don't know if this is causing issues some how, since in the full report everything else (also DKIM) is pass, also for her domein which is mentioned.

    Does this need fixing for forwards some way? Or can this safely be ignored?
    Greetings, Richard.

  2. #2
    Join Date
    Jan 2004
    Posts
    191
    Quote Originally Posted by Richard G View Post
    We have SPF and DKIM and DMARC for our domain installed.

    When we send mail to our customers it will function just fine. Except when there are forwarders made, an SPF fail will occure.
    We see this in Google DMARC reports and it's only 1 fail, the rest of the report is all pass.

    Code:
         <count>1</count>
          <policy_evaluated>
            <disposition>none</disposition>
            <dkim>pass</dkim>
            <spf>fail</spf>
          </policy_evaluated>
    This is happening when we send mail to a an e-mail adress of a customer. The customer has the e-mail address present on the server, but also made a forward to here Gmail address for it.
    The customers account ofcourse also has SPF and DKIM present.

    So when arriving there, Gmail will discover that my domain is not allowed to send mail in behalve of customers domain and will fail SPF.

    I don't know if this is causing issues some how, since in the full report everything else (also DKIM) is pass, also for her domein which is mentioned.

    Does this need fixing for forwards some way? Or can this safely be ignored?
    it is problem in the setup of your customer.
    You have the right to protect your domain and you have just do this. If you change your setup to allow this then can someone send messages with your email in from lot easier

  3. #3
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    4,183
    Please don't quote full messages if you reply direct below it. No need to quote then anyway

    it is problem in the setup of your customer.
    Hmmzzz.. I highly doubt that.
    Every customer has SPF and DKIM in their DNS and that's good practice. It normally bad when others could send messages in your behalve, that's just why SPF and DKIM is preventing this as spam protection.
    DA sets this automatically so user did nothing wrong anyway.

    It's probably working as designed because in the complete report her part is all "pass".

    I did some more searching and indeed it's working as designed, found this kind of answer in multiple places.

    SPF was designed to validate the identity of the server delivering the message, by matching the envelope return address against the server's IP. In order for that to work, it is necessary for any relays to change the return address. As a result, SPF can only be used to validate the identity of the sender in direct delivery, not with forwarded messages.

    Because SPF cannot be used to validate the sender's identity in forwarded messages, it will always show as failed for DMARC purposes on those messages, even when it passes for message delivery It is perfectly expected and normal behaviour.
    So it's correct that SPF fails on that 1 instance (arriving at Gmail) and pass on everything else (arriving at my server) and also DKIM and DMARC pass in everything.
    So all is working fine and working as designed.

    We can safely ignore that one fail.

    But thank you for answering.
    Greetings, Richard.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •