Yahoo's recent DMARC policy change would seem likely to give you problems too, if any of your users have *@yahoo.com as their regular address. http://yahoomail.tumblr.com/post/82426900353/yahoo-dmarc-policy-change-what-... Regards Brian Carpenter On 18/04/2014 17:01, Richard Hector wrote:

Hi all,

I'm in an organisation that uses a forwarding mailserver to give (some) members user(a)organisation email addresses, which get forwarded to their regular address.

The trouble is, I have SPF on my domain, and one at least of the receiving MTAs checks it, and my mail gets rejected as a consequence.

What's the best solution?

Do I (and anybody else who might mail us) need to turn off SPF, or make it less strict?

Does the forwarding server need to remail rather than forward?

Do we need to persuade the receiving mail admins to whitelist our forwarder (there could be many others)?

Should the organisation mailserver just operate an IMAP/POP/Webmail service rather than forwarding, so that this never arises (my favourite)?

Any tips?

Thanks, Richard _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

In my experience, your options are 1) Don't allow forwarding through to any platform that enforces SPF, or 2) Don't allow forwarding at all, or 3) Require your forwarding system to also rewrite the envelope-sender. The following may be of interest: based on a cursory google search, http://www.openspf.org/FAQ/Forwarding http://www.openspf.org/SRS may be of interest. I've personally seen entirely legitimate SPF implementations break entirely legitimate mail forwarding arrangements. Interestingly there doesn't appear to be a single agreed resolution to this, short of simply not forwarding. Google for 'Forwarded Email SPF' and note the general thrust of many of the results. Good luck, Mark. On Fri, April 18, 2014 5:01 pm, Richard Hector wrote:

Hi all,

I'm in an organisation that uses a forwarding mailserver to give (some) members user(a)organisation email addresses, which get forwarded to their regular address.

The trouble is, I have SPF on my domain, and one at least of the receiving MTAs checks it, and my mail gets rejected as a consequence.

What's the best solution?

Do I (and anybody else who might mail us) need to turn off SPF, or make it less strict?

Does the forwarding server need to remail rather than forward?

Do we need to persuade the receiving mail admins to whitelist our forwarder (there could be many others)?

Should the organisation mailserver just operate an IMAP/POP/Webmail service rather than forwarding, so that this never arises (my favourite)?

Any tips?

Thanks, Richard _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

On 18 Apr 2014, at 15:01, Richard Hector wrote:

I'm in an organisation that uses a forwarding mailserver to give (some) members user(a)organisation email addresses, which get forwarded to their regular address.

The trouble is, I have SPF on my domain, and one at least of the receiving MTAs checks it, and my mail gets rejected as a consequence.

What's the best solution?

Rewrite the ‘Sender’ and ‘Return-Path’ headers to be something like bounces(a)organisation, while still leaving the original ‘From’ header intact.