SPF and mail forwarding, best practice?
Hi all,

I'm in an organisation that uses a forwarding mailserver to give (some) members user(a)organisation email addresses, which get forwarded to their regular address.

The trouble is, I have SPF on my domain, and one at least of the receiving MTAs checks it, and my mail gets rejected as a consequence.

What's the best solution?

Do I (and anybody else who might mail us) need to turn off SPF, or make it less strict?

Does the forwarding server need to remail rather than forward?

Do we need to persuade the receiving mail admins to whitelist our forwarder (there could be many others)?

Should the organisation mailserver just operate an IMAP/POP/Webmail service rather than forwarding, so that this never arises (my favourite)?

Any tips?

Thanks,
Richard

Yahoo's recent DMARC policy change would seem likely to give you problems too, if any of your users have *@yahoo.com as their regular address.

http://yahoomail.tumblr.com/post/82426900353/yahoo-dmarc-policy-change-what-...

Regards
Brian Carpenter

On 18/04/2014 17:01, Richard Hector wrote:
> Hi all,
>
> I'm in an organisation that uses a forwarding mailserver to give (some) members user(a)organisation email addresses, which get forwarded to their regular address.
>
> The trouble is, I have SPF on my domain, and one at least of the receiving MTAs checks it, and my mail gets rejected as a consequence.
>
> What's the best solution?
>
> Do I (and anybody else who might mail us) need to turn off SPF, or make it less strict?
>
> Does the forwarding server need to remail rather than forward?
>
> Do we need to persuade the receiving mail admins to whitelist our forwarder (there could be many others)?
>
> Should the organisation mailserver just operate an IMAP/POP/Webmail service rather than forwarding, so that this never arises (my favourite)?
>
> Any tips?
>
> Thanks,
> Richard
> _______________________________________________
> NZNOG mailing list
> NZNOG(a)list.waikato.ac.nz
> http://list.waikato.ac.nz/mailman/listinfo/nznog

Oops wait - I mean if the *sender* has a yahoo address and the recipient's mail system checks the DMARC policy.

Regards
Brian

On 18/04/2014 17:21, Brian E Carpenter wrote:
> Yahoo's recent DMARC policy change would seem likely to give you problems too, if any of your users have *@yahoo.com as their regular address.
>
> http://yahoomail.tumblr.com/post/82426900353/yahoo-dmarc-policy-change-what-...
>
> Regards
> Brian Carpenter
>
> On 18/04/2014 17:01, Richard Hector wrote:
>> Hi all,
>>
>> I'm in an organisation that uses a forwarding mailserver to give (some) members user(a)organisation email addresses, which get forwarded to their regular address.
>>
>> The trouble is, I have SPF on my domain, and one at least of the receiving MTAs checks it, and my mail gets rejected as a consequence.
>>
>> What's the best solution?
>>
>> Do I (and anybody else who might mail us) need to turn off SPF, or make it less strict?
>>
>> Does the forwarding server need to remail rather than forward?
>>
>> Do we need to persuade the receiving mail admins to whitelist our forwarder (there could be many others)?
>>
>> Should the organisation mailserver just operate an IMAP/POP/Webmail service rather than forwarding, so that this never arises (my favourite)?
>>
>> Any tips?
>>
>> Thanks,
>> Richard

In my experience, your options are

1) Don't allow forwarding through to any platform that enforces SPF, or
2) Don't allow forwarding at all, or
3) Require your forwarding system to also rewrite the envelope-sender.

The following may be of interest:

based on a cursory google search,
http://www.openspf.org/FAQ/Forwarding
http://www.openspf.org/SRS
may be of interest.

I've personally seen entirely legitimate SPF implementations break entirely legitimate mail forwarding arrangements.

Interestingly there doesn't appear to be a single agreed resolution to this, short of simply not forwarding.

Google for 'Forwarded Email SPF' and note the general thrust of many of the results.

Good luck,
Mark.

On Fri, April 18, 2014 5:01 pm, Richard Hector wrote:
> Hi all,
>
> I'm in an organisation that uses a forwarding mailserver to give (some) members user(a)organisation email addresses, which get forwarded to their regular address.
>
> The trouble is, I have SPF on my domain, and one at least of the receiving MTAs checks it, and my mail gets rejected as a consequence.
>
> What's the best solution?
>
> Do I (and anybody else who might mail us) need to turn off SPF, or make it less strict?
>
> Does the forwarding server need to remail rather than forward?
>
> Do we need to persuade the receiving mail admins to whitelist our forwarder (there could be many others)?
>
> Should the organisation mailserver just operate an IMAP/POP/Webmail service rather than forwarding, so that this never arises (my favourite)?
>
> Any tips?
>
> Thanks,
> Richard

Thanks all.

On 18/04/14 17:24, Brian E Carpenter wrote:
> oops wait - I mean if the *sender* has a yahoo address and
> the recipient's mail system checks the DMARC policy.
>
> Regards
> Brian
>
> On 18/04/2014 17:21, Brian E Carpenter wrote:
>> Yahoo's recent DMARC policy change would seem likely to give you problems too, if any of your users have *@yahoo.com as their regular address.
>>
>> http://yahoomail.tumblr.com/post/82426900353/yahoo-dmarc-policy-change-what-...

Yep, that looks like a very similar issue.

On 18/04/14 18:00, Mark Foster wrote:
> In my experience, your options are
>
> 1) Don't allow forwarding through to any platform that enforces SPF, or
> 2) Don't allow forwarding at all, or
> 3) Require your forwarding system to also rewrite the envelope-sender.
>
> The following may be of interest:
>
> based on a cursory google search,

I'd found the first link but not the second.

It occurred to me afterwards that remailing need not be as intrusive as I'd thought - just rewriting the envelope sender, and possibly adding a Sender header should be enough; the From and Reply-to headers should be ok as they are, right?

I'm slightly unclear as to what SPF is asserting - is it just the envelope sender?

Anyway, it seems like the plan is to use the option I said I preferred anyway - put an IMAP/POP/Webmail server within the organisation, which probably means outgoing mail will go through it as well, which is a good thing too.

Richard

On 18 Apr 2014, at 15:01, Richard Hector
> I'm in an organisation that uses a forwarding mailserver to give (some) members user(a)organisation email addresses, which get forwarded to their regular address.
>
> The trouble is, I have SPF on my domain, and one at least of the receiving MTAs checks it, and my mail gets rejected as a consequence.
>
> What's the best solution?

Rewrite the ‘Sender’ and ‘Return-Path’ headers to be something like bounces(a)organisation, while still leaving the original ‘From’ header intact.

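As an added illustration of the envelope-sender rewriting discussed in this thread (not code from any of the posters or from the SPF or SRS projects), the sketch below evaluates SPF for a direct delivery, a plain forward and a forward with a rewritten envelope sender. The domains, IP addresses, secret, day number and function names are constructed for the example, and the rewrite follows the SRS0 address layout in simplified form (hex tag, no timestamp expiry check).

```python
import hashlib, hmac, ipaddress

# Constructed SPF policies (stand-ins for DNS TXT records; documentation ranges only).
SPF = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "organisation.example": "v=spf1 ip4:198.51.100.25 -all",
}
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(client_ip, mail_from):
    """SPF result for the envelope sender (MAIL FROM) domain; ip4/all mechanisms only."""
    record = SPF.get(mail_from.rsplit("@", 1)[1].lower())
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULT else ("+", term)
        if mech == "all" or (mech.startswith("ip4:")
                             and ip in ipaddress.ip_network(mech[4:], strict=False)):
            return RESULT[qualifier]
    return "neutral"

def _tag(secret, ts, domain, user):
    # Keyed hash so that only the forwarder can mint valid rewritten addresses.
    msg = f"{ts}={domain}={user}".lower().encode()
    return hmac.new(secret, msg, hashlib.sha1).hexdigest()[:8]

def srs_forward(mail_from, forwarder_domain, secret, day):
    """Rewrite the envelope sender into the forwarder's domain (SRS0-style layout)."""
    user, domain = mail_from.rsplit("@", 1)
    ts = B32[(day % 1024) >> 5] + B32[day % 32]  # 10-bit day stamp, two characters
    return f"SRS0={_tag(secret, ts, domain, user)}={ts}={domain}={user}@{forwarder_domain}"

def srs_reverse(address, secret):
    """Map a bounce back to the original sender; None if the tag is not ours."""
    parts = address.rsplit("@", 1)[0].split("=", 4)
    if len(parts) != 5 or parts[0] != "SRS0":
        return None
    _, tag, ts, domain, user = parts
    if not hmac.compare_digest(tag.encode(), _tag(secret, ts, domain, user).encode()):
        return None  # forged or altered address: do not relay the bounce
    return f"{user}@{domain}"

def scenarios(secret=b"constructed-secret", day=16178):
    sender, fwd_ip = "richard@sender.example", "198.51.100.25"
    rewritten = srs_forward(sender, "organisation.example", secret, day)
    return {"direct": spf_check("192.0.2.10", sender),
            "plain_forward": spf_check(fwd_ip, sender),
            "srs_forward": spf_check(fwd_ip, rewritten),
            "bounce_to": srs_reverse(rewritten, secret)}
```

SPF here authenticates only the envelope sender, which is why the rewrite leaves the From header alone; a DMARC check on that From domain gains nothing from the rewritten SPF pass and depends on the sender's DKIM signature surviving the forward.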
participants (4)

- Brian E Carpenter
- Jeremy Visser
- Mark Foster
- Richard Hector