Re: How to set up a SPF policy when emails are redirected through GNOME?


On Mon, Mar 21, 2016 at 3:37 PM, Andrea Veri <av gnome org> wrote:
2016-03-21 14:51 GMT+01:00 Jehan Pagès <jehan marmottard gmail com>:

For instance emails coming from which has a strict SPF
policy (-all) cannot reach me to or
Would anyone have any advice on how to properly keep SPF filtering
with emails coming through aliases on third-party servers (GNOME
servers in my case, but a general solution would be good)? For the
time being, I had to deactivate my SPF checks because that's really
not acceptable as it is now.

You are probably misunderstanding how SPF actually works behind the

It is highly possible and I am expecting to learn things. :-)

The DNS zone file has a TXT record containing a
relaxed SPF rule (v=spf1 mx ?all) which tells any mail server out
there to just go ahead and ignore the SPF check itself. On a related
note SPF records (through the TXT RR) are only consulted by the
recipient mail servers to find out whether the originating sender's
mail server is *allowed* to relay e-mails on behalf of a specific
domain. having a strict SPF policy rule won't affect the
e-mails you receive to your or addresses but will
only help recipient mail servers to discard any e-mail (having as the sending domain) originating from an IP / DNS not
listed on the SPF record published for the domain.

So I may be indeed misunderstanding something, but here is the exact
thing which happened:

- someone sent me an email on my alias.
- forwarded the email to my actual email
- my postfix server got a connection from (and not any
of IPs), for a message labelled as coming from a address, and therefore rejected the email because of
strict SPF records. It came back in error to
(then to the original sender who warned me with another
email directly to the final address, otherwise I would never have
known) with the error:

Message rejected due to: SPF fail - not authorized. Please see;id=XXX redhat com;ip=

Basically I understand my postfix installation checked that ( was not in the SPF records of, and since's SPF record is strict (-all), it
simply rejected this email coming from an unauthorized IP for a email. Except that was relaying this email
on behalf of me, the recipient, not on behalf of the sender.

Basically the problem here is that my personal server considered as sender server (which makes sense, since you cannot
trust headers, otherwise any spam server could as well just pretend to
be relaying from whatever IP is in a domain SPF record).

So you are right when you say it won't affect the email received on or But it affects it when I receive it on my
actual final address, since it appears always coming from from my server's point of view.

Only solution I seem to think of right now is to simply not do any
SPF check if the email is coming from Not sure if and
how it is possible to have selective SPF checks depending on the
sending server. Maybe you have a better solution?

Or do I really misunderstand something? Because what you wrote, that is
already what I think I understand of SPF.




Debian Developer,
Fedora / EPEL packager,
GNOME Infrastructure Team Coordinator,
GNOME Foundation Board of Directors Secretary,
GNOME Foundation Membership & Elections Committee Chairman


ZeMarmot open animation film
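
The rejection described in this message, and the selective check proposed as a workaround, shown as an added example that is not part of the original e-mail. The domains, SPF records, IP ranges and the `TRUSTED_FORWARDERS` list are constructed placeholders, and the forwarder is assumed to keep the original envelope sender unchanged.

```python
import ipaddress

# Constructed SPF records (documentation domains and ranges, not from the thread).
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 -all",    # strict policy
    "alias.example": "v=spf1 ip4:198.51.100.0/24 ?all",  # relaxed policy
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Hypothetical list of alias hosts the recipient has chosen to trust.
TRUSTED_FORWARDERS = [ipaddress.ip_network("198.51.100.0/24")]


def check_spf(client_ip, mail_from_domain, records=SPF_RECORDS):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record, left to right.

    Mechanisms that need DNS lookups (mx, a, include) are skipped here.
    The check uses the connecting IP and the envelope sender domain only.
    """
    record = records.get(mail_from_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULTS else ("+", term)
        if mech == "all":
            return RESULTS[qualifier]
        name, _, value = mech.partition(":")
        if name in ("ip4", "ip6") and ip.version == int(name[2]):
            if ip in ipaddress.ip_network(value, strict=False):
                return RESULTS[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all"


def accept(client_ip, mail_from_domain):
    """Recipient-side decision: skip SPF for trusted forwarders, else enforce it."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in TRUSTED_FORWARDERS):
        return True, "skipped: trusted forwarder"
    result = check_spf(client_ip, mail_from_domain)
    return result != "fail", result


if __name__ == "__main__":
    print(check_spf("192.0.2.10", "sender.example"))    # direct delivery
    print(check_spf("198.51.100.7", "sender.example"))  # same mail via the alias host
    print(accept("198.51.100.7", "sender.example"))     # with the exemption
    print(accept("203.0.113.5", "sender.example"))      # unknown host, still enforced
```

Exempting a forwarder means trusting whatever SPF filtering that host applied before relaying, since the final server no longer evaluates the original sender's policy for mail arriving from it.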
