[GLLUG] OT: GMail handling SPF records of forwarded messages

Peter Grant grantpe at gmail.com
Wed May 18 20:43:27 UTC 2016 

On 18 May 2016 at 03:30, gvim via GLLUG <gllug at mailman.lug.org.uk> wrote:
> Can anyone explain GMail's confusing handling of this SPF/forwarding
> scenario?
>
> Email for:
>
> jane at surname.uk.com
>
> ... is forwarded via her domain host 123-Reg to:
>
> jane.surname at gmail.com
>
> .... which works fine for several years until she begins work at the NHS and
> finds staff using @nhs.net email addresses cannot get messages through to
> her via jane at surname.uk.com resulting in this bounce:
>
> **************************************************
> A message that you sent has not yet been delivered to one or more of its
> recipients after more than 6 hours on the queue on smtp02.mailcore.me.
>
> The message identifier is:     1b2glo-0004Lq-JX
> The date of the message is:    Tue, 17 May 2016 16:11:40 +0100
> The subject of the message is: Test on Tuesday 17 May
>
> The address to which the message has not yet been delivered is:
>
> jane.surname at gmail.com
>    (generated from jane at surname.uk.com)
>    Delay reason: SMTP error from remote mail server after end of data:
>    host alt3.gmail-smtp-in.l.google.com [64.233.189.26]:
>    421-4.7.0 [94.136.40.64      15] The SPF record of the sending domain has
> one or
>    421-4.7.0 more suspicious entries. To protect our users from spam, mail
> sent
>    421-4.7.0 from your IP address has been temporarily rate limited. Please
> visit
>    421-4.7.0 https://support.google.com/mail/answer/81126#authentication for
> more
>    421 4.7.0 information. s69si16983236ita.53 - gsmtp
> *******************************************************
>
> 94.136.40.64 is the IP of one of 123-Reg's mailservers at mailcore.me but
> the bounce refers to this IP in the context of "the sending domain" which
> would be nhs.net. This is what's confusing me as the NHS admins assured Jane
> that there is nothing wrong with their SPF records.
>
> I setup an SPF record for surname.uk.com at 123-Reg but it hasn't altered
> the problem with @nhs.net emails. A further complication is that emails from
> other origins are getting through to jane at surname.uk.com.
>
> Any ideas?
>
> gvim
>
>

Yes. For use with SPF records this is correct behavior if the SPF
record specifies a 'hard fail'. If relay servers weren't counted it
would be a massive, easy SPAM loophole. Yes, that means forwarders are
broken, unless they resend the message as 'xyz at yourdomain.com on
behalf of sender at sendersdomain.com'.
Weirdly Gmail and Yahoo presently process SPF records differently -
Yahoo seems to treat both 'hard' and 'soft' fails the same and Gmail
doesn't completely block soft fails - just more likely to filter it to
the SPAM folder.

Yes, that sucks.
Peter

More information about the GLLUG mailing list