On Thu, Apr 28, 2022 at 5:32 PM Mark Milhollan via mailop <mailop@mailop.org>
wrote:

> On Thu, 28 Apr 2022, Scott Mutter wrote:
>
> >configure your Gmail account to POP mail from that POP3 mailbox.  This
> >sidesteps the issues of SPF failing,
>
> It does not.  As recently discussed, Gmail plays a game of trying to
> guess whether SPF should have failed on a previous hop, rather than just
> the connected peer.  If they see a hop that accepted from a source that
> SPF does not authorize and if not an RFC1918 address or an IPv6 LLA the
> result is failure -- they don't accept the common indication of SMTP
> AUTH, e.g., ESMTPSA, likely to catch when leaked credentials are
> (ab)used, but it also "catches" roaming users.
>
>      Authentication-Results: mx.google.com; ... spf=fail ...
>      Received: from passes-spf ... by mx.google.com ...
>      Received: from not-within-spf-its-a-forking-cafe ... by passes-spf
> with ESMTPSA ...
>

This is only done for SMTP for Workspace messages coming through a
specified inbound gateway, where we know that the connecting smtp server
is not the IP to check.

And ESMTPSA is not any sort of validation.


> This is also done for messages fetched via POP with the result that some
> are given the spam label while some are skipped.
>
>    spam labeled (details in Gmail web MUA indicate SPF failure):
>
>      Delivered-To: m...@some.corp
>      Received: from not-within-spf-its-a-forking-cafe ... by
> mail.some.corp with ESMTPSA ...
>      From: <anot...@some.corp>
>      To: <m...@some.corp>
>
>    not saved, which seems the POP fetch equivalent of an SMTP reject:
>
>      Delivered-To: m...@some.corp
>      Received: from their-mta-within-spf ... by mail.some.corp with ESMTPS
> ...
>      Received: from not-within-spf-its-a-forking-cafe ... by
> their-mta-within-spf with ESMTPSA ...
>      From: <some...@another.corp>
>      To: <m...@some.corp>
>

Not sure what you're talking about, we don't drop messages that we POP
fetch.


>    spam labeled -- more verbose:
>
>     Original to be fetched:
>
>      Received: from BY5PR22MB1826.namprd22.prod.outlook.com
> (2603:10b6:a03:239::8) by BY5PR22MB2034.namprd22.prod.outlook.com with
> HTTPS; Wed, 20 Apr 2022 16:49:43 +0000
>      Authentication-Results: dkim=none (message not signed)
> header.d=none;dmarc=none action=none header.from=some.corp;
>      Received: from BY5PR22MB2034.namprd22.prod.outlook.com
> (2603:10b6:a03:230::13) by BY5PR22MB1826.namprd22.prod.outlook.com
> (2603:10b6:a03:239::8) with Microsoft SMTP Server (version=TLS1_2,
> cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5164.20; Wed, 20 Apr
> 2022 16:49:41 +0000
>      Received: from BY5PR22MB2034.namprd22.prod.outlook.com
> ([fe80::149a:1ce0:44a0:a16%6]) by BY5PR22MB2034.namprd22.prod.outlook.com
> ([fe80::149a:1ce0:44a0:a16%6]) with mapi id 15.20.5186.014; Wed, 20 Apr
> 2022 16:49:41 +0000
>      From: <m...@some.corp>
>      To: <anot...@some.corp>
>
>     As seen in Gmail web MUA (which indicates SPF failure):
>
>      Delivered-To: m...@gmail.com
>      Received: by 2002:a5d:860f:0:0:0:0:0 with SMTP id f15csp3628616iol;
> Wed, 20 Apr 2022 10:26:27 -0700 (PDT)
>      X-Google-Smtp-Source: [elided]
>      X-Received: by 2002:a05:620a:404e:b0:69e:a5db:22cb with SMTP id
> i14-20020a05620a404e00b0069ea5db22cbmr8513102qko.735.1650475587274; Wed, 20
> Apr 2022 10:26:27 -0700 (PDT)
>      Authentication-Results: mx.google.com; spf=softfail (google.com:
> domain of transitioning m...@some.corp does not designate
> 2603:10b6:a03:239::8 as permitted sender) smtp.mailfrom=m...@some.corp
>      Received-SPF: softfail (google.com: domain of transitioning
> m...@some.corp does not designate 2603:10b6:a03:239::8 as permitted sender)
> client-ip=2603:10b6:a03:239::8;
>      Received: by 2002:ac8:56fa:0:b0:2eb:a8b9:b77 with POP3 id
> 26-20020ac856fa000000b002eba8b90b77mf678417qtu.2; Wed, 20 Apr 2022 10:26:27
> -0700 (PDT)
>      X-Gmail-Fetch-Info: m...@some.corp 3 outlook.office365.com 995
> m...@some.corp
>      Received: from BY5PR22MB1826.namprd22.prod.outlook.com
> (2603:10b6:a03:239::8) by BY5PR22MB2034.namprd22.prod.outlook.com with
> HTTPS; Wed, 20 Apr 2022 16:49:43 +0000
>      Authentication-Results: dkim=none (message not signed)
> header.d=none;dmarc=none action=none header.from=some.corp;
>      Received: from BY5PR22MB2034.namprd22.prod.outlook.com
> (2603:10b6:a03:230::13) by BY5PR22MB1826.namprd22.prod.outlook.com
> (2603:10b6:a03:239::8) with Microsoft SMTP Server (version=TLS1_2,
> cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5164.20; Wed, 20 Apr
> 2022 16:49:41 +0000
>      Received: from BY5PR22MB2034.namprd22.prod.outlook.com
> ([fe80::149a:1ce0:44a0:a16]) by BY5PR22MB2034.namprd22.prod.outlook.com
> ([fe80::149a:1ce0:44a0:a16%6]) with mapi id 15.20.5186.014; Wed, 20 Apr
> 2022 16:49:41 +0000
>      From: <m...@some.corp>
>      To: <anot...@some.corp>
>

Hmm, that is unfortunate if it doesn't work with O365.  Also, wow, that a
company allows their employees to pop their email out of their corporate
account to an account the company doesn't control.


> Good thing I don't do the same silliness else a daily email I get from
> them would be rejected at end of DATA or dumped in my spam folder since
> "domain of u...@gmail.com does not designate 24.199.x.x as permitted
> sender" ...
>
>      Received: from mail...google.com by me with ESMTPS ...
>      Received: by mail...google.com with SMTP ...
>      Received: from smtpclient ([24.199.x.x]) by smtp.gmail.com with
> ESMTPSA ...
>

You're misunderstanding what's going on if you think this wouldn't pass the
algorithm I described.

Brandon
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
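
Added example, not part of the thread and not Gmail's actual algorithm: a diagnostic sketch that walks a message's Received chain from the top and reports the first public client IP that is not a known gateway, which is the address an SPF check would use when the connecting peer "is not the IP to check". The function names, the `trusted` parameter and the abridged sample headers are assumptions made for illustration.

```python
import email
import ipaddress
import re

FROM_RE = re.compile(r"^from\s+\S+\s+\(([^)]*)\)", re.I)

# Constructed sample: abridged from the fetched-message headers quoted above.
SAMPLE = """\
Received: by 2002:a5d:860f:0:0:0:0:0 with SMTP
Received: by 2002:ac8:56fa:0:b0:2eb:a8b9:b77 with POP3
Received: from BY5PR22MB1826.namprd22.prod.outlook.com (2603:10b6:a03:239::8)
 by BY5PR22MB2034.namprd22.prod.outlook.com with HTTPS
Received: from BY5PR22MB2034.namprd22.prod.outlook.com (2603:10b6:a03:230::13)
 by BY5PR22MB1826.namprd22.prod.outlook.com with Microsoft SMTP Server
Received: from BY5PR22MB2034.namprd22.prod.outlook.com
 ([fe80::149a:1ce0:44a0:a16%6]) by BY5PR22MB2034.namprd22.prod.outlook.com
 with mapi
From: <m...@some.corp>

body
"""

def client_ip(received):
    """Return the client IP named in one Received value, or None."""
    m = FROM_RE.match(" ".join(received.split()))  # unfold, then match
    if not m:
        return None  # "Received: by ... with POP3" has no from clause
    for token in m.group(1).split():
        candidate = token.strip("[]").split("%")[0]  # drop brackets, zone id
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            continue  # rDNS name, or an elided address such as 24.199.x.x
    return None

def ip_to_check(raw_message, trusted=()):
    """First public, non-trusted client IP in the chain, newest hop first."""
    trusted = {ipaddress.ip_address(t) for t in trusted}
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        ip = client_ip(value)
        # is_private covers RFC 1918 and other reserved ranges; fe80::/10 is LLA
        if ip is None or ip.is_private or ip.is_link_local or ip in trusted:
            continue
        return str(ip)
    return None

if __name__ == "__main__":
    print(ip_to_check(SAMPLE))
    print(ip_to_check(SAMPLE, trusted=["2603:10b6:a03:239::8"]))
```

With no trusted hops the result matches the `client-ip` in the quoted `Received-SPF` header; listing that address as a trusted gateway moves the check one hop further back.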
