On 17 October 2017 at 03:40, Viktor Dukhovni <postfix-us...@dukhovni.org>
wrote:

> On Mon, Oct 16, 2017 at 10:05:07PM -0400, J Doe wrote:
>
> > My questions are:
> >
> > 1.  When using Postfix and virtual domain hosting in this fashion, is
> > there any way to pass SPF when mail from a sending account is forwarded
> > to another host (ie: Gmail) ?
>
> This requires SRS, and fairly effective anti-spam filters.  Much
> simpler to not support forwarding.
>

or just don't worry about it

>
> > 2. Do I need to be concerned with a SPF SOFTFAIL from GMail when the same
> > message generates a pass for DKIM (I have OpenDKIM configured and running
> > correctly), and DMARC ?  In this case, does a SPF SOFTFAIL but a DKIM and
> > DMARC pass mean that SPF is always discounted and the mail won't be
> > quarantined ?
>
> When the sending domain has both SPF and DKIM, you may be fine, as
> Google should be able to figure out that the message is a real
> hotmail message relayed through your system.  However, much depends
> on the details of the upstream DKIM signature and how it is processed
> by Gmail.
>
> Domains that only publish SPF pose a more significant issue.
>

With DMARC, either an SPF pass or a DKIM pass will result in overall pass
(subject to alignment). If there is no DMARC, or DMARC p=none, neither SPF
nor DKIM failure should lead to rejection by Gmail. With DMARC
p=quarantine, Gmail puts an email that fails SPF and DKIM into spam.

So it is only really an issue if the sender domain has DMARC p=reject
policy and uses SPF without DKIM, but in my experience (with almost
identical setup to OP) this is very rare.

Also, as Viktor's reply hints, there can be edge cases where an incoming
mail passes DKIM at our server but fails DKIM at Gmail - again these are
very rare (I am aware of one domain - with DMARC p=reject policy - some of
whose marketing emails, but nothing important, fall into this category).
Why this happens I don't know, presumably as Viktor says there is some
difference between opendkim and Gmail's dkim implementation.

For forwarding to Gmail I recommend opendmarc (as well as opendkim) on your
server, this can block some 'bad' incoming emails before they get sent on
to Gmail and damage your server's reputation.  And decent spam filtering -
I use lots of rbls as well as amavisd-new (which uses spamassassin but with
bayesian tests disabled because there can be no ham/spam learning).
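
As an added illustration (not part of the original message, and not code from Postfix, opendkim or opendmarc), the sketch below models the DMARC decision discussed in this thread for mail relayed through a forwarder. The domains, the `Msg` type and the two-label organizational-domain shortcut are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels; real evaluators
    # consult the Public Suffix List (needed for e.g. example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    # mode is the DMARC aspf/adkim value: "r" (relaxed) or "s" (strict)
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class Msg:
    from_domain: str                     # RFC5322.From domain
    mailfrom_domain: str                 # envelope sender domain checked by SPF
    spf: str                             # SPF result seen by the final receiver
    dkim: List[Tuple[str, str]] = field(default_factory=list)  # (result, d=)
    policy: Optional[str] = None         # published p=, None if no DMARC record
    aspf: str = "r"
    adkim: str = "r"

def dmarc(m: Msg) -> str:
    if m.policy is None:
        return "no-policy"
    spf_ok = m.spf == "pass" and aligned(m.mailfrom_domain, m.from_domain, m.aspf)
    dkim_ok = any(r == "pass" and aligned(d, m.from_domain, m.adkim) for r, d in m.dkim)
    return "pass" if (spf_ok or dkim_ok) else "fail:" + m.policy

# Constructed scenarios: mail from sender.example forwarded via forwarder.example.
SCENARIOS = {
    "plain forward, DKIM survives": Msg("sender.example", "sender.example", "softfail",
                                        [("pass", "sender.example")], "reject"),
    "plain forward, SPF-only sender": Msg("sender.example", "sender.example", "softfail",
                                          [], "reject"),
    "SRS forward, SPF-only sender": Msg("sender.example", "forwarder.example", "pass",
                                        [], "reject"),
    "SPF-only sender, p=quarantine": Msg("sender.example", "sender.example", "softfail",
                                         [], "quarantine"),
    "no DMARC record": Msg("sender.example", "sender.example", "softfail", [], None),
}

def evaluate_all() -> dict:
    return {name: dmarc(m) for name, m in SCENARIOS.items()}

if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:32} -> {result}")
```

In the SRS scenario SPF passes, but for the forwarder's rewritten envelope domain, which is not aligned with the From header, so an SPF-only sender with p=reject still fails DMARC.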
