> However most of the time I use my hosting at gandi.net to send my
> E-Mail, so mail from ch...@isbd.co.uk originates on zbmc.eu, is
> transferred by authenticated SMTP to mail.gandi.net and is sent on
> from there to whatever its destination is.
> 
> As I understand it the SPF records for mail.gandi.net purely confirm
> to a receiving mail server that the mail is coming from mail.gandi.net
> and reverse DNS look-up confirms that it really is mail.gandi.net.
> Have I got that right?  I.e. the fact that the mail's From: is not
> connected in any way to the SPF record is irrelevant.  The SPF record
> simply confirms the SMTP relay host's IP and that it is meant to be
> relaying mail for that IP.


Probably it's best to start with a simple smtp conversation.
ch...@isbd.co.uk wants to send an email to b...@server.com:

   [u...@client.com ~]$ nc server.com 25
   220 server.com ESMTP Postfix
   HELO client.com
   250 server.com
   MAIL FROM: <ch...@isbd.co.uk>
   250 2.1.0 Ok
   RCPT TO: <b...@server.com>
   250 2.1.5 Ok
   DATA
   354 End data with <CR><LF>.<CR><LF>
   From: <ch...@isbd.co.uk>
   To: <b...@server.com>
   Subject: test
   
   Hello,
      
   this is a test.
   .
   250 2.0.0 Ok: queued as 4Nvabz5RcNabcHH3
   QUIT
   221 2.0.0 Bye


SPF is about the envelope sender, which is the address given at
"MAIL FROM". The address at "From:" within the "DATA" stage is
what your mail client (Thunderbird, Outlook, ...) will display
as the sender, which may be completely different and is not
considered by SPF (or Postfix).

The envelope sender in our example is ch...@isbd.co.uk, so the
receiving mail server (server.com) will use this address for SPF
checks. Therefore it will look for a TXT record via DNS that
contains SPF info:

$ host -t txt isbd.co.uk
isbd.co.uk descriptive text "v=spf1 include:_spf.mythic-beasts.com ~all"

This has an include option which requires another DNS query:

$ host -t txt _spf.mythic-beasts.com
_spf.mythic-beasts.com descriptive text "v=spf1 ip4:93.93.130.89 ... ~all"

This returns IP addresses/networks that are allowed to send
emails with senders @isbd.co.uk and a hint on how to proceed
(~all, which means softfail or do not block right away).

Now we have that SMTP connection from client.com to server.com, and
server.com will check if client.com's IP address is included in the
list returned via the DNS TXT/SPF query. If so, client.com is authorized
to send mail in the name of @isbd.co.uk and the mail is accepted.
Otherwise it could reject that mail (-all) or take that into account
while checking for spam (~all), ...

Given an email from ch...@isbd.co.uk, originating at zbmc.eu and sent
via mail.gandi.net (authenticated smtp submission) to b...@server.com:

- server.com sees the IP address of mail.gandi.net (incoming connection)
- server.com queries DNS for ch...@isbd.co.uk (host -t txt isbd.co.uk)
- server.com cannot find the IP address of mail.gandi.net within the SPF record
- server.com might quarantine or classify your mail as spam because of ~all.

The solution would be to include mail.gandi.net's IPs in the SPF record
of isbd.co.uk (ip4, ip6, include, ...) so that it is authorized
to send emails in the name of @isbd.co.uk.

Best regards
Gerald
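As an added illustration (not part of Gerald's reply and not a real resolver), the evaluation described above as a simplified SPF check: the receiving server takes the domain from the envelope sender (MAIL FROM), follows the include, and matches the connecting IP against the ip4/ip6 terms, falling through to the ~all qualifier. The DNS table is constructed from the records quoted above, and 203.0.113.25 is a placeholder standing in for mail.gandi.net.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (not live DNS): isbd.co.uk
# includes _spf.mythic-beasts.com, as in the records quoted above.
DNS_TXT = {
    "isbd.co.uk": "v=spf1 include:_spf.mythic-beasts.com ~all",
    "_spf.mythic-beasts.com": "v=spf1 ip4:93.93.130.89 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` against the connecting `ip`.

    Returns pass/fail/softfail/neutral, "none" if there is no record, or
    "permerror" if includes nest too deeply. Simplified RFC 7208 logic:
    only the ip4, ip6, include and all mechanisms are handled.
    """
    if depth > 10:
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":                    # catch-all ends evaluation
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            # a bare address is treated as a /32 or /128 network
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            # include matches only if the nested record yields "pass"
            if check_host(ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"                         # no mechanism matched


def spf_result_for_mail_from(mail_from, client_ip):
    """Use the envelope sender (MAIL FROM), never the header From:."""
    domain = mail_from.rsplit("@", 1)[-1].strip("<>")
    return check_host(client_ip, domain)
```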

