On Sat, Jan 14, 2023 at 05:03:15PM +0100, Gerald Galster wrote:
> > However most of the time I use my hosting at gandi.net to send my
> > E-Mail, so mail from ch...@isbd.co.uk originates on zbmc.eu, is
> > transferred by authenticated SMTP to mail.gandi.net and is sent on
> > from there to whatever its destination is.
> > 
> > As I understand it the SPF records for mail.gandi.net purely confirm
> > to a receiving mail server that the mail is coming from mail.gandi.net
> > and reverse DNS look-up confirms that it really is mail.gandi.net.
> > Have I got that right?  I.e. the fact that the mail's From: is not
> > connected in any way to the SPF record is irrelevant.  The SPF record
> > simply confirms the SMTP relay host's IP and that it is meant to be
> > relaying mail for that IP.
> 
> 
> Probably it's best to start with a simple smtp conversation.
> ch...@isbd.co.uk wants to send an email to b...@server.com:
> 
>    [u...@client.com ~]$ nc server.com 25
>    220 server.com ESMTP Postfix
>    HELO client.com
>    250 server.com
>    MAIL FROM: <ch...@isbd.co.uk>
>    250 2.1.0 Ok
>    RCPT TO: <b...@server.com>
>    250 2.1.5 Ok
>    DATA
>    354 End data with <CR><LF>.<CR><LF>
>    From: <ch...@isbd.co.uk>
>    To: <b...@server.com>
>    Subject: test
>    
>    Hello,
>       
>    this is a test.
>    .
>    250 2.0.0 Ok: queued as 4Nvabz5RcNabcHH3
>    QUIT
>    221 2.0.0 Bye
> 
> 
> SPF is about the envelope sender which is the address given at
> "MAIL FROM". The address at "From:" within the "DATA" stage is
> what your mail client (Thunderbird, Outlook, ...) will display
> as the sender, which may be completely different and is not
> considered by SPF (or postfix).
> 
Yes, this is what I thought/assumed was going on, thank you for
confirming it.


> The envelope sender in our example is ch...@isbd.co.uk, so the
> receiving mailserver (server.com) will use this address for spf
> checks. Therefore it will look for a TXT record via DNS that
> contains spf info:
> 
> $ host -t txt isbd.co.uk
> isbd.co.uk descriptive text "v=spf1 include:_spf.mythic-beasts.com ~all"
> 
> This has an include option which requires another DNS query:
> 
> $ host -t txt _spf.mythic-beasts.com
> _spf.mythic-beasts.com descriptive text "v=spf1 ip4:93.93.130.89 ... ~all"
> 
> This returns ip addresses/networks that are allowed to send
> emails with senders @isbd.co.uk and a hint on how to proceed
> (~all which means softfail or do not block right away).
> 
> Now we have that smtp connection from client.com to server.com and
> server.com will check if client.com's ip address is included in the
> list returned via DNS txt/spf query. If so, client.com is authorized
> to send mail in the name of @isbd.co.uk and the mail is accepted.
> Otherwise it could reject that mail (-all) or take that into account
> while checking spam (~all), ...
> 
> Given an email from ch...@isbd.co.uk, originating at zbmc.eu and sent
> via mail.gandi.net (authenticated smtp submission) to b...@server.com:
> 
> - server.com sees the ip address of mail.gandi.net (incoming connection)
> - server.com queries DNS for ch...@isbd.co.uk (host -t txt isbd.co.uk)
> - server.com cannot find the ip address of mail.gandi.net within spf
> - server.com might quarantine or classify your mail as spam because of ~all.
> 
> The solution would be to include mail.gandi.net's ips in the spf
> of isbd.co.uk (ip4, ip6, include, ...) so that it is authorized
> to send emails in the name of @isbd.co.uk.
> 
Brilliant explanation, thank you.

In reality the envelope sender for E-Mail sent out of my home server
is s...@zbmc.eu as I have a mailbox of that name at Gandi Internet and
the zbmc.eu domain is hosted there. However zbmc.eu has no SPF record:-

    chris@esprimo$ host -t txt zbmc.eu
    zbmc.eu has no TXT record

Presumably Gandi Internet accepts the mail anyway because it's an
authenticated SMTP connection.

What I'm not clear about is what happens when the mail is sent onwards
by the 'smarthost' at Gandi.  Does it change the envelope sender to
something that an SPF record will be found for?  Or does it get sent
on with the same envelope sender with the possibility that it will
then get marked as spam or something?

Anyway it seems I should add an SPF record for zbmc.eu at Gandi Internet
and I see they have a 'recommended' setting already there for me to use.

Thank you, it's all a bit clearer now.


-- 
Chris Green
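As an added example, not part of this thread and not code from Gerald, Chris or the Postfix project: a small SPF evaluator in Python that follows the receiving-server steps described above (take the domain from MAIL FROM, fetch its v=spf1 TXT record, recurse into include:, match ip4/ip6 mechanisms, apply the qualifier on the first match). It works offline against a constructed DNS table: the isbd.co.uk and _spf.mythic-beasts.com records are copied from the quoted host output, the "..." in the mythic-beasts record is replaced with a made-up documentation-range address, the relay address 203.0.113.10 standing in for mail.gandi.net is an assumption, and strict.example is invented to show -all. Only ip4, ip6, include and all are implemented; a, mx, ptr, exists and redirect= are reported as permerror rather than guessed at.

```python
import ipaddress

# Constructed DNS TXT table replacing live lookups (values marked as assumed are not from the thread).
FAKE_DNS_TXT = {
    "isbd.co.uk": ["v=spf1 include:_spf.mythic-beasts.com ~all"],           # from the thread
    "_spf.mythic-beasts.com": ["v=spf1 ip4:93.93.130.89 ip4:198.51.100.0/24 ~all"],  # second ip4 assumed
    "zbmc.eu": [],                                                             # no TXT record, as in the thread
    "strict.example": ["v=spf1 ip4:192.0.2.0/24 -all"],                       # assumed, hard-fail policy
}

RELAY_IP = "203.0.113.10"   # assumed address for mail.gandi.net (documentation range)

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10        # RFC 7208 caps include/redirect/a/mx/ptr/exists lookups at 10


def envelope_domain(mail_from):
    """Domain part of the MAIL FROM address, e.g. '<ch...@isbd.co.uk>' -> 'isbd.co.uk'."""
    addr = mail_from.strip().strip("<>")
    return addr.rpartition("@")[2].lower()


def lookup_spf(domain, dns):
    """Return the single v=spf1 TXT record for domain, or None if there is none.
    More than one v=spf1 record is a permanent error per RFC 7208, so it is also None here."""
    records = [r for r in dns.get(domain, []) if r.lower().split(" ", 1)[0] == "v=spf1"]
    return records[0] if len(records) == 1 else None


def check_host(ip, domain, dns=FAKE_DNS_TXT, _budget=None):
    """Evaluate the SPF policy of `domain` for a connection from `ip`.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if _budget is None:
        _budget = [MAX_DNS_LOOKUPS]
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"            # no policy published: nothing to enforce
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # version mismatch (v4 address vs ip6 network) simply does not match
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "include":
            _budget[0] -= 1
            if _budget[0] < 0:
                return "permerror"
            sub = check_host(ip, arg.lower(), dns, _budget)
            if sub == "pass":
                matched = True
            elif sub in ("none", "permerror"):
                return "permerror"   # included domain without a usable record
            else:
                matched = False      # fail/softfail/neutral inside include is just "no match"
        else:
            return "permerror"       # a, mx, ptr, exists, redirect= not implemented in this demo
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                 # record exhausted without a match


def authorize_relay(dns, domain, relay_ip):
    """Return a copy of the DNS table with relay_ip added to domain's SPF record,
    i.e. the fix suggested in the thread (an ip4 mechanism placed before the *all term)."""
    new_dns = {k: list(v) for k, v in dns.items()}
    record = lookup_spf(domain, dns) or "v=spf1 ~all"
    terms = record.split()
    new_dns[domain] = [" ".join(terms[:-1] + [f"ip4:{relay_ip}", terms[-1]])]
    return new_dns


def receiver_verdict(connecting_ip, mail_from, dns=FAKE_DNS_TXT):
    """What server.com would conclude for an SMTP connection: SPF result plus
    the action the thread describes for it (reject on -all, score on ~all)."""
    result = check_host(connecting_ip, envelope_domain(mail_from), dns)
    action = {"pass": "accept", "fail": "reject", "softfail": "accept but weight in spam scoring",
              "neutral": "accept", "none": "accept, no policy", "permerror": "treat as unauthenticated"}[result]
    return result, action


if __name__ == "__main__":
    for ip, sender in [("93.93.130.89", "<ch...@isbd.co.uk>"), (RELAY_IP, "<ch...@isbd.co.uk>"),
                       (RELAY_IP, "<s...@zbmc.eu>"), (RELAY_IP, "<x@strict.example>")]:
        print(ip, sender, receiver_verdict(ip, sender))
    fixed = authorize_relay(FAKE_DNS_TXT, "isbd.co.uk", RELAY_IP)
    print("after fix:", receiver_verdict(RELAY_IP, "<ch...@isbd.co.uk>", fixed))
```

Note that the From: header never enters `receiver_verdict`: only the MAIL FROM domain and the connecting IP matter, which is the point made in the thread. Note that a `~all` record does not make a message safe to accept blindly either; it only tells the receiver to treat a non-matching source as suspicious rather than reject it outright.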
