>> Given an email from ch...@isbd.co.uk, originating at zbmc.eu and sent
>> via mail.gandi.net (authenticated smtp submission) to b...@server.com:
>> 
>> - server.com sees the ip address of mail.gandi.net (incoming connection)
>> - server.com queries DNS for ch...@isbd.co.uk (host -t txt isbd.co.uk)
>> - server.com cannot find the ip address of mail.gandi.net within spf
>> - server.com might quarantine or classify your mail as spam because of ~all.
>> 
>> The solution would be to include mail.gandi.net's ips in the spf
>> of isbd.co.uk (ip4, ip6, include, ...) so that it is authorized
>> to send emails in the name of @isbd.co.uk.
>> 
> Brilliant explanation, thank you.
> 
> In reality the envelope sender for E-Mail sent out of my home server
> is s...@zbmc.eu as I have a mailbox of that name at Gandi Internet and
> the zbmc.eu domain is hosted there. However zbmc.eu has no SPF record:-
> 
>    chris@esprimo$ host -t txt zbmc.eu
>    zbmc.eu has no TXT record
> 
> Presumably Gandi Internet accepts the mail anyway because it's an
> authenticated SMTP connection.

Usually spf is not checked in that case but gandi may use internal
lists that define allowed envelope sender addresses for your sasl login,
so that you cannot impersonate other customers.
(https://www.postfix.org/postconf.5.html#smtpd_sender_login_maps)

> What I'm not clear about is what happens when the mail is sent onwards
> by the 'smarthost' at Gandi.  Does it change the envelope sender to

Send an email to yourself and have a look at the headers.
Some MTAs add received headers like "received by <server> for <envelope>".

Usually the envelope sender is not changed. It is possible that gandi
replaces it with your sasl login email address, although it's not common.

Not changing envelope senders is especially problematic with external
forwards (no smtp auth) and spf. That's why SRS (sender rewriting
scheme) has been invented, but it's not part of postfix and has to
be configured separately. I just mention it because you never know
what mailproviders do internally ...

See https://github.com/roehling/postsrsd

> something that an SPF record will be found for?  Or does it get sent
> on with the same envelope sender with the possibility that it will
> then get marked as spam or something?

It's not common but only gandi can tell ...

SPF can't fail for zbmc.eu because it does not have one. Considered
per se you're safe but gmail recently requires spf for forwards, so
for some it might be better to have one.

Best regards
Gerald
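
The SPF check walked through at the top of this thread (connecting IP compared against the envelope sender domain's TXT record), as an added example that is not part of the original messages. The records, the IP addresses and the include target `spf.relay.example` are constructed stand-ins; only the `ip4`, `ip6`, `include` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed records: documentation address ranges, not the real DNS data of
# any domain in the thread. "spf.relay.example" is a hypothetical include target.
RELAY = {"spf.relay.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:25::/48 -all"}
BEFORE = {**RELAY, "isbd.co.uk": "v=spf1 ip4:192.0.2.0/28 ~all"}
AFTER = {**RELAY, "isbd.co.uk": "v=spf1 ip4:192.0.2.0/28 include:spf.relay.example ~all"}
# zbmc.eu is deliberately absent from both zones: it publishes no TXT record.

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(client_ip, domain, txt, depth=0):
    """Evaluate ip4, ip6, include and all for an envelope sender domain."""
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no policy published, nothing to fail
    if depth > 10:
        return "permerror"  # simplified stand-in for the RFC 7208 lookup limit
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_spf(client_ip, arg, txt, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"  # broken include makes the whole record invalid
    return "neutral"  # record ended without a matching mechanism

if __name__ == "__main__":
    relay_ip = "198.51.100.25"  # constructed address of the submission relay
    for label, zone in (("before", BEFORE), ("after", AFTER)):
        print(label, "isbd.co.uk:", check_spf(relay_ip, "isbd.co.uk", zone))
    print("zbmc.eu:", check_spf(relay_ip, "zbmc.eu", BEFORE))
```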
