I have recently started to look after a mail system where users can host their email with a web mail front end. One of the features provided is a function to set up forwarding.
The problem I am facing, and which people before me have faced, is that when users forward mail to another mailbox, such as their own gmail address, Google sees the email as coming from an unauthorized IP address.
I understand that this is due to the sender domain have set up SPF records with a "-all" flag, and my IP address clearly does not belong there.
Gmail, and other providers, as far as I understand it, then cannot tell the difference between an actual forwarded message, and a spoofed spam message, and then subsequently greylists the address of my server.
I cannot help but think someone else must have solved this before.
The forwarding is done using exim, so what I am looking for is a guide, or even just the right keywords to use to search for, for an answer to this issue.
Someone else has indeed solved this before, and "there is no way other than updating SPF in the sender domain" is not true.
The answer is SRS, Sender Rewriting Scheme: http://www.open-spf.org/SRS/ and https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme .
If you have control over the mail server that is doing the forwarding, then in principle, you could implement SRS. (See exim4 configuration with SRS daemon )
Unfortunately, looking at things the other way round, Google does not itself implement SRS when it is set to forward, so your email server would reject an email from a strict SPF sender which is forwarded to you via GMail or Google Workspace. In that case, you could make an exception for mails with the X-Gm-Original-To header, but that then undermines the intention of SPF: if this were routinely done, then a forger would just add that header.