I have my domain served by two servers with different IP addresses: one for main website and another for online shop. When a customer places an order, among other things, an email is being sent to an internal email address sales@example.com. This email is sent by the server on which the online store resides. However the email is sent to be from the customer's email address, so, for example, if customer@example.org places an order, an email will be sent from the online store to sales@example.com with details of the order, pretending to be from customer@example.org.
On my mail server, SpamAssassin rejects these emails though because they fail SPF validation check, specifically, I get error message stating that store.example.com is not allowed to send mail from example.org (this is easy to understand, as my online store will not be included into example.org SPF record).
I am administering example.com on behalf of a client - and the client states that emails from the store need to arrive in this format (i.e. from customer@example.org as opposed to a generic store@example.com). How can I configure SpamAssassin (via cPanel or, if necessary via back end) to accept messages delivered by store.example.com?
Everything turned out to be much simpler than I thought - SpamAssassin had nothing to do with it and the SPF rule rejection was happening on the exim level. I modified the exim configuration to include the IP of our online store server into trusted SMTP list - and everything is now working correctly.
The correct way to solve this is to have the client's address in the
From:header of the email, but your address in the SMTPMAIL FROMcommand.If the client requires emails are sent "from" their domain, then they need to add an SPF record for your services, validating this is as an approved endpoint. The
include:mechanism in SPF may be the way to go.Do you host your own mail services? If so, you likely already have an SPF record. You could encourage your client to add a line such as
?include:store.mydomain.comto their SPF, to allow a "neutral" validation of your domain sending as otherdomain.com. Of course your SPF should be pretty strict, not something like+all. I would recommend using the ip address of your online shop server.If you are only worried about emails coming into your org, and not passing SPF for external recipients, you can get away with only whitelisting the
customer@otherdomain.comaddresses in SpamAssassin. whitelist-from SpamAssassin link. (I am not familiar with this configuration, YMMV.)If you need to deliver emails to other email domains while impersonating the
customer@otherdomain.comaddress, you will need to have valid SPF or you will fail checks globally. It sounds like you're providing a service to multiple customers, so I recommend having valid SPF and instructing customers to add the?include:reference to their SPF records.