UPDATE: The SPF record I have in DNS for domain mailinglist.com:
mailinglist.com. 3600 IN TXT "v=spf1 mx ptr include:gateway.com ?all"
UPDATE2: The From:, Reply-To:, Sender: and Return-Path: headers from a failed message:
...
From: "bob" <[email protected]>
Reply-To: <[email protected]>
Sender: <[email protected]>
List-Post: <mailto:[email protected]>
Return-Path: [email protected]
...
I've inherited a Sympa mailing list server from a previous Admin and am not very familiar with the whole process. Recently, we've been getting some calls from users that their posts to the various mailing lists are being marked as failing fraud detection checks.
I've been reading up on SPF and suspect that what is happening is when a user ([email protected]) posts to the list (my.mailinglist.com), the outbound message from the list server has the envelope sender set to "[email protected]". Our list server then relays the outgoing message to mail.gateway.com which then delivers it over the Internet. When the SMTP server at somewhere.org (or other domain) receives the post, it sees that it was sent by our relay, mail.gateway.com (13.14.15.16), which does not have its IP address on the SPF record for somewhere.org.
In the mail headers of the outbound post sent from mail.gateway.com, I have an SPF line which reads:
Received-SPF: SoftFail (mail.gateway.com: domain of
transitioning [email protected] discourages use of 13.14.15.16 as
permitted sender)
We have many users from many different domains sending mail to our list server. Asking every domain to include the mail.gateway.com IP in their SPF record seems ridiculous, but that's what I gather is one way to fix this.
The other fix involves probably using a different envelope sender. I'm not sure how this would affect "Reply" and "Reply to" functionality. Right now it seems a bit wonky; Reply and Reply-to both go to the mailing list which seems odd. I'm trying to figure out where that is configured.
Are there some other ways to work this out that I have missed? Thanks
As of 2017, the recommended and most widely used method by the MX servers around the world (at least those who know SPF exists) is to use DMARC policies. Even under the most strict DMARC policy, a failed SPF is not a sufficient reason to fail/quarantine a message. You also have DKIM. If your users send DKIM-signed messages, they should be accepted even when not fulfilling SPF.
This is designed specifically to allow 3rd-party forwarders like you to function.
Just don't modify their body (maillist footer) or the signed headers (like "Subject" and others).
You need to use an envelope sender that is under your control. So, if [email protected] is subscribed to [email protected], the return path of any mails posted to the list should look something like [email protected] (just guessing after glancing at the Sympa docs). Anyway, the point is that the domain part should match the one of the mailing list. Check the headers of a list you are subscribed to, and see what the Return-Path: one is.
Once the Return-Path is correct, you can go about setting up the correct SPF record in the DNS for only the domain of your mailing list. From reading your question, it sounds like this part is already done and the outgoing relay mail.gateway.org is already SPF authorized for your domain, so this part should be fine.
Update: You seem to be missing an SPF record for my.mailinglist.com (you only show one for mailinglist.com).
The mail.gateway.com: prefix in the warning implies that this warning was inserted by your upstream mail relay at mail.gateway.com. If you are using an upstream relay then there is no reason why they should be doing SPF checks for email coming from you. The reason for this failure is a question you should raise with their support.

You'll need to add a TXT entry to the DNS with the spf string. See http://www.openspf.org/FAQ/Examples
If you cannot edit the DNS records yourself, then you'll have to ask the DNS administrator to do it for you.
EDIT: If I understand your post correctly, you only need to add an SPF record to your mail server's dns and your problem will go away.
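To make the two answers above concrete (the DMARC/DKIM point and the "make the Return-Path domain your own" point), here is an added worked example that is not part of the thread and not Sympa's code. It evaluates a simplified SPF record against a relay IP using a constructed in-memory DNS table, then applies a relaxed-alignment DMARC decision. Only the mailinglist.com SPF string and the relay IP 13.14.15.16 come from the question; the somewhere.org and gateway.com records, the MX hostnames and their addresses are made up, and the ptr mechanism is treated as "no match" because the table does not model reverse lookups.

```python
"""Simplified SPF + DMARC evaluation over a constructed DNS table.

Added example, not code from the thread. It shows why the relay IP
13.14.15.16 soft-fails while the envelope sender stays in the poster's
domain (somewhere.org), passes once the list rewrites the Return-Path to
its own domain (mailinglist.com, whose record includes gateway.com), and
how an intact DKIM signature still yields a DMARC pass for the poster's
From: domain even when SPF is not aligned.
Supported mechanisms: ip4, a, mx, include, all. Qualifiers: + - ~ ?.
"""
import ipaddress

# Constructed DNS table. Only mailinglist.com's SPF string is from the
# question; all other records, hostnames and addresses are invented.
DNS = {
    "mailinglist.com": {
        "spf": "v=spf1 mx ptr include:gateway.com ?all",
        "mx": ["mail.mailinglist.com"],
    },
    "mail.mailinglist.com": {"a": ["10.0.0.5"]},
    "gateway.com": {"spf": "v=spf1 ip4:13.14.15.0/24 -all"},
    "somewhere.org": {"spf": "v=spf1 mx ~all", "mx": ["mx.somewhere.org"]},
    "mx.somewhere.org": {"a": ["203.0.113.10"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _a_records(name, dns):
    return dns.get(name, {}).get("a", [])


def _ip_in(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def evaluate_spf(domain, ip, dns=DNS, depth=0):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for the
    envelope-sender domain `domain` and connecting IP `ip`."""
    record = dns.get(domain, {}).get("spf")
    if record is None or depth > 10:          # no record / include loop guard
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = _ip_in(ip, arg)
        elif mech == "a":
            matched = ip in _a_records(arg or domain, dns)
        elif mech == "mx":
            hosts = dns.get(arg or domain, {}).get("mx", [])
            matched = any(ip in _a_records(h, dns) for h in hosts)
        elif mech == "include":
            # include matches only when the included domain's record passes
            matched = evaluate_spf(arg, ip, dns, depth + 1) == "pass"
        elif mech == "ptr":
            matched = False   # deprecated; reverse lookups are not modelled
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"          # no mechanism matched and no 'all' term


def _org_domain(name):
    # Relaxed alignment approximated as the rightmost two labels.
    return ".".join(name.lower().split(".")[-2:])


def dmarc_verdict(from_domain, spf_result, spf_domain, dkim_pass, dkim_domain):
    """Relaxed-alignment DMARC: pass if an aligned SPF pass OR an aligned
    DKIM pass exists. A list that keeps the signed headers and body intact
    preserves the poster's DKIM pass even after rewriting the Return-Path."""
    spf_ok = spf_result == "pass" and _org_domain(spf_domain) == _org_domain(from_domain)
    dkim_ok = bool(dkim_pass) and _org_domain(dkim_domain) == _org_domain(from_domain)
    return "pass" if (spf_ok or dkim_ok) else "fail"


if __name__ == "__main__":
    relay = "13.14.15.16"
    print("envelope from somewhere.org :", evaluate_spf("somewhere.org", relay))
    print("envelope from mailinglist.com:", evaluate_spf("mailinglist.com", relay))
    # From: stays bob@somewhere.org; Return-Path rewritten to the list domain.
    print("DMARC, DKIM intact :", dmarc_verdict("somewhere.org", "pass", "mailinglist.com", True, "somewhere.org"))
    print("DMARC, footer added:", dmarc_verdict("somewhere.org", "pass", "mailinglist.com", False, "somewhere.org"))
```

The last two lines of the main block are the practical caveat from the first answer: with the Return-Path rewritten, SPF passes but is not aligned with the poster's From: domain, so DMARC rests entirely on the DKIM signature surviving; appending a list footer breaks that signature and the message fails DMARC.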