
Should SPF validate the SMTP server address or the home PC address?

I have a situation where a home PC is sending mail through the ISP's SMTP server. The email address has a personal domain, used only for the purpose of defining an email address, e.g. [email protected]. The domain never had an SPF entry in DNS and mail would be received okay:

Received-SPF: none
    (somedomain.co.uk: No applicable sender policy available)

Google, however, would treat this mail as spam and some people did not receive it.

To fix this, I asked the ISP to add an SPF entry for the domain:

somedomain.co.uk.     3600    IN      A       81.187.30.xx
somedomain.co.uk.     3600    IN      NS      primary-dns.co.uk.
somedomain.co.uk.     3600    IN      NS      secondary-dns.co.uk.
somedomain.co.uk.     3600    IN      SOA     primary-dns.co.uk. hostmaster.somedomain.co.uk. 2020062608 10800 3600 1209600 600
somedomain.co.uk.     3600    IN      MX      20 c.secondary-mx.uk.
somedomain.co.uk.     3600    IN      TXT     "v=spf1 mx include:_spf_include.aa.net.uk ~all"
somedomain.co.uk.     3600    IN      AAAA    2001:8b0:0:30::xxxx:xxxx

Google now gives this a PASS:

Received: from b-painless.mh.aa.net.uk (b-painless.mh.aa.net.uk. [2001:8b0:0:30::52]) 
    by mx.google.com with ESMTPS id b3si19902773wrv.385.2020.06.26.13.27.59
    for <[email protected]>
    (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
    Fri, 26 Jun 2020 13:27:59 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 2001:8b0:0:30::52 as permitted sender) client-ip=2001:8b0:0:30::52;
Authentication-Results: mx.google.com;
   spf=pass (google.com: domain of [email protected] designates 2001:8b0:0:30::52 as permitted sender) [email protected]
Received: from xx.227.187.81.in-addr.arpa ([81.187.227.xx] helo=MyPC) by b-painless.mh.aa.net.uk with smtps (TLS1.0:ECDHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <[email protected]>)

The address it is checking, 2001:8b0:0:30::52 (which is within the approved range of the ISP), is the address of the SMTP server, not the IPv4 address of the home PC (81.187.227.xx).

But my email provider, when receiving email from the same sender and working only in IPv4 addresses, gives a soft fail:

Received-SPF: softfail
(somedomain.co.uk: Sender is not authorized by default to use '[email protected]' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched))

Received: from b-painless.mh.aa.net.uk ([81.187.30.52])
    by bonn.contextshift.co.uk with esmtps (TLS1.2:RSA_AES_256_CBC_SHA1:256)
    (Exim 4.80)
    (envelope-from <[email protected]>)
    id 1jounn-0006BC-Hh
    for [email protected]; Fri, 26 Jun 2020 20:18:23 +0000
Received: from xx.227.187.81.in-addr.arpa ([81.187.227.xx] helo=MyPC)
    by b-painless.mh.aa.net.uk with smtps (TLS1.0:ECDHE_RSA_AES_256_CBC_SHA1:256)
    (Exim 4.92)
    (envelope-from <[email protected]>)
    id 1jounn-0000Y1-8v
    for [email protected]; Fri, 26 Jun 2020 21:18:23 +0100

In the above, the SMTP server address, 81.187.30.52, is within the permitted range (from SPF) but the home PC, 81.187.227.xx, is not.

_spf_include.aa.net.uk. 600     IN      TXT     "v=spf1 ip6:2001:8b0:0:30::/64 
ip6:2001:8b0:62::/64 
ip4:81.187.30.0/25 
ip4:90.155.4.48/31 
ip4:90.155.5.1/32 
ip4:90.155.4.50/31 
ip4:90.155.5.3/32 
ip4:90.155.62.16/28 ?all"

So in this case the email provider's SPF check is validating the home PC address.

    SPF is checked on your mail provider’s system boundary. It is used to check whether the entity delivering the mail is allowed to do so. That’s why direct-to-destination mail delivery is not generally used by users these days.
    – Daniel B
    Commented Jun 27, 2020 at 14:05
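
An added example, not part of the original question or comment: a minimal offline SPF evaluation of the two TXT records quoted in the question, so the result for any connecting IP can be reproduced. It handles only `ip4`, `ip6`, `include` and `all`; the function names are hypothetical, and `mx` is treated as a non-match because the MX host's addresses are not on the page.

```python
import ipaddress

# TXT records copied from the question, embedded so the check runs offline.
RECORDS = {
    "somedomain.co.uk": "v=spf1 mx include:_spf_include.aa.net.uk ~all",
    "_spf_include.aa.net.uk": (
        "v=spf1 ip6:2001:8b0:0:30::/64 ip6:2001:8b0:62::/64 ip4:81.187.30.0/25 "
        "ip4:90.155.4.48/31 ip4:90.155.5.1/32 ip4:90.155.4.50/31 "
        "ip4:90.155.5.3/32 ip4:90.155.62.16/28 ?all"
    ),
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(client_ip, domain):
    """Evaluate the ip4/ip6/include/all subset of SPF for one connecting IP."""
    ip = ipaddress.ip_address(client_ip)
    record = RECORDS.get(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"                       # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include matches only when the nested evaluation returns "pass";
            # a nested "?all" (neutral) therefore falls through to the parent.
            matched = check_host(client_ip, arg) == "pass"
        elif name == "all":
            matched = True
        else:
            # Assumption: mx needs the MX host's A/AAAA records, which are
            # not on the page, so it is treated as a non-match here.
            matched = False
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def results_for_range(cidr, domain="somedomain.co.uk"):
    """Set of SPF results over every address in cidr (covers the elided 'xx')."""
    return {check_host(str(ip), domain) for ip in ipaddress.ip_network(cidr)}


if __name__ == "__main__":
    for addr in ("2001:8b0:0:30::52", "81.187.30.52"):
        print(addr, check_host(addr, "somedomain.co.uk"))
    print("81.187.227.0/24", results_for_range("81.187.227.0/24"))
```

Against the records as published, both SMTP server addresses evaluate to `pass`, and every address in 81.187.227.0/24 evaluates to `softfail` via the outer `~all`.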
