Slashdot Mirror


Gmail, SPF, and Broken Email Forwarding?

alek writes "I recently stopped getting Email from a friend ... which turns out to be related to his use of SPF records and my forwarding to gmail. This 'lost Email problem' may get worse with Google implementing Domain Keys." Alek is looking for a non-complicated solution to this non-trivial problem; read on below for more details. "Background: Like many people, I have me@mydomain.com as my public facing Email address. When Email comes into my server, I forward it to me@gmail.com. But since my friend has published SPF (Sender Policy Framework) records that say only his server is allowed to send Emails for friend@frienddomain.com, gmail apparently rejects (silently buries actually!) the Email since it is forwarding through my server. Please note that this is exactly what SPF is designed to prevent — spammers from sending Emails with your address — but it breaks forwarding and has other problems.

What's *really* strange is that if I look at the raw sendmail logs on my server, the Email from friend@frienddomain.com comes in, and is forwarded to gmail ... with an "OK" as the response — i.e. the gmail MTA doesn't reject the message as it ideally should. However, the Email then disappears — it's not even in my gmail spam filter ... so there is no trace of it at all. If my friend sends directly to me@gmail.com, it shows up ... since his domain sends directly and the SPF test is passed. Note that on my gmail account, I associate me@mydomain.com with my me@gmail.com account ... so perhaps there should be a recipient test applied before SPF is tested on the sender ... although this arguably defeats the purpose of SPF.

The logical solution is to configure sendmail on my server to do Sender Rewriting — anyone have an easy FAQ to do this? But many people/domains aren't doing this ... and my Email forwarding to gmail is quite common, so I'm surprised that this issue hasn't gotten more attention. Is there another solution?"
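The failure described in this submission, and the Sender Rewriting fix it asks about, worked through as an added example (not part of the original post or of any comment below). It assumes constructed domains under the reserved `.example` TLD, documentation IP ranges, an SPF evaluator reduced to `ip4:`/`ip6:` and `all`, and an SRS0-shaped address whose hash and timestamp handling is simplified (no expiry check).

```python
import base64
import hashlib
import hmac
import ipaddress

# Constructed data: reserved .example names and documentation IP ranges.
SPF_RECORDS = {
    "frienddomain.example": "v=spf1 ip4:192.0.2.10 -all",
    "mydomain.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
FRIEND_MTA = "192.0.2.10"           # the friend's own outbound server
FORWARDER_MTA = "198.51.100.25"     # server forwarding me@mydomain.example
SRS_SECRET = b"constructed-secret"  # hypothetical key known only to the forwarder
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, envelope_from, records=SPF_RECORDS):
    """Evaluate a simplified SPF policy for the envelope sender's domain.

    SPF is checked against the SMTP MAIL FROM address and the connecting
    IP, not the From: header. Real SPF (RFC 7208) also has a, mx, include
    and redirect terms, which this sketch leaves out.
    """
    domain = envelope_from.rsplit("@", 1)[1].lower()
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
    return "neutral"


def _srs_hash(stamp, domain, local):
    """Short keyed hash so outsiders cannot mint valid bounce addresses."""
    msg = (stamp + domain + local).lower().encode()
    digest = hmac.new(SRS_SECRET, msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()[:4]


def srs_forward(envelope_from, forwarder_domain, day):
    """Rewrite the envelope sender into the forwarder's own domain."""
    local, domain = envelope_from.rsplit("@", 1)
    d = day % 1024                      # day counter, two base32 characters
    stamp = B32[d >> 5] + B32[d & 31]
    tag = _srs_hash(stamp, domain, local)
    return f"SRS0={tag}={stamp}={domain}={local}@{forwarder_domain}"


def srs_reverse(srs_address):
    """Recover the original sender so bounces can be passed back."""
    local_part = srs_address.rsplit("@", 1)[0]
    if not local_part.startswith("SRS0="):
        raise ValueError("not an SRS0 address")
    tag, stamp, domain, local = local_part[5:].split("=", 3)
    if not hmac.compare_digest(tag, _srs_hash(stamp, domain, local)):
        raise ValueError("SRS hash mismatch")
    return f"{local}@{domain}"


def forwarding_scenarios(day=14000):
    """SPF results seen by the final receiver in the three cases."""
    sender = "friend@frienddomain.example"
    rewritten = srs_forward(sender, "mydomain.example", day)
    return {
        "direct": check_spf(FRIEND_MTA, sender),
        "forwarded_unchanged": check_spf(FORWARDER_MTA, sender),
        "forwarded_srs": check_spf(FORWARDER_MTA, rewritten),
        "bounce_goes_to": srs_reverse(rewritten),
    }


if __name__ == "__main__":
    for name, value in forwarding_scenarios().items():
        print(f"{name}: {value}")
```

Only the envelope sender is rewritten; the From: header the recipient sees still shows the friend's address.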

300 comments

  1. Sunblock by MyLongNickName · · Score: 4, Funny

    I prefer SPF 60. It allows me to keep the pasty white, computer nerd complexion that drives the women wild.

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    1. Re:Sunblock by Anonymous Coward · · Score: 5, Funny

      I prefer SPF 60. It allows me to keep the pasty white, computer nerd complexion that drives the women away.

      There, fixed that for ya.

    2. Re:Sunblock by Anonymous Coward · · Score: 0

      I'm not funny.

      Fixed.

    3. Re:Sunblock by Spy+der+Mann · · Score: 5, Funny

      I prefer SPF 60. It allows me to keep the pasty white, computer nerd complexion that drives the women away.

      There, fixed that for ya.


      . o <-- joke
      .
      . </sarcasm> tag
      . o <-- you
      ./|\
      ./ \

    4. Re:Sunblock by dlaudel · · Score: 2, Funny

      What's a "sun"?

    5. Re:Sunblock by Anonymous Coward · · Score: 5, Funny

      company that makes servers.

    6. Re:Sunblock by onkelonkel · · Score: 4, Funny

      Beware! The elders sometimes speak in hushed tones of "The Daystar". Its evil blinding rays will singe you to the finest ash and "The Wind" (like moving air from a cooling fan, but hideously amplified) will blow the ash away as if it had never existed.

      --
      None of them can see the clouds; The polished wings don't care.
    7. Re:Sunblock by Basilius · · Score: 1

      You know how sometimes you can see your keyboard without turning on the light?

      THAT's the sun.

    8. Re:Sunblock by Repossessed · · Score: 1

      You know how sometimes you can see your keyboard without turning on the light?

      Huh, I thought that was the glow from my monitor.

      --
      Liberte, Egalite, Fraternite (TM)
    9. Re:Sunblock by AceofSpades19 · · Score: 1

      We don't like yellowface, do we, my precious

  2. Please adhere to RFC by DNS-and-BIND · · Score: 5, Informative
    Please stop using mydomain.com and other such nonsense. Example.com is reserved by RFC 2606 for use as a...wait for it...example domain name. Please make a habit of using it instead of whatever name strikes your fancy, as it is probably in use by real people.

    The Internet Assigned Numbers Authority (IANA) also currently has the following second level domain names reserved which can be used as examples.
    • example.com
    • example.net
    • example.org
    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    1. Re:Please adhere to RFC by gEvil+(beta) · · Score: 1

      Errrrm. That isn't his real address he puts up there. He has an actual domain but doesn't want to put it on Slashdot.

      Really? I'm glad you cleared that up for us....

      --
      This guy's the limit!
    2. Re:Please adhere to RFC by Anonymous Coward · · Score: 0

      Uhm, ajem.... whooosh?

    3. Re:Please adhere to RFC by bigstrat2003 · · Score: 1

      Got any real reason that this matters, or should we all applaud you for reaching new levels of pedantry?

      (Spam doesn't count, anyone with a domain so easy to pull out of a hat as to be used as an example domain gets bombarded with spam already.)

      --
      "16MB (fuck off, MiB fascists)" - The Mighty Buzzard
    4. Re:Please adhere to RFC by TheRealMindChild · · Score: 4, Interesting

      Ironic you bring this up when thedailywtf.com posted this little bit today.

      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    5. Re:Please adhere to RFC by Anonymous Coward · · Score: 3, Funny

      Did you score a 200 on your SAT? Did you even take the SAT? Since your reading comprehension skills are apparently on par with first graders and congressmen, allow me to clarify.

      1) The story submitter used 'mydomain.com' as an example domain in his original post.

      2) The OP of this thread said 'Don't do that', use 'example.com' instead of 'mydomain.com'.

      3) You pointed out (1)

      4) You are being rightfully flamed for being such an ignoramus.

    6. Re:Please adhere to RFC by Anonymous Coward · · Score: 0

      The ACTUAL POINT being is that mydomain.com could presumably be actually owned by someone - and hence posting it as an example might land someone with a bunch of spam.

    7. Re:Please adhere to RFC by Anonymous Coward · · Score: 1, Funny

      swoosh
      ~~~~~~~~~~~~~~~~point~~~~>

        0
      =|=
        / \
      you

    8. Re:Please adhere to RFC by XanC · · Score: 1

      Doubly ironic that the article you point to makes the exact same mistake that it warns against: it uses a seemingly random string instead of example.com. Great story, though.

    9. Re:Please adhere to RFC by MyLongNickName · · Score: 4, Informative

      Um, no. If you actually read RFC 2606, it is for TESTING. If this guy were really sending test emails to me@mydomain.com, then he would be in violation. Simply posting it on Slashdot as an example is not prohibited.

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    10. Re:Please adhere to RFC by Anonymous Coward · · Score: 0

      I do not believe, and would not care if, RFC regulations applied to the contents of blogs, forum posts, etc.

      mydomain.com is perfectly suitable for someone who is discussing their own domain, than any generic "example."

      Who made you hall monitor anyway?

      Dude, if you are gonna adopt a Pet peeve, at least make it peeve worthy of adoption...

    11. Re:Please adhere to RFC by MyLongNickName · · Score: 0

      Wow, you posted AC and then posted again. Cool.

      Anyhow, RFC refers to using the example domain for testing purposes and documentation. Unless you consider a Slashdot post one or the other, it does not apply. Sorry.

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    12. Re:Please adhere to RFC by xtracto · · Score: 2, Funny

      wow, you posted AC and then posted again. Cool.

      Haha, incredible.

        MyLongNickName, I present you Select/Copy/Paste. You can do that with almost all the new Operating Systems :)

      You are welcome.

      --
      Ubuntu is an African word meaning 'I can't configure Debian'
    13. Re:Please adhere to RFC by CopaceticOpus · · Score: 2, Insightful

      Technically you're right. But I'm pretty sure that if some idiot chose "me@mydomain.com" as his personal email address, he's already used to getting mountains of spam.

    14. Re:Please adhere to RFC by gEvil+(beta) · · Score: 2, Informative

      Wow, you clearly didn't read very far. You only need to read the abstract to see that it's not just for testing:
      "To reduce the likelihood of conflict and confusion, a few top level domain names are reserved for use in private testing, as examples in documentation, and the like. In addition, a few second level domain names reserved for use as examples are documented."

      And no, it's not prohibited per se, but it is a good practice so as not to annoy those who own the domains the submitter used.

      --
      This guy's the limit!
    15. Re:Please adhere to RFC by Anonymous Coward · · Score: 0

      If I can pull the stick out of your ass, do I become the heir to the British throne or something?

    16. Re:Please adhere to RFC by rho · · Score: 1

      Every now and then you'll see a How-To that has absurd example domains. "a.b.c" or "bob.jones.company". I seem to recall an LDAP How-To that had such junk in it.

      It's hard to read and really is a pain in the ass. To me it's just like doing a search-and-replace of all capital "S"s to "$".

      "example.com" is useful, and available. Use it.

      --
      Potato chips are a by-yourself food.
    17. Re:Please adhere to RFC by Altus · · Score: 1
      putting a fake domain name into an article is not the same thing as using it for testing an application.

      for instance, if the person who wrote this slashdot story had used "example.com" for his domain, what would you suggest he use for his friends domain?

      --

      "In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson

    18. Re:Please adhere to RFC by XanC · · Score: 1

      for instance, if the person who wrote this slashdot story had used "example.com" for his domain, what would you suggest he use for his friends domain?

      example.net

    19. Re:Please adhere to RFC by Culture20 · · Score: 1

      Not just intentional SPAM, but also unintentional SPAM, stuff that stupid admins thought was "not going to a real address", but really was. http://it.slashdot.org/article.pl?sid=08/03/21/1737248

    20. Re:Please adhere to RFC by Cecil · · Score: 1

      Do you own a domain? If so, please post it here so we can all start using it in examples from now on. We'll see how you like it, since after all it's not really even a peeve worth discussing.

    21. Re:Please adhere to RFC by Culture20 · · Score: 1

      Adding, accidental SPAM often uses more bandwidth (in a small window) than real SPAM, because it's not trying to avoid detection.

    22. Re:Please adhere to RFC by Anonymous Coward · · Score: 0
    23. Re:Please adhere to RFC by Anonymous Coward · · Score: 0

      (Spam doesn't count, anyone with a domain gets bombarded with spam already.)

      There, fixed it for you. :-)

    24. Re:Please adhere to RFC by bcat24 · · Score: 1

      I would suggest using subdomains, e.g. "me@my-server.example.com" and "my-friend@his-their.example.com".

    25. Re:Please adhere to RFC by quonsar · · Score: 1

      how i wish i had grabbed eatshit@fuckyou.com back in '93...

    26. Re:Please adhere to RFC by es330td · · Score: 1

      but it is a good practice so as not to annoy those who own the domains the submitter used

      So I guess you are expecting that /.'ers are going to start sending email to that domain to try it out? I thought common sense would dictate that he could have put jsmith@us.ibm.com or any other realish email address in his post and it still wouldn't have resulted in any email being sent to that address because people here understand his point. This is definitely a case of the perfect being the enemy of the good.

    27. Re:Please adhere to RFC by Anonymous Coward · · Score: 0

      I'd like to add that alek's scenario has more than one 'example domain.' The names he has chosen clearly illustrate which domain belongs to whom - mydomain.com, frienddomain.com. If he were to use example.com, and then example.net, he would need to further state what function each domain performs in the scenario, because it's not intuitive.

      As the beginning of the RFC states the reserved names are To reduce the likelihood of conflict and confusion, alek's strict adherence to the RFC would run contrary to its purpose.

      Besides, RFCs shouldn't be read as nerd scripture. Unless you mean to tell me IP over carrier pigeon is a valid protocol.

    28. Re:Please adhere to RFC by Anonymous Coward · · Score: 0

      You have taken anal to a whole new level.

    29. Re:Please adhere to RFC by hansonc · · Score: 4, Funny

      I present you Select/Copy/Paste. You can do that with almost all the new Operating Systems

      not on my iPhone you insensitive clod.

    30. Re:Please adhere to RFC by Joe+U · · Score: 2, Insightful

      So I guess you are expecting that /.'ers are going to start sending email to that domain to try it out? I

      No, but a spambot will, you insensitive clod.

    31. Re:Please adhere to RFC by neltana · · Score: 1

      You could still get cocksuckerdie.com for $9.99!

      Of course, now that I've looked it up, don't be surprised if some bot snaps it up before you can read this.

    32. Re:Please adhere to RFC by Anonymous Coward · · Score: 0

      Actually sending test emails isn't exactly prohibited, either, y'know.

      That doesn't mean you SHOULD do it, though. There's a perfectly good domain reserved specifically for things like this - to serve as an example (it's in the name already). Using an EXISTING domain instead is rubbish (just ask the owner of acme.com, or better yet, check out his site - and no, it's not me); getting all uppity about how what you're doing is not technically "prohibited" is just arrogant, useless asshattery, the kind that'd be more befitting to a 13-year old.

      But hey, maybe that's what you are.

    33. Re:Please adhere to RFC by Dan541 · · Score: 1

      I've always wanted

      n.com

      So my email becomes D@n.com

      --
      An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
    34. Re:Please adhere to RFC by Anonymous Coward · · Score: 2, Funny

      I once worked with a programmer who made the same mistake, only he chose a much worse non-existent domain. See, he was Russian, spoke very little English and didn't realize that there was an organization that was probably using the domain kkk.com and that kkk@kkk.com was probably a valid email address.

      Needless to say, our mail server administrator was none-too-pleased to learn that we had just sent out thousands of copies of our newsletter to the Klan.

    35. Re:Please adhere to RFC by sakshale · · Score: 1

      Guess what! A quick visit to whois.net will show that mydomain.com is a valid, registered site. Obviously not good for random examples.

      --
      For every problem there is a solution that is simple, obvious and wrong.
    36. Re:Please adhere to RFC by corsec67 · · Score: 1

      Or even better, my-server.invalid and other-server.invalid

      And then people would ask if there is really a TLD for handicapped people...

      --
      If I have nothing to hide, don't search me
    37. Re:Please adhere to RFC by Anonymous Coward · · Score: 0

      Slashdot readers may well realize that the domain is being used as an example, but all those spiders that harvest email addresses from the internet won't. Because this person used an existing domain, there will be spam messages sent to the email addresses in the story that the owners of those domains would not otherwise have had to deal with.

      Oh...and thanks to you, jsmith will likely suffer the same fate...hopefully that's you, but I somehow doubt it.

    38. Re:Please adhere to RFC by Anonymous Coward · · Score: 0

      I'm sure that John Smith from IBM doesn't appreciate you putting his email address up on slashdot.

    39. Re:Please adhere to RFC by Random+BedHead+Ed · · Score: 1

      Ironic you bring this up

      To double the pedantry that has already devoured this thread, an apt cosincidence is not an example of irony. :)

    40. Re:Please adhere to RFC by Random+BedHead+Ed · · Score: 1

      Go ahead, let's make it a triple: someone tell me I misspelled coincidence.

    41. Re:Please adhere to RFC by VGR · · Score: 1

      I think the expectation here is that you're adult enough that you don't need a hall monitor watching over you. It's called acting responsibly.

      You want to use example.* domains for the same reason filmmakers always use 555-* phone numbers. There's no law forcing them to; they do it because it's an effortless courtesy to people who might actually own an otherwise randomly generated phone number.

      Just ask the few unlucky individuals who have had 867-5309 as their number.

      --
      The Internet is full. Go away.
    42. Re:Please adhere to RFC by MightyYar · · Score: 1

      Howdareyou.com abridge.com my.com freespeech.com?

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    43. Re:Please adhere to RFC by PReDiToR · · Score: 1

      i find@yourideas.intriguing.com and would like to subscribe@toyour.newsletter.com.

      --

      Do not meddle in the affairs of geeks for they are subtle and quick to anger
    44. Re:Please adhere to RFC by Vertigo+Acid · · Score: 2, Insightful

      Indeed, as the former abuse/e-mail guy for Dotster, who own mydomain.com, I can't even express how annoying it is to see it used as an example and the deluge of bogus e-mail we had to reject as a result.

      --
      Beta is bad enough to make me go edit settings like this sig that haven't been touched since I joined
    45. Re:Please adhere to RFC by zippthorne · · Score: 1

      Wha? You're sorry you used up Robert C. Byrd's bandwidth? why?

      --
      Can you be Even More Awesome?!
    46. Re:Please adhere to RFC by Anonymous Coward · · Score: 0

      Please make a habit of using it instead of whatever name strikes your fancy

      What are you talking about? I don't think anyone has ever used whatever%20name%20strikes%20your%20fancy.com

    47. Re:Please adhere to RFC by Anonymous Coward · · Score: 0

      com.comdot.com.com! com.dot.dot.com! dot.dot.com.com.dot.com!

    48. Re:Please adhere to RFC by ultrafunkula · · Score: 2, Funny

      You could just use frienddomain.example.com and mydomain.example.com though.

    49. Re:Please adhere to RFC by darkpixel2k · · Score: 1

      Ironic you bring this up when thedailywtf.com posted this little bit today.

      I stopped reading thedailywtf.com after I realized how bullshit his stories are.
      I submitted a story that went along the lines of "Adam went to Bob's house to help him with a problem. He couldn't find the 'any' key, so Adam told him he could actually press any key."

      After Alex Pampadopolioiiusijhoweverthefuckyouspellit finished with his editing and posted the story, it ended up including someone named Charlie who hated both Adam and Bob, and got pissed off about the any key, so he went and burned down Microsoft HQ.

      That's the real WTF.

      --
      There's no place like ::1 (I've completed my transition to IPv6)
    50. Re:Please adhere to RFC by GoRK · · Score: 1

      I have posted a reply to your message. You can view my reply via the internet at slashdot.org using Message ID v0h2w03na0sdfah0wn0vfsn and password 92pxzgf230nv0ng2ydzp

  3. Re:I knew .. by Anonymous Coward · · Score: 0

    right. so, there is potentially one problem. with a free service... and you knew there was a reason somewhere, sometime?
     
    Well. Using that reasoning... I know you're an idiot. Because at some point in the future, you'll prove me right.

  4. Is there another solution? by jeffmeden · · Score: 5, Informative

    Yes, of course. Have all your email sent to Google in the first place! You don't have to switch everything over to the Google app tool, you can just set MX records for your domain pointing to them, and collect it all (or forward it inside or outside Google.) It's free (with a paid version available.) Check it out here http://www.google.com/a/help/intl/en/index.html

    1. Re:Is there another solution? by dch24 · · Score: 4, Informative

      It really works! (ob. disclaimer: satisfied customer)

      Our company forwards email to google (MX record in the DNS), where it runs through the spam filter and then a forwarding rule (an anything-but-spam rule) sends it on to our mailboxes.

      For free... :-)

    2. Re:Is there another solution? by Anonymous Coward · · Score: 0

      I use GMail for your domain too, but my mail is frequently sorted as spam. I have SPF records properly set up (with the ~). At one point the gmail server was blacklisted at http://psbl.surriel.com/. Another time my email was sorted as spam by an associate's company email filter (Trend), then he clicked "not spam" and it got moved into the Outlook spam folder.

      I like the Google thing a lot but I can never be sure if my email is going to be seen or not.

    3. Re:Is there another solution? by Anonymous Coward · · Score: 0

      Gmail can check email via POP or IMAP. You don't even *need* to adjust DNS to use Gmail.

    4. Re:Is there another solution? by Anonymous Coward · · Score: 0

      <AOL>Me too!</AOL>

      Seriously, having my domain's email hosted by google has been a great move--- no more flaky email forwarding service from the company who registers my domain name.

    5. Re:Is there another solution? by NightRain · · Score: 1

      The ability to use IMAP is the /reason/ many people forward their domain emails to their gmail account. If you don't adjust your DNS, then you have to mail forward, which puts you back at square one with the problem of disappearing emails...

    6. Re:Is there another solution? by Anonymous Coward · · Score: 0

      Exactly, I've been doing this for 3 domains for well over a year without any problems. The only side effect is that I've had to benefit from Gmail's superior spam filter. Poor me.

    7. Re:Is there another solution? by socialhack · · Score: 1

      Ditto. I've been a happy user for around 2 years. Switched my Wife's domain e-mail to it too. She used to complain about her e-mail all the time when I had her set up on the hosts service. She hasn't complained once since the switch. Thanks Google!

      --
      Never leave a dead horse unbeaten!
    8. Re:Is there another solution? by TekPolitik · · Score: 2, Informative

      Our company forwards email to google (MX record in the DNS), where it runs through the spam filter and then a forwarding rule (an anything-but-spam rule) sends it on to our mailboxes.

      Or you could just use Spamassassin, which properly configured is every bit as good as commercial offerings (and I have actually trialled them to do the comparison). If you put MAIA Mailguard on top of it, you have a solution that leaves the commercial offerings for dead - per user, server based sensitivity settings, quarantine, anti-virus and most importantly, no stupid bounces to the sender address of spam, since the sender address is almost always forged and if you are sending those stupid bounces you are the spammer.

      Yes, I am sick of Messagelabs spamming me.

    9. Re:Is there another solution? by jj00 · · Score: 2, Informative
      I'll start by saying that I also use this service, and for the most part I like it. However, there are some downsides:
      • If you use Google Apps, you do not have as easy access to: Reader, Photos, and other Google utilities that are provided with a general GMail account.
      • You could use a regular GMail account, using POP/IMAP and have it send mail as if it was coming from that server. However, if you send an email to someone who uses Outlook - a message is tagged to the email (ex: from person@example.com on behalf of person@gmail.com). This is very annoying.
    10. Re:Is there another solution? by Jherek+Carnelian · · Score: 1

      For free... :-)

      Maybe for free as in beer, but what about free as in liberty?
      What is google doing with that email besides forwarding it on?
      Are they building up a profile or even a full-text history that could be subpoenaed?

    11. Re:Is there another solution? by stevey · · Score: 1

      Indeed those automated bounce messages are something we should have moved away from a long time ago.

      (Ditto challenge-response systems; but that's a whole other subject.)

      My own service gets that right at least!

      As you say though, if you've got the time, patience, and ability then most of the commercial systems may be bettered for your own setup - it's just a matter of deciding whether you want the hassle, or whether you want to outsource it to somebody.

    12. Re:Is there another solution? by Anonymous Coward · · Score: 0

      I have emails from the host Enom's tech support, whom I contacted because my mail was getting bounced by Enom, stating that their MX record handling is NOT compatible with gmail. They recommend forwarding instead of setting MX records.

      So it's not the perfect solution.

    13. Re:Is there another solution? by Idiomatick · · Score: 1

      Don't go on the internet if you are that worried. Your data, as shocking as this may sound, is all traveling through your ISP unencrypted! And I think the telcos might be a bit more likely to divulge information than Google. Given that, well, the telcos have done it in past, it's being made legal now for them to do so in future making it more likely and Google has refused the government's demands in past. So.... Why are people so worried about Google selling them out? I honestly don't understand.

    14. Re:Is there another solution? by tobiasly · · Score: 1

      If you use Google Apps, you do not have as easy access to: Reader, Photos, and other Google utilities that are provided with a general GMail account.

      You don't have easy access under the same login, no, but there's no reason you can't create a Gmail login for all that other stuff and just don't use it for email; that's exactly what I do since I got tired of running my own mail server. And the two logins don't even step on each other's cookies; I stay logged in to both my Google Apps (free) and Gmail accounts.

      The stuff that is included with Google Apps is the stuff that makes sense to integrate with email, e.g. you can send documents attached to email right to Google Docs from the email screen. I can't think of a good reason that your Reader and Email logins need to be the same though. Sure, it would be a bit more convenient, but there really isn't any missing functionality.

    15. Re:Is there another solution? by Mr.+Slippery · · Score: 1

      Why are people so worried about Google selling them out? I honestly don't understand.

      Because Google has done more evil than my ISP.

      I have no desire to hand them my e-mail, thanks.

      --
      Tom Swiss | the infamous tms | my blog
      You cannot wash away blood with blood
    16. Re:Is there another solution? by Idiomatick · · Score: 1

      such as?

    17. Re:Is there another solution? by darkpurpleblob · · Score: 1

      I can't think of a good reason that your Reader and Email logins need to be the same though. Sure, it would be a bit more convenient, but there really isn't any missing functionality.

      The function to email an item to someone provides recipient address autocompletion using your Gmail contacts. (Although if you've associated multiple email addresses with a contact it will only display one of those addresses.)

    18. Re:Is there another solution? by Anonymous Coward · · Score: 0

      Funny that you mention Google Apps as a reliable alternative, seeing as there's been two daylong outages in SMTP service for many Apps users since the start of July. No warning or explanation given, natch.

    19. Re:Is there another solution? by Jherek+Carnelian · · Score: 1

      Why are people so worried about Google selling them out?

      Who said obeying a subpoena is "selling out?"

      But, since you brought it up, INSTEAD OF ANSWERING THE QUESTION ASKED, here is the abridged response: Privacy is like Pandora's box, once you let your personal information out of your hands you can never, ever put it back - even if circumstances change such that what you thought was harmless is no longer harmless. If there is no compelling reason to let your personal information out of your hands, then why do so? For some people a chocolate bar is enough of a compelling reason. For others it is convenience, like ease of using toll roads or shopping at the supermarket. Some of us take our privacy a little bit more seriously than that.

      And I think the telcos might be a bit more likely to divulge information than Google.

      The telcos, as a rule, do not operate a business that is focused on targeted advertising. They do not have a business incentive to build up profiles of their users that could be vulnerable to subpoena or theft, they make their money by charging their users for services. Google isn't charging you a dime now are they? So it is entirely reasonable to expect them to build up as much of a cache of information about their users as possible because it means more accurately targeted advertising which means more revenue for them.

  5. Hey how about this... by Anonymous Coward · · Score: 0, Flamebait

    In these days of a few dollars per month hosting, why don't you let someone else host your email. You obviously have no idea what you are doing. Anyone can set up a mail server, but hey, leave it to the pros to fix your inane problems.

  6. Re:I knew .. by Anonymous Coward · · Score: 0

    Well. Using that reasoning... I know you're an idiot. Because at some point in the future, you'll prove me right.

    I think he already proved that he was an idiot in the not-too-distant past.

  7. Simple answer: stop forwarding by mattbee · · Score: 4, Insightful

    Effective spam filtering for forwarded email is pretty much impossible, as you lose vital information in the forwarding. Either get rid of your forwarding address, or have it hosted at Google as well. Probably the largest single reduction in spam I've ever made was the week that I got rid of years-old forwarding addresses. If the forwarding address is more important, just get it hosted at Google directly, or tell people to stop using it!

    --
    Matthew @ Bytemark Hosting
    1. Re:Simple answer: stop forwarding by joeytmann · · Score: 0, Redundant

      ding ding ding....we have a winner! tell them what they have won Vanna.

      --
      Insert funny smart-ass comment here.
    2. Re:Simple answer: stop forwarding by Anonymous Coward · · Score: 0

      I disagree. I do a simple forward of my email address to google, and google's spam filter works great! I get probably 500 spam messages a day, and I usually only see a couple of them make it through the filter. And I haven't had a false positive in almost a year......

    3. Re:Simple answer: stop forwarding by lpangelrob · · Score: 2, Funny

      Actually, Charlie tells them what they've won. Vanna plays the part of "Jerry Springer's insightful monologue" at the end, except less controversial, less insightful, and it's actually a dialogue with Pat.

    4. Re:Simple answer: stop forwarding by jabberw0k · · Score: 1

      Jerry Springer? Perhaps you meant "incite-ful."

    5. Re:Simple answer: stop forwarding by Anonymous Coward · · Score: 0

      I agree, if you have already taken the time to setup a server you are likely capable of setting up SquirrelMail or another suitable webmail client for yourself. Sure, flags will replace stars, and folders will replace vfolders (unless you contribute some code), but at least you will know your messages get through 100% of the time.

      Saying you use the system as it was not intended to be used and then claiming that the technology is crap is really not getting us anywhere.

    6. Re:Simple answer: stop forwarding by Anonymous Coward · · Score: 0

      I'm not really sure that this is a problem. Forwarding being broken will lead to a huge reduction in forwarding spam.

      But in seriousness though, when forwarding the new server is supposed to be taking responsibility for the message and not forwarding messages that are from untrustworthy sources.

  8. Forwarded messages will be fine by addikt10 · · Score: 1

    If you are having problems with forwarded messages, then none of the emails from your server would make it in to gmail.
    Forwarded messages will have all the headers and information to indicate they came from your server.
    Bounced messages, where none of the headers are rewritten but it seems to come from your server, is the issue you are describing and it isn't one that I have an easy answer for.
    The only solution that I can think of would use greasemonkey and special rules on your server to make it easy to reply, forward, etc from gmail.

    1. Re:Forwarded messages will be fine by Znork · · Score: 1

      Depending on the configuration of forwarding they will still have the original From: tho, so the way it usually works is like this:

      The mail will have the original From, and the rewritten headers indicating the mail came from the forwarding server. Upon Google's SPF check, the SPF record will not contain the forwarding server as an appropriate or permitted sender for the From: field in question. The mail is rejected (or, rather, silently dropped).

      It's not a trivial problem to solve unless you have control over all the mailservers involved. You have to rewrite the From field so it no longer appears to originate from the original domain. It could rewrite with a valid name (something at the forwarding server), or by adding something to the domain name, creating a non-SPF protected From field, but however you do that you end up with a not-quite-accurate (or more accurate, depending on your view) From field. Which may cause problems in your client as you reply to the mail.

      If you have control of the destination mailserver, it's much easier: you could simply not check for valid SPF records for mails coming from the forwarding server.
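Added example, not part of any comment in this thread: a minimal Python model of the failure described above and of the sender-rewriting fix the submitter asks about. It evaluates SPF against the envelope sender (MAIL FROM), as RFC 4408 defines it; the SPF records, IP addresses, secret and the simplified SRS0-style address format are constructed for illustration and are not interoperable with real SRS libraries.

```python
import base64
import hashlib
import hmac
import ipaddress

# Constructed SPF TXT records standing in for DNS (documentation-range IPs).
SPF_RECORDS = {
    "frienddomain.com": "v=spf1 ip4:192.0.2.10 -all",   # friend's own server only
    "mydomain.com": "v=spf1 ip4:198.51.100.25 -all",    # the forwarding server
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
SRS_SECRET = b"constructed-demo-secret"  # hypothetical key known only to the forwarder


def check_spf(client_ip, mail_from, records=SPF_RECORDS):
    """Evaluate the envelope sender's SPF record against the connecting IP.

    Only the ip4: and all mechanisms are handled; anything else is treated
    as a non-match in this sketch.
    """
    domain = mail_from.rsplit("@", 1)[1].lower()
    terms = records.get(domain, "").split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            matched = term == "all"
        if matched:
            return RESULTS[qualifier]
    return "neutral"


def srs_hash(timestamp, domain, local, secret):
    """Short keyed tag so outsiders cannot mint valid return addresses."""
    msg = (timestamp + domain + local).lower().encode()
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()[:4]


def srs_forward(mail_from, forwarder_domain, day, secret=SRS_SECRET):
    """Rewrite the envelope sender into the forwarder's own domain.

    The From: header inside the message is left alone, so replies from the
    mail client still go to the original author.
    """
    local, domain = mail_from.rsplit("@", 1)
    d = day % 1024                      # day counter, two base32 characters
    timestamp = B32[d >> 5] + B32[d & 31]
    tag = srs_hash(timestamp, domain, local, secret)
    return f"SRS0={tag}={timestamp}={domain}={local}@{forwarder_domain}"


def srs_reverse(srs_address, secret=SRS_SECRET):
    """Recover the original sender for a returning bounce; reject forged tags."""
    fields = srs_address.rsplit("@", 1)[0].split("=", 4)
    if len(fields) != 5 or fields[0] != "SRS0":
        raise ValueError("not an SRS0 address")
    _, tag, timestamp, domain, local = fields
    if not hmac.compare_digest(tag, srs_hash(timestamp, domain, local, secret)):
        raise ValueError("SRS hash mismatch")
    return f"{local}@{domain}"


def demo(day=13900):
    """Compare direct delivery, plain forwarding and forwarding with rewriting."""
    sender = "friend@frienddomain.com"
    rewritten = srs_forward(sender, "mydomain.com", day)
    return {
        "direct": check_spf("192.0.2.10", sender),
        "forwarded_unchanged": check_spf("198.51.100.25", sender),
        "forwarded_with_srs": check_spf("198.51.100.25", rewritten),
        "rewritten": rewritten,
        "bounce_returns_to": srs_reverse(rewritten),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The rewritten address passes because the final receiver now looks up the forwarder's SPF record, and the keyed tag lets the forwarder route a later bounce back to the original sender without acting as an open relay for forged return paths.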

    2. Re:Forwarded messages will be fine by Sancho · · Score: 2, Informative

      Actually, the term "forwarding" applies both to client-forwarding (remailing the mail with all of the headers) and server-forwarding (what you call bouncing.) It's the difference between clicking forward and using a .forward file (hey, why do you think they called it that?)

  9. silently dropping is not unexpected by Ungrounded+Lightning · · Score: 5, Interesting

    What's *really* strange is that if I look at the raw sendmail logs on my server, the Email from friend@frienddomain.com comes in, and is forwarded to gmail ... with an "OK" as the response -- i.e. the gmail MTA doesn't reject the message as it ideally should. However, the Email then disappears -- it's not even in my gmail spam filter ... so there is no trace of it at all.

    While the RFCs specify that an MTA that is dropping should notify the sender in various ways, modern MTAs often violate these parts of the spec, pretending to accept and then dropping the mail and/or failing to send bounce notifications.

    This is deliberate. Not sending bounce messages reduces the load on the servers and net (now that most mail traffic bounces). Pretending to accept mail which is actually dropped is a defense against guessing email addresses and probing filters to see what gets past them.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    1. Re:silently dropping is not unexpected by X0563511 · · Score: 3, Insightful

      It violates RFCs and causes problems like we are reading about now. It needs to stop.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    2. Re:silently dropping is not unexpected by Klaus_1250 · · Score: 2, Funny

      Hotmail has been doing the same for years... And it is bad bad bad. There is a reason for those RFCs you know. I've had several complaints from people that I was losing their mail. Checked the server logs and the mails were sent to Hotmail and it replied with a nice message received and accepted. Yet it dropped them afterwards even though it was 100% Ham. Fantastic. I get complaints about their mistakes, it takes me time and effort, and best of all, you can't contact them about it.

      --
      It only takes one man to change the Wisdom of the Crowd to Tyranny of the Masses.
    3. Re:silently dropping is not unexpected by oyenstikker · · Score: 1

      That means you Hotmail!

      --
      The masses are the crack whores of religion.
    4. Re:silently dropping is not unexpected by X0563511 · · Score: 1

      No, fuck the spammer. Either respect the RFC, or come up with a solution with at least as much attention as the RFCs were given.

      Or, give up and come up with a proper solution from the start, and let traditional email rot.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    5. Re:silently dropping is not unexpected by AVee · · Score: 4, Insightful

      That would be true if Google would actually first accept the email and then send a bounce message because it doesn't like it after all.
      What they should do is reject the email immediately, in which case they don't have to send a bounce email but the mail is properly logged as being rejected. Of course this does mean Google will have to do all of their checks before accepting the message, which is a bit harder to do, but it is the only correct solution for the bounce problem.

    6. Re:silently dropping is not unexpected by Anonymous Coward · · Score: 0

      This makes sense for "blocked due to invalid recipient" and perhaps for "blocked due to spam score."

      As far as I can tell, however, there really isn't much info provided when you let someone know you blocked due to SPF, while it hugely helps debugging. Don't send a "we blocked your message" email, just give the appropriate 5XX status code (I think either 518, 570, or 571).

    7. Re:silently dropping is not unexpected by kju · · Score: 1

      It violates RFCs and causes problems like we are reading about now. It needs to stop.

      It is also illegal in certain jurisdictions, e.g. in Germany. It's called unlawful suppression of entrusted messages (202, Section 2 StGB).

    8. Re:silently dropping is not unexpected by anom · · Score: 1

      Mod parent up, the only good way to do SPAM filtering is to ONLY deliver a 250 Queued message if the email is actually going to be delivered.

    9. Re:silently dropping is not unexpected by Culture20 · · Score: 1

      Hotmail used to drop 90% of the emails that I sent _to_myself_ from other accounts. I have no idea if it still does; that account was disbanded as unusable.

    10. Re:silently dropping is not unexpected by nurbles · · Score: 1

      Silently dropping messages also prevents "bounce SPAM" where the spammer intentionally sends a message to a fake account from the TARGET, hoping that the bounce from the server will get through to the target. Wasn't Google a victim of that recently?

    11. Re:silently dropping is not unexpected by Ungrounded+Lightning · · Score: 1

      ... the only good way to do SPAM filtering is to ONLY deliver a 250 Queued message if the email is actually going to be delivered.

      Which means an automated agent has the feedback necessary to "sniff out" the content filtering algorithm, trying variations until one gets through and remembering the result to get through more easily on the next message. Goodbye filters.

      I'm not taking sides. I'm just pointing out a reason some people make this choice.

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    12. Re:silently dropping is not unexpected by skis · · Score: 1

      Receiving MTAs should NEVER send bounces. That is the job of the sending MTA. One of the problems here is that gmail is reporting a 250 OK, so the sending MTA sees no error and does not send a bounce message.

    13. Re:silently dropping is not unexpected by fimbulvetr · · Score: 1

      The problem that we see now is NOT caused by this violation. In fact, even if they hadn't violated the spec, the problem would still exist.

      Now, as the admin for servers pushing 50M emails a day before spam, I say "Fuck You, pay for my bandwidth, servers and personnel to manage the support for forges", to all of those who whine about the spec and wanting to receive a bounce.

      It might have been acceptable 10 years ago, but I assure you the spec wasn't designed at a time where you receive orderS of magnitude more spam than legit messages.

    14. Re:silently dropping is not unexpected by bugg · · Score: 1

      Most MTAs are configured to send a bounce if message delivery permanently fails. That is, google won't be sending the bounce, but your mailserver will if google permanently refuses the message.

      --
      -bugg
    15. Re:silently dropping is not unexpected by AVee · · Score: 1

      That might be true, but my mailserver might do all kinds of other things. But regardless it won't cause any bounce spam, because it will reject (reject, not bounce) any incoming mail for the gmail domain unless it is from my internal network. There might be bounces, but there is no way for a spammer to generate these bounces unless he is inside my network. That pretty much solves the bounce-spam issue.

    16. Re:silently dropping is not unexpected by AVee · · Score: 3, Insightful

      That's absolutely true for content filters, but SPF (which is the issue here) is designed to be used during the transfer. That's how it should be used when used at all. SPF is not exactly free of potential issues with legitimate email, which makes silent dropping an even bigger issue.

      Either way, you should never silently discard an email unless you are 110% sure it's spam. In all other cases it should either be dropped in the spam folder or be properly rejected. Anything else makes email totally unreliable. (And frankly, you shouldn't entrust your email to a company that thinks it's ok to silently drop something addressed to you, but that's another issue.)

    17. Re:silently dropping is not unexpected by vux984 · · Score: 4, Informative

      No, fuck the spammer.

      Following the RFC fucks the innocent bystander, not the spammer. Is following the RFC worth fucking innocent bystanders over?

      Either respect the RFC, or come up with a solution with at least as much attention as the RFCs were given.

      In the meantime, while you come up with a solution, I'll disregard the RFC for this situation, because fucking innocent bystanders over while the world figures out a 'real solution' isn't acceptable.

    18. Re:silently dropping is not unexpected by Whitemice · · Score: 1

      Not sending bounce messages reduces the load on the servers and net (now that most mail traffic bounces). Pretending to accept mail which is actually dropped is a defense against guessing email addresses and probing filters to see what gets past them.

      Rejecting mail isn't the same as generating a bounce. Rejecting while the connection is open doesn't generate a bounce (unless the remote chooses to).

      Accepting and dropping is a clear violation of the RFC. I don't care if it is done by Google, Microsoft, or anyone else. What happened to "do no evil"? Violating an RFC is evil.

      --
      Using "Common Sense" is being either to arrogant or to ignorant to ask people who know more about something than you.
    19. Re:silently dropping is not unexpected by AK+Marc · · Score: 1

      They are accepting the mail and dropping it without delivering it to a valid email box on that server. That is unacceptable. Prevent bounce spam with rejections at the time of connection. If they are dropping it before it reaches a user mail box, then it is something they can reject in real-time. You can reject a message without bounce-spam. And that's what should be implemented everywhere. If you accept an email message, you should do all you can to deliver it and you should send bounce spam if you accept but don't deliver it. If bounce spam is something you don't like, then have more SMTP rejections, rather than bounces, and you'll be RFC compliant and not be throwing your clients email into black holes where everyone says it was accepted and forwarded on without error, until it just disappears without a trace.

    20. Re:silently dropping is not unexpected by statusbar · · Score: 2, Insightful

      The rfc is broken, as it assumes no one would lie in their 'MAIL FROM' field.

      Will you fix it for us?

      --jeffk++

      --
      ipv6 is my vpn
    21. Re:silently dropping is not unexpected by samson13 · · Score: 1

      Not following the RFC fucks more innocent bystanders.

      We get lots of help desk calls because some stupid(but innocent) user spells an email address wrong and they don't get a bounce and they blame us for not delivering it.

      If somebody has a problem with back scatter then they obviously don't have their SPF records set up correctly. They aren't so innocent. I'm getting spam traffic from their domain.

      The problem gets worse when the spam lists blame a properly configured SPF configuration for back scatter. To solve that the bounces all come from a host that is on every black list known, which is sort of embarrassing but seems to keep most people happy.

      In this case I don't think gmail is breaking the RFC.. The email was deliverable. It was just definitely spam (the owner of the domain said so) because an RFC broken forwarder couldn't rewrite properly.

    22. Re:silently dropping is not unexpected by nurbles · · Score: 1

      No argument here. I was just remembering that Google was not producing bounces because of some disconnect in their email system. I think it was something about one system accepting the email and enqueuing it to another for delivery. When the second system discovers that it cannot deliver for whatever reason, it cannot reject because the connection is long gone. So Google was producing bounce messages until SPAMmers discovered that Google bounces got through pretty much ALL filtering systems. Then the SPAMmers started generating GMail (and other) bounces on purpose, so GMail stopped bouncing -- hopefully only until they can figure out how to do it "right." But who knows?

    23. Re:silently dropping is not unexpected by Anonymous+Brave+Guy · · Score: 5, Insightful

      It violates RFCs

      I'm giving up mods to post this, but it really needs to be said.

      People need to stop blaming things on services who pragmatically choose to violate selected aspects of decades-old standards that don't address today's realities. The problem with modern e-mail is that the standard is hopelessly out of touch with modern demands. There should long ago have been a consistent standard that covered things like sender authentication, encryption and signing, formatted messages ("HTML e-mails"), smart handling of errors without treating them all as e-mails in their own right, and numerous other fundamentally broken parts of the original e-mail specs. But there isn't, so people try to do reasonable things and stay as true to the standard as they can without being dogmatic about it when it's obviously a stupid thing to do.

      So no, I don't think silent dropping needs to stop under all circumstances. E-mail has never had useful reliability of delivery (another thing a replacement standard should deal with) so you can't count on it anyway. On the other hand, I'm sick and tired of getting a deluge of hundreds of unwanted e-mails in ten minutes because someone sent out a mail with webmaster@my.domain as the sender, and loads of people who were confident enough that the message was spam to block it still sent back a bounce message to an address that is 99.99% likely to have been faked as well in that case. I'm sorry, but that's just antisocial behaviour, and responsible sysadmins should take steps to avoid it: if you're confident enough to refuse delivery, why aren't you confident enough not to reverse-spam the innocent bystander? If you're running a sensible service where a user can whitelist specific senders or switch off spam filtering altogether for specific receiving addresses if they want to guarantee receiving everything, and they've opted in to your spam filtering, this shouldn't be a problem.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    24. Re:silently dropping is not unexpected by Anonymous+Brave+Guy · · Score: 2, Informative

      If somebody has a problem with back scatter then they obviously don't have their SPF records set up correctly. They aren't so innocent. I'm getting spam traffic from their domain.

      I'm sorry, Mr Holier Than Thou Standards Guru, but could you please point me to the standard that requires e-mail systems to support SPF?

      You'll be there a while, because there is no such standard. Moreover, there probably never will be, because SPF is fundamentally broken in several ways. If you use SPF, either setting it up for your own domains or filtering on it, then you are not part of the solution, you are part of the problem. And it's a lousy way to filter e-mail anyway, since it's statistically beyond hope of anything close to acceptable reliability, while any decent multi-pronged approach can easily get high-90s accuracy with negligible false positive rates.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    25. Re:silently dropping is not unexpected by vux984 · · Score: 1

      We get lots of help desk calls because some stupid(but innocent) user spells an email address wrong and they don't get a bounce and they blame us for not delivering it.

      Vs getting lots of help desk calls because some stupid(but innocent) user gets dozens of email bounce messages to email he never sent?

      If somebody has a problem with back scatter then they obviously don't have their SPF records set up correctly. They aren't so innocent. I'm getting spam traffic from their domain.

      I'm not following. I'm sure you realize that SPF doesn't prevent people from sending spam traffic with someone else's domain name on it. That SPF only lets them tell you which hosts are authorized to send mail for their domain. It doesn't do jack squat in stopping spammers from sending you spam with their domain from unauthorized hosts. So I'm not sure why you think it's their fault you are getting spam traffic from their domain.

      And their properly set up spf doesn't prevent backscatter. Their SPF record isn't a factor to that, and your bounce messages are coming from your authorized server.

      Or have I misunderstood something?

      The problem gets worse when the spam lists blame a properly configured SPF configuration for back scatter. To solve that the bounces all come from a host that is on every black list know which is sort of embarrassing but seems to keep most people happy.

      I'm afraid you lost me here. It's not clear to me what you are trying to say.

    26. Re:silently dropping is not unexpected by dbIII · · Score: 1

      While it is a little bit convenient to just drop the messages, typos do occur on important messages on occasion. Silently dropping messages intended for those with the power to dismiss you from your job is unwise even if you do not care about the other reasons to bounce. Gmail can get away with it because of their terms and conditions. It is a little more difficult to go to your company directors and explain that you wish to impose terms and conditions on their email such that communications to them are silently dropped - particularly if you are doing it after such a thing has occurred and caused problems.

    27. Re:silently dropping is not unexpected by mrbooze · · Score: 1

      Are we sure about that? My understanding is that the server should be rejecting the message as undeliverable during the initial SMTP conversation, not sending any bounce messages afterwards.

      This would mean that $SPAM_SERVER says "Hello, $LEGITIMATE_SERVER, please deliver this message to $RECIPIENT from $FAKE_SENDER" and $LEGITIMATE_SERVER says "Sorry, I don't know who $RECIPIENT is."

      $LEGITIMATE_SERVER never sends a bounce message to anyone. It just says "no such address". What are the odds that a botnet spamming mail server is going to waste CPU cycles returning undeliverable notices back up the chain that it already knows is fake? What would be the profit in that?

    28. Re:silently dropping is not unexpected by geminidomino · · Score: 2, Interesting

      People violate the RFC because spammers spoof the sender as the people they are spamming, so the bounce goes back to that person and they get the spam. The RFC does not account for this, so fuck it.

      Only if the mail admin is incompetent. This comes up every time there's a story about something in mail that's been screwed by spammers.

      Receiving mail server should not be sending ANYTHING to the sender's mail address, faked or not. The Receiving server's responsibility is to generate a 5xx error on a permanent error and send that back to the SENDING MTA. The Sending MTA has the responsibility to generate the appropriate mailer-daemon message

    29. Re:silently dropping is not unexpected by Mr.+Slippery · · Score: 1

      The rfc is broken, as it assumes no one would lie in their 'MAIL FROM' field. Will you fix it for us?

      The fix is called S/MIME.

      --
      Tom Swiss | the infamous tms | my blog
      You cannot wash away blood with blood
    30. Re:silently dropping is not unexpected by Mr.+Slippery · · Score: 1

      Which means an automated agent has the feedback necessary to "sniff out" the content filtering algorithm, trying variations until one gets through and remembering the result to get through more easily on the next message. Goodbye filters.

      Yes, good-bye and good riddance, and once we're done with them perhaps we can turn our attention to solutions that won't just result in turning "Viagra" to "\/i4gr4".

      Any real spam solution will be built on digital signatures.

      --
      Tom Swiss | the infamous tms | my blog
      You cannot wash away blood with blood
    31. Re:silently dropping is not unexpected by statusbar · · Score: 1

      Unfortunately, that fix is not good enough. It does not mention how the "MAIL FROM" command in smtp is verified.

      RSA keys for each email account would be a nice idea but basically unusable with a web email client. "Don't give anyone your private keys!"

      --jeffk++

      --
      ipv6 is my vpn
    32. Re:silently dropping is not unexpected by Doug+Neal · · Score: 1

      Exactly.

      The RFCs aren't sacred texts. Of course they were written by people that know their shit, but they weren't infallible, and the spam problem as it is now was certainly not foreseen at the time SMTP was devised.

    33. Re:silently dropping is not unexpected by ectoraige · · Score: 1

      E-mail has never had useful reliability of delivery (another thing a replacement standard should deal with) so you can't count on it anyway.

      It was never meant to have reliability of delivery. However, what it does have is *reliable delivery status information*. If the email you sent was not delivered, you would *know* about it.

      I'd like to see your ideas of a replacement standard that can *guarantee* delivery. So would the court services, I'm sure. What email reliably offered was that if you sent an email, it would either get there, or come back to you. Emails should never "get lost", and in all my years of running mailservers, I have never seen emails get lost in transit.

      Silently dropping emails breaks this, and renders email unreliable.

      The back-scatter is caused by anti-spam solutions that do not reject the email during the SMTP conversation, instead accepting the email and ending the SMTP transaction, and *only then* decide to reject the message by starting a whole new email delivery. If gmail rejected the email during the SMTP transaction, they would not cause any backscatter.

      Backscatter now outnumbers direct spam in my mailbox; ta very much to all those techs out there who thought delayed rejection was a good idea.

      --
      Vs lbh pna ernq guvf, ybt bss abj. Tb bhgfvqr. Syl n xvgr.
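Added example, not part of any comment in this thread: a small Python model of the three receiver behaviours argued over above (reject during the SMTP session, accept then bounce, accept then silently drop), showing who ends up with a failure notice in each case. The policy names, addresses and the single "verdict" flag are constructed simplifications; a real MTA makes this decision across several SMTP commands.

```python
from dataclasses import dataclass, field

POLICIES = ("reject_in_session", "accept_then_bounce", "accept_then_drop")


@dataclass
class Outcome:
    smtp_reply: str      # what the connecting client sees before the session ends
    delivered: bool      # whether the message reached the recipient's mailbox
    notices: list = field(default_factory=list)  # (generated_by, sent_to) pairs


def receive(policy, verdict_ok, mail_from, client_is_mta):
    """Model a final-hop receiver handling one message.

    verdict_ok    -- result of the receiver's checks (recipient, SPF, filter)
    client_is_mta -- True when the connecting client is a real MTA that turns
                     a 5xx reply into a notice to the envelope sender; a spam
                     bot simply moves on to the next address.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    if verdict_ok:
        return Outcome("250 OK", True)
    if policy == "reject_in_session":
        out = Outcome("550 rejected", False)
        if client_is_mta:
            # Responsibility stays with the previous hop, which reports back.
            out.notices.append(("sending MTA", mail_from))
        return out
    if policy == "accept_then_bounce":
        # Session already closed with 250, so a brand-new message is mailed
        # to whatever address MAIL FROM claimed.
        return Outcome("250 OK", False, [("receiving MTA", mail_from)])
    return Outcome("250 OK", False)  # accept_then_drop: nobody is told


# Constructed scenarios. "author" is the person who really wrote the message,
# or None when the envelope sender was forged.
CASES = {
    "forged spam, sent directly by a bot": dict(
        mail_from="victim@bystander.example", author=None, client_is_mta=False),
    "genuine mail, relayed by a forwarder": dict(
        mail_from="friend@frienddomain.com", author="friend@frienddomain.com",
        client_is_mta=True),
    "forged spam, relayed by a forwarder": dict(
        mail_from="victim@bystander.example", author=None, client_is_mta=True),
}


def run_scenarios():
    """Return {(case, policy): (Outcome, backscatter_targets, author_told)}."""
    table = {}
    for name, case in CASES.items():
        for policy in POLICIES:
            out = receive(policy, False, case["mail_from"], case["client_is_mta"])
            recipients = [sent_to for _, sent_to in out.notices]
            backscatter = [r for r in recipients if r != case["author"]]
            author_told = case["author"] in recipients
            table[(name, policy)] = (out, backscatter, author_told)
    return table


if __name__ == "__main__":
    for (name, policy), (out, backscatter, told) in run_scenarios().items():
        print(f"{name:38} {policy:20} {out.smtp_reply:13} "
              f"backscatter={backscatter} author_told={told}")
```

The third scenario shows the limit of in-session rejection: once a forwarder has already accepted forged mail, a 5xx from the final hop makes the forwarder the party that generates the notice to the forged address.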
    34. Re:silently dropping is not unexpected by Anonymous+Brave+Guy · · Score: 1

      However, what it does have is *reliable delivery status information*. If the email you sent was not delivered, you would *know* about it.

      That simply isn't true. After all, if you could reliably transmit an accepted/rejected acknowledgement, you could reliably transmit an e-mail in the first place, couldn't you?

      The back-scatter is caused by anti-spam solutions that do not reject the email during the SMTP conversation, instead accepting the email and ending the SMTP transaction, and *only then* decide to reject the message by starting a whole new email delivery. If gmail rejected the email during the SMTP transaction, they would not cause any backscatter.

      They seem to have worked out a somewhat effective way around this, though: my mail service correctly bounces spam immediately, but lately I keep getting the bounce messages redirected to another randomly generated address at my domain, and it seems the extra content from doing this to a legitimate bounce message is enough to give the messages a significant chance of making it through the spam filters. I haven't worked out exactly what they are doing yet, but the end result is basically back-scatter anyway.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    35. Re:silently dropping is not unexpected by beegle · · Score: 1

      The rfc is broken, as it assumes no one would lie in their 'MAIL FROM' field.

      butbutbut... I thought that RFCs were writs directly from God. They are INFALLIBLE, I tell you! That is why they are never considered obsolete. EVER! Only heretics dare say otherwise.

      --
      --
    36. Re:silently dropping is not unexpected by ectoraige · · Score: 1

      However, what it does have is *reliable delivery status information*. If the email you sent was not delivered, you would *know* about it.

      That simply isn't true. After all, if you could reliably transmit an accepted/rejected acknowledgement, you could reliably transmit an e-mail in the first place, couldn't you?

      Granted if, immediately after your mailserver fails to find a server to accept your message, it then goes down, then yes, you will not receive notification of the failed delivery. Once your mailserver comes back though, you will.

      The reason you can not guarantee delivery is, quite simply, that when you send the email, there is no knowledge about the state of the path to the recipient. SMTP is designed so that, if during the journey the path becomes impassable, then the email will return back. It kind of assumes the path behind doesn't disappear along the way. When people start silently dropping messages though, this is what can happen.

      As for the backscatter you are seeing, are they actually originating from your ISP? If so, tell them about it. I would guess that it is other ISPs doing accept-then-reject that are the cause.

      --
      Vs lbh pna ernq guvf, ybt bss abj. Tb bhgfvqr. Syl n xvgr.
    37. Re:silently dropping is not unexpected by Anonymous Coward · · Score: 0

      Apart from HTML emails (which are probably covered by the HTML standards), almost all the things you say are not covered by RFCs are covered by RFCs (mostly from the last millennium).

      SMTP Email is reliable in the sense that the message is not deleted from one server till the receiving server okays it, and rejected messages are always reported to the sender (where sender's details are correct). Short of always ensuring it is on two computers at once, I'm not sure what more reliability you think it needs.

      Google's violation of the RFC is what is being complained about here. Perhaps this should give you pause for thought, that the RFCs weren't just dreamt up at a whim.

      Sure the email environment has changed, but the basic principles of not deleting email till it is okayed by the receiver, and notifying failed delivery, are still basic to any messaging system.

      If people implemented their own servers sensibly SMTP would work just fine. I think bad default MTA settings, and the poor end user system security are the main issues with SMTP. Sure the protocol could do with an overhaul, but there is a reason most spam filters score down email for those listed in RFC-Ignorant.

    38. Re:silently dropping is not unexpected by Anonymous+Brave+Guy · · Score: 1

      I'm afraid you're confusing RFCs with standards. They are not the same. SPF, for example, is covered by RFC 4408, but it's still broken and it's hardly a standard, never mind a good one.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  10. Easy answer by mastropiero · · Score: 1, Informative

    You need to implement sender-rewriting scheme in your mail server. Google it.

    Next issue?

    1. Re:Easy answer by Anonymous Coward · · Score: 1, Informative

      See link in summary.

      http://david.woodhou.se/why-not-spf.html

      Solution is for your friend to use something OTHER than SPF

    2. Re:Easy answer by SatanicPuppy · · Score: 5, Insightful

      That's outstandingly unhelpful. How about attaching a link to a decent SRS implementation? Or sending them to OpenSPF?

      Randomly throwing down on people legitimately asking for some technical help is a big problem in the OSS community. Whether or not /. is the appropriate place to ask this question is debatable, but since it made the front page and there is no helpful SRS faq on this site, might as well direct them somewhere.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    3. Re:Easy answer by Anonymous Coward · · Score: 0

      Next issue?

      How to play the flute?

      How black and white people can live together in peace and harmony?

      How to reconcile the Russians and the Chinese?

  11. Pull instead of push? by Robotech_Master · · Score: 5, Informative

    Doesn't GMail offer the ability to fetch your email from POP accounts now? It would probably not be the ideal solution, but perhaps you should stop forwarding and instead start POPping.

    --
    Editor Emeritus and Senior Writer, TeleRead.org
    1. Re:Pull instead of push? by SCHecklerX · · Score: 1

      and wtf would one want to enable pop on a server that is already doing IMAP just fine? Maybe google should implement IMAP checking, then I wouldn't have to forward (it's temporary until my own web server is back online, but it certainly is convenient).

    2. Re:Pull instead of push? by i+kan+reed · · Score: 4, Informative

      Or given the box of horrors that is POP, you could try IMAP, which google now also supports.

    3. Re:Pull instead of push? by Anonymous Coward · · Score: 0

      supports, and even implements their label scheme. i just moved my own domain to gmail and it's wonderful. imap makes it easy

    4. Re:Pull instead of push? by jon159785 · · Score: 1

      Probably wants to use gmail's filtering for spam. The spam filtering on most low end hosting solutions leaves much to be desired.

    5. Re:Pull instead of push? by Loether · · Score: 3, Informative

      gmail does let you pull via pop3 BUT the scheduler is not configurable. Gmail checks pop randomly when it feels like it. For me it's about every 30 minutes to 1 hour. YMMV

      --
      TODO create witty sig.
    6. Re:Pull instead of push? by tgd · · Score: 1

      Or better yet don't do either, just have the e-mail go to gmail. Google Apps for Domains is free, and less clunky than forwarding.

    7. Re:Pull instead of push? by ady1 · · Score: 1

      I'm using that for an old account and trust me, that is extremely slow. As one poster already pointed out, you can just host the email on google instead of forwarding it which is not efficient in the first place.

    8. Re:Pull instead of push? by VGPowerlord · · Score: 1

      That means you have to implement an additional mail server program that does POP, as forwarding only requires SMTP.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    9. Re:Pull instead of push? by Firehed · · Score: 1

      It's not even so much the filtering solution as simply the lack of data to filter on. Google is dealing with billions of messages a day, so their filtering algorithms can end up stupidly accurate.

      Of course, those low end hosting solutions would be wise to aggregate their spam filtering data. I know, data privacy issues become a possibility, but whatever. Just use Google Apps For Your Domain and be done with it.

      --
      How are sites slashdotted when nobody reads TFAs?
    10. Re:Pull instead of push? by Anonymous Coward · · Score: 0

      It's not really random, the time changes based on the number of and frequency of emails received.

    11. Re:Pull instead of push? by Anonymous Coward · · Score: 0

      You can force a check by selecting Settings> Accounts and click "Check Mail Now"

    12. Re:Pull instead of push? by Anonymous Coward · · Score: 0

      ...which Google sort of supports.

    13. Re:Pull instead of push? by Anonymous Coward · · Score: 0

      In the gmail settings page there is a "Check mail now" link. And I'm sure some of those javascript based extensions to gmail can blend it in the main page.
      I think it's a good solution to multiple addresses (on different domains), but it is not getting the mail from your other address that worries me, it's the inability to send mail from google with another email address (google makes sure you own it) if that other domain published such SPF rules.

      Whitelisting known and trusted domains by default would be nice.

    14. Re:Pull instead of push? by adminstring · · Score: 1

      You can force it to check mail using POP3 on demand; they just buried the feature in the UI.

      Here's where it is: Click Settings in the upper-right, then click the Accounts tab, then in the "Get mail from other accounts" section, then finally click the "check mail now" link to the right of the name of the account you want to check. Then it will immediately check for messages using that POP3 account.

      --
      My truck is like a series of tubes.
    15. Re:Pull instead of push? by __NR_kill · · Score: 1

      Doesn't GMail offer the ability to fetch your email from POP accounts now? It would probably not be the ideal solution, but perhaps you should stop forwarding and instead start POPping.

      Because you have to pay extra for storage. Email forwarding usually comes with the domain registration, as in my case.

    16. Re:Pull instead of push? by Anonymous Coward · · Score: 0

      Actually the POP-puller is based upon account activity. If you get a lot of messages Gmail will POP-pull it about once every five minutes.

      So the interval of pulling is about 5 minutes to 1 hour, depending on account activity.

      As far as I have noticed.

    17. Re:Pull instead of push? by ceka · · Score: 3, Interesting

      ... IMAP, which google now also supports.

      Gmail claims to support IMAP, but if you try really using it, it's awful.

      E.g. deleting an email from my mail client inbox only removes it from the Inbox label, it still stays in AllMail. And deleting from AllMail is impossible, the email reappears in thunderbird in a minute or two. Deleting attachments doesn't work. Etc.

      I understand they want to keep my data as long as possible and also that they want to make IMAP work with their Labels, but I don't care I just want an IMAP compliant email account...

    18. Re:Pull instead of push? by Anonymous Coward · · Score: 0

      Look, google has free storage, free hosting, you pay your $14 for the .com, point all of the DNS stuff including MX entries to google apps, and you get free everything. The only thing you do not get is server side scripting, but if all you have is a little blog or site, and email, it does it all.

    19. Re:Pull instead of push? by Anonymous Coward · · Score: 0

      Actually, given the box of horrors that is IMAP, you could just use POP.

  12. Re:I knew .. by dot45 · · Score: 1

    I use my gmail account for catching all the junk mail you get for signing up for a mailing list.
    I guess i need to have my email server just send me a message stating that i have new mail waiting.

  13. Domain Keys doesn't have the same issue by thadman08 · · Score: 4, Informative

    Domain Keys authenticates that the message was generated by a server with access to the DK private key. Forwarding the message does not affect the originator of the message, so the Domain Key authentication still checks out.

    SPF and DKs solve similar issues, but in a much different manner.

    1. Re:Domain Keys doesn't have the same issue by SuperQ · · Score: 1

      Yes, DKIM is a much better solution than SPF. I've been slowly adding keys to domains that I host on my mail server. None of them will stop spammers, but one of these days I can hope to eliminate some of the backscatter spam I get.

    2. Re:Domain Keys doesn't have the same issue by GreyFish · · Score: 1

      Domain keys breaks mail sent through a mailing list where the mailing list software doesn't strip the domain keys header.

      All the various sender authentication stuff have two problems, they either break mailing lists, or forwarding, or both. Both problems are solvable but involve changing how you do mailing lists or forwarding.

    3. Re:Domain Keys doesn't have the same issue by Dolda2000 · · Score: 1
      I have no idea what you're talking about here. DKIM breaks neither mailing lists nor forwarding, and mailing lists are not supposed to strip the DKIM header (if they did, that would get the mail rejected for sure).

      DKIM ensures the integrity of the message and that it, at some point, passed through the MTA for the domain in the "From" header. It does that by signing the body of the message along with a set of headers. As long as the mailing list is RFC 2821/2822 compliant and only adds new headers to the top of the message (only headers below the DKIM header are part of the signature), its integrity under DKIM is unaffected.
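The two inputs a DKIM verifier recomputes, shown for a forwarded copy and for two kinds of mailing-list edit, as an added example that is not from the thread. It follows the relaxed canonicalization of RFC 6376 and stops before the RSA step; the message, host names and header values are constructed.

```python
import base64
import hashlib
import re

# Constructed sample message; H_TAG plays the role of the signature's h= tag.
H_TAG = ["from", "to", "subject", "date"]
HEADERS = [
    ("From", "friend@frienddomain.example"),
    ("To", "me@mydomain.example"),
    ("Subject", "Lunch   on Friday?"),
    ("Date", "Mon, 07 Jan 2008 10:00:00 +0000"),
]
BODY = b"Are you free on Friday?\r\n\r\nCheers\r\n"


def relaxed_body(body):
    """Relaxed body canonicalization: squeeze whitespace, drop trailing blank lines."""
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ") for line in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(line + b"\r\n" for line in lines)


def body_hash(body):
    """Value carried in the signature's bh= tag (SHA-256, base64)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def relaxed_header(name, value):
    """Relaxed header canonicalization: lowercase name, unfold, squeeze whitespace."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)
    value = re.sub(r"[ \t]+", " ", value).strip(" ")
    return f"{name.lower().strip()}:{value}\r\n"


def signed_header_data(headers, h_tag):
    """Pick the header fields named in h=, each taken from the bottom of the block up."""
    remaining = list(headers)
    picked = []
    for wanted in h_tag:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted.lower():
                picked.append(relaxed_header(*remaining.pop(i)))
                break
    return "".join(picked)


def dkim_inputs(headers, body, h_tag):
    """(bh value, digest of the signed header fields); the real signature also
    covers the DKIM-Signature field itself, which is left out here."""
    header_digest = hashlib.sha256(signed_header_data(headers, h_tag).encode()).hexdigest()
    return body_hash(body), header_digest


if __name__ == "__main__":
    original = dkim_inputs(HEADERS, BODY, H_TAG)
    forwarded = [("Received", "from mail.mydomain.example by mx.example.net")] + HEADERS
    with_footer = BODY + b"-- \r\nlist footer\r\n"
    tagged = [(n, "[list] " + v) if n == "Subject" else (n, v) for n, v in HEADERS]
    print("forwarded copy unchanged:", dkim_inputs(forwarded, BODY, H_TAG) == original)
    print("footer changes bh:", dkim_inputs(HEADERS, with_footer, H_TAG)[0] != original[0])
    print("subject tag changes headers:", dkim_inputs(tagged, BODY, H_TAG)[1] != original[1])
```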

  14. Dump SPF by Anonymous Coward · · Score: 0

    SPF is deliberately designed to prevent this type of forwarding.

    Tell your friend to stop publishing SPF records, and ask Google to stop checking.

    SPF won't do anything to stop spam anyway (despite what some of its proponents say.) It needs to die a quick death.

    1. Re:Dump SPF by Rashkae · · Score: 1

      SPF stops phishing, and FROM forgery, not spamming, as the original poster already mentioned.

      It's been a while since I read SPF specs, but there is a header you can add to the e-mail that identifies the sender domain of the forwarded e-mail, which will fix the SPF issue when you forward the mail from your server to gmail. Unfortunately, a) I forget what the header is b) I have no clue how to configure sendmail so it inserts the header when it forwards e-mails. I would be interested in these answers however.

    2. Re:Dump SPF by Phroggy · · Score: 1

      SPF won't do anything to stop spam anyway (despite what some of its proponents say.) It needs to die a quick death.

      In case anyone doubts this, here's a brief list of domains that are owned by spammers that actually have SPF configured, as well as forward and reverse DNS for their dedicated IPs. Each of these domains also has a web site with an "unsubscribe" form on the front page. These are just a few of the domains that have tried to send me spam in the last couple of days.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    3. Re:Dump SPF by bigstrat2003 · · Score: 1

      gohan-saiyan.com
      goku-saiyan.com
      goten-saiyan.com
      vegeta-saiyan.com

      That isn't spam, that's a feature!

      On a serious note, what the hell kind of spam are you getting from domains like that?

      --
      "16MB (fuck off, MiB fascists)" - The Mighty Buzzard
    4. Re:Dump SPF by jonbryce · · Score: 1

      SPF isn't supposed to stop spam. It is supposed to stop backscatter from people spamming with your email address in the "from" field.

      If the SPF doesn't match, that means the email has a faked "from" field, so the receiving server shouldn't bounce it back to you. In that respect, Google's approach of silently eating the mail is probably the "correct" approach. Perhaps it should put it in the spam folder though.

    5. Re:Dump SPF by DamnStupidElf · · Score: 1

      Wouldn't the existence of such a header break SPF? Spam could just come "forwarded" from the spoofed sender.

    6. Re:Dump SPF by Phroggy · · Score: 1

      Nothing to do with the actual domain name used; they're obviously pretty random.

      Actually I'm not sure what kind of spam they're sending, since I've been rejecting it. I set up a script to check the reverse DNS hostname of the connecting host, and if it matches a particular pattern, send an HTTP query to see if that host has a web site, and if so, whether the web site has an unsubscribe form on the front page. If all these conditions are met, the IP is cached in a database and the message is rejected; otherwise the IP is cached as being OK (the majority of servers connecting to me that match this hostname pattern are spammers, but there are a lot of legit servers too). But with the HTTP test on top of that, I've had no false positives.

      Interestingly enough, I've been using this code on two different servers, and since I cleared the database a couple days ago, only one of them has seen this type of spam, and that server only hosts a single domain, while the other server hosts several domains.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    7. Re:Dump SPF by Rashkae · · Score: 1

      Not really, the client is able to tell that there is a discrepancy in From and Sender: and notify the user appropriately...

      Again, SPF was never to stop spam, just prevent domain forging.... btw, believe it or not, the header you have to insert is Return Path: which means I have a solution for the OP

    8. Re:Dump SPF by Curmudgeonlyoldbloke · · Score: 1

      Tell your friend to stop publishing SPF records

      It's possible that his friend sends emails to people other than him - he may have set up SPF so that his mail DOES get delivered to those people.

      For example, Hotmail (which I'm assured that some people still use!) recommends SPF use:

      http://postmaster.hotmail.com/Guidelines.aspx

      (although to say that mail delivery to Hotmail is a bit unreliable is a bit like saying that Saddam Hussein wasn't a nice bloke)

    9. Re:Dump SPF by stabiesoft · · Score: 1

      Interesting, I've been doing a DNS lookup of authority section and rejecting from
      name-services.com, domaincontrol.com and existservers.com. I don't like it, as it is too
      generic, but in my case, my email is from companies who use higher grade name servers.

    10. Re:Dump SPF by CyprusBlue113 · · Score: 1

      No, SPF is meant to stop from forged spam directly by not accepting mail from non authorized sources

      --
      a handful of selfish greedy people are no match for millions of selfish, greedy people -u4ya
    11. Re:Dump SPF by Matt+Perry · · Score: 3, Informative

      SPF won't do anything to stop spam anyway (despite what some of its proponents say.)

      Of course it won't stop spam. It wasn't designed to. Its purpose is to stop joe jobs.

      --
      Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
    12. Re:Dump SPF by statemachine · · Score: 1

      In case anyone doubts this, here's a brief list of domains that are owned by spammers that actually have SPF configured, as well as forward and reverse DNS for their dedicated IPs.

      Don't you think that's quite helpful of the spammers to identify their servers for you? Now you can block them if you choose. I don't see how this is a bad thing.

    13. Re:Dump SPF by Glendale2x · · Score: 1

      Maybe they don't want their messages to be forwarded without their consent and intentionally publish SPF to prohibit it.

      --
      this is my sig
  15. setup gmail to grab the email directly... by Anonymous Coward · · Score: 0

    gmail > settings > accounts > get mail from other accounts...

    downloads via pop3.

  16. Don't forward by Anonymous Coward · · Score: 0

    When Email comes into my server..

    That's your problem right there. Don't have email sent to your server. Update your MX records so your email is sent directly to google. Then you can turn off sendmail on your server.

    1. Re:Don't forward by Klaus_1250 · · Score: 1

      So you can't see if Google has silently deleted any other of your email? Doesn't make sense to me.

      --
      It only takes one man to change the Wisdom of the Crowd to Tyranny of the Masses.
  17. Easy -- sign up for Google Apps for your Domain by ahecht · · Score: 3, Informative

    Sign up for Google Apps, and then you can have all mail sent to me@mydomain.com be handled by GMail. All you have to do is sign up at http://www.google.com/a/ and link your domain. Then point your domain's MX records to aspmx.l.google.com.

    In the future, all you have to do in order to get your mail is to go to http://mail.google.com/a/mydomain.com/ instead of http://www.gmail.com (and you can even set it up so that http://mail.mydomain.com CNAMES to your email login page)

    1. Re:Easy -- sign up for Google Apps for your Domain by The+End+Of+Days · · Score: 3, Funny

      OMG you didn't use example.com as your domain. You're risking the nerdwrath of that dude above.

    2. Re:Easy -- sign up for Google Apps for your Domain by Anonymous Coward · · Score: 1, Informative

      Unfortunately, http://mail.example.com goes to http, not https.

      And of course, you get cert warnings if you try https://mail.example.com.

      And yes, I know in either case the authentication part is secure, but the post-auth part is not.

      you want https://mail.google.com/a/example.com

    3. Re:Easy -- sign up for Google Apps for your Domain by Anonymous Coward · · Score: 1, Interesting

      Funny thing is on the "Learn more" section of Google Apps, when talking about the Gmail capabilities "Google" yes the ever mighty Google uses "jsmith@yourdomain.com" as an example in its wording.

      How dare they ... we need to get the example.com police on their ass!

  18. FAQ by RzTen1 · · Score: 5, Informative

    There's actually a fairly simple procmail fix right on the spf site: http://www.openspf.org/FAQ/Forwarding

    1. Re:FAQ by yuna49 · · Score: 1

      Remember that forwarding via procmail means the message will be sent from the unqualified username on the account. So if the message comes to the mailbox for joe, the forwarded message will be addressed as coming from joe@thishost.example.com unless appropriate domain-level masquerading is employed. This may seem trivial but if the receiving server rejects mail for which a valid MX record does not exist, messages from joe@thishost.example.com may not be delivered. (This is especially common when the mail server is behind a firewall.)

      For sendmail users, the alternative is to maintain a genericstable that will map joe to joe@example.com.

  19. SPF is only the first half, choose to use SRS also by spottedkangaroo · · Score: 0

    If you're forwarding mails from SPF tagged domains you should also be using SRS... it's kinda your own fault for forwarding without re-writing return path.

    --
    Imagine if you weren't allowed to use roads because a bus company complained about your driving 3 times. --skunkpussy
  20. You seem to have answered the question already by RevDigger · · Score: 4, Informative

    This is also known as, "The Problem With SPF." SPF breaks forwarding. This is well known. People who use SPF need to be aware of the ramifications.

    The SPF people have created SRS, as you are aware, to work around this problem. It is a complicated and unappealing workaround. I certainly won't do it.

    You have three options as I see it:

    1) Stop forwarding. It's really a terrible idea. Install webmail on your mailserver. Check out RoundCube, for instance.
    2) Wait for people to figure out that strict SPF policies break SMTP too badly for most users.
    3) Implement SRS. (this would probably be easier if you were using a modern MTA)

    I guess you were hoping for an easy fix, but there simply isn't one.

    1. Re:You seem to have answered the question already by Anonymous Coward · · Score: 0

      Umm... webmail itself is a terrible idea. Really. Gmail may suck a little less than most others, but that doesn't mean it doesn't suck.

      I hadn't seen RoundCube before, but it appears to be Yet Another PHP/MySQL-based potential security hole. Yeah, just what I need -- another app to worry about.

    2. Re:You seem to have answered the question already by BobMcD · · Score: 1

      Or...

      1) Stop forwarding...

      ...and use Gmail to fetch stored mail instead.

    3. Re:You seem to have answered the question already by Anonymous Coward · · Score: 0

      I guess you were hoping for an easy fix,
      but there simply isn't one.

      Actually, yes, there is. Set your MX records to use Gmail directly, as someone posted above.

    4. Re:You seem to have answered the question already by alphamugwump · · Score: 1

      This is not always an option. I have shell accounts on machines all over the place, few of which are running POP. If the admin or anybody else sends me an email, I want it to be forwarded to me. I realize there are security issues with forwarding, but it's convenient as hell, and it's a perfectly reasonable thing to want to do to email.

    5. Re:You seem to have answered the question already by BobMcD · · Score: 1

      GMail handles the POP(IMAP). If the mail is in the account, it will get picked up.

      Pull vs Push

    6. Re:You seem to have answered the question already by Anonymous Coward · · Score: 0

      The more general problem is that mail servers don't adjust their behaviour based on user settings. What the user really wants is for gmail to allow forwarded mail from his server for his account.

      In an ideal solution, a user could set up a whitelist of mail servers (or addresses, domains, etc) in whatever mail client he uses. The client would store the user's settings to the server, and the server would consider users' whitelists and blacklists in addition to the server-wide settings.

      Unfortunately, the ideal solution relies on protocols and programs that do not exist. MAPI seems to store some settings on the server, but I don't know how useful it would be for such a solution and I also know how popular it is with this crowd. Also, in all current systems that I know of, the message would be discarded by server-wide checks before the user's settings are considered, while in the suggested solution, the user's settings would have to be considered first to avoid that.

  21. Support SPF by ergo98 · · Score: 4, Insightful

    SPF won't do anything to stop spam anyway (despite what some of its proponents say.) It needs to die a quick death

    I put SPF on my domain not because I think that it'll solve the world's spam problem, but because it helps reduce the (large) number of bogus returns that come back to my domain (the more recipients that have SPF checking on, and realize that some sender in China isn't a legitimate source for emails from my domain, eats and discards the message rather than bouncing back some wasteful return spam to me).

    SPF is great. It isn't a total solution, and there are negatives, but it certainly is better than the anyone is anyone free for all.

    1. Re:Support SPF by Anonymous+Brave+Guy · · Score: 1

      SPF is great. It isn't a total solution, and there are negatives, but it certainly is better than the anyone is anyone free for all.

      Actually, statistically it is not much better than that.

      Hint: For those domains that have valid SPF records set up, what proportion do you think just allow sending from anywhere?

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    2. Re:Support SPF by foom · · Score: 1
      You don't actually need SPF for that. Instead, you should do return-path-rewriting on your *own* outgoing mail, which will completely solve the bogus bounces problem for you, without requiring anyone else to change anything.

      It's basically just like SRS (which you need to use if you use SPF) except using it on your own outgoing mail instead of forwarded mail. And by using it, SPF becomes utterly worthless.

      The idea is that you use a unique MAIL FROM: for all legit mail you send, and simply reject all bounce messages that aren't going to these addresses.

      See here and here: here for more details.

    3. Re:Support SPF by ergo98 · · Score: 1

      Hint: For those domains that have valid SPF records set up, what proportion do you think just allow sending from anywhere?

      Not many? Even if it was a lot, why does that matter to me?

      Open relays aren't as huge of a concern nowadays, having been beaten down pretty hard by the various blacklists. If someone has an open relay, probably sitting on various blacklists, I doubt they're the ones forging ahead with SPF.

    4. Re:Support SPF by higuita · · Score: 1

      hint: filter (or at least, give big spam points) those domains that have "allow all" SPF records... also, with spf, you can trust the received emails, so you can WHITELIST them... with that, you can play more hardball with the unknown domains, they could start with 5 spam points instead of zero...

      --
      Higuita
  22. Re:I knew .. by Zero__Kelvin · · Score: 1

    Really? What was it? gmail is doing exactly what it is supposed to do in this case, so what is your reason?

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  23. ^---- what jeffmeden said. by klocwerk · · Score: 3, Interesting

    Another satisfied google hosted apps customer chiming in. I have a reseller webhosting account that I keep about 10-15 domains on for myself/friends/family which does acceptable e-mail, but I advise everyone to just shove their e-mail over to gmail/a instead.

    You get your own hosted mail/webmail service with (currently) 7gb of storage per/account, no preset account limit, POP and IMAP, as well as great spam-filtering.
    All free.

    And for $50/acct/year you can have 25gb/acct storage, API access to customize it for single-signon and/or gateways, a full Postini implementation, and 99.9% uptime guarantee.

    Hate to sound like a shill, but it's a fantastic service and I don't mind pimping it.

    --

    "You worthless post!"
    -Shakespeare, 2 Gentlemen of Verona, 1. 1. 147
    1. Re:^---- what jeffmeden said. by nstlgc · · Score: 1

      My biggest problem with Google Apps is that you need to open separate accounts for each domain instead of managing several domains from the same administrative account. I know you can set up "domain aliases" but that's not exactly what I was thinking about. Also, when automatically forwarding email from a Google account, it doesn't seem to be filtering out messages it regards as spam. I had hoped it would.

      --
      I'm Rocco. I'm the +5 Funny man.
  24. Comment removed by account_deleted · · Score: 4, Informative

    Comment removed based on user account deletion

  25. boring by Anonymous Coward · · Score: 0

    BORING!!!!!

    SPF and mail forwarding DONT work togther, never have NEVER WILL

    Get over it

  26. proper forwarding by ArbitraryConstant · · Score: 1

    Proper forwarding should rewrite the SMTP envelope sender (leaving the "From" header intact). There's just no other way to do it that doesn't break with SPF and other things these days.

    Yes, that means the new sender address will have to be valid. Yes, that means it'll look like spam is coming from your domain if your forwarding service is easy to abuse. You might also want to preserve what's happened in headers for future reference and debugging uses, and rewrite the SMTP envelope sender to something that makes obvious which forwarding address caused the forwarded message to be sent.

    E-mail is easy to get wrong. Don't try this at home.

    --
    I rarely criticize things I don't care about.
  27. Don't send TO gmail, have gmail get FROM by Andraax · · Score: 1

    Instead of forwarding mail from your server to gmail, setup gmail to pick up mail from your server automatically. SPF shouldn't fire in that case. It's under Settings/Accounts/Get mail from other systems. If you have POP3 access to your current mailbox, it's trivial to setup.

  28. Re:I knew .. by cayenne8 · · Score: 4, Insightful
    "I use my gmail account for catching all the junk mail you get for signing up for a mailing list. I guess i need to have my email server just send me a message stating that i have new mail waiting."

    At first I was wondering why the hell someone that had a working email server would shuttle it through Gmail, but then I read about using the spam filters, etc.

    While that sounds good on the surface, is anyone out there not a little apprehensive about having all your email, particularly if you're a business, going through and being stored on their servers? I mean, someday Google will bend completely for govt. wanting to search all emails for 'terrorists' activities, and God knows who else will too.

    I guess I'd want a bit more privacy on my emails, especially if they contained sensitive or proprietary information. I know...they're in plain text and could be intercepted if not encrypted, but, this is altogether different. It is stored on google's servers and there for easy data mining.

    I'm getting ready to dig out my old email server post Katrina...can you not use procmail and spamassassin to filter spam as effectively as Gmail does?

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  29. It's just an example in a text message by r39525 · · Score: 4, Insightful

    For God's sake. It's just text! RFC 2606 doesn't specify what you're allowed to write in a text message.

    If you're actually going to do some testing then it might matter. What matters here is can the reader understand the question. I can. Can you?

    1. Re:It's just an example in a text message by Anonymous Coward · · Score: 0

      Huh? Shakespeare's plays are also just text! And the declaration of independence, and the nazi accounts of what happened at Auschwitz. All text! holy god! What's your point? Maybe you're too ignorant to have a point.

  30. Google will host your email for free by Anonymous Coward · · Score: 0

    Use google apps free email hosting, they will host the email for your domain for free, you get a custom domain AND the gmail interface/features you love.

    http://www.google.com/a/help/intl/en/index.html

  31. Sorry, Swoosh belongs to Nike. by johnny+cashed · · Score: 3, Funny

    I think you're looking for whoosh.

    1. Re:Sorry, Swoosh belongs to Nike. by _ivy_ivy_ · · Score: 5, Funny

      RFC 9835 specifically calls for a "whoosh." The use of "swoosh" has been depreciated.

    2. Re:Sorry, Swoosh belongs to Nike. by Sciros · · Score: 5, Funny

      deprecated

      --
      I like basketball!!1!
    3. Re:Sorry, Swoosh belongs to Nike. by neltana · · Score: 5, Funny

      Actually, RFC 0444 has been reserved by the IETF for use as an example RFC number. Your joke should have used that.

      Come on, people!

    4. Re:Sorry, Swoosh belongs to Nike. by verbamour · · Score: 1

      RFC 8675309 requires "RFC 8675209" to be used whenever a bogus RFC number is publicized. The use of RFC 1149 has been deprecated to relieve the stress to carrier pigeons, and by subduction, so has RFC 9835. Thank you for your adherence to standards.

    5. Re:Sorry, Swoosh belongs to Nike. by neltana · · Score: 1

      Joke leech!

      RFC 0465 makes it clear that any joke that contains at least 50% of the same punchline material as a joke previously posted in reply to the same post in an internet forum SHOULD be considered a joke leech if such posting takes place within 20 minutes.

    6. Re:Sorry, Swoosh belongs to Nike. by Anonymous Coward · · Score: 0

      defecated

    7. Re:Sorry, Swoosh belongs to Nike. by Anonymous Coward · · Score: 0

      I believe swoosh is correct for use with one-eared cats.

    8. Re:Sorry, Swoosh belongs to Nike. by Anonymous Coward · · Score: 0

      No - he means it's worth less now...

    9. Re:Sorry, Swoosh belongs to Nike. by Anonymous Coward · · Score: 0

      decapitated!

  32. There is an easy way to do e-mail forwarding... by jafo · · Score: 2, Informative

    There's an easy way to do e-mail forwarding, which unfortunately is wrong. We no longer live in a world where you can just create a .forward file with the destination address in it (unless it's on the same server).

    If you're going to run your own mail server, there are things you need to do if you want it to run correctly. One of them is that if you are forwarding to a mail server that does SPF, you need to do SRS. Though you probably also need to be doing all the spam rejection on your mail server as well, because otherwise you may be allowing mail through that you wouldn't otherwise.

    For example, say that your server doesn't check SPF, and you do SRS. Now you're basically bypassing the destination server's SPF checking.

    How to do SRS? I would personally probably just change my .forward file from the destination address into a small script that re-injects the message with a different envelope sender, but I'm sure there are already scripts that do this and much more fancy....

    Ideally, you probably just want to move your mail for your domain directly to google, as another respondent says. Don't have it shunting through your own server if at all possible. If you have mail that you want handled directly on your server, either forward it from gmail to your home machine, or use a different domain ("address@homebox.example.com").

    Sean
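
A sketch of the envelope-sender rewriting that comment 32 describes, as an added example that is not jafo's script and not code from any SRS package. It follows the commonly used SRS0 layout (hash, timestamp, original domain, original local part) in simplified form; the secret, the forwarder domain and the age limit are assumptions, and it is not claimed to interoperate with existing SRS implementations.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"    # assumption: per-forwarder secret key
FORWARDER_DOMAIN = "mydomain.example"  # assumption: the forwarding server's domain
MAX_AGE_DAYS = 21                      # assumption: how long bounces are accepted
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def _today():
    return int(time.time() // 86400)


def _stamp(day):
    """Encode the day number modulo 1024 as two base32 characters."""
    day %= 1024
    return B32[day >> 5] + B32[day & 31]


def _unstamp(ts):
    if len(ts) != 2:
        raise ValueError("malformed timestamp")
    return (B32.index(ts[0]) << 5) | B32.index(ts[1])


def _tag(ts, domain, local):
    """Short HMAC over the fields, so outsiders cannot mint valid addresses."""
    msg = "=".join((ts, domain, local)).lower().encode()
    mac = hmac.new(SECRET, msg, hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:4]


def srs_forward(envelope_sender, day=None):
    """Rewrite the envelope sender so that it belongs to the forwarder's domain."""
    day = _today() if day is None else day
    local, domain = envelope_sender.rsplit("@", 1)
    ts = _stamp(day)
    return f"SRS0={_tag(ts, domain, local)}={ts}={domain}={local}@{FORWARDER_DOMAIN}"


def srs_reverse(rewritten, day=None):
    """Recover the original sender for a bounce; reject forged or stale addresses."""
    day = _today() if day is None else day
    localpart, domain = rewritten.rsplit("@", 1)
    if domain.lower() != FORWARDER_DOMAIN or not localpart.upper().startswith("SRS0="):
        raise ValueError("not an SRS address for this forwarder")
    try:
        _, tag, ts, orig_domain, orig_local = localpart.split("=", 4)
        age = (day - _unstamp(ts.upper())) % 1024
    except ValueError:
        raise ValueError("malformed SRS address") from None
    if not hmac.compare_digest(tag.encode(), _tag(ts, orig_domain, orig_local).encode()):
        raise ValueError("bad signature")  # without this check the server relays forged bounces
    if age > MAX_AGE_DAYS:
        raise ValueError("expired")
    return f"{orig_local}@{orig_domain}"


if __name__ == "__main__":
    fwd = srs_forward("friend@frienddomain.example")
    print(fwd)
    print(srs_reverse(fwd))
```

The receiving server now evaluates SPF against the forwarder's domain, which is why the forwarder has to do its own SPF and spam checks before rewriting.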

    1. Re:There is an easy way to do e-mail forwarding... by Sancho · · Score: 2, Interesting

      How do you deal with the problem of being blacklisted as a spammer if you end up forwarding lots of spam mail off of your domain? Remember, SPF itself doesn't address the problem of spam, so the fact that you're checking SPF doesn't matter a lot in this regard.

  33. Gmail Is Broken by RAMMS+EIN · · Score: 1, Flamebait

    Gmail has been silently dropping emails for as long as I remember. It's broken, and that's yet another reason I don't use it.

    --
    Please correct me if I got my facts wrong.
  34. Re:I knew .. by BizzyM · · Score: 3, Insightful

    If you are worried that your "sensitive" email could be stored and eventually used against you:
    1) stop using email altogether.
    2) you need to get to a drug rehab center... cocaine is a hell of a drug

  35. Correct the Envelope Address by rsd · · Score: 1

    I am not rereading the specification, so I might be wrong.

    SPF probably checks the Envelope Address and not the From: address which are not the same.

    The envelope address is the address that the SMTP client says to the server who is the sender,
    the From: address is what is in the message header.

    Simply altering the Envelope Address to a valid mail from your server and google won't complain anymore.

  36. .. easier to just update your MXs by uncledrax · · Score: 1

    True..

    but if you have a web presence where you don't want to deal with having another POP/IMAP server to maintain yourself, you can point your MX's to Gmail..

    Frankly.. I use google web app tools and love em.

    --
    ----- The internet has given everyone the ability to have their voice heard equally as loud.. even if they shouldn't be
  37. maybe a silly question but.. by Anonymous Coward · · Score: 0

    FYI here's the link to the SPF document on Forwarding.

    Do I have my terminology wrong? I thought forwarding sent an email with the headers from the forwarder's server? In their example isn't forwarding redirecting and remailing actually forwarding?

    1. Re:maybe a silly question but.. by mkettler · · Score: 4, Informative

      People over-generalize terms quite often, and "forwarding" has different meanings in different situations. Generally the difference boils down to if you're talking about a "server" implementation or a "mail client" implementation.

      In this case, the SPF folks are addressing server admins, so by "forwarding" they mean sending the message to a new recipient without altering the headers. This use probably originates back to the old ".forward" files on unix machines, but may go back further. Most server-side implementations use this meaning for "forward".

      However, forwarding by hitting the "forward" button in most mail clients does something different. That creates a new message with new headers and preserves the old body text. Sending with the same headers is called "redirect" in most mail clients.

      Isn't it great how mail clients and mail servers use different meanings for the same word?

      Even the client/server pair that go together from the same company have this problem. For example, Microsoft - exchange server has forwarding contacts, which forward without header changes, while Outlook clients do change the headers when you hit the "forward" button.

      --
      -Matt
    2. Re:maybe a silly question but.. by InakaBoyJoe · · Score: 2, Informative

      That's because the "server" implementation you described really ought to be called "redirecting". As you said, there's *still* a lot of confusion about SPF because of the unfortunate ambiguity of this term. Blanket statements like "SPF breaks forwarding" don't help either.

      So the title of this article really ought to be "Gmail, SPF, and Broken Email Redirecting" since most people's concept of "email forwarding" involves hitting the Forward button on their MUA client, or setting forwarding rules therein (which doesn't break under SPF).

      It's 2008, folks. I can't believe we're still mired in confusion over terms like "forwarding" and "bouncing" (which could either mean generating a backscatter-prone bounce message, or rejecting the message during the SMTP transaction, which all MTAs really really really really really need to get on the ball with ...)

    3. Re:maybe a silly question but.. by mkettler · · Score: 1

      What about the other 17 different definitions for "forward"?

      http://dictionary.reference.com/search?q=forward&x=0&y=0

      Face it, the English language (as well as most others) is wildly inexact.

      --
      -Matt
  38. Re:I knew .. by SQLGuru · · Score: 3, Informative

    My e-mail goes through my domain, forwarded to Gmail, and then is downloaded to my computer via POP. Gmail is my offsite back-up (that is accessible from anywhere) and home is where I do most of my mail viewing/sending. All of those GB of space, local copies in case Gmail fails, remote copies in case my computer fails. And assuming Google is "not evil", then I should be ok.

    Layne

  39. The solution, Return Path Header by Rashkae · · Score: 3, Informative

    SPF will validate the Return-path header if there is one instead of the From: address.

    Unfortunately, I don't know how to make either sendmail or postfix insert a return path when they forward an e-mail, but the easy work around is to install mail list software as your forwarder. You can create a mailing list as your incoming e-mail, with only 1 mail list member, (which is your g-mail account). Mail list software will automagically insert the appropriate return-path header that is needed in this case.

    1. Re:The solution, Return Path Header by Anonymous Coward · · Score: 0

      For Postfix, you may want to look at "man header_checks." Header_checks is the default configuration file for email filtering based on headers. It can automatically rewrite, delete or add headers to email.

      In this case, it can add the Return-path or change the Received line, and then redirect the email. It's also easy to use: simple pattern matching.

  40. Occam's Razor by Anonymous Coward · · Score: 0

    Just POP your domain's email through Gmail. Problem solved, no more forwarding.

    1. Re:Occam's Razor by jamshid · · Score: 1

      Too slow? Gmail's polling interval will delay incoming mail.

  41. Maybe you're going about it backwards? by MattSausage · · Score: 1

    Er.. look I don't claim to be some super tech heavy.. er.. tech. But Gmail has the ability to go and FETCH email from other domains. The only problem is you have to give it your credentials, and since it is on your personal domain, you may not want to do that. But you can have Gmail go and collect email from several other email addresses (this is how I finally got my father to dump AOL completely, his Gmail Account automatically goes to look for his AOL mail and he can reply using either @gmail.com or @aol.com). Couldn't you do something similar with your own domain?

  42. Try setting Return-Path in your MTA by jeremy_fsu · · Score: 1

    If you are able to, set the "return-path" to bounces@yourdomain.com. Maybe someone more knowledgeable than me can comment on this, but I think SPF is checked with the domain found in return-path? The side effect is if for some reason mail to your gmail account bounces, your friend will not get the bounce, but it will be sent to bounces@yourdomain.com instead. Don't set it to the same address you are forwarding, or bounces will end up in a loop. I successfully solved this very same problem by doing this recently. So far it's working, and in my application I was forwarding mail for lots of people with accounts on yahoo, hotmail, gmail, etc. There were a few more steps I had to take with getting yahoo and hotmail to accept the forwarded mail, but this alone solved trouble with SPF's. Note that I also setup an SPF for my domain, allowing my MTA server's IP.

    --
    "I fly, I sail, I throw caution to the wind" -Jimmy Buffet
  43. DomainKeys DOES NOT HAVE THIS PROBLEM by ZOP · · Score: 3, Informative

    DKIM and DomainKeys work in a fundamentally different way. The message is SIGNED. Hosts are not indicated one way or the other. So any DKIM signed mail can transit any number of hosts provided they don't modify the signed sections.

    SPF has no such luxury unless implemented in a much more advanced manner in terms of the senders publishing. And it's not GMail's fault for following the SPF records as published, they should do a better job of rejecting early rather than just /dev/null-ing the email though.

  44. Use POP3 and Have Gmail....... by SkyDude · · Score: 1

    Have Gmail go get your email from your server using POP3. I've been doing this for at least three years now and it's always worked for me. My public email is a Gmail account, and my private email is a Gmail account. My double-secret private email is on another server under one of my domains and Gmail happily collects them all.

    An anonymous coward essentially answered this under the subject "Occam's Razor" but since many users here screen out ACs, I've posted the solution in the open with my fabulous karma.

    --
    == First cross river, then insult alligator.
    1. Re:Use POP3 and Have Gmail....... by Anonymous Coward · · Score: 0

      I was just too lazy to log in. Thanks for the semi-bump.

  45. MyDomain.com exists --they're my domain registrar! by KWTm · · Score: 1

    Please stop using mydomain.com and other such nonsense. Example.com is reserved ... for use as a[n] example domain name. Please make a habit of using it instead of whatever name strikes your fancy, as it is probably in use by real people.

    You're right! I have my domain name registered under MyDomain.com. You can register a domain name for $9, and they'll include email forwarding, etc.

    Please don't use them to test your email-fu.

    --
    404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
    [GPG key in journal]
  46. Craigslist forwarding problems? by jberryman · · Score: 1

    I know this is a different issue, but I thought I would bring it up: has anyone been having issues with responding to, or receiving responses from craigslist's forwarding system? I'm highly suspicious that mail is being dropped.

    And before you ask: no, I'm not trying to figure out why I haven't been getting any responses to my personals ad.

  47. Hey Nerd! by Anonymous Coward · · Score: 0

    No ones gives a fuck.

  48. How to make it work by stefanb · · Score: 5, Informative
    Amazing what a bunch of unhelpful whiners take the time to *not* answer the actual question, and get modded up for it.

    For this example, I'm assuming that your email is joe@example.com and your gmail address is joe-example@gmail.com.

    Create an alias (/etc/mail/aliases) for the address that gets forwarded to gmail.

    joe: joe-example@gmail.com

    Also create an alias for <foo>-owner:

    joe-owner: joe

    Sendmail will look for this special <foo>-owner alias whenever sending mail to the <foo> alias, and use it as the envelope sender on the outgoing mail. So any mail that is sent to joe@example.com will be resent by sendmail with a sender address of joe@example.com. The header addresses will remain unchanged, so hitting reply will still go to the right person.

    Is this the solution to all SPF forwarding brokenness? Of course not, but it's a surprisingly simple solution to a number of common forwarding situations. Note that you better be careful about spam filtering on your machine, or your mail server (your sender's address) will appear to Google as a source of spam, and might get filtered.

    1. Re:How to make it work by stefanb · · Score: 4, Informative
      Argh, RTFM really helps.

      It's owner-<foo>, not the other way around. So the aliases example should read:

      joe: joe-example@gmail.com
      owner-joe: joe

      See the aliases man page for further details.

  49. Re:I knew .. by Anonymous Coward · · Score: 4, Interesting

    .can you not use procmail and spamassassin to filter spam as effectively as Gmail does?

    Short answer is, no. Google's large amount of incoming email, their patented algorithms, and the huge data mine they're sitting on give them a unique ability to provide very thorough and high-quality spam filtering.

    Of course, that isn't to say that one can't do a half decent job with spamassassin, it just won't be as good as Google's filter.

  50. Re:I knew .. by Anonymous Coward · · Score: 1, Informative

    That's funny - I use it the opposite way. Google apps receives my mail to user@example.com and forwards it to user@z.example.com, my zimbra server. That way Google apps does all my spam filtering and archiving, and I still use a better mail server.

  51. Gmail is becoming a spam problem, too... by argent · · Score: 1

    There's been people complaining about people blocking their mail because they're coming from GMail for some weeks now, and according to BOFHs I know this isn't just clueless admins... GMail's got spam problems.

    They don't seem to be responding to queries about it either.

    Need to apply some holy water in that part of Google, seems like there's some evil leaking in.

    1. Re:Gmail is becoming a spam problem, too... by Glendale2x · · Score: 1

      Google has a *massive* outgoing spam problem and they don't seem to care. Check out the SPAM-L list archives. Of course, everyone else (including a growing number here) goes "yay google is wonderful and they host my domain for free!!1!" and gets everyone they know to use Google. Let the rest of the world not on Google be damned seems to be the goal.

      It's no wonder they can filter incoming spam so easily - they have a crapload of spam they spew to the rest of the world to look at and use as an example of what to block from coming back in.

      --
      this is my sig
  52. Re:I knew .. by Anonymous Coward · · Score: 1, Funny

    there was a reason I did not want a gmail account

    Couldn't find any friends to give you an invite, eh?

    Cheer up... you don't need them any more.

  53. Simple solution: Use procmail by Anonymous Coward · · Score: 0

    Instead of the terrible SRS scheme, simply use procmail:

    :0
       * !^FROM_DAEMON
       * !^FROM_MAILER
       ! <your gmail address>

    Note that this is not forwarding. The mail is actually sent again from your server with a new Envelope-From header, so there are no problems with SPF.

  54. Ditto "node.com" by Ungrounded+Lightning · · Score: 1

    Please stop using mydomain.com and other such nonsense. Example.com is reserved [...] for use as [an] example domain name.

    And thank you, IETF.

    The sysadmin of node.com (and node in the uucp mailnet), had a lot of trouble with lost mail, back in the days of roll-your-own sendmail configurations and bucket-brigade multihop mail delivery.

    Every now and then some sysadmin would get the bright idea that mail to "user@node.com" or "node!user" meant some newbie had followed the manual too closely rather than filling in the actual address. So he'd hotwire the MTA configuration files to bounce the mail with a helpful (or derisive) message if the user was "user" or the site (node) was "node" or "node.com".

    So every couple months somebody trying to hit a user or mailing list at node would get bounced, manage to report it by some alternate path, and there'd be another round of hunt-for-the-excessively-helpful site.

    In self-defense the sysadmin of node set up the account "user" and configured the "vacation" program so the account was always "on vacation" and delivered the "helpful message" as the vacation notification. Thus it "provided the helpful message" for the whole net.

    It also logged all the incoming mail. Turns out that the "problem" was a non-problem. Mail to "user@node.com" or "node!user" from the entire world averaged something like three letters per month.

    Or at least it did until some fool webmaster used "user@node.com" for the "fill me in please" default field in a mailing-list subscription page. And then the spammers got hold of it...

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  55. You insensitive clod! by Zombie · · Score: 3, Funny
    Any idea how much spam I've been getting since you posted that?!

    Regards,
    Joe Example

  56. SPF, Gmail, and SRS by statemachine · · Score: 5, Informative

    Since you are running your own SMTP server, you signed on to be a sysadmin. I am replying to you as a fellow sysadmin and I'll give sysadmin-style answers. Please don't take my response to be negative in any way, as I'm trying to help.

    The logical solution is to configure sendmail on my server to do Sender Rewriting -- anyone have an easy FAQ to do this?

    If you follow the link that you just gave for Sender Rewriting, it answers your question. "Implementation" links to modules, source, and configurations.

    But many people/domains aren't doing this ... and my Email forwarding to gmail is quite common, so I'm surprised that this issue hasn't gotten more attention. Is there another solution?"

    I say that you don't know how many people are implementing SRS, nor do you know how many forward e-mail to Gmail. Let's stick to the basics before giving up so readily. I take it that you absolutely do not want to give up carte blanche forwarding from your own SMTP server to Gmail; so I'll tailor my reply to that.

    But since my friend has published SPF (Sender Policy Framework) records that say only his server is allowed to send Emails for friend@frienddomain.com, gmail apparently rejects (silently buries actually!) the Email since it is forwarding through my server.

    Your friend has published an SPF record because he doesn't want people forging his domain in the envelope-sender field. This is a common spam tactic that ruins the reputation of someone's domain, either through spammer apathy or sometimes pure malice. Your e-mail forwarding (especially since you run your own SMTP) to Gmail is out of pure convenience to you and is unnecessary, so don't ask your friend to drop his SPF record.

    There are two ways to solve this:
    1) Have your friend add your SMTP server to his SPF record.
    2) Implement SRS if you want to solve it once and for all. If you follow your own links, there are explanations, examples, and actual code. You haven't said which SMTP server you're running, so you've limited the responses people can give you for your situation.

    I publish SPF records for my domains. There isn't anything "broken" about wanting to protect my domains' reputations from forgery. Very few people have a problem with forwarding that they didn't create themselves. This exception I'm talking about is people who have old university accounts (or similar) which only allow e-mail checking through a shell account and forwarding purely through a ".forward" file (or similar), with no POP, IMAP, or administrative access. This is not you. But for anyone who this describes, because of the draconian service policies, they shouldn't be giving out that e-mail address to new contacts, publish on papers, etc.

    My SMTP server checks SPF, but not DK. With SPF, the forged domains are instantly rejected, requiring minimal overhead. DK requires reception of the entire message (because the headers are in the DATA phase) in order to validate the message, on every message -- this uses unnecessary network bandwidth, and it places an extra load on my system since it would have to calculate and verify signatures for every single message. Maybe that's not an issue for you if you only receive a handful a day, but I receive thousands. Spammers know that including fake DK info in a message and then sending millions of these is effectively a Denial of Service attack on the servers that indiscriminately check DK signatures.

    I also use backup relays. For the relays that are not under my control and don't implement SRS, I simply bypass SPF checks from those IP addresses.

    About Google silently dropping your e-mail: Keep in mind that with your carte blanche forwarding, you're also forwarding spam. You are essentially spamming Gmail, even though it is you simply forwarding e-mail to your own account. It is difficult for Google to know this without human intervention or implementing some co

    1. Re:SPF, Gmail, and SRS by statemachine · · Score: 2, Informative

      Replying to myself because I just spotted the article submitter did mention "sendmail" as his solution. There are plenty of solutions readily available for sendmail. Like I said above, he can follow his own links for that information, and many others here have helpfully posted sendmail solutions also.

      I don't know why my eyes filtered out sendmail. Odd.

  57. Re:I knew .. by stevey · · Score: 1

    Indeed. I've setup a small mail filtering / anti-spam service, and the privacy is a big part of that.

    Some people just don't, won't, and shouldn't trust google...

  58. It is in the SPF spec by Anonymous Coward · · Score: 2, Informative

    Did whoever owns the domain even read how to implement SPF?

    You could easily have added

    +a:otherpermittedmailserver

    in the TXT record...

    See here: http://www.openspf.org/SPF_Record_Syntax

  59. Act stupid now! by Anonymous Coward · · Score: 0

    I recently stopped getting Email from a friend ... which turns out to be related to his use of SPF records and my forwarding to gmail.

    Your friend in Nigeria?

  60. This just in by Dan541 · · Score: 1

    "Half assed approach to email has flaws, news at 11"

    People need to start hosting their email addresses not just forwarding them.

    --
    An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
  61. Avoid Forwarding - Gmail can check POPs by diggitzz · · Score: 1

    Use Gmail's "Get mail from other accounts" feature to automatically retrieve the mail via POP3 from your private server, rather than having your server forward its mail to Gmail.

    That should fix the problem.

    Next?

    --
    -=[You cannot consistently judge this statement to be true.]=-
  62. It's the Big Yellow Light... by MsGeek · · Score: 1

    ...in the Big Blue Room.

    --
    Knowledge is power. Knowledge shared is power multiplied.
  63. Stas Sushkov by Anonymous Coward · · Score: 0

    I would act in this way.
    Once you mostly use your mail server for redirecting mail to your gmail account. Why not use google's apps?
    You can have a MTA set up on your server, which can use SPF, DK, DKIM, BATV (mine one uses first 3) and send emails to whom you need and at the same time you'll get rid of SPF problem by using Google's MX!

  64. Re:I knew .. by aztracker1 · · Score: 1

    I don't do anything critical over email... usually most of my immediate stuff is over IM. I've been using my gmail account more and more through their imap interface, and it works well, their filtering seems to work better than a well trained SpamAssassin setup.

    --
    Michael J. Ryan - tracker1.info
  65. Does business take gmail addresses seriously? by tonyray · · Score: 4, Informative

    One very good reason not to have your email address @gmail.com, if you are using it for your business, is that a LOT of businesses, wholesale vendors, even the federal government will not accept an @gmail.com address because of the large number of frauds associated with free email accounts (not just gmail, but also hotmail, yahoo mail, etc.) For example, this last tax season the federal government would not accept a gmail account for notification of your tax return status when filing electronically.

    It is much better from a business standpoint to have your own domain and email sent to your domain. If your MX points at gmail, that's okay. Just don't make your email address me@gmail.com if you want to be taken seriously.

    1. Re:Does business take gmail addresses seriously? by Anonymous Coward · · Score: 0

      How odd.

      The Federal Government happily accepted MY Gmail account for notification of tax return status when filing electronically. I had no issues whatsoever with that.

      Do you have a source for your claim that they will not accept GMAIL addresses?

    2. Re:Does business take gmail addresses seriously? by theblondebrunette · · Score: 1

      That's true. That's why I forward my me@example.com to both gmail and yahoo. Yahoo, as much as I don't like using it, always gets the email, while gmail does most of the time. My host is 1and1.com.

    3. Re:Does business take gmail addresses seriously? by Anonymous Coward · · Score: 0

      Yeah, but....

      If you want to be taken seriously, run a proper mail instance on your domain.

      Having an "official" looking domain for others to send mail TO, but having all your reply e-mail come from gmail, is NOT as impressive as you might think.

      No offense to the original poster, but if you're going to have your own domain, do it "properly" or don't do it. The real issue is that "vanity domains" like yours, which exist just to give you a cool-looking e-mail address but have no other function, aren't really anticipated, and is what's creating the problem.

      You want to host a domain that can receive mail? Do it properly! You already apparently have sendmail running. Set up your own webmail server (squirrelmail, roundcube, etc) and have done with it. Or swallow your pride and use your gmail address for your communication.

      Sorry, but it annoys me how much time is spent trying to figure out how to "work around" these sort of issues.

  66. Suggestion: Google Apps by Buran · · Score: 1

    Switch your domain to Google Apps for email. It's the same gmail interface, but it's your domain. My email address is set up on Google Apps, because I like the gmail setup (and they backup my email, etc.), archiving, spam protection, etc. etc.

    Seems to me like that's best of both worlds and would solve your problem. Plus, the basic version is free.

  67. Google Apps for Domains by rjstanford · · Score: 1

    It's not really a fix, but...

    If the goal is to receive mail addressed to you@yourdomain.com and read it in Google, you can always sign up for Google Apps (free) and set your domain's MX records to send mail directly to Google. That doesn't solve the problem as stated, but it works, it's dead easy, and in many ways it's a cleaner solution.

    --
    You're special forces then? That's great! I just love your olympics!
  68. Re:I knew .. by CrazedWalrus · · Score: 2, Insightful

    I agree with cayenne8, but not quite for the same reason. I've been using my GMail account for a while now and loving it. There's nothing incriminating in the email, per se, but there probably would be enough to do a bang-up job of identity theft. More than the government, I'm worried about Google misplacing an unencrypted backup tape with my account on it.

    The reasons I still use them are that I think the quality and utility outweigh the risk, and because my much-smaller web hosting company is more likely to do something bird-brained than Google is.

  69. Fail/HardFail vs SoftFail by n.e.watson · · Score: 3, Informative

    Have your friend look up the SPF records for a bunch of big domains. He'll notice that most of them use "~all" - a SoftFail - which is accepted by Gmail. He's probably using "-all," which makes the message just drop. The only examples I've seen of SPF hardfails in the wild are from banks. However, loads of domains are using softfail - Facebook, Google, Microsoft, eBay, MIT, UC Berkeley - to name a few.
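
The outcomes discussed in this thread (hard fail on forwarding, SoftFail with "~all", adding the forwarder with "+a:", and rewriting the envelope sender), as an added example that is not part of any poster's comment. It is a minimal SPF evaluator that handles only the ip4, ip6, a and all mechanisms; the domains, IP addresses and in-memory DNS tables are constructed assumptions.

```python
import ipaddress

# Constructed DNS data (documentation address ranges, .example domains).
TXT = {
    "frienddomain.example": "v=spf1 ip4:192.0.2.10 -all",
    "softfriend.example": "v=spf1 ip4:192.0.2.10 ~all",
    "kindfriend.example": "v=spf1 ip4:192.0.2.10 +a:mail.mydomain.example -all",
    "mydomain.example": "v=spf1 a:mail.mydomain.example -all",
}
A = {"mail.mydomain.example": ["198.51.100.25"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

FRIEND_MTA = "192.0.2.10"    # the friend's own outbound server
FORWARDER = "198.51.100.25"  # the forwarding server that relays to the mailbox provider


def check_spf(client_ip, mail_from):
    """Evaluate the SPF record of the envelope sender's domain against client_ip.

    The From: header is never consulted; only the SMTP envelope sender matters.
    """
    domain = mail_from.rsplit("@", 1)[1].lower()
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            host = arg or domain
            matched = any(ip == ipaddress.ip_address(a) for a in A.get(host, []))
        else:
            continue  # include, mx, exists, redirect etc. are out of scope here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all"


def scenarios():
    """What the final receiver sees in each situation from the thread."""
    return {
        # Friend mails the mailbox directly from his own server.
        "direct": check_spf(FRIEND_MTA, "friend@frienddomain.example"),
        # Same message relayed unchanged by the forwarder: the envelope sender is
        # still the friend's, but the connecting IP is the forwarder's.
        "forwarded_hardfail": check_spf(FORWARDER, "friend@frienddomain.example"),
        # Friend publishes "~all" instead of "-all".
        "forwarded_softfail": check_spf(FORWARDER, "friend@softfriend.example"),
        # Friend lists the forwarder in his record with "+a:".
        "forwarder_listed": check_spf(FORWARDER, "friend@kindfriend.example"),
        # Forwarder rewrites the envelope sender to its own domain.
        "envelope_rewritten": check_spf(FORWARDER, "joe@mydomain.example"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20} {result}")
```

The "envelope_rewritten" case passes no matter who originally sent the message, so the forwarder's own checks are the only SPF enforcement left on that path.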

  70. Re:I knew .. by witherstaff · · Score: 3, Interesting

    I have a gmail account, I get a handful of spam a week slipping through. I don't ever advertise my gmail account, however it's a common enough username with no numbers so dictionary attacks would hit it.

    I have a private email server, with clamav running spamassassin and postfix tuned to prevent spam (Simple settings really), I get even less spam than my gmail. This address has been published for years on multiple websites, I use for just about everything, in cleartext on websites that are spidered.

    In my experience you can do just as well or better than gmail without any headaches and a simple setup. Expect a few hours initial setup, and maybe an hour every 6 months to check if you're missing something the auto-updates can't update. It's been like this for a few years so far.

  71. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  72. Simple fix on the forwarder by Anonymous Coward · · Score: 0

    There is a simple fix if you can control the forwarder to any extent.

    Simply have the forwarding machine wrap the original email in a mime wrapper. (sorry can't remember the encoding type although rfc822 springs to mind).

    The forwarded email will come from the correct source meanwhile the original email will arrive intact with all its headers. Your mail reader should open it up without issue. This will also help you by letting you know who you have to inform about your new address.

    You can implement this yourself if you have access to maildrop or similar through your account on the forwarding system.

  73. Re:I knew .. by geminidomino · · Score: 1

    And assuming Google is "not evil", then I should be ok.

    Layne

    I think you're ok either way, since if you can safely make that assumption, your email must not be particularly sensitive anyway.

  74. SimpleR answer: have Gmail POP your mail elsewhere by Mana+Mana · · Score: 2, Informative

    1.) What are you talking about. Wrong, wrong. I do precisely what you say I should not do and Gmail filters UCE nicely.

    I own a domain, on which I have one public email alias, that is 8 years old. It had/gets spam/UCE. Gmail POPs that account/alias for me. Gmail filters the spam quite nicely!

    It is not perfect, occasionally I have to "report spam", train Gmail, but nothing overwhelming. I can understand most times why, as I have an alias that "forwards" to the above alias. And things come in that are "infrequent", e.g., yearly seminar newsletters and the like. Consequently I have to train Gmail to know about it. I am saying that it is understandable.

    Gmail understands one's email aliases, or relationships if you have Gmail POP, OR, IMAP your non Gmail accounts.

    And or use Gmail Domains / Google Apps?

    2.) A different problem I have is that my domain registrar butchered my name during a transfer recently. They have suggested "it would be easier to do a change of ownership to fix the problem." I have asked around and it seems Netsol, Godaddy (as an example of fruity ass registrars, i.e., inept =) or dumb registrars will sometimes change the creation date of one's domain at a whim-- I haven't been able to find where in ICANN regs, RFC or elsewhere creation date guidelines, rules are spelled out. Anyone???

    Friends tell me that a change in domain creation date matters for folks such as Google/Gmail as one data point in determining the spaminess of an email. IOW, I might look like a newborn spammer. Which is especially important to me considering that I use Gmail to send email that is not from @gmail.com, as I discussed above.

    I wonder if SPF records for my domain can be created using the free Gmail Domains / Google Apps?

  75. Boo hoo. by Anonymous Coward · · Score: 0

    That's too fucking bad, either pay google to host your domain or set up your own webmail. Forwarding using your method is no different to open-relay from the end MTA's point of view, thus bad. What do you want for no cost? Google owes you nothing.

  76. Re:I knew .. by teknopurge · · Score: 3, Insightful

    The reasons I still use them are that I think the quality and utility outweigh the risk, and because my much-smaller web hosting company is more likely to do something bird-brained than Google is.

    That's actually a foolish remark. Use google to search for things like "gmail outage" or "gmail issue". My favorite is "gmail security issue" with over 100k results.

    I've heard stories personally about people logging into gmail and ending up in someone else's Inbox. Yes, that's right, full access to someone else's email. Or how about another goodie: mass deletes of random emails.

    I don't understand why people have the idea that Google is better than competent system administrators - it's just plain foolish and naive.

    Regards,

  77. Re:I knew .. by CrazedWalrus · · Score: 1

    I stand corrected. Maybe I just hoped it was true, or simply expected it to be true.

    With several banks and government agencies having lost gigs of data recently, it's hard to know who to trust anymore. One would expect the people you trust with your most vital information would take the necessary care, but that obviously isn't the case.

    The question is, is it more likely to happen with a mom-n-pop web host, Google, Verizon, Bank of America, or the little credit union in town? The next question is this: Are some places more liable to lose data simply because they go through the effort of off-site backups, where maybe smaller shops don't lose data because it's all on-site? (I mean "lose" in the "Where the hell did that backup tape go?" sense, not "Uh oh, we just lost our only copy.")

    I have no idea how this balances out. I guess I just made my assumptions and tried to be reasonably comfortable with them. It's very hard to know who to trust to do their jobs correctly nowadays.

  78. Comment removed by account_deleted · · Score: 2, Informative

    Comment removed based on user account deletion

  79. implement or die in the queue by stefancaunter · · Score: 1

    TFA actually states that they have been implementing DK since 04, and that they are now going to drop mail on the floor if it doesn't pass DK; DK works really well for legitimate large volume senders. I've been implementing it since 04 and it totally improves delivery rates to Hotmail, Yahoo and GMail; it is essential for professional mail admins. DK does nothing in terms of message content, and filtering is a totally separate issue. It verifies that the sender controls their domain and mail infrastructure. All large orgs that send a lot of mail are onboard with this. Spammers are too, but they get shut out later in the MTA to MTA SMTP transaction that negotiates delivery to the final MX destination. For legitimate senders DK and SPF let you prove you should be sending mail from your domain, and also make it easier to fight phishers, which again was the point of TFA. Saying that mail will get dropped because of DK, while true, is missing the point, and all of this nonsensical posting about spam is irrelevant. Mail that should get ignored will be ignored. Senders will have to implement DK properly, or their mail won't land. This has been true for years now in the real world. Hotmail and Yahoo both throttle any sender who doesn't sign, and why shouldn't they? Do it right, and you can deliver a thousand a minute. Ignore it, and die in the queue...

  80. Re:Is there another solution? ... Maybe? by lukej · · Score: 2, Informative

    Actually, with Gmail... perhaps there is an unpublished solution?

    I just got an email with this redacted SPF header. It was sent from example.net to my domain, example.com, and forwarded to my Gmail account (not gafyd):
    Received-SPF: fail (google.com: domain of friend@example.net does not designate 111.111.111.111 as permitted sender) client-ip=111.111.111.111;
    Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of friend@example.net does not designate 111.111.111.111 as permitted sender) smtp.mail=friend@example.net

    Incidentally, prior to that, my server had passed the SPF record from the original host.
    Received-SPF: pass (smtp.example.com: SPF record at example.net designates 123.123.123.123 as permitted sender)

    So why did I get the email, the header clearly says "fail" and "hardfail"? My only guess...

    In my Gmail account, I have an account at my (forwarding) domain set up as an authorized sender. I'm allowed to send as joe@example.com, having previously proved ownership by receiving an email from Google at that account.

    To me, this makes sense. I would think that Google could make the leap of faith that if you receive email at a domain, they might as well relay all email from that domain to your Gmail account, and ignore mis-matched SPF.

    And if this is not actually the case... well, it should be. So, my simple answer to the poster's question: add your domain (email addy) to your account.
    Add another email address.

  81. Got that beat.. and WTF ?? by dbcad7 · · Score: 1

    Have not gotten any incoming mail from excite for a week since they "upgraded" it.. Sad thing is, many people use it for business like ebay.. and one guy was waiting to hear back from a potential employer.. I personally was stuck waiting for a tracking number for a package which has arrived, before any email has.

    I guess it's not "cool" like gmail, so nobody gives a crap..

    --
    waiting for ad.doubleclick.net
  82. Re:I knew .. by TrueKonrads · · Score: 1

    There is always encryption available. Just add a filter to Your favourite mail system that encrypts contents of mails before sending.

    --
    Lone Gunmen crew.
  83. Re:I knew .. by evilandi · · Score: 1

    use procmail and spamassassin to filter spam as effectively as Gmail does?

    If you misconfigure Spamassassin, you can reduce its accuracy so that it filters spam only as effectively as Gmail, yes.

    I've generally found a default up-to-date well-trained install of Spamassassin to be considerably more accurate than Gmail. Gmail FPs like a beeyatch- it dumps dozens of legit emails into the spam folder every week for me, and I typically have to spend 15 mins a week updating my whitelists to prevent this - only for it to FP on an entirely new lot of mails the next week.

    But Gmail is very convenient when you're on the move. The iGoogle single-sign-on is ideal if you're hotdesking around friends' machines, and the Java/MIDP mobile phone client for basic cellphones (not even smartphones) is particularly good.

    --
    Andrew Oakley - www.aoakley.com
  84. not unusable by Anonymous Coward · · Score: 0

    Not unusable, but for webmail the private key may be of lesser value.

    Any message so-signed, seemingly from a sender you trust and using a webmail provider you trust weakly is probably from that sender as far as spam-filtering goes.

    We just need to add back introductions like they had 200 years ago, where you want to be properly introduced; and you can be confident that mail signed with a certificate in your "introduced" list is not spam, and if it is, you can always remove the certificate.

    http://www.liddicott.com/~sam/?p=71

    Sam

  85. Use PGP by widman · · Score: 1

    That's why for sensitive stuff you can use FireGPG.

  86. Did you bother to read the gmail post? by Evil+Kerek · · Score: 1

    Dude, did you actually read the article by gmail? I don't think the way google is working with paypal or ebay puts random email in much danger, unless of course your buddy is forging his email to be from paypal or ebay.

    Relax. Just because they are a large successful company doesn't make everything they do automatically bad - though that does seem to be the thought process around here.

    EK

  87. Anonymous Coward by Anonymous Coward · · Score: 0

    by far the simplest solution is to just have your friend add your domain to his spf record.

    also, stop forwarding. it's dumb.

  88. Re:I knew .. by remmelt · · Score: 1

    > I don't understand why people have the idea that Google is better than competent system administrators

    Cost. The almighty dollar. Bottom line. Shareholders.

    > it's just plain foolish and naive.

    Exactly.

  89. Gmail on your domain by trupoet · · Score: 0

    You could also set up Gmail to handle mail for your domain (if you have control of the MX DNS records).

    http://www.google.com/a/help/intl/en/index.html

  90. Re:I knew .. by wembley+fraggle · · Score: 1

    The more important question is: how much spam does google block vs spamassassin? An anecdote about how much gets through isn't exactly as meaningful as saying, 'spamassassin lets through XX% of my incoming spam'. Of course, it may not be possible to tell how much spam gmail blocks quietly without even getting routed into your spam box.

  91. Do not support SPF! by Dolda2000 · · Score: 1

    SPF is great. It isn't a total solution, and there are negatives, but it certainly is better than the anyone is anyone free for all.

    Actually, SPF sucks really badly, and if you've turned it on, you should turn it off immediately. The reason SPF sucks so bad is that it unconditionally and helplessly breaks all forms of forwarding and mailing lists. As such, it is indeed worse than anyone is anyone free for all.

    Instead, you should support DKIM, which solves the same problem without those bugs.

  92. Easy solution by Albanach · · Score: 1

    There's another easy solution. Make your mail available at the other end via pop3/imap and have google collect it for you. Then you don't need to worry about any SPF rules getting in the way.

    If google can't do that then make your email available over imap and use the imapsync script and cron to sync your mailbox with gmail every 15 minutes or so.

  93. you cant send emails that you dont control!! by higuita · · Score: 1

    you can't simply send an email using other people's domains; that is what SPF is for, to protect the domains.

    If your friend set up an SPF record, he is saying that ONLY those IPs/MX/etc. can send for that domain.

    forwarding using the same sender is a very broken way to work. please note that you can keep the email "From:" unchanged, but not the sender... when forwarding an email, it's your server that is sending the email, not the original one, so the sender MUST reflect that.

    So you must send/forward the email using a sender FROM YOUR SERVER. you can do that with SRS or plain use a valid email from your server.

    you can use SRS, but that isn't even really required; SRS is to enable the bounce to the original sender, but most of the time he can't do anything; the problem is on YOUR side and it should be you who gets the bounce and fixes it.

    so use the aliases owner-{email}: trick to force the forward with the correct sender (both sendmail and postfix support this, probably exim too... no idea about qmail) or use a procmail rule to do it for you... if not, install SRS

    finally, some people are afraid that if they forward some spam with their sender, it would get their domain blacklisted, but first, one must always try to filter all the spam; second, any blacklist would also apply to the IP, so it's the same thing with and without the corrected sender. also, it isn't just one email that puts a domain/ip in a blacklist, you need many...

    --
    Higuita
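
Why the envelope sender decides the SPF result when mail is forwarded, as an added example that is not part of the original comment. It evaluates only the `ip4` and `all` mechanisms against constructed records. The domains, addresses and function names are assumptions, and the rewrite is a simplified SRS-style scheme (no timestamp field), not the format real SRS implementations emit.

```python
import hashlib
import hmac
import ipaddress

# Constructed SPF TXT records (documentation addresses, not real DNS data).
SPF_RECORDS = {
    "frienddomain.example": "v=spf1 ip4:192.0.2.10 -all",
    "mydomain.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(envelope_sender, client_ip):
    """Evaluate the ip4/all subset of SPF for the MAIL FROM domain."""
    record = SPF_RECORDS.get(envelope_sender.rsplit("@", 1)[1].lower())
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return RESULTS[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return RESULTS[qualifier]
    return "neutral"

def _tag(secret, domain, local):
    msg = f"{domain}={local}".lower().encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]

def rewrite_sender(original_sender, forwarder_domain, secret):
    """SRS-style rewrite (simplified: no timestamp field, not wire-compatible)."""
    local, domain = original_sender.rsplit("@", 1)
    return f"SRS0={_tag(secret, domain, local)}={domain}={local}@{forwarder_domain}"

def reverse_sender(rewritten, secret):
    """Recover the original sender for a bounce; None if the tag is forged."""
    parts = rewritten.rsplit("@", 1)[0].split("=", 3)
    if len(parts) != 4 or parts[0] != "SRS0":
        return None
    _, tag, domain, local = parts
    if not hmac.compare_digest(tag, _tag(secret, domain, local)):
        return None
    return f"{local}@{domain}"
```

With these records, mail relayed from 198.51.100.7 fails while it still carries the friend's envelope sender and passes once the sender is rewritten into the forwarder's domain; the keyed tag keeps third parties from minting bounce addresses that the forwarder would relay back.
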
  94. i'm fairly certain the work around is to do this by Alan+Doherty · · Score: 1

    A add the forwarded address to your list of allowed from addresses via http://mail.google.com/support/bin/answer.py?hl=en_GB&ctx=mail&answer=22370 instructions here but it is criminal that they discard without an inline reject, it's another case of google mail being the most antisocial of mail providers I'd suggest voting with your feet and leaving them to their 95% spammer userbase {after telling them why you're moving} as A they inline reject nothing {as far as i can see} B they allow anything and everything out {thus 90% of smtp traffic we see from google gets inline rejected due to bad content} C they seem to not remove the spammers or react to the amount of bounces a user generates