Slashdot Mirror

← Back to Stories (view on slashdot.org)

Gmail, SPF, and Broken Email Forwarding?

Posted by timothy on from the rejected-mail-for-too-many-ellipses dept.

alek writes "I recently stopped getting Email from a friend ... which turns out to be related to his use of SPF records and my forwarding to gmail. This 'lost Email problem' may get worse with Google implementing Domain Keys." Alek is looking for a non-complicated solution to this non-trivial problem; read on below for more details. "Background: Like many people, I have me@mydomain.com as my public facing Email address. When Email comes into my server, I forward it to me@gmail.com. But since my friend has published SPF (Sender Policy Framework) records that say only his server is allowed to send Emails for friend@frienddomain.com, gmail apparently rejects (silently buries actually!) the Email since it is forwarding through my server. Please note that this is exactly what SPF is designed to prevent — spammers from sending Emails with your address — but it breaks forwarding and has other problems.

What's *really* strange is that if I look at the raw sendmail logs on my server, the Email from friend@frienddomain.com comes in, and is forwarded to gmail ... with an "OK" as the response — i.e. the gmail MTA doesn't reject the message as it ideally should. However, the Email then disappears — it's not even in my gmail spam filter ... so there is no trace of it at all. If my friend sends directly to me@gmail.com, it shows up ... since his domain sends directly and the SPF test is passed. Note that on my gmail account, I associate me@mydomain.com with my me@gmail.com account ... so perhaps there should be a recipient test applied before SPF is tested on the sender ... although this arguably defeats the purpose of SPF.

The logical solution is to configure sendmail on my server to do Sender Rewriting — anyone have an easy FAQ to do this? But many people/domains aren't doing this ... and my Email forwarding to gmail is quite common, so I'm surprised that this issue hasn't gotten more attention. Is there another solution?"

15 of 300 comments (clear)

  1. Please adhere to RFC by DNS-and-BIND · · Score: 5, Informative
    Please stop using mydomain.com and other such nonsense. Example.com is reserved by RFC 2606 for use as a...wait for it...example domain name. Please make a habit of using it instead of whatever name strikes your fancy, as it is probably in use by real people.

    The Internet Assigned Numbers Authority (IANA) also currently has the following second level domain names reserved which can be used as examples.
    • example.com
    • example.net
    • example.org
    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  2. Is there another solution? by jeffmeden · · Score: 5, Informative

    Yes, of course. Have all your email sent to Google in the first place! You don't have to switch everything over to the Google app tool, you can just set MX records for your domain pointing to them, and collect it all (or forward it inside or outside Google.) It's free (with a paid version available.) Check it out here http://www.google.com/a/help/intl/en/index.html

  3. silently dropping is not unexpected by Ungrounded+Lightning · · Score: 5, Interesting

    What's *really* strange is that if I look at the raw sendmail logs on my server, the Email from friend@frienddomain.com comes in, and is forwarded to gmail ... with an "OK" as the response -- i.e. the gmail MTA doesn't reject the message as it ideally should. However, the Email then disappears -- it's not even in my gmail spam filter ... so there is no trace of it at all.

    While the RFCs specify that an MTA that is dropping should notify the sender in various ways, modern MTAs often violate these parts of the spec, pretending to accept and then dropping the mail and/or failing to send bounce notifications.

    This is deliberate. Not sending bounce messages reduces the load on the servers and net (now that most mail traffic bounces). Pretending to accept mail which is actually dropped is a defense against guessing email addresses and probing filters to see what gets past them.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    1. Re:silently dropping is not unexpected by Anonymous+Brave+Guy · · Score: 5, Insightful

      It violates RFCs

      I'm giving up mods to post this, but it really needs to be said.

      People need to stop blaming things on services who pragmatically choose to violate selected aspects of decades-old standards that don't address today's realities. The problem with modern e-mail is that the standard is hopelessly out of touch with modern demands. There should long ago have been a consistent standard that covered things like sender authentication, encryption and signing, formatted messages ("HTML e-mails"), smart handling of errors without treating them all as e-mails in their own right, and numerous other fundamentally broken parts of the original e-mail specs. But there isn't, so people try to do reasonable things and stay as true to the standard as they can without being dogmatic about it when it's obviously a stupid thing to do.

      So no, I don't think silent dropping needs to stop under all circumstances. E-mail has never had useful reliability of delivery (another thing a replacement standard should deal with) so you can't count on it anyway. On the other hand, I'm sick and tired of getting a deluge of hundreds of unwanted e-mails in ten minutes because someone sent out a mail with webmaster@my.domain as the sender, and loads of people who were confident enough that the message was spam to block it still sent back a bounce message to an address that is 99.99% likely to have been faked as well in that case. I'm sorry, but that's just antisocial behaviour, and responsible sysadmins should take steps to avoid it: if you're confident enough to refuse delivery, why aren't you confident enough not to reverse-spam the innocent bystander? If you're running a sensible service where a user can whitelist specific senders or switch off spam filtering altogether for specific receiving addresses if they want to guarantee receiving everything, and they've opted in to your spam filtering, this shouldn't be a problem.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  4. Pull instead of push? by Robotech_Master · · Score: 5, Informative

    Doesn't GMail offer the ability to fetch your email from POP accounts now? It would probably not be the ideal solution, but perhaps you should stop forwarding and instead start POPping.

    --
    Editor Emeritus and Senior Writer, TeleRead.org
  5. FAQ by RzTen1 · · Score: 5, Informative

    There's actually a fairly simple procmail fix right on the spf site: http://www.openspf.org/FAQ/Forwarding

  6. Re:Easy answer by SatanicPuppy · · Score: 5, Insightful

    That's outstandingly unhelpful. How about attaching a link to a decent SRS implementation? Or sending them to OpenSPF?

    Randomly throwing down on people legitimately asking for some technical help is a big problem in the OSS community. Whether or not /. is the appropriate place to ask this question is debatable, but since it made the front page and there is no helpful SRS faq on this site, might as well direct them somewhere.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  7. Re:Sunblock by Anonymous Coward · · Score: 5, Funny

    I prefer SPF 60. It allows me to keep the pasty white, computer nerd complexion that drives the women away.

    There, fixed that for ya.

  8. Re:Sorry, Swoosh belongs to Nike. by _ivy_ivy_ · · Score: 5, Funny

    RFC 9835 specifically calls for a "whoosh." The use of "swoosh" has been depreciated.

  9. Re:Sunblock by Spy+der+Mann · · Score: 5, Funny

    I prefer SPF 60. It allows me to keep the pasty white, computer nerd complexion that drives the women away.

    There, fixed that for ya.


    . o <-- joke
    .
    . </sarcasm> tag
    . o <-- you
    ./|\
    ./ \

  10. Re:Sorry, Swoosh belongs to Nike. by Sciros · · Score: 5, Funny

    deprecated

    --
    I like basketball!!1!
  11. Re:Sunblock by Anonymous Coward · · Score: 5, Funny

    company that makes servers.

  12. How to make it work by stefanb · · Score: 5, Informative
    Amazing what a bunch of unhelpful whiners take the time to *not* answer the actual question, and get modded up for it.

    For this example, I'm assuming that your email is joe@example.com and your gmail address is joe-example@gmail.com.

    Create an alias (/etc/mail/aliases) for the address that get's forwarded to gmail.

    joe: joe-example@gmail.com

    Also create an alias for <foo>-owner:

    joe-owner: joe

    Sendmail will look for this special <foo>-owner alias whenever sending mail to the <foo> alias, and use it as the envelope sender on the outgoing mail. So any mail that is sent to joe@example.com will be resent by sendmail with a sender address of joe@example.com. The header addresses will remain unchanged, so hitting reply will still go to the right person.

    Is this the solution to all SPF forwarding brokeness? Of course not, but it's a surpisingly simple solution to a number of common forwarding situation. Note that you better be careful about spam filtering on your machine, or your mail server (your sender's address) will appear to Google as a source of spam, and might get filtered.

  13. Re:Sorry, Swoosh belongs to Nike. by neltana · · Score: 5, Funny

    Actually, RFC 0444 has been reserved by the IETF for use as an example RFC number. Your joke should have used that.

    Come on, people!

  14. SPF, Gmail, and SRS by statemachine · · Score: 5, Informative

    Since you are running your own SMTP server, you signed on to be a sysadmin. I am replying to you as a fellow sysadmin and I'll give sysadmin-style answers. Please don't take my response to be negative in any way, as I'm trying to help.

    The logical solution is to configure sendmail on my server to do Sender Rewriting -- anyone have an easy FAQ to do this?

    If you follow the link that you just gave for Sender Rewriting, it answers your question. "Implementation" links to modules, source, and configurations.

    But many people/domains aren't doing this ... and my Email forwarding to gmail is quite common, so I'm surprised that this issue hasn't gotten more attention. Is there another solution?"

    I say that you don't know how many people are implementing SRS, nor do you know how many forward e-mail to Gmail. Let's stick to the basics before giving up so readily. I take it that you absolutely do not want to give up carte blanche forwarding from your own SMTP server to Gmail; so I'll tailor my reply to that.

    But since my friend has published SPF (Sender Policy Framework) records that say only his server is allowed to send Emails for friend@frienddomain.com, gmail apparently rejects (silently buries actually!) the Email since it is forwarding through my server.

    Your friend has published an SPF record because he doesn't want people forging his domain in the envelope-sender field. This is a common spam tactic that ruins the reputation of someone's domain, either through spammer apathy or sometimes pure malice. Your e-mail forwarding (especially since you run your own SMTP) to Gmail is out of pure convenience to you and is unnecessary, so don't ask your friend to drop his SPF record.

    There are two ways to solve this:
    1) Have your friend add your SMTP server to his SPF record.
    2) Implement SRS if you want to solve it once and for all. If you follow your own links, there are explanations, examples, and actual code. You haven't said which SMTP server you're running, so you've limited the responses people can give you for your situation.

    I publish SPF records for my domains. There isn't anything "broken" about wanting to protect my domains' reputations from forgery. Very few people have a problem with forwarding that they didn't create themselves. This exception I'm talking about is people who have old university accounts (or similar) which only allow e-mail checking through a shell account and forwarding purely through a ".forward" file (or similar), with no POP, IMAP, or administrative access. This is not you. But for anyone who this describes, because of the draconian service policies, they shouldn't be giving out that e-mail address to new contacts, publish on papers, etc.

    My SMTP server checks SPF, but not DK. With SPF, the forged domains are instantly rejected, requiring minimal overhead. DK requires reception of the entire message (because the headers are in the DATA phase) in order to validate the message, on every message -- this uses unnecessary network bandwidth, and it places an extra load on my system since it would have to calculate and verify signatures for every single message. Maybe that's not an issue for you if you only receive a handful a day, but I receive thousands. Spammers know that including fake DK info in a message and then sending millions of these is effectively a Denial of Service attack on the servers that indiscriminately check DK signatures.

    I also use backup relays. For the relays that are not under my control and don't implement SRS, I simply bypass SPF checks from those IP addresses.

    About Google silently dropping your e-mail: Keep in mind that with your carte blanche forwarding, you're also forwarding spam. You are essentially spamming Gmail, even though it is you simply forwarding e-mail to your own account. It is difficult for Google to know this without human intervention or implementing some co