Pretty sure we don't do that.... well, I mean, if you set up a GSuite account and specify inbound gateways, we attempt to walk the Received headers to find the "true" external IP and do SPF based on that, but doing SPF on all received headers would be weird... and externally visible to anyone who uses macros in their SPF record.
Which isn't to say we don't sometimes inspect and learn things from Received headers, it just doesn't use SPF, and is a pretty rare signal these days anyways. More likely in this case, its a highly-spoofed/high-target domain (apple.com), coming from a low-volume/unknown service (they haven't started using it yet, this is just testing) and some other "normal" features of such messages... and then an overly pessimistic deep learning model. Brandon On Fri, Apr 12, 2019 at 11:51 AM Mark Milhollan <[email protected]> wrote: > Google inspects Received headers and checks SPF for each ignoring those > showing an RFC-1918 address, any of which failing means a pretty good > chance the message will be given the SPAM tag, i.e., SPF is checked not > just for the connected peer. So a message originated at 192.168.1.101 > and relayed via 192.0.0.x with SPF saying that only 192.0.0.0/24 is an > authorized sender then all is well, but if it had originated at 1.2.3.4 > Google would judge that it fails SPF and very likely be given a SPAM > tag. (Repeated more RFC-ishly at bottom) > > More specifically if the message originated at internal.apple.com at > 17.x.x.x then was relayed via the ESP at 192.0.2.x with SPF saying that > only 192.0.2.0/24 is an authorized sender of the FROM FQDN Google would > likely tag it SPAM because of the first Received header. > > > Given an SPF of "v=spf1 ip4:192.0.0.25 ~all". > > Okay: > Received: from ([192.0.0.25]) by Google > Received: from ([192.168.1.101]) by myserver > > Fail: > Received: from ([192.0.0.25]) by Google > Received: from ([1.2.3.4]) by myserver > > > /mark > > _______________________________________________ > mailop mailing list > [email protected] > https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop >
_______________________________________________ mailop mailing list [email protected] https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
