On Wed, 13 Apr 2022, Paulo Pinto wrote:

Why on earth is gmail checking the IP address of the message sender (ISP
assigned home address, for instance) against the sender's domain SPF

I've mentioned it before to which got a "I don't think we do that" when it was plain they did (their own SPF results claimed that's what they checked).

Google appears to be trying to decide if it was submitted from a "bad" place thus is likely a bad message by checking SPF as if they were the initial receiver, with the same checks applying to messages they fetch from elsewhere. On the surface it seems a reasonable way to catch submissions using stolen credentials but it also penalizes submissions that aren't made entirely "inside" -- their checking ignores RFC1918 addresses. To avoid Google's non-compliant behavior you must put the encoded information in a non-standard header, or toss it and rely on your logs.


/mark
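
Added example, not part of the original post and not Google's code: a sketch of the difference described above, comparing an SPF check of the connecting IP with a check of the earliest non-RFC1918 `Received` hop. The sample message, its addresses and the `SPF_IP4` range are constructed, and the `origin_ip` logic is an assumption modelled on the post's description.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: a home user (203.0.113.57) authenticates to a submission
# host, which hands off via 10.0.0.5 to the domain's outbound MTA 198.51.100.10.
SAMPLE = (
    "Received: from mx-out.example.org (mx-out.example.org [198.51.100.10])\n"
    "\tby mx.receiver.example with ESMTPS; Wed, 13 Apr 2022 10:00:03 +0000\n"
    "Received: from submit.internal (submit.internal [10.0.0.5])\n"
    "\tby mx-out.example.org with ESMTP; Wed, 13 Apr 2022 10:00:02 +0000\n"
    "Received: from laptop (home.isp.example [203.0.113.57])\n"
    "\tby submit.internal with ESMTPSA; Wed, 13 Apr 2022 10:00:01 +0000\n"
    "From: user@example.org\n"
    "Subject: test\n"
    "\n"
    "body\n"
)
# Constructed policy, standing in for "v=spf1 ip4:198.51.100.0/24 -all".
SPF_IP4 = ["198.51.100.0/24"]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(raw):
    """Bracketed client IPs from Received headers, newest hop first."""
    msg = message_from_string(raw)
    found = (IP_RE.search(h) for h in msg.get_all("Received", []))
    return [ipaddress.ip_address(m.group(1)) for m in found if m]

def connecting_ip(raw):
    """The IP the final receiver saw: what SPF is defined to evaluate."""
    return received_ips(raw)[0]

def origin_ip(raw):
    """Oldest hop outside RFC1918 (assumed model of the post's description)."""
    for ip in reversed(received_ips(raw)):
        if not any(ip in net for net in RFC1918):
            return ip
    return None

def in_spf(ip, ranges):
    return any(ip in ipaddress.ip_network(r) for r in ranges)

if __name__ == "__main__":
    for label, ip in (("connecting", connecting_ip(SAMPLE)),
                      ("origin", origin_ip(SAMPLE))):
        print(label, ip, "pass" if in_spf(ip, SPF_IP4) else "fail")
```

Running a sent message's headers through this shows whether your outbound path exposes a submitter address that would fail when evaluated against your own SPF record.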