On Tue, Sep 30, 2025 at 1:11 PM Marcel Becker via mailop <[email protected]> wrote:
Marcel, first, thank you for the reply - I know you have better things to do than to feed me SPF clue! On Tue, Sep 30, 2025 at 1:27 PM Royce Williams via mailop <[email protected]> > wrote: > >> >> Today, Yahoo is explicitly erroring with "SPF failed" when it did not. >> From my testing, the actual rejections were happening because the DMARC >> "p=" was set to "none" >> > > Your assumption is incorrect. > Yes, you are right, my apologies. My testing jumped to this conclusion in error, but read on ... > I have at least one example (alpca.org >> <https://urldefense.com/v3/__http://alpca.org__;!!Op6eflyXZCqGR5I!GlNZ5HjfVg_FI1FpANbqJMeYWNLlE-xFpAeQm5eiNyGJCUTftEHBAuIVKfwzlKBU_mxKxdPL8SOa_lI378uq$>) >> where SPF was valid (though messy): >> >> alpca.org >> <https://urldefense.com/v3/__http://alpca.org__;!!Op6eflyXZCqGR5I!GlNZ5HjfVg_FI1FpANbqJMeYWNLlE-xFpAeQm5eiNyGJCUTftEHBAuIVKfwzlKBU_mxKxdPL8SOa_lI378uq$> >> descriptive text "v=spf1 +a +mx +ip4:207.58.131.169 +ip4:207.58.131.172 >> +ip4:207.58.131.168/29 >> <https://urldefense.com/v3/__http://207.58.131.168/29__;!!Op6eflyXZCqGR5I!GlNZ5HjfVg_FI1FpANbqJMeYWNLlE-xFpAeQm5eiNyGJCUTftEHBAuIVKfwzlKBU_mxKxdPL8SOa_nAak9-D$> >> +include:_spf.google.com >> <https://urldefense.com/v3/__http://spf.google.com__;!!Op6eflyXZCqGR5I!GlNZ5HjfVg_FI1FpANbqJMeYWNLlE-xFpAeQm5eiNyGJCUTftEHBAuIVKfwzlKBU_mxKxdPL8SOa_prjKhEp$> >> ~all" >> > > I guess you are using this domain as a "send as" alias on a Gmail set up. > If you do that, Gmail will use "gmail.com" as the SPF From, not your > domain. So that SPF record is not even consulted. Gmail.coms record is > consulted. > Yes, this customer is using that feature, which is why I had (perhaps naively?) +include'd Google's _spf.google.com on their behalf some time ago. We require (most) senders to authenticate their traffic with either SPF or > DKIM and either the SPF or DKIM domain need to align with the "header from" > domain. > That seems definitive. Does this mean that Yahoo does not accommodate Gmail's aliasing feature anymore? This has been working for this customer for years, as recently as August. I don't see how else the Gmail aliasing feature could work while requiring SPF alignment with the header-from domain? > I further guess that your emails are missing a DKIM signature and SPF is > probably not aligned if I am right about how you send those emails (via > gmail). > There *is *DKIM, but since these emails are being emitted by Gmail, it's Google applying the DKIM to that outbound message, not my customer. The DKIM DNS lookup for my recent test was driven by domain "d=1e100.net" and selector "s=20230601". But to your point, this DKIM wouldn't align with the "alpca.org" header-from, if I'm following along correctly, so that would leave only SPF alignment possible. > Btw: That link in the smtp bounce messages leads to a page which explains > this to you and the steps you can take to fix this. > I did review that. This client is not a bulk sender (but has had DMARC for some time anyway, running under "p=none", which I switched to "p=quarantine" today for a while for troubleshooting). The applicable Yahoo help page seems reasonable for non-bulk senders generally, but the Gmail aliasing aspect specifically may make this a bit of an outlier. But the "if you're using Google Workspace" links (the closest to commodity Gmail I could find) don't seem to cover the aliasing case that I could see. So, tl;dr, either: * Yahoo still supports the Gmail aliasing case, but I need to adjust some other SPF/etc policy on my client's sending side (not sure which?), * Yahoo still supports the Gmail aliasing case, but there is some other/unstated reason that the messages are being rejected, or * Yahoo does *not* support this case (and I'll have to start working on migrating the customer away from this feature) Royce
_______________________________________________ mailop mailing list [email protected] https://list.mailop.org/listinfo/mailop
