Re: SPF and forwarding

[Sebastian Nielsen]

No. Thats whats SPF is designed to prevent. Else every phisher would claim they "forwarded" the email, to bypass the whole SPF security system.

To: [target gmail adress mail is forwarded to]
Subject: Fwd: [Original Subject]
Content-Type: message/rfc822; boundary=xyz





Sent: Sunday, July 26, 2015 3:04 AM
To: postfix users list
Subject: SPF and forwarding

Hi,

I have a postfix-2.10.5 server on fedora, and have several users that
forward their mail through to gmail. This is apparently enough to
break SPF and make gmail think I'm the originator of the email,
instead of the actual sender. Consequently, gmail considers it spam
and moves it to a spam folder.

Is there anything I can do, including somehow rewriting the email, to
get gmail (and others, for that matter) to accept these forwarded
emails without considering them spam?

Can they be rewritten using our SPF information, somehow?

I've included the header (modified user/IP addresses) in case it's helpful.

Delivered-To: origu...@gmail.com
Received: by 10.13.203.214 with SMTP id n205csp587551ywd;
       Sat, 25 Jul 2015 06:39:29 -0700 (PDT)
X-Received: by 10.55.25.131 with SMTP id 3mr28553330qkz.85.1437831569919;
       Sat, 25 Jul 2015 06:39:29 -0700 (PDT)
Return-Path: <earl.ma...@example1.com>
Received: from orion.example.com (orion.example.com. [68.111.111.42])

       for <exam...@gmail.com>
       (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
       Sat, 25 Jul 2015 06:39:29 -0700 (PDT)
Received-SPF: neutral (google.com: 68.111.111.42 is neither permitted
nor denied by best guess record for domain of earl.ma...@example1.com)
client-ip=68.111.111.42;
Authentication-Results: mx.google.com;
      spf=neutral (google.com: 68.111.111.42 is neither permitted nor
denied by best guess record for domain of earl.ma...@example1.com)
smtp.mail=earl.ma...@example.com
Received: by orion.example.com (Postfix)
   id 4DC19A60368; Sat, 25 Jul 2015 09:39:29 -0400 (EDT)
Delivered-To: supp...@example.com
Received: from localhost (localhost [127.0.0.1])
   by juggernaut.example.com (Postfix) with ESMTP id CB94A181A9E
   for <supp...@example.com>; Sat, 25 Jul 2015 09:39:28 -0400 (EDT)
X-ActualMessageSizeBytes: 41474
X-ActualMessageSize:
X-Virus-Scanned: amavisd-new at example.com
X-Spam-Flag: NO
X-Spam-Score: -0.399
X-Spam-Level:
X-Spam-Status: No, score=-0.399 tagged_above=-200 required=5
   tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, LOC_CDIS_INLINE=0.1,
   LOC_IMGSPAM=0.1, RDNS_NONE=0.8, RELAYCOUNTRY_LOW=0.5]
   autolearn=no autolearn_force=no
Received: from relay.example1.com (relay2.example1.com [206.111.111.44])
   (using TLSv1 with cipher AES128-SHA (128/128 bits))
   (No client certificate requested)
   by juggernaut.example.com (Postfix) with ESMTPS id 71AC0180271
   for <supp...@example.com>; Sat, 25 Jul 2015 09:39:21 -0400 (EDT)
Received: from HQXCHA402.example1.com ([fe80::e4d8:XXXX:53e5:e9d2]) by
HQXCHA401.example.com ([fe80::7199:XXXX:b314:a497%25]) with mapi id
14.03.0224.002; Sat, 25 Jul 2015 06:39:19 -0700
From: Operations <o...@example1.com>
To: Support <supp...@example.com>
CC: Operations <o...@example1.com>
Subject: User List Request
Thread-Index: AdDG30D3+GNpY2bR+6PMmxGK/70Bw==
Sender: "Marsh, Earl" <earl.ma...@example1.com>
Date: Sat, 25 Jul 2015 13:39:19 +0000
Message-ID: <68fcc58030b4164e802bb27ff159fe0535e6b...@hqxcha402.example.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [172.28.53.207]
Content-Type: multipart/related;
   boundary="_010_68FCC58030B4164E802BB27FF159FE0535E6B731HQXCHA402bes_";
   type="multipart/alternative"
MIME-Version: 1.0

Any ideas greatly appreciated.
Thanks,

There is two options here, except for disabling forwarding altogether and require gmail owners to fetch instead: Either, you replace the MAIL FROM and the "From:" altogheter with a mail adress on your system. It could be something like someuser@somedomain.invalid is rewritten to someuser.somedomain.inva...@example.org where "example.org" is the domain your server is authorative for. This is however incompatible with RFC. But it will atleast solve any SPF problems since the SPF will be validated against your domain. Remember to set up a own SPF record AND also check SPF on incoming mails. Or you encapsulate the old mail in a new message/rfc822-container. This is the RFC way to do it. When you encapsulate, embed the original mail in a new message/rfc822 container, Containing the following headers: From: forwar...@example.org (This is a mail adress on your system, preferable the email adress the mail was originally sent to) (This is how a mail client forwards a email when you ask the mail client to forward the original email as-is) In gmail, they will get the inner container as a .eml attachment inside the gmail web viewer, that can be opened to read the mail inside with "Cloud EML Viewer", or viewed locally on computer with their local email application. Some mail clients will show the inner container like a iframe, some email clients will show a button that will "expand" or "open" the inner container. -----Ursprungligt meddelande----- From: Alex by mx.google.com with ESMTPS id f79si14214872qki.10.2015.07.25.06.39.29 Alex

smime.p7s
Description: S/MIME Cryptographic Signature