On Fri, Feb 04, 2022 at 08:16:49PM -0500, Alex wrote:

> > Unless you're "google.com", or "google.com" lists your IPs in its SPF
> > records, SPF is *supposed* to fail.  This is why DKIM was invented, it
> > survives simple verbatim forwarding.
> 
> So signing my message as it leaves my server is the right approach, or
> are you referring to Gmail signing the mail as it's sent from their
> server originally?

The message originated from Google, they DKIM signed it.  There's little
reason for you to sign it, unless you're modifying the message and take
responsibility for its content.

> This problem has apparently been all over the internet for years, so I
> don't think it's an unintentional bug by Microsoft.
> https://answers.microsoft.com/en-us/msoffice/forum/all/routing-to-exchange-online-results-in-spf-softfail/367e14ac-a3ce-46a2-8949-ffbc8f66edc7

If you're the primary MX operator for your own domain, and forwarding to
Microsoft for actual mailbox hosting, your forwarding arrangement to
Microsoft should be via some dedicated authenticated (or at least IP-
restricted) channel, where Microsoft does not apply any SPF or DKIM
checks, they should trust your server as authorised to forward mail
into your users' mailboxes.

Just relaying externally originated content to their public port 25
service is not a good idea.

> Would $smtp_helo_name apply here? The postfix instance is processing
> mail for a number of domains, so if so, I'm unsure how I would set it
> other than the $myhostname default.

You're barking up the wrong tree...  SPF is keyed off the envelope
sender, which isn't your domain.  The real problem is not failing
SPF, it is sending to Microsoft in a manner that has them doing
any SPF or DKIM checks at all.

-- 
    Viktor.

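Added example, not part of Viktor's reply and not Postfix code: a small Python model of the two checks discussed in the thread. It shows that SPF is evaluated against the MAIL FROM domain (so the forwarder's HELO name is irrelevant), that a verbatim forward fails the original sender's SPF, that a DKIM signature over the listed headers and body survives a relay that only prepends Received:, and what an IP-restricted inbound path at the mailbox host looks like. The SPF records, IP addresses and message are constructed, and the DKIM signature is simulated with HMAC-SHA256 over the canonicalised data instead of RSA.

```python
import base64
import hashlib
import hmac
import ipaddress

# Constructed DNS data (assumption): none of these are real records.
SPF_RECORDS = {
    "google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "forwarder.example": "v=spf1 ip4:203.0.113.10 -all",
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from, helo):
    """Minimal RFC 7208 evaluation of ip4/ip6/all terms.

    The checked domain is the MAIL FROM domain; HELO is only used for a null
    sender. A forwarder's own HELO name therefore cannot rescue a message whose
    envelope sender is still in someone else's domain.
    """
    domain = mail_from.rsplit("@", 1)[1] if "@" in mail_from else helo
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER[qual]
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER[qual]
    return "neutral"  # no term matched and no "all": RFC 7208 says neutral


# DKIM model. The h= list below and the key are assumptions for the demo;
# HMAC stands in for the signer's RSA key purely to show what is covered.
SIGNED_HEADERS = ("from", "to", "subject", "date")
DKIM_KEY = b"constructed-demo-key"


def _canonical(headers, body):
    """'simple' canonicalisation restricted to the signed header set.

    Only the first instance of each listed header is covered; anything a later
    hop adds (Received:, X-*, ...) is outside the signed data."""
    lines = []
    for name in SIGNED_HEADERS:
        for h, v in headers:
            if h.lower() == name:
                lines.append(f"{h}:{v}\r\n")
                break
    body_c = body.rstrip("\r\n") + "\r\n"
    return "".join(lines).encode() + body_c.encode()


def dkim_sign(headers, body):
    mac = hmac.new(DKIM_KEY, _canonical(headers, body), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def dkim_verify(headers, body, signature):
    return hmac.compare_digest(dkim_sign(headers, body), signature)


def forward(headers, body, relay_host):
    """What a verbatim forwarder does: prepend a trace header, touch nothing else."""
    trace = ("Received", f" from mail.google.com by {relay_host}")
    return [trace] + list(headers), body


# The IP-restricted inbound path the mailbox host should offer the forwarder
# (assumption: a single trusted forwarder address).
TRUSTED_FORWARDERS = [ipaddress.ip_network("203.0.113.10/32")]


def inbound_policy(client_ip, mail_from, helo):
    """Skip sender-authentication checks for a known forwarder, else run SPF."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in TRUSTED_FORWARDERS):
        return "accept: trusted forwarder, no SPF/DKIM checks"
    return f"spf={check_spf(client_ip, mail_from, helo)}"


def forwarded_scenario():
    """Google -> Alex's Postfix MX -> Microsoft, with the envelope sender unchanged."""
    headers = [("From", " alice@google.com"), ("To", " alex@example.org"),
               ("Subject", " Hello"), ("Date", " Fri, 04 Feb 2022 20:16:49 -0500")]
    body = "Forwarded mail keeps its body.\r\n"
    signature = dkim_sign(headers, body)  # signed once, at the origin
    # Hop 1: Google's MTA (inside google.com's SPF range) delivers to the MX.
    spf_direct = check_spf("192.0.2.25", "alice@google.com", "mail.google.com")
    # Hop 2: the MX forwards verbatim to port 25; MAIL FROM is still alice@google.com.
    fwd_headers, fwd_body = forward(headers, body, "mx.forwarder.example")
    spf_forwarded = check_spf("203.0.113.10", "alice@google.com", "mx.forwarder.example")
    return {
        "spf_direct": spf_direct,
        "spf_forwarded": spf_forwarded,
        "dkim_after_forward": dkim_verify(fwd_headers, fwd_body, signature),
    }
```

Running forwarded_scenario() gives pass for the direct hop, softfail for the forwarded hop (the google.com record ends in ~all), and a DKIM signature that still verifies after the relay added its Received: line. Changing the HELO argument does not change the SPF result, and inbound_policy() only skips the checks for the forwarder's listed address.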