> However most of the time I use my hosting at gandi.net to send my
> E-Mail, so mail from ch...@isbd.co.uk originates on zbmc.eu, is
> transferred by authenticated SMTP to mail.gandi.net and is sent on
> from there to whatever its destination is.
>
> As I understand it the SPF records for mail.gandi.net purely confirm
> to a receiving mail server that the mail is coming from mail.gandi.net
> and reverse DNS look-up confirms that it really is mail.gandi.net.
> Have I got that right? I.e. the fact that the mail's From: is not
> connected in any way to the SPF record is irrelevant. The SPF record
> simply confirms the SMTP relay host's IP and that it is meant to be
> relaying mail for that IP.
Probably it's best to start with a simple smtp conversation. ch...@isbd.co.uk wants to send an email to b...@server.com:

[u...@client.com ~]$ nc server.com 25
220 server.com ESMTP Postfix
HELO client.com
250 server.com
MAIL FROM: <ch...@isbd.co.uk>
250 2.1.0 Ok
RCPT TO: <b...@server.com>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From: <ch...@isbd.co.uk>
To: <b...@server.com>
Subject: test

Hello, this is a test.
.
250 2.0.0 Ok: queued as 4Nvabz5RcNabcHH3
QUIT
221 2.0.0 Bye

SPF is about the envelope sender, which is the address given at "MAIL FROM". The address at "From:" within the "DATA" stage is what your mail client (Thunderbird, Outlook, ...) will display as the sender, which may be completely different and is not considered by SPF (or postfix).

The envelope sender in our example is ch...@isbd.co.uk, so the receiving mailserver (server.com) will use this address for spf checks. Therefore it will look for a TXT record via DNS that contains spf info:

$ host -t txt isbd.co.uk
isbd.co.uk descriptive text "v=spf1 include:_spf.mythic-beasts.com ~all"

This has an include option which requires another DNS query:

$ host -t txt _spf.mythic-beasts.com
_spf.mythic-beasts.com descriptive text "v=spf1 ip4:93.93.130.89 ... ~all"

This returns ip addresses/networks that are allowed to send emails with senders @isbd.co.uk and a hint how to proceed (~all, which means softfail, or do not block right away).

Now we have that smtp connection from client.com to server.com, and server.com will check if client.com's ip address is included in the list returned via the DNS txt/spf query. If so, client.com is authorized to send mail in the name of @isbd.co.uk and the mail is accepted. Otherwise it could reject that mail (-all) or take that into account while checking spam (~all), ...
Given an email from ch...@isbd.co.uk, originating at zbmc.eu and sent via mail.gandi.net (authenticated smtp submission) to b...@server.com:

- server.com sees the ip address of mail.gandi.net (incoming connection)
- server.com queries DNS for ch...@isbd.co.uk (host -t txt isbd.co.uk)
- server.com cannot find the ip address of mail.gandi.net within spf
- server.com might quarantine or classify your mail as spam because of ~all.

The solution would be to include mail.gandi.net's ips in the spf of isbd.co.uk (ip4, ip6, include, ...) so that it is authorized to send emails in the name of @isbd.co.uk.

Best regards
Gerald
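As an added example (not from the thread or from Postfix): a minimal SPF evaluator in Python that walks a record the way the receiving server does, resolving include: recursively and matching ip4/ip6 mechanisms before falling through to the ~all or -all qualifier. The TXT table is constructed from the records quoted above; 203.0.113.10 is an assumed placeholder for mail.gandi.net (documentation range) and isbd-fixed.test is a hypothetical domain showing the repaired record.

```python
import ipaddress

# Constructed TXT table modelled on the records quoted in the thread.
# 203.0.113.10 is a placeholder for mail.gandi.net (documentation range), and
# isbd-fixed.test is a hypothetical domain carrying the repaired record.
SPF_RECORDS = {
    "isbd.co.uk": "v=spf1 include:_spf.mythic-beasts.com ~all",
    "_spf.mythic-beasts.com": "v=spf1 ip4:93.93.130.89 ~all",
    "isbd-fixed.test": "v=spf1 include:_spf.mythic-beasts.com ip4:203.0.113.10 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def sender_domain(mail_from):
    """Domain of the envelope sender, i.e. the 'MAIL FROM' address (not 'From:')."""
    return mail_from.strip("<> ").rpartition("@")[2].lower()


def check_spf(domain, client_ip, lookups=None):
    """Evaluate domain's SPF record against the connecting client's IP.
    Returns pass / fail / softfail / neutral / none / permerror."""
    lookups = lookups if lookups is not None else [0]  # shared DNS-lookup counter
    record = SPF_RECORDS.get(domain)            # stands in for the DNS TXT query
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                         # mechanisms default to '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # a v4 address never matches a v6 network and vice versa
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > 10:                 # RFC 7208 limit on DNS lookups
                return "permerror"
            sub = check_spf(arg, client_ip, lookups)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"             # only a 'pass' of the include matches
        else:
            return "permerror"                  # a/mx/exists/... not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                            # no mechanism matched, no 'all'
```

Checking the placeholder relay address against isbd.co.uk returns softfail, which is the situation described in the thread; against the repaired isbd-fixed.test record it returns pass.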