SPF, mail forwarding, and SRS
Long-time readers of this blog (yes, both of you) may remember the struggles I had with DKIM, an anti-spam measure which breaks mailing lists. Today I bring you SPF which, it transpires, breaks mail forwarding.
SPF is yet another anti-spam measure and is one we've used for a long while. It works like this. A domain, the-hug.org say, publishes an SPF record as one of its DNS records. This SPF record indicates which IP addresses will send email purporting to come from
So in the case of the-hug.org it looks like this:
which means we send email from our server with one IPv4 address and a block of IPv6 addresses plus we may send email from home.the-hug.net (which is the FTTC coming into our house) and map.the-hug.net (another, now redundant, server).
A receiving SMTP server (at BT Internet say, for reasons which will become clearer in a moment) receives mail from us, checks to see if we have an SPF record and, if we have, checks that the sending SMTP server is in the list specified in the SPF record. If it's not, it may choose to treat the email as spam.
Now you don't have to publish an SPF record, but having one counts as an uptick in spam scoring so it's worth doing and is recommended by all the big ISPs, especially if you send bulk email (as we do).
Which brings us to the problem with mail forwarding in that it breaks SPF. In our case we sent email as walklakes.co.uk, which also has an SPF record, to a customer whose email address forwards to a BT Internet account.
It seems that in the last couple of days BT Internet have changed their policy on SPF so they hard bounce any emails which fail SPF checking (I suspect they just dropped it into the customer's "Spam" folder before).
So in this case the email was forwarded by the customer's SMTP server to BT Internet's SMTP server. The mail envelope said that it was from walklakes.co.uk, so BT Internet's server checked the IP address of the customer's SMTP server against our SPF record and rejected the mail.
We also had another instance of this where mail from a user at tiscali.co.uk (who also have an SPF record) to an email address which we host and forward to a BT Internet address was bounced for the same reason.
So there you have it: SPF breaks mail forwarding. Another own goal for anti-spam.
There is a solution, although it's an almighty bodge. It's called SRS and you can find it described here. Essentially you re-write the envelope from address so that the email seems to originate from your server and also provide a reverse channel so that any bounces are echoed back across your server to the originating server.
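A simplified sketch of the SRS rewrite described above, as an added example that is not from the original post or from PostSRSd: the forwarder wraps the original envelope sender in an SRS0 address on its own domain, and unwraps it only if the keyed hash and timestamp check out when a bounce comes back. The secret, the forwarder.example domain, the 21-day validity and the function names are assumptions, and the hash encoding is not claimed to match any particular implementation byte for byte.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # assumption: forwarder's private SRS key
FORWARDER = "forwarder.example"       # assumption: domain of the forwarding host
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
MAX_AGE_DAYS = 21                     # assumption: how long a bounce path stays valid


def _stamp(day):
    """Two base32 characters encoding the day number modulo 1024."""
    day %= 1024
    return B32[day >> 5] + B32[day & 31]


def _tag(stamp, domain, local):
    """Short keyed hash binding timestamp, original domain and local part."""
    msg = "=".join((stamp, domain, local)).lower().encode()
    mac = hmac.new(SECRET, msg, hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:4]


def srs_forward(sender, day):
    """Rewrite an envelope sender so SPF is checked against FORWARDER."""
    local, _, domain = sender.rpartition("@")
    stamp = _stamp(day)
    return f"SRS0={_tag(stamp, domain, local)}={stamp}={domain}={local}@{FORWARDER}"


def srs_reverse(rcpt, day):
    """Recover the original sender from a bounce recipient, or raise ValueError."""
    local, _, domain = rcpt.rpartition("@")
    if domain.lower() != FORWARDER or not local.upper().startswith("SRS0="):
        raise ValueError("not an SRS address for this host")
    try:
        tag, stamp, orig_domain, orig_local = local[5:].split("=", 3)
        sent = B32.index(stamp[0].upper()) * 32 + B32.index(stamp[1].upper())
    except (ValueError, IndexError):
        raise ValueError("malformed SRS address") from None
    if not hmac.compare_digest(tag.encode(), _tag(stamp, orig_domain, orig_local).encode()):
        raise ValueError("hash mismatch: forged or altered bounce address")
    if (day - sent) % 1024 > MAX_AGE_DAYS:
        raise ValueError("SRS address expired")
    return f"{orig_local}@{orig_domain}"
```

The receiving server now runs its SPF check against the forwarder's domain rather than the original sender's, and the hash stops third parties from using the forwarder as an open relay for made-up bounce addresses.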
Postfix, which is the MTA we use, doesn't support SRS but there are several add-ons which do, and I used PostSRSd, which you can build from source and which pretty much works out of the box with Ubuntu.
I found instructions on setting it up in several places but ended up following the ones here.
However the WalkLakes customer remains unreachable via his forwarding address as his SMTP server isn't doing SRS. I've emailed him directly at his BT Internet address and told him he needs to talk to whoever set it up for him.
Oh yes, and 36 hours ago before I worked out what was going on I emailed, on the advice of @BTCare, their postmaster at to ask why email was suddenly bouncing.
I've yet to hear back. If you use BT Internet for your email then bear that in mind.
|Tags: linux||Written 11/01/17|
We send out emails and since 9 January have hit the same problem with recipients who forward the email to a btinternet.com address. There was a similar problem about 9 months ago but seemingly btinternet.com then softened its filters. Seems like we all need to email firstname.lastname@example.org with the faint hope they will undo this policy change. (I suspect BT would really like all its email users to just disappear and focus on more profitable services like BTtv and BTsport.)
Yeah, we did finally get a reply from BT asking for more info. So I mailed them explaining what I'd found out. Not heard a word since.
Meanwhile we continue to have problems with customers who are forwarding to btinternet.com addresses and there's nothing we can do about it. Very frustrating, for both us and our customers.