SPF, mail forwarding, and SRS

Long time readers of this blog (yes, both of you) may remember the struggles I had with DKIM, an anti-spam measure which breaks mailing lists. Today I bring you SPF which, it transpires, breaks mail forwarding.

SPF is yet another anti-spam measure and is one we've used for a long while. It works like this. A domain, the-hug.org say, publishes an SPF record as one of its DNS records. This SPF record indicates which IP addresses will send email purporting to come from the-hug.org.

So in the case of the-hug.org it looks like this:

which means we send email from our server with one IPv4 address and a block of IPv6 addresses plus we may send email from home.the-hug.net (which is the FTTC coming into our house) and map.the-hug.net (another, now redundant, server).

A receiving SMTP server (at BT Internet say, for reasons which will become clearer in a moment) receives mail from us, checks to see if we have an SPF record and, if we have, checks that the sending SMTP server is in the list specified in the SPF record. If it's not it may choose to treat the email as spam.

Now you don't have to publish an SPF record, but having one counts as an uptick in spam scoring so it's worth doing and is recommended by all the big ISPs, especially if you send bulk email (as we do).

Which brings us to the problem with mail forwarding in that it breaks SPF. In our case we sent email as walklakes.co.uk, which also has an SPF record, to a customer whose email address forwards to a BT Internet account.

It seems that in the last couple of days BT Internet have changed their policy on SPF so they hard bounce any emails which fail SPF checking (I suspect they just dropped it into the customer's "Spam" folder before).

So in this case the email was forwarded by the customer's SMTP server to BT Internet's SMTP server. The mail envelope said that it was from walklakes.co.uk so it checked the IP address of the customer's SMTP server against our SPF record and rejected the mail.

We also had another instance of this where mail from a user at tiscali.co.uk (who also have an SPF record) to an email address which we host and forward to a BT Internet address was bounced for the same reason.

So there you have it: SPF breaks mail forwarding. Another own goal for anti-spam.

There is a solution, although it's an almighty bodge. It's called SRS and you can find it described here. Essentially you re-write the envelope from address so that the email seems to originate from your server and also provide a reverse channel so that any bounces are echoed back across your server to the originating server.

Postfix, which is the MTA we use, doesn't support SRS but there's several add ons which do and I used PostSRSd which you can build from source and pretty much works out of the box with Ubuntu.

I found instructions on setting it up in several places but ended up following the ones here.

However the WalkLakes customer remains unreachable via his forwarding address as his SMTP server isn't doing SRS. I've emailed him directly at his BT Internet address and told him he needs to talk to whoever set it up for him.

Oh yes, and 36 hours ago before I worked out what was going on I emailed, on the advice of @BTCare, their postmaster at to ask why email was suddenly bouncing.

I've yet to hear back. If you use BT Internet for your email then bear that in mind.