SPF records and forwarded messages


Description of the situation
When an email is delivered to a mailbox that forwards incoming messages, and the sender's domain has an SPF record, the forwarded email can be rejected by the SPF policy (hardfail).
 
The sender can then receive an error message like this:
 Remote host said: 550 5.7.1 Sender Policy Framework of `***' domain denied your IP address.
The Sender Policy Framework (SPF) was designed to detect forged senders (email spoofing) in spam and phishing messages. SPF records are commonly set by banks, government institutions, etc. An SPF record lists the hosts and IP addresses authorized to send messages for the given domain (e.g. messages from the domain cnb.cz can be sent from the IPs 193.179.126.192 to 193.179.126.223, 193.85.3.245, 193.85.3.246, 195.70.130.226 and 195.70.130.227):
cnb.cz.   IN   TXT   "v=spf1 mx ip4:193.179.126.192/27 ip4:193.85.3.245 ip4:193.85.3.246 ip4:195.70.130.226/31 -all"
The receiver (target mailserver) can check whether the connecting IP is allowed by the SPF record of the sender's domain. The message is accepted if it is sent from an allowed IP, otherwise it is rejected. For example, an email with the sender admin@cnb.cz received from the IP 193.179.126.200 will be accepted by the recipient's mailserver.

SPF breaks plain message forwarding. A forwarded message has a changed envelope recipient, but the envelope sender stays unchanged. Because the message still carries the original envelope sender address (MAIL FROM), it appears to come from the same address, but now from a server with a different IP: the IP address of the forwarding mailserver, which is not listed in the sender domain's SPF record. For this reason the message can be rejected by the target mailserver.

Example: an email from admin@cnb.cz sent by the server with IP 193.179.126.200 is delivered to a mailbox on the server mxavas.forpsi.com. If mxavas.forpsi.com forwards the email to a mailbox on the mailserver seznam.cz, the envelope sender stays admin@cnb.cz, but the message is now sent from the IP 81.2.195.200. This IP is not allowed by the SPF record of the domain cnb.cz, so the forwarded message is rejected, and an error message is delivered to the original sender, admin@cnb.cz.

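As an added illustration (not part of the original article), the following Python snippet evaluates the cnb.cz record quoted above against the two connecting IPs from the example, showing the pass on direct delivery and the hardfail after forwarding. It handles only ip4, ip6, mx and all; the mx mechanism is simplified to a caller-supplied list of MX addresses instead of a DNS lookup, and include, a, exists and redirect are not handled (assumptions of this example).

```python
"""Minimal SPF evaluation showing why plain forwarding fails the check."""
import ipaddress

# SPF record of cnb.cz as quoted in the article (a constructed copy, not a live DNS lookup).
CNB_SPF = ("v=spf1 mx ip4:193.179.126.192/27 ip4:193.85.3.245 "
           "ip4:193.85.3.246 ip4:195.70.130.226/31 -all")

# Qualifier prefixes and the SPF result each yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record: str, client_ip: str, mx_ips=()) -> str:
    """Evaluate `record` for a connection from `client_ip` (simplified RFC 7208).

    `mx_ips` stands in for the addresses a real evaluator would obtain by
    resolving the domain's MX hosts (assumption: supplied by the caller).
    Any mechanism this example does not implement yields "permerror".
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    for term in terms[1:]:
        qualifier = "+"                    # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":                  # "all" always matches; result is its qualifier
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)   # bare IP becomes /32 or /128
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "mx":
            if any(ip == ipaddress.ip_address(m) for m in mx_ips):
                return QUALIFIERS[qualifier]
        else:
            return "permerror"             # include/a/exists/redirect not implemented here
    return "neutral"                       # no mechanism matched and no "all" present


def forwarding_scenario() -> tuple:
    """The article's example: direct delivery vs. the same envelope sender after forwarding."""
    direct = check_spf(CNB_SPF, "193.179.126.200")    # original sending server
    forwarded = check_spf(CNB_SPF, "81.2.195.200")    # forwarding server mxavas.forpsi.com
    return direct, forwarded


if __name__ == "__main__":
    print(forwarding_scenario())
```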
The SPF record of a domain can be checked with the nslookup command; just set the query type to TXT.

 
 
How to solve this issue
1. Use email addresses where no forwarding is set as recipients for emails sent from domains with SPF (banks, government institutions, ...)
 
2. Activate envelope sender rewriting for the mailbox
Log in to the webmail as a regular user (the feature is not available in the Administration).
 
To access forwarding, click on the Options tab in the top menu.
(screenshot: main menu)
 
If there is no such item in the menu (usually on lower-resolution monitors or because of a small browser window), click on the Other tab.
(screenshot: main menu at low resolution)
Select Forward / Auto-Reply in the left menu.
 
Check the option Change the Envelope-Sender in the Forward to section and then click on the OK button.
 
 
3. Remove forwarding and use a filter instead
Log in to webmail.forpsi.com the same way as in the previous step and open the Forward / Auto-Reply item in the left menu.
 
Uncheck the Forward to checkbox and click on the OK button.
 
 
Now click on the Messages tab in the top menu, choose the Filters item, and then click on + in the submenu to add a new filter.
 
Set up the new filter as shown in the picture below and save it.
 
Note 1: Our mailserver mxavas.forpsi.com also checks SPF records. This means that this article also applies to emails forwarded from another mailserver to mxavas.forpsi.com, or sent from IPs that are not allowed by the SPF record (the SMTP server of an Internet Service Provider, etc.).

Note 2: If forwarding of received messages is set on your mailbox to one of these domains: gmail.com, outlook.com (hotmail.*), yahoo.com, ..., the forwarding might not work properly because of the SPF record setting. Please activate envelope sender rewriting or use filters instead, as described above.