Cloudron SPF record does not permit IP
-
@girish
None of my outgoing mail is being rejected, but headers contain the following (first example sending from Thunderbird on Linux; second example sending from FairEmail on Android):-received-SPF: Fail (my.sharona.cloud: domain of groveland.place does not designate 138.199.6.239 as permitted sender) receiver=my.sharona.cloud; identity=mailfrom; client-ip=138.199.6.239 Authentication-Results: my.sharona.cloud; auth=pass (plain); spf=fail smtp.mailfrom=groveland.place
Received-SPF: Fail (my.sharona.cloud: domain of citharas.org does not designate 86.15.69.112 as permitted sender) receiver=my.sharona.cloud; identity=mailfrom; client-ip=86.15.69.112 Authentication-Results: my.sharona.cloud; auth=pass (login); spf=fail smtp.mailfrom=citharas.org
In both cases, the IP addresses belong to the sending mail client, not the server.
One of the 3 domains hosted uses an external relay, the other 2 use the internal SMTP.
Also, each domain's SPF record uses minus all, not tilde all --- so any rejection is not just a softfail:-
TXT v=spf1 a:my.sharona.cloud -all
Although nothing is rejected by the receiving server, receiving clients show:-
FairEmail shows a waving flag, as per its FAQ:-
"...FairEmail can show a small red warning flag when DKIM, SPF or DMARC authentication failed on the receiving server. You can enable/disable authentication verification in the display settings"
https://github.com/M66B/FairEmail/blob/master/FAQ.mdThe DKIM Verifier Thunderbird extension shows "SPF: fail"
https://addons.thunderbird.net/en-GB/thunderbird/addon/dkim-verifier/So, the bottom line of all this is that the headers incorrectly show that the mail client is the authorised sender. Clearly, as the message passes through the Cloudron mail server (since v7.4.x), something is processed in a manner to cause this.
Hope all this makes sense!
-
That definitely isn't normal or correct behaviour. However: my.sharona.cloud is your sending mailserver, correct? The SPF fail shown is not a result of a check the receiving server is making then.
I noticed something similar in a mail I just sent as a test from Outlook to a Gmail address. An SPF fail was also present in the headers (checked by Haraka using the IP of the Outlook client) but there is also (as expected) an SPF pass for the server IP, as that is what was checked by the receiving SMTP server. In other words I don't see a risk that mail delivery will fail due to SPF checks, but it would still be important to identify why Haraka is doing this.
-
I would also like to add that I have been seeing this behavior as well. I am getting SPF failures for IP mismatch as the header is showing the IP of whatever client is sending email, not the SMTP server.
-
SPF fails reported by your own server though, right?
-
Yes, I get that, but which server is failing it? Your mailserver or the recipient's? Look again at the header and you will most likely see two SPF checks - one by your mailserver, which fails (that is the problem described in this thread) and one by the receiving mailserver which should be checking your server IP and should therefore pass.
-
Yes, but the incoming mail would show the header anyway if it is being sent by your server. Sorry to ask again, but are you sure the sending client IP is really being checked by the recipient SMTP server? That would mean that either your mailserver is not even sending the server IP when it connects, which I find hard to believe and would be concerning, or the recipient's mailserver is misconfigured.
On the line in the header showing the softfail, which of the following appears?:
received-SPF: SoftFail (**YOUR MAILSERVER**: domain of **yourdomain.tld** does not designate **IP** as permitted sender) receiver=**YOUR MAILSERVER**
or
received-SPF: SoftFail (**RECIPIENT MAILSERVER**: domain of **yourdomain.tld** does not designate **IP** as permitted sender) receiver =**RECIPIENT MAILSERVER**
-
Here's my header showing the SPF failure. I'm using mxtoolbox.com for testing. I'm also using Sendgrid as an SMTP relay with an API key. Sending domain is different than the MX domain as I have a couple different domains I send email from.
Received: (Haraka outbound); Sun, 07 May 2023 15:40:12 +0000
Authentication-Results: mymxdomain.com;
auth=pass (plain);
spf=softfail smtp.mailfrom=sendingdomain.com
Received-SPF: SoftFail (mymxdomain.com: domain of sendingdomain.com does not designate sending client public IP as permitted sender) receiver=mymxdomain.com; identity=mailfrom; client-ip=sending client public IP helo=[LAN IP]; envelope-from=<mailbox@sendingdomain>
Received: from [LAN IP] ([sending client public IP])
by mymxdomain.com (Haraka/3.0.1) with ESMTPSA id 6F7C9FA2-9E4D-4C74-932F-D177277F2FCC.1
envelope-from <mailbox@sendingdomain.com>
tls TLS_AES_256_GCM_SHA384 (authenticated bits=0);
Sun, 07 May 2023 15:40:12 +0000 -
As I suspected, that is Haraka on your own server softfailing the client IP. The recipient SMTP server should only be checking the Sendgrid IP and passing it as long as it is included in the SPF record for the domain in question.
-
-
-
-
-