Cloudron SPF record does not permit IP
-
That definitely isn't normal or correct behaviour. However: my.sharona.cloud is your sending mailserver, correct? The SPF fail shown is not a result of a check the receiving server is making then.
I noticed something similar in a mail I just sent as a test from Outlook to a Gmail address. An SPF fail was also present in the headers (checked by Haraka using the IP of the Outlook client) but there is also (as expected) an SPF pass for the server IP, as that is what was checked by the receiving SMTP server. In other words I don't see a risk that mail delivery will fail due to SPF checks, but it would still be important to identify why Haraka is doing this.
-
I would also like to add that I have been seeing this behavior as well. I am getting SPF failures for IP mismatch as the header is showing the IP of whatever client is sending email, not the SMTP server.
-
SPF fails reported by your own server though, right?
-
Yes, I get that, but which server is failing it? Your mailserver or the recipient's? Look again at the header and you will most likely see two SPF checks - one by your mailserver, which fails (that is the problem described in this thread) and one by the receiving mailserver which should be checking your server IP and should therefore pass.
-
Yes, but the incoming mail would show the header anyway if it is being sent by your server. Sorry to ask again, but are you sure the sending client IP is really being checked by the recipient SMTP server? That would mean that either your mailserver is not even sending the server IP when it connects, which I find hard to believe and would be concerning, or the recipient's mailserver is misconfigured.
On the line in the header showing the softfail, which of the following appears?:
received-SPF: SoftFail (**YOUR MAILSERVER**: domain of **yourdomain.tld** does not designate **IP** as permitted sender) receiver=**YOUR MAILSERVER**
or
received-SPF: SoftFail (**RECIPIENT MAILSERVER**: domain of **yourdomain.tld** does not designate **IP** as permitted sender) receiver =**RECIPIENT MAILSERVER**
-
Here's my header showing the SPF failure. I'm using mxtoolbox.com for testing. I'm also using Sendgrid as an SMTP relay with an API key. Sending domain is different than the MX domain as I have a couple different domains I send email from.
Received: (Haraka outbound); Sun, 07 May 2023 15:40:12 +0000
Authentication-Results: mymxdomain.com;
auth=pass (plain);
spf=softfail smtp.mailfrom=sendingdomain.com
Received-SPF: SoftFail (mymxdomain.com: domain of sendingdomain.com does not designate sending client public IP as permitted sender) receiver=mymxdomain.com; identity=mailfrom; client-ip=sending client public IP helo=[LAN IP]; envelope-from=<mailbox@sendingdomain>
Received: from [LAN IP] ([sending client public IP])
by mymxdomain.com (Haraka/3.0.1) with ESMTPSA id 6F7C9FA2-9E4D-4C74-932F-D177277F2FCC.1
envelope-from <mailbox@sendingdomain.com>
tls TLS_AES_256_GCM_SHA384 (authenticated bits=0);
Sun, 07 May 2023 15:40:12 +0000 -
As I suspected, that is Haraka on your own server softfailing the client IP. The recipient SMTP server should only be checking the Sendgrid IP and passing it as long as it is included in the SPF record for the domain in question.
-
G girish referenced this topic on
-
J jdaviescoates referenced this topic on
-
G girish forked this topic on
-
G girish has marked this topic as solved on
-
L lukasgabriel referenced this topic on