I have a Google Apps account set up for one of my domains. Wildcard email delivery is enabled on this domain for all emails (i.e. anything@domain.com passes emails along to myemail@domain.com), and the records related to email delivery are configured as follows (to the best of my knowledge, configured to Google's recommendations):

MX: ASPMX.L.GOOGLE.COM with priority 10
TXT: v=spf1 include:_spf.google.com ~all
TXT: v=DKIM1; k=rsa; p=xxxxxxxxxxxxxxxxxxxxxxxxx

Recently, however, I have begun to receive an increased number of bounces/"out of office" emails from people who are apparently being spammed with people using email addresses from my domain. From the bounces, some headers:

Return-Path: <0379E403@domain.com>
Received-SPF: softfail (google.com: domain of transitioning 
    0379E403@domain.com does not designate 41.230.231.130
    as permitted sender) client-ip=41.230.231.130;
Authentication-Results: gmr-mx.google.com; spf=softfail (google.com:
    domain of transitioning 0379E403@domain.com does not designate
    41.230.231.130 as permitted sender) smtp.mail=0379E403@domain.com
From: "Secure.Message" <0379E403@domain.com>
To: <unfortunate_person@gmail.com>

(I can provide additional headers if needed.)

I looked into softfails but am not completely sure I understand it. I do wildcard emails to the domain so simply disabling wildcarding would probably not be a solution. Because emails to this domain are then forwarded on to a different email address (also within Google Apps, though), I would preferably also need to be able to send emails using Google's "send email as" ("on behalf of") feature.

Any ideas what to do now? Most importantly I am concerned about the reputation of my domain; I would very much want to keep it off of any spam lists.

3 Answers

5

When you use the SoftFail qualifier (the ~) in an SPF mechanism, you indicate that a matching sender should be treated with suspicion, but not outright rejected.

The Fail qualifier (the -) on the other hand, encourages receiving MTAs to reject the SMTP transfer immediately with a 5.1.7 DSN.

So when you are using ~all in the end of your record, you are only partially preventing spammers from abusing your domain and your reputation.

Read more about how check_host() results should be treated according to the RFC specification here: IETF RFC 4408 §2.5 "Interpreting the results"
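To make the qualifier difference concrete, here is an added example (not part of the answer above, and not Google's or anyone's production code): a minimal check_host() evaluator that understands ip4/ip6, include and all with the +, -, ~ and ? qualifiers. DNS is replaced by a constructed in-memory table so it runs offline; the netblocks listed for _spf.google.com are illustrative stand-ins, not the real contents of that record, and the domain names hardened.example and unknown.example are assumptions. The evaluator also shows the RFC's rule that an include matches only when the referenced record yields "pass", so the included record's own trailing ~all never decides the outer result.

```python
"""Minimal SPF check_host() evaluator (added example, not from the thread).

Implements enough of RFC 4408 section 4 to show how the qualifier on the
final "all" mechanism decides the result for a sender that matched nothing
else.  Mechanisms that need live DNS (a, mx, ptr, exists) are treated as
non-matching so the script stays self-contained.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups. ASSUMPTION: the include netblocks
# are illustrative only, not the real _spf.google.com contents.
FAKE_DNS_TXT = {
    "_spf.google.com": "v=spf1 ip4:209.85.128.0/17 ip4:74.125.0.0/16 ~all",
    "domain.com": "v=spf1 include:_spf.google.com ~all",      # as in the question
    "hardened.example": "v=spf1 include:_spf.google.com -all",  # same record, hard fail
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Receiver handling suggested by RFC 4408 section 2.5 for each result.
RECOMMENDED_HANDLING = {
    "pass": "accept",
    "fail": "reject with 550 5.7.1",
    "softfail": "accept but treat as suspicious (e.g. feed to spam scoring)",
    "neutral": "treat as if no policy existed",
    "none": "treat as if no policy existed",
    "permerror": "receiver's choice; usually accept",
}


def lookup_txt(domain):
    """Return the SPF TXT record for `domain` from the constructed table."""
    return FAKE_DNS_TXT.get(domain.lower().rstrip("."))


def check_host(ip, domain, depth=0):
    """Return the SPF result for client `ip` claiming to send for `domain`."""
    if depth > 10:                       # RFC limit on recursive include depth
        return "permerror"
    record = lookup_txt(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    client = ipaddress.ip_address(ip)

    for term in record.split()[1:]:
        qualifier = "+"                  # default qualifier is "+" (pass)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # ipaddress returns False for a v4 address against a v6 net and vice versa
            matched = client in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # An include matches only if the referenced record evaluates to "pass";
            # its own softfail/fail/neutral result is NOT propagated outward.
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            matched = False              # a/mx/ptr/exists need live DNS; skipped here

        if matched:
            return QUALIFIER_RESULT[qualifier]

    return "neutral"                     # nothing matched and no explicit "all"


def describe(ip, domain):
    """Human-readable summary used when running the script directly."""
    result = check_host(ip, domain)
    return f"{ip} for {domain}: {result} -> {RECOMMENDED_HANDLING[result]}"


if __name__ == "__main__":
    # The spammer's IP from the bounced headers against both record variants.
    print(describe("41.230.231.130", "domain.com"))        # softfail
    print(describe("41.230.231.130", "hardened.example"))  # fail
    print(describe("209.85.128.10", "domain.com"))         # pass via include
```

Run it as-is to see that the IP in the bounced headers lands on the final `all` term in both records, and only the qualifier in front of that term changes the result from softfail to fail.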

4

In addition to what Mathias said (which is good), note the key word encourages in his second sentence: "The Fail qualifier... encourages receiving MTAs to reject the email".

I would also recommend looking into DMARC. Once you have SPF and DKIM records in place, which it sounds like you do, DMARC is a way for you to tell receiving mail servers what to do with email that fails both the SPF and DKIM test.

When an email fails those tests, AND a receiving MTA honors DMARC records, then you can control what they do with that email: reject it outright, mark it as spam, or deliver it.

David W
  • 3,557
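As an added example of the policy decision this answer describes (not code from the answer or from any mail provider), the script below evaluates a DMARC record the way RFC 7489 describes: the message passes if either SPF or DKIM passed AND the authenticated domain is aligned with the From header domain; otherwise the domain owner's p= (or sp= for subdomains) disposition applies. The _dmarc.domain.com record, the rua address, the subdomain sub.domain.com and the domain other.example are assumptions, DNS is a constructed table, and the "organizational domain" is approximated by the last two labels rather than the Public Suffix List. The forwarding case matters for the question: a forwarder breaks SPF, but a surviving DKIM signature with d=domain.com still passes DMARC.

```python
"""Minimal DMARC policy evaluation (added example, not from the thread).

Inputs are the per-message authentication results a receiver already holds:
the SPF result on the MAIL FROM domain and the DKIM result on the d= domain.
"""

# Constructed stand-in for DNS. ASSUMPTION: illustrative record, not a real one.
FAKE_DMARC_TXT = {
    "_dmarc.domain.com": (
        "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
        "rua=mailto:dmarc@domain.com"
    ),
}


def parse_dmarc(record):
    """Split 'k=v; k=v' into a dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Simplification: last two labels stand in for the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' requires an exact match, 'r' the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, requested_disposition).

    dmarc_result is 'pass', 'fail' or 'none' (no usable policy published);
    the disposition is one of the domain owner's values: none/quarantine/reject.
    """
    policy_domain = from_domain.lower().rstrip(".")
    record = FAKE_DMARC_TXT.get("_dmarc." + policy_domain)
    is_subdomain = False
    if record is None:
        # No record at the exact From domain: fall back to the org domain's record.
        policy_domain = org_domain(from_domain)
        record = FAKE_DMARC_TXT.get("_dmarc." + policy_domain)
        is_subdomain = True
    if record is None:
        return ("none", "none")
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return ("none", "none")

    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "s" if "adkim" in tags else "r"))
    if spf_ok or dkim_ok:
        return ("pass", "none")
    # Failed: apply sp= for subdomains when present, else p=.
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return ("fail", policy)


if __name__ == "__main__":
    # Spam from the bounced headers: SPF softfail, no DKIM signature at all.
    print(dmarc_evaluate("domain.com", "softfail", "domain.com", "none", None))
    # Mail forwarded by a third party: SPF fails, DKIM survives -> still passes.
    print(dmarc_evaluate("domain.com", "fail", "domain.com", "pass", "domain.com"))
```

The receiver still has to honor the policy, which is the caveat the answer makes about "encourages"; what DMARC adds is that the domain owner's wish is now machine-readable and tied to identifier alignment, so a spoofed From address with no aligned signature cannot be rescued by an unrelated passing SPF result.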
0

I am in the exact same situation, and changed my SPF records to perform a hard fail. It doesn't help. The administrators of the domains that send the bouncebacks seem to look at the SPF record, see that it fails, and then ignore it. I am not worried about my domain reputation, since they are going to continue to send these emails whether or not I am here to see the bouncebacks. There is nothing you can do but make a rule to ignore the pattern of the reply-to address.

Edwin
  • 1,041