2

I have postfix with dovecot set up on Ubuntu 13.10. I send emails via a node application (using email-templates).

If I send an email from noreply@mydomain.com to myaccount@gmail.com (email 1), the SPF record passes. If I send an email from noreply@mydomain.com to support@mydomain.com (email 2), the SPF record fails.

My spf record:

v=spf1 a mx ~all

I've tried a variation by specifying the IP, but I get the same pass/softfail for emails 1 and 2.

I've linked my @mydomain.com emails to gmail, so I can read them from there and also check the headers from gmail.

Here is the header for email 1, which passes:

Delivered-To: myaccount@gmail.com
Received: by 10.220.131.9 with SMTP id v9csp9729vcs;
        Thu, 3 Apr 2014 02:07:44 -0700 (PDT)
X-Received: by 10.204.243.137 with SMTP id lm9mr3945288bkb.33.1396516062351;
        Thu, 03 Apr 2014 02:07:42 -0700 (PDT)
Return-Path: <noreply@mydomain.com>
Received: from mydomain.com (mydomain.com. [81.4.107.88])
        by mx.google.com with ESMTPS id de1si2116722bkc.265.2014.04.03.02.07.41
        for <myaccount@gmail.com>
        (version=TLSv1.1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
        Thu, 03 Apr 2014 02:07:41 -0700 (PDT)
Received-SPF: pass (google.com: domain of noreply@mydomain.com designates 81.4.107.88 as permitted sender) client-ip=81.4.107.88;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of noreply@mydomain.com designates 81.4.107.88 as permitted sender) smtp.mail=noreply@mydomain.com
Received: from [127.0.0.1] (mydomain [127.0.0.1])
    (Authenticated sender: username)
    by mydomain.com (Postfix) with ESMTPA id 2FE0730A095F
    for <myaccount@gmail.com>; Thu,  3 Apr 2014 05:07:41 -0400 (EDT)
X-Mailer: Nodemailer (0.6.1; +http://github.com/andris9/nodemailer;
 smtp/0.3.23)
Date: Thu, 03 Apr 2014 09:07:41 GMT
Message-Id: <688fb886bd83cff1bb5e299cb01e69@mydomain.com>
From: noreply@mydomain.com
To: myaccount@gmail.com
Subject: Welcome to mydomain

Here is the header for email 2, which fails:

Delivered-To: myaccount@gmail.com
Received: by 10.220.131.9 with SMTP id v9csp9756vcs;
        Thu, 3 Apr 2014 02:08:20 -0700 (PDT)
X-Received: by 10.220.103.141 with SMTP id k13mr2007429vco.25.1396516099631;
        Thu, 03 Apr 2014 02:08:19 -0700 (PDT)
Authentication-Results: mx.google.com;
       spf=softfail (google.com: best guess record for domain of transitioning noreply@mydomain.com does not designate <unknown> as permitted sender) smtp.mail=noreply@mydomain.com
Received-SPF: softfail (google.com: best guess record for domain of transitioning noreply@mydomain.com does not designate <unknown> as permitted sender)
Received: by 10.220.241.77 with POP3 id ld13mf1851813vcb.12;
        Thu, 03 Apr 2014 02:08:19 -0700 (PDT)
X-Gmail-Fetch-Info: support@mydomain.com 3 mail.mydomain.com 110 support
Return-Path: <noreply@mydomain.com>
X-Original-To: support@mydomain.com
Delivered-To: support@mydomain.com
Received: from [127.0.0.1] (mydomain [127.0.0.1])
    (Authenticated sender: username)
    by mydomain.com (Postfix) with ESMTPA id 2DF0730A095E
    for <support@mydomain.com>; Thu,  3 Apr 2014 05:07:41 -0400 (EDT)
X-Mailer: Nodemailer (0.6.1; +http://github.com/andris9/nodemailer;
 smtp/0.3.23)
Date: Thu, 03 Apr 2014 09:07:41 GMT
Message-Id: <732468ffa47870963332c0e2dcebf3@mydomain.com>
From: noreply@mydomain.com
To: support@mydomain.com
Subject: New user signed-up
Content-Type: multipart/alternative;
 boundary="----Nodemailer-0.6.1-?=_1-1396516061189"
MIME-Version: 1.0

I don't think the issue is with the node.js code that is sending the emails, as they both use the same transports and logins. Here is a simplified, but still long, version of the code:

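var nodemailer = require("nodemailer");
var emailTemplates = require("email-templates");
// templatesDir (the path to the template directory) is defined elsewhere in the application.

// Single SMTP transport shared by both emails below
var transport = nodemailer.createTransport("SMTP", {
    service: "mydomain.com",
    auth: {
        user: "username",
        pass: "password"
    }
});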

//THIS EMAIL FAILS SPF CHECK
exports.send_new_registration = function(username, email){
        emailTemplates(templatesDir, function(err, template) {
                console.log("Attempting to send email.");
          if (err) {
            console.log(err);
          } else {

            var locals = {
                email : email,
                username :username 
            };

            // Send a single email
            template('new_user', locals, function(err, html, text) {
              if (err) {
                console.log(err);
              } else {
                transport.sendMail({
                  from: 'noreply@mydomain.com',
                  to: 'support@mydomain.com',
                  subject: "New user signed-up",
                  html: html,
                  // generateTextFromHTML: true,
                  text: text
                }, function(err, responseStatus) {
                  if (err) {
                    console.log(err);
                  } else {
                    console.log(responseStatus.message);
                  }
                });
              }
            });
          }
        });
};

//THIS EMAIL PASSES SPF CHECK
exports.send_confirmation_email = function(email, token){
        var link = "https://mydomain.com/email-confirmation/" + token;  
        emailTemplates(templatesDir, function(err, template) {
                console.log("Attempting to send email.");
          if (err) {
            console.log(err);
          } else {

                var locals = {
                link : link
                };

            // Send a single email
            template('register', locals, function(err, html, text) {
              if (err) {
                console.log(err);
              } else {
                transport.sendMail({
                  from: 'noreply@mydomain.com',
                  to: email,
                  subject: "Welcome to mydomain",
                  html: html,
                  // generateTextFromHTML: true,
                  text: text
                }, function(err, responseStatus) {
                  if (err) {
                    console.log(err);
                  } else {
                    console.log(responseStatus.message);
                  }
                });
              }
            });
          }
        });     
}

I don't think it's relevant, but I've yet to get TLS working on postfix. I've also tried to get postfix-policyd-spf-perl working, unsuccessfully so far. When sending an email to my own account, from my own account, this adds an additional header. I'm guessing it's related, but I'm not certain.

As an FYI, if I add check_policy_service unix:private/policy-spf to my /etc/postfix/main.cf, the additional header I see in the email from noreply@mydomain.com to support@mydomain.com is:

    Received-SPF: softfail (mydomain.com: Sender is not authorized by default to use 'support@mydomain.com' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)) receiver=mydomain.com; identity=mailfrom; envelope-from="support@mydomain.com"; helo="[an_ip]"; client-ip=a_diff_ip

I only add this as I'm not sure if this is related or not to the Google softfail check...

EDIT: To make the question clear, it's not clear to me why if I send an email to a Gmail account, it passes the SPF check, but if I send an email to my own domain, it fails.

Simon
  • 165

1 Answer

4

SPF is not failing. You're misinterpreting the results.

Google is doing the check (properly) when the mail is sent to the Gmail account. Google is also adding the check when it retrieves via POP3. It doesn't know where it came from, therefore it marks a softfail.

I'm not sure why Google is checking for a POP3 retrieved email, but it shouldn't be.

You need to send it to an address that does its own SPF check and get it directly, rather than let Google play with the headers.
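
The distinction the answer draws can be read straight from the headers. The following is an added example, not code from the question or the answer: it reports whether a Received-SPF verdict was stamped against a real connecting IP or on a message pulled over POP3. The function names and the `evaluatedAtSmtp` field are hypothetical, and the two samples are constructed from the headers quoted in the question.

```javascript
// Added example: was the SPF verdict computed at SMTP receipt, or stamped
// on a message the mailbox provider fetched over POP3 (no client IP)?

// Unfold RFC 5322 continuation lines, then split into [name, value] pairs.
function parseHeaders(raw) {
  const unfolded = raw.replace(/\r?\n[ \t]+/g, " ");
  return unfolded.split(/\r?\n/).filter(Boolean).map((line) => {
    const i = line.indexOf(":");
    return [line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim()];
  });
}

function classifySpf(raw) {
  const headers = parseHeaders(raw);
  const get = (name) => headers.filter(([n]) => n === name).map(([, v]) => v);
  const spf = get("received-spf")[0] || "";
  const result = (spf.match(/^(\w+)/) || [])[1] || "none";
  const clientIp = (spf.match(/client-ip=([0-9a-fA-F.:]+)/) || [])[1] || null;
  // POP3 retrieval markers: Gmail's fetch header or a "with POP3" hop.
  const fetched =
    get("x-gmail-fetch-info").length > 0 ||
    get("received").some((v) => /\bwith POP3\b/i.test(v));
  // Only a verdict tied to a connecting IP on an SMTP hop is meaningful.
  return { result, clientIp, fetched, evaluatedAtSmtp: clientIp !== null && !fetched };
}

// Constructed samples, abbreviated from the two messages in the question.
const EMAIL_1 = [
  "Received: from mydomain.com (mydomain.com. [81.4.107.88])",
  "        by mx.google.com with ESMTPS id de1si2116722bkc.265.2014.04.03.02.07.41",
  "Received-SPF: pass (google.com: domain of noreply@mydomain.com designates 81.4.107.88 as permitted sender) client-ip=81.4.107.88;",
  "Received: from [127.0.0.1] (mydomain [127.0.0.1])",
  "    by mydomain.com (Postfix) with ESMTPA id 2FE0730A095F",
].join("\n");

const EMAIL_2 = [
  "Received-SPF: softfail (google.com: best guess record for domain of transitioning noreply@mydomain.com does not designate <unknown> as permitted sender)",
  "Received: by 10.220.241.77 with POP3 id ld13mf1851813vcb.12;",
  "X-Gmail-Fetch-Info: support@mydomain.com 3 mail.mydomain.com 110 support",
  "Received: from [127.0.0.1] (mydomain [127.0.0.1])",
  "    by mydomain.com (Postfix) with ESMTPA id 2DF0730A095E",
].join("\n");

console.log(classifySpf(EMAIL_1));
console.log(classifySpf(EMAIL_2));
```

A softfail with `fetched: true` and no `clientIp` says nothing about the SPF record itself; the verdict to rely on is the one added by the server that accepted the message over SMTP.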