12

Gmail is failing the SPF check based on the client IP. These are the relevant headers:

Received-SPF: fail (google.com: domain of johndoe@example.com does not designate 164.77.240.58 as permitted sender) client-ip=164.77.240.58;
Received: from johndoe (unknown [164.77.240.58])
    by mail.example.com (Postfix) with ESMTP id 993643FE2D

The client IP (164.77.240.58) is the IP of johndoe's computer. The sender IP, the IP of mail.example.com, is included in the SPF record.

Why is Gmail failing based on the client IP instead of the sender IP? Is this how SPF is supposed to work?

Max Toro

4 Answers

5

First, pull the spf record of example.com:

$ dig -t txt example.com

Verify that example.com is on the senders list. Your spf record should look something like this:

"v=spf1 a:mail.example.com a:cname.example.com -all"

Take any domain names listed and do a DNS lookup on them to get the IP addresses:

$ dig mail.example.com

Then do a PTR look up to get the reverse DNS name for the IP:

$ dig -x XX.XX.XX.XX

The reverse IP lookup should match one of the records listed in the spf record. It would be helpful to start with the spf record though so we can see what's going on.

Pete
2

Yes, Google is improperly flagging messages as spam (SPF Softfail) and citing the sender's client IP address as not an authorized sender. This is wrong on several levels.

The messages in question were not sent to a Google-hosted mailbox. Instead, the Gmail user has configured Gmail to fetch mail (POP3) from an account hosted on another service and make those messages available in the Gmail user's inbox.

As such, these messages are NEVER actually received by a Google mail server. The messages are being fetched by Google, not received. Google should not be rewriting the mail headers as if they received them. If they wish to apply filters, they should only be reading the headers as written by the (non-Google) mail server that is hosting the account.

SPF Softfail based on Client-IP: Google is reporting: "spf=softfail (google.com: domain of transitioning usr@example.com does not designate x.x.x.x (client-ip) as permitted sender)"

Client-IP is the internet address of the sender's physical location (home, business, coffee shop). It would be impossible to include all possible client IPs in an SPF record. The SPF check should only consider the IP of the mail server that delivered the message to the recipient's mail server, in this case a non-Google server.

In this example, Debi is the Gmail user. Debi has configured Gmail to fetch messages from another mailbox, 'editor', hosted at supercp.com. Shawn sends a message to Editor, which is received at supercp.com. Debi's Gmail connects using POP3 to download the message. Google flags it as spam based on the IP address (residential ISP WAN address) where Shawn happened to be when he had the Thunderbird mail client send the message.

Example email headers

1

Yes, Google would be correct in identifying the SPF failure. The IP address that should be checked is the address that is connecting to Google's mail server. As there is no Received header for Google, I suspect your mail server is checking SPF on the connection. It should only check SPF for unauthenticated connections from the Internet. Local connections and authenticated connections should bypass SPF validation.

SPF is intended to ensure the sending computer is permitted by the sending domain. Normally a domain would have 1 or 2 mail servers that handle all emails sent to or received from the Internet. These addresses should be the ones listed in the SPF record for the domain.

In this case, johndoe appears to be connecting to the domain's mail server. If the server is not on the domain's network, it is common to use an authenticated connection on the submission port (587). The mail server should then forward the message to Gmail and SPF should pass. If SPF still fails, the SPF record needs to be corrected to include the IP of the mail server. There are several mechanisms that can be used.

My Email Policy ensures that all legitimate mail sent from my domain will pass SPF. There are some services that forward messages on behalf of my users which will fail SPF. However, the recorded failures I have received from servers validating DMARC have all been spammers.

BillThor
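The logic the answers above argue over, as an added example that is not code from this thread or from any of its posters: a minimal SPF evaluator run against a constructed DNS table, plus the two session-level decisions the answers describe (which IP the receiver must test, and when a server should skip the test). The DNS data, the relay address 203.0.113.25 for mail.example.com, the hostname mx.google.com, the supercp.com record and the Received chain are all assumptions made up for the example; only the `a`, `ip4` and `all` mechanisms are implemented.

```python
"""Added example (not from the original thread): which IP an SPF check must
be evaluated against, shown with a tiny SPF evaluator over constructed DNS."""
import ipaddress

# Constructed DNS data standing in for real lookups. Assumption: example.com
# publishes an SPF record like the one in Pete's answer, and supercp.com
# (from the second answer) publishes a softfail record.
DNS = {
    ("example.com", "TXT"): ["v=spf1 a:mail.example.com ip4:203.0.113.0/24 -all"],
    ("mail.example.com", "A"): ["203.0.113.25"],
    ("supercp.com", "TXT"): ["v=spf1 ip4:198.51.100.7 ~all"],
}


def lookup(name, rrtype):
    """Stand-in for a DNS query against the constructed table."""
    return DNS.get((name, rrtype), [])


def spf_record(domain):
    """SPF lives in a TXT record beginning with 'v=spf1' (RFC 7208)."""
    for txt in lookup(domain, "TXT"):
        if txt.startswith("v=spf1 "):
            return txt
    return None


def check_spf(domain, client_ip):
    """Evaluate `domain`'s SPF record against the IP that connected to us.
    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'.
    Only a:, ip4: and all are handled here; mx, include, exists, ptr and
    modifiers are omitted to keep the example short."""
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in qualifiers:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        matched = False
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            host = arg or domain
            matched = any(ip == ipaddress.ip_address(a) for a in lookup(host, "A"))
        if matched:                          # first matching mechanism wins
            return qualifiers[qualifier]
    return "neutral"


# Constructed Received chain (newest first) for the message in the question,
# as it would look once mail.example.com relayed it on to Gmail.
RECEIVED = [
    ("mx.google.com", "203.0.113.25"),       # Gmail accepted it from mail.example.com
    ("mail.example.com", "164.77.240.58"),   # mail.example.com accepted it from johndoe
]


def ip_to_test(received, my_host):
    """SPF is defined on the SMTP client that connected to *my_host*, i.e. the
    address in the Received line my_host wrote itself, not an earlier hop."""
    for by_host, from_ip in received:
        if by_host == my_host:
            return from_ip
    return None


def should_check_spf(client_ip, authenticated, mynetworks=("192.168.0.0/16",)):
    """BillThor's rule: skip SPF for SASL-authenticated sessions and for
    clients inside the server's own networks (assumed list, like Postfix's
    mynetworks); check only unauthenticated connections from the Internet."""
    if authenticated:
        return False
    ip = ipaddress.ip_address(client_ip)
    return not any(ip in ipaddress.ip_network(net) for net in mynetworks)


if __name__ == "__main__":
    # Gmail tests the relay's address: pass.
    print("gmail ->", check_spf("example.com", ip_to_test(RECEIVED, "mx.google.com")))
    # Testing johndoe's workstation address instead reproduces the header in the question.
    print("first hop ->", check_spf("example.com", "164.77.240.58"))
    # A POP3-fetched message from supercp.com evaluated against a home IP: softfail.
    print("supercp ->", check_spf("supercp.com", "164.77.240.58"))
    print("check submission?", should_check_spf("164.77.240.58", authenticated=True))
```

Run as written, the script shows the relay address passing, the workstation address failing (the header quoted in the question), and the supercp.com record yielding the softfail the second answer complains about; the decisive design point is that `check_spf` is only ever fed the IP returned by `ip_to_test` for the host doing the check, and is not run at all when `should_check_spf` says the session was authenticated or local.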
0

Google is wrong to report this as an SPF failure because Google has no way of knowing what the last hop is, so they have no way of correctly assessing the SPF policy. Every single message fetched will always fail the SPF policy.

Google is now adding an extra "Be careful with this message" warning for messages that either fail or lack both SPF and DKIM. That means if you are using Gmail to fetch mail from another mail provider, you will get this on every email that lacks a DKIM record regardless of whether it should have properly passed the SPF test.