Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Gmail, SPF, and Broken Email Forwarding?

Posted by timothy on Thu Jul 10, 2008 03:20 PM
from the rejected-mail-for-too-many-ellipses dept.
Businesses Communications Google Spam The Internet IT
alek writes "I recently stopped getting Email from a friend ... which turns out to be related to his use of SPF records and my forwarding to gmail. This 'lost Email problem' may get worse with Google implementing Domain Keys." Alek is looking for a non-complicated solution to this non-trivial problem; read on below for more details.
"Background: Like many people, I have me@mydomain.com as my public facing Email address. When Email comes into my server, I forward it to me@gmail.com. But since my friend has published SPF (Sender Policy Framework) records that say only his server is allowed to send Emails for friend@frienddomain.com, gmail apparently rejects (silently buries actually!) the Email since it is forwarding through my server. Please note that this is exactly what SPF is designed to prevent — spammers from sending Emails with your address — but it breaks forwarding and has other problems.

What's *really* strange is that if I look at the raw sendmail logs on my server, the Email from friend@frienddomain.com comes in, and is forwarded to gmail ... with an "OK" as the response — i.e. the gmail MTA doesn't reject the message as it ideally should. However, the Email then disappears — it's not even in my gmail spam filter ... so there is no trace of it at all. If my friend sends directly to me@gmail.com, it shows up ... since his domain sends directly and the SPF test is passed. Note that on my gmail account, I associate me@mydomain.com with my me@gmail.com account ... so perhaps there should be a recipient test applied before SPF is tested on the sender ... although this arguably defeats the purpose of SPF.

The logical solution is to configure sendmail on my server to do Sender Rewriting — anyone have an easy FAQ to do this? But many people/domains aren't doing this ... and my Email forwarding to gmail is quite common, so I'm surprised that this issue hasn't gotten more attention. Is there another solution?"
+ -
story

Related Stories

[+] Does SPF Really Help Curtail Forged Email Headers? 90 comments
Intelopment asks: "My Domain name has recently been used a lot in the 'Reply' field by some inconsiderate spammer, and my ISP has suggested that I consider using the Open SPF service as a way to stop spammers from using my domain name for in their mail headers field. From what I can tell, it requires the receiving mail server to actually participate in the SPF service, which is where I have my doubts. Does anyone have any experience with this service? Does it work? Are many ISPs using Open SFP?"
Firehose:Gmail, SPF, and Broken Email Forwarding by xmas2003 (739875)
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Gmail, SPF, and Broken Email Forwarding? 25 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Please adhere to RFC (Score:5, Informative)

    by DNS-and-BIND (461968) on Thursday July 10 2008, @03:28PM (#24140927) Homepage
    Please stop using mydomain.com and other such nonsense. Example.com is reserved by RFC 2606 [ietf.org] for use as a...wait for it...example domain name. Please make a habit of using it instead of whatever name strikes your fancy, as it is probably in use by real people.

    The Internet Assigned Numbers Authority (IANA) also currently has the following second level domain names reserved which can be used as examples.
    • example.com
    • example.net
    • example.org

  • Is there another solution? (Score:5, Informative)

    by jeffmeden (135043) on Thursday July 10 2008, @03:29PM (#24140967) Homepage Journal
    Yes, of course. Have all your email sent to Google in the first place! You don't have to switch everything over to the Google app tool, you can just set MX records for your domain pointing to them, and collect it all (or forward it inside or outside Google.) It's free (with a paid version available.) Check it out here http://www.google.com/a/help/intl/en/index.html [google.com]

    • Re:Is there another solution? (Score:5, Informative)

      by dch24 (904899) on Thursday July 10 2008, @03:33PM (#24141075) Journal
      It really works! (ob. disclaimer: satisfied customer)

      Our company forwards email to google (MX record in the DNS), where it runs through the spam filter and then a forwarding rule (an anything-but-spam rule) sends it on to our mailboxes.

      For free... :-)

  • Simple answer: stop forwarding (Score:5, Insightful)

    by mattbee (17533) <matthew@bytemark.co.uk> on Thursday July 10 2008, @03:30PM (#24140991) Homepage

    Effective spam filtering for forwarded email is pretty much impossible, as you lose vital information in the forwarding. Either get rid of your forwarding address, or have it hosted at Google as well. Probably the largest single reduction in spam I've ever made was the week that I got rid of years-old forwarding addresses. If the forwarding address is more important, just get it hosted at Google directly, or tell people to stop using it!

  • silently dropping is not unexpected (Score:5, Interesting)

    by Ungrounded Lightning (62228) on Thursday July 10 2008, @03:31PM (#24141025) Journal

    What's *really* strange is that if I look at the raw sendmail logs on my server, the Email from friend@frienddomain.com comes in, and is forwarded to gmail ... with an "OK" as the response -- i.e. the gmail MTA doesn't reject the message as it ideally should. However, the Email then disappears -- it's not even in my gmail spam filter ... so there is no trace of it at all.

    While the RFCs specify that an MTA that is dropping should notify the sender in various ways, modern MTAs often violate these parts of the spec, pretending to accept and then dropping the mail and/or failing to send bounce notifications.

    This is deliberate. Not sending bounce messages reduces the load on the servers and net (now that most mail traffic bounces). Pretending to accept mail which is actually dropped is a defense against guessing email addresses and probing filters to see what gets past them.

      • Re:silently dropping is not unexpected (Score:5, Informative)

        by liquidpele (663430) on Thursday July 10 2008, @04:01PM (#24141697) Homepage Journal
        People violate the RFC because spammers spoof the sender as the people they are spamming, so the bounce goes back to that person and they get the spam. The RFC does not account for this, so fuck it.

        • Re:silently dropping is not unexpected (Score:5, Insightful)

          by AVee (557523) <slashdot&avee,org> on Thursday July 10 2008, @04:27PM (#24142233) Homepage
          That would be true is google would actually first accept the email and then send a bounce message because it doesn't like it after all.
          What they should do is reject the email immediately, in which case they don't have to send a bouce email but the mail is properly logged as being rejected. Ofcourse this does mean google will have to do all of their checks before accepting the message which is a bit harder to do but it is the only correct solution for the bounce problem.

  • Pull instead of push? (Score:5, Informative)

    by Robotech_Master (14247) on Thursday July 10 2008, @03:32PM (#24141039) Homepage Journal

    Doesn't GMail offer the ability to fetch your email from POP accounts now? It would probably not be the ideal solution, but perhaps you should stop forwarding and instead start POPping.

  • FAQ (Score:5, Informative)

    by RzTen1 (1323533) on Thursday July 10 2008, @03:47PM (#24141355)
    There's actually a fairly simple procmail fix right on the spf site: http://www.openspf.org/FAQ/Forwarding [openspf.org]

  • This is also known as, "The Problem With SPF." SPF breaks forwarding. This is well known. People who use SPF need to be aware of the ramifications.

    The SPF people have created SRS, as you are aware, to work around this problem. It is a complicated and unappealing workaround. I certainly won't do it.

    You have three options as I see it:

    1) Stop forwarding. It's really a terrible idea. Install webmail on your mailserver. Check out RoundCube, for instance.
    2) Wait for people to figure out that strict SPF policies break SMTP too badly for most users.
    3) Implement SRS. (this would probably be easier if you were using a modern MTA)

    I guess you were hoping for an easy fix, but there simply isn't one.

      • Re:maybe a silly question but.. (Score:5, Informative)

        by mkettler (6309) on Thursday July 10 2008, @04:51PM (#24142803)

        People over-generalize terms quite often, and "forwarding" has different meanings in different situations. Generally the difference boils down to if you're talking about a "server" implementation or a "mail client" implementation.

        In this case, the SPF folks are addressing server admins, so by "forwarding" they mean sending the message to a new recipient without altering the headers. This use problably originates back to the old ".forward" files on unix machines, but may go back further. Most server-side implementations use this meaning for "forward".

        However, forwarding by hitting the "forward" button most mail clients does something different. That creates a new message with new headers and preserves the old body text. sending with the same headers is called "redirect" in most mail clients.

        Isn't it great how mail clients and mail servers use different meanings for the same word?

        Even the client/server pair that go together from the same company have this problem. For example, Microsoft - exchange server has forwarding contacts, which forward without header changes, while Outlook clients do change the headers when you hit the "forward" button.

  • How to make it work (Score:5, Informative)

    by stefanb (21140) * on Thursday July 10 2008, @05:04PM (#24143067) Homepage
    Amazing what a bunch of unhelpful whiners take the time to *not* answer the actual question, and get modded up for it.

    For this example, I'm assuming that your email is joe@example.com and your gmail address is joe-example@gmail.com.

    Create an alias (/etc/mail/aliases) for the address that get's forwarded to gmail.

    joe: joe-example@gmail.com

    Also create an alias for <foo>-owner:

    joe-owner: joe

    Sendmail will look for this special <foo>-owner alias whenever sending mail to the <foo> alias, and use it as the envelope sender on the outgoing mail. So any mail that is sent to joe@example.com will be resent by sendmail with a sender address of joe@example.com. The header addresses will remain unchanged, so hitting reply will still go to the right person.

    Is this the solution to all SPF forwarding brokeness? Of course not, but it's a surpisingly simple solution to a number of common forwarding situation. Note that you better be careful about spam filtering on your machine, or your mail server (your sender's address) will appear to Google as a source of spam, and might get filtered.

      • Re:I knew .. (Score:5, Insightful)

        by cayenne8 (626475) on Thursday July 10 2008, @04:10PM (#24141843) Homepage Journal
        "I use my gmail account for catching all the junk mail you get for signing up for a mailing list. I guess i need to have my email server just send me a message stating that i have new mail waiting."

        At first I was wondering why they hell someone that had a working email server would shuttle it through Gmail, but then I read about using the spam filters, etc.

        While that sounds good on the surface, is anyone out there not a little apprehensive about having all your email, particularly if you're a business, going through and being stored on their servers? I mean, someday Google will bend completely for govt. wanting to search all emails for 'terrorists' activities, and God knows who else will too.

        I guess I'd want a bit more privacy on my emails, especially if they contained sensitive or proprietary information. I know...they're in plain text and could be intercepted if not encrypted, but, this is altogether different. It is stored on google's servers and there for easy data mining.

        I'm getting ready to dig out my old email server post Katrina...can you not use procmail and spamassassin to filter spam as effectively as Gmail does?

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.