Restricting to avoid spam on my address ;-).
(repost of original description with email domain redacted) Long story short, SPF doesn't work well with plain mail forwarding [1]. Let's consider a simple example: 1. I send a mail from mgorny@privatedomain.com to foo@gentoo.org, 2. foo@g.o has forwarding set, so gentoo.org forwards it to foo@example.com, 3. example.com looks up privatedomain's SPF and notices that gentoo.org is *not* allowed to send mail from that domain, 4. example.com rejects the mail and I get a bounce. Now, the same problem applies to any third-party mail server with strict SPF record sending mail to @gentoo.org. The worst thing is, people who have mail forwarding enabled may not even know they're bouncing valid mail. FWICS, there are two possible solutions [2] here: 1. Require everyone setting up mail forwarding (and people subscribing to Gentoo aliases) to whitelist the gentoo.org mail servers for SPF on their MTA. 2. Implement mail forwarding using SRS. Option 1 has the advantage of requiring no changes on Gentoo end (besides documenting the problem). In this case, whoever wants to use forwarding needs to use MTA-specific way of whitelisting the forwarding server. However, I'm not convinced that all public mail services rejecting mail based on SPF actually support that. Unless I'm mistaken, [3] suggests that on GMail you can do that via setting up a 'send mail as' address. While this would certainly work for developers forwarding their mail, I have serious doubts about users using this on project aliases and so on. As for SRS, I suppose you know more about than I do. FWICS, it's main advantage is that it should work out-of-the-box for everybody. However, it means rewriting the 'From' address (which might not be a bad thing after all) and FWICS gmail requires some fancy 'SPAM' dance [3] to avoid penalizing us for forwarding spam. [1]:http://www.openspf.org/FAQ/Forwarding [2]:http://www.openspf.org/Best_Practices/Forwarding [3]:https://support.google.com/a/answer/175365
FWIW, have you considered using mail-filter/postsrsd on woodpecker? It should normally work out of the box, with only a couple of lines in Postfix's main.cf.