Bug 856967 - SPF failures with google
Summary: SPF failures with google
Status: UNCONFIRMED
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Mailing Lists
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Infrastructure
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-07-08 05:58 UTC by Madhu
Modified: 2022-07-08 05:58 UTC
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments
mail delivery report (delivery-failures.txt,1.31 KB, text/plain)
2022-07-08 05:58 UTC, Madhu

Description Madhu 2022-07-08 05:58:37 UTC
Created attachment 790580 [details]
mail delivery report

While trying to send mail to comrel@gentoo.org mailer daemon reported
delivery failures. I'm attaching the delivery report from postscript.



It was suggested that google was dropping the messages because the IP
the messages were coming from smtp.gentoo.com, but meer.net has a
strict sender policy that restricts the originating ip to my ISP.

However I want to note that this seemed to be a one-time transient
problem and my other messages to comrel did not generate any delivery
errors.

So I suspect there may be a way to get on a google whitelist.

I believe that many other mailing lists I am on do use postsrs to deal
with google, where the FROM is rewritten to User-Name +
list-address. (Personally I find this obnoxious and repulsive.)



I'm appending the text of the mail I received from robbat, debugging
the problem: (without permission) I hope this is OK

```
From: <robbat2@gentoo.org>
Message-ID: <robbat2-20220708T043939-326610156Z@orbis-terrarum.net>
Date: Fri, 8 Jul 2022 04:48:04 +0000
Short-version: Google got stricter.

The IPv6 source IP for our mail recently had to change.
Somewhere, I think the old source IP was in an allow-list in Google.

Now that the IP is changed, we're being subjected to stricter SPF
checks.

Those really matter for mail forwarding cases.

Specifically, if the original source domain has a strict SPF rule:

$ dig meer.net IN TXT +short ; dig spf.ctinetworks.com IN TXT +short
"v=spf1 redirect=spf.ctinetworks.com"
"v=spf1 ip4:205.166.61.0/24 ip4:66.59.96.0/19 ip4:206.251.0.0/19 -all"

When the Gentoo mail server expands your mail to comrel@gentoo.org, and then forwards it to multiple recipients.
Some of those recipients are at @gmail.com.

the MAIL FROM path on the forwarded email says enometh@meer.net.
So Google runs a SPF check:
sender enometh@meer.net, IP (smtp.gentoo.org)
against your SPF policy for meer.net.

Which of course says "nope, not allowed to send, you're a spammer kthxbye"
And thus your mail was not ultimately delivered to gmail.com recipients.

PostSRS isn't a panacea because it breaks other use cases.
I'll try and see what else we can come up with.
```
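
The SPF check described in the quoted mail, as an added example that is not part of the original report or of Gentoo's configuration: a small evaluator covering only the `ip4`, `ip6`, `all` and `redirect=` terms, run over the two TXT records quoted above. The forwarder address, the `forwarder.example` policy and the SRS0-style rewritten envelope sender are constructed assumptions, used to show why the receiver's verdict depends on the MAIL FROM domain rather than on who wrote the message.

```python
import ipaddress

# TXT records quoted in the mail above; forwarder.example is a constructed
# stand-in for a forwarding host's own policy (not Gentoo's real record).
TXT = {
    "meer.net": "v=spf1 redirect=spf.ctinetworks.com",
    "spf.ctinetworks.com": "v=spf1 ip4:205.166.61.0/24 ip4:66.59.96.0/19 "
                           "ip4:206.251.0.0/19 -all",
    "forwarder.example": "v=spf1 ip6:2001:db8:25::/48 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Evaluate ip4/ip6/all/redirect for `domain`; other mechanisms are skipped."""
    if depth > 10:                      # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
    # redirect= is only consulted when no mechanism matched
    return check_host(ip, redirect, depth + 1) if redirect else "neutral"


def envelope_domain(mail_from):
    """SPF is checked against the domain of the envelope sender (MAIL FROM)."""
    return mail_from.rsplit("@", 1)[1].lower()


FORWARDER_IP = "2001:db8:25::1"         # constructed documentation address
ORIGINAL = "enometh@meer.net"           # envelope sender kept by plain forwarding
# Constructed SRS0-style rewrite of the envelope sender (hash/timestamp are dummies)
REWRITTEN = "SRS0=HHHH=TT=meer.net=enometh@forwarder.example"
```

With the original envelope sender the forwarder's address is judged against the `-all` policy of meer.net; with the rewritten one it is judged against the forwarder's own policy.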