SPF Softfail From Client Ip

shortguymark

Member
Jan 21, 2017
6
1
3
Canada
cPanel Access Level
Root Administrator
I'm getting an spf softfail from google.

spf=softfail (google.com: domain of transitioning [email protected] does not designate 1.2.3.4 as permitted sender)

Now, I fully understand that I can add 1.2.3.4 to the spf record and it should all work.

The part I'm having trouble with is that 1.2.3.4 is my home isp IP address. If I take my laptop to a coffee shop, or office, etc - that IP changes.

My cpanel server (and mail server) address is 10.11.12.13

10.11.12.13 is currently in the spf record as valid sender:
v=spf1 +a +mx +ip4:10.11.12.13 ~all

Shouldn't the mail be coming from 10.11.12.13?

My mail program is set to use my SMTP server for 10.11.12.13 - it's NOT using my ISP's mail server or anything. (using imap with smtp) I've added the account to both thunderbird and emMail in case I was configuring something wrong.

I don't want to add all the internet IPs that I'm connecting with to the spf as I move around. I work a lot of different places.

Is there a setting I'm missing somewhere, or a common configuration error on the server? I've spent a few hours researching, and I'm stumped.
 

shortguymark

Just an update - I sent an email last night and it worked fine with gmail. The headers had the proper IP - then another email this morning and it wasn't working again. Nothing has changed. I really don't get it.

I tested SPF with SPF test mail services and they all come up fine, showing the right IP and passing.

Is this just something with Google? Is it just reading the sender IP instead of the server IP? I can't be the only one seeing this?
 

shortguymark

Another update:

When sending directly to a gmail address it's fine. Passes the spf check.

When sending to another email address on the server - which has a pop account in gmail to download for that account, it fails. So I'm thinking this may not be a big issue if just a localized problem.

Here's the layout

email "A" - an imap account I use from my desktop (email address created on my server)

email "B" - a pop account that is set up to retrieve in gmail. (email address created on my server)

email "C" - A regular gmail account. (gmail address)

Sending from A to C works fine. It passes. Google is happy. No question mark.

Sending from A to B (B is downloaded to gmail) fails. Google is confused. Question mark.

I wonder if it doesn't send all the required headers or something because it's going from an email address in the server to another email address in the server? Or if the server has to pass SPF before sending to google or something?

Any ideas?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,270
463
Hello,

I believe the following option under the "Mail" tab in "WHM >> Exim Configuration Manager >> Basic Editor" should address this problem:

Enable Sender Rewriting Scheme (SRS) Support

This option rewrites sender addresses so that the email appears to come from the forwarding mail server. This allows forwarded email to pass an SPF check on the receiving server.

Thank you.
 

EneTar

Well-Known Member
Dec 19, 2015
159
12
68
Greece
cPanel Access Level
Root Administrator
I have exactly the same problem and I enabled Sender Rewriting Scheme (SRS) Support.

When someone from [email protected] sends to [email protected] while user1 uses a desktop email client and user2 has set up a POP3 at gmail to receive his email, then gmail outputs a softfail and the message goes to spam.

Code:
spf=softfail (google.com: domain of transitioning [email protected] does not designate 22.22.22.22 as permitted sender) [email protected]

22.22.22.22 is the (changed by me) client address
I can also provide detailed email headers of what I see if that helps and my settings of EXIM. Please let me know what is needed.

Also in my EXIM configuration manager I have this (Not sure if it affects the above)
Code:
Send mail from account’s dedicated IP address  Off
Reference /etc/mailhelo for outgoing SMTP HELO Off
Reference /etc/mailips for outgoing SMTP connections Off
The SPF record of mydomain.com is
Code:
"v=spf1 +a +mx +ip4:xx.xx.xx.xx +ip4:xy.xy.xy.xy ~all"
Where xx... and xy are my server ips.
 

EneTar

In the previous example the ip 22.22.22.22 is the IP of the user and it's not the same as xx.xx.xx.xx xy.xy.xy.xy.

Should I switch Reference /etc/mailips for outgoing SMTP connections to on? Is there anything I should consider before doing so?
 

cPanelMichael

Hello,

Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

EneTar


cPanelMichael

Hello,

It's normal for the IP address of the individual sender to be included in the message header by the email client you are using to send the email. Gmail detecting this IP address and failing the SPF due to its detection is discussed on the URL you referenced:

Failed SPF for email imported to Gmail because of client IP instead of server's in message when sent through SMTP from one local box to another

Setting up a custom "add_header" Exim rule is not tested, and unsupported. However, should you want to try using the value, you can browse to "WHM >> Exim Configuration Manager >> Advanced Editor" to make custom changes.

Thank you.
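
The difference between the A-to-C and A-to-B cases described in this thread, as an added example that is not part of any post above and is not cPanel or Exim code: a receiver with a live SMTP connection checks SPF against the connecting server, while a mailbox importer only has the message headers. It assumes the importer takes the IP from the newest Received header; 203.0.113.10, the hostnames and the sample message are constructed placeholders.

```python
import email
import ipaddress
import re

# Constructed sample: A submits over authenticated SMTP from a roaming client
# (22.22.22.22, as in the thread); the server delivers locally to B's mailbox.
# 203.0.113.10 and the hostnames are placeholders, not values from the thread.
LOCAL_DELIVERY = """\
Received: from [22.22.22.22] (helo=laptop)
    by server.mydomain.example with esmtpsa (Exim)
    for <userb@mydomain.example>; Sat, 21 Jan 2017 10:00:00 +0000
From: usera@mydomain.example
To: userb@mydomain.example
Subject: test

body
"""
SPF_RECORD = "v=spf1 +a +mx +ip4:203.0.113.10 ~all"
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_ip4_result(record, ip):
    """Evaluate the ip4 mechanisms and 'all' only; a/mx need DNS and are skipped."""
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:") and addr in ipaddress.ip_network(mech[4:], strict=False):
            return RESULTS[qualifier]
        if mech == "all":
            return RESULTS[qualifier]
    return "neutral"


def topmost_received_ip(raw):
    """IP literal in the newest Received header: all a mailbox fetcher can see."""
    received = email.message_from_string(raw).get_all("Received", [])
    match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0]) if received else None
    return match.group(1) if match else None


def compare(raw, record, server_ip):
    """SPF result per vantage point: live SMTP peer vs. header-derived IP."""
    seen = topmost_received_ip(raw)
    return {
        "smtp_delivery": spf_ip4_result(record, server_ip),
        "pop_import": spf_ip4_result(record, seen) if seen else "none",
    }


if __name__ == "__main__":
    print(compare(LOCAL_DELIVERY, SPF_RECORD, "203.0.113.10"))
```

Because a locally delivered message never crosses an outbound SMTP hop, its only Received header is the client submission, which is why the SPF record and the SPF test services can be correct while the imported copy still shows a softfail.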