6

UPDATE: The SPF record I have in DNS for domain mailinglist.com:

mailinglist.com. 3600 IN TXT "v=spf1 mx ptr include:gateway.com ?all"

UPDATE2: The From:, Reply-To:, Sender: and Return-Path: headers from a failed message:

...
From: "bob" <bob@somewhere.org>
Reply-To: <list1@my.mailinglist.com>
Sender: <list1-request@my.mailinglist.com>
List-Post: <mailto:list1@my.mailinglist.com>
Return-Path: list1-owner@my.mailinglist.com
...

I've inherited a Sympa mailing list server from a previous Admin and am not very familiar with the whole process. Recently, we've been getting some calls from users that their posts to the various mailing lists are being marked as failing fraud detection checks.

I've been reading up on SPF and suspect that what is happening is when a user (bob@somewhere.org) posts to the list (my.mailinglist.com), the outbound message from the list server has the envelope sender set to "bob@somewhere.org". Our list server then relays the outgoing message to mail.gateway.com which then delivers it over the Internet. When the SMTP server at somewhere.org (or other domain) receives the post, it sees that it was sent by our relay, mail.gateway.com (13.14.15.16), which does not have its IP address on the SPF record for somewhere.org.

In the mail headers of the outbound post sent from mail.gateway.com, I have an SPF line which reads:

Received-SPF: SoftFail (mail.gateway.com: domain of
 transitioning bob@somewhere.org discourages use of 13.14.15.16 as
 permitted sender)

We have many users from many different domains sending mail to our list server. Asking every domain to include the mail.gateway.com IP in their SPF record seems ridiculous, but that's what I gather is one way to fix this.

The other fix involves probably using a different envelope sender. I'm not sure how this would affect "Reply" and "Reply to" functionality. Right now it seems a bit wonky; Reply and Reply-to both go to the mailing list which seems odd. I'm trying to figure out where that is configured.

Are there some other ways to work this out that I have missed? Thanks

HBruijn
Server Fault

3 Answers

4

As of 2017, the recommended and most used method used by the MX servers around the world (at least those who know SPF exists) is to use DMARC policies. Even under the most strict DMARC policy, a failed SPF is not a sufficient reason to fail/quarantine a message. You have also DKIM. If your users send DKIM-signed messages, they should be accepted even when not fulfilling SPF.

This is designed specifically to allow 3rd-party forwarders like you to function.

Just don't modify their body (maillist footer) or the signed headers (like "Subject" and others).

kubanczyk
0

You need to use an envelope sender that is under your control. So, if bob@somewhere.org is subscribed to yourlist@example.com, the return path of any mails posted to the list should look something like bounce+yourlist-XXXXX@example.com (just guessing after glancing at the Sympa docs). Anyway, the point is that the domain part should match the one of the mailing list. Check the headers of a list you are subscribed to, and see what the Return-Path: one is.

Once the Return-Path is correct, you can go about setting up the correct SPF record in the DNS for only the domain of your mailing list. From reading your question, it sounds like this part is already done and the outgoing relay mail.gateway.org is already SPF authorized for your domain, so this part should be fine.

Update:

You seem to be missing an SPF record for my.mailinglist.com (you only show one for mailinglist.com).

The mail.gateway.com: prefix in the warning implies that this warning was inserted by your upstream mail relay at mail.gateway.com. If you are using an upstream relay then there is no reason why they should be doing SPF checks for email coming from you. The reason for this failure is a question you should raise with their support.

chutz
  • Thanks. As I understand, this would affect how users reply directly to the sender of the message, correct? The current functionality: "Reply" goes only to the user, "Reply-all" goes to the list and the user. I've updated post to reflect my SPF record in DNS. example.com in your reply is actually `my.mailinglist.com` in my SPF record. My upstream MX is on a different domain `mail.gateway.com` – Server Fault Jan 04 '17 at 16:00
  • Added update2 to original post. I checked mail headers and the `Return-Path` is indeed set to a `list1-owner@my.mailinglist.com`. Does SPF check the `From` field as well? – Server Fault Jan 04 '17 at 16:19
  • RE: "no reason why they should be doing SPF checks for email coming from you": actually, `mail.gateway.com` is the MX for the mailinglist.com domain. The list server (`my.mailinglist.com`) has an internet routable DNS record which is a 1:1 NAT on the firewall. As far as I know, `mail.gateway.com` relays inbound/outbound mail for the list server. This is why SPF is set for `mail.gateway.com` -- all mail sent from `my.mailinglist.com` appears to come from the last hop, `mail.gateway.com`. Is this still suspect? – Server Fault Jan 06 '17 at 17:06
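Added example, not code from the question, this answer or Sympa: a small offline SPF evaluator over a constructed in-memory zone table. It reproduces both the mechanism described in the question (relay 13.14.15.16 sending with bob's domain as envelope sender gets SoftFail against somewhere.org's record) and the point of this answer (a Return-Path under the list's own domain only helps if that domain publishes a record; my.mailinglist.com is left without one here, so the result is "none"). Apart from the mailinglist.com record quoted in the question, all zone contents and IPs are constructed, and only the mechanisms that appear on the page (mx, ip4, include, all) are implemented.

```python
import ipaddress

# Constructed zone data (not real DNS). For each domain: its SPF TXT string and
# the IPs its MX hosts would resolve to, so "mx" can be evaluated offline.
ZONE = {
    "somewhere.org":   {"spf": "v=spf1 mx ~all", "mx_ips": {"203.0.113.25"}},
    "mailinglist.com": {"spf": "v=spf1 mx ptr include:gateway.com ?all",  # record from the question
                        "mx_ips": {"198.51.100.10"}},
    "gateway.com":     {"spf": "v=spf1 ip4:13.14.15.16 -all", "mx_ips": set()},
    # "my.mailinglist.com" is deliberately absent: the record this answer says is missing.
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, depth=0):
    """Evaluate domain's SPF record for a connection from client_ip.

    Returns pass/fail/softfail/neutral, or "none" when the domain publishes
    no record. Mechanisms are tried left to right; the first match wins,
    and its qualifier decides the result. "ptr" is skipped, as real
    evaluators are allowed to do, and unknown mechanisms are ignored.
    """
    if depth > 10 or domain not in ZONE:  # include-loop guard / no record
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in ZONE[domain]["spf"].split()[1:]:  # drop the "v=spf1" version tag
        qual = term[0] if term[0] in QUALIFIER else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            return QUALIFIER[qual]
        if name == "mx" and str(ip) in ZONE[domain]["mx_ips"]:
            return QUALIFIER[qual]
        if name == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIER[qual]
        # include: only a "pass" of the included domain counts as a match
        if name == "include" and check_spf(arg, client_ip, depth + 1) == "pass":
            return QUALIFIER[qual]
    return "neutral"  # record exhausted without a match and without "all"


def spf_for_envelope(return_path, client_ip):
    """SPF is checked against the envelope sender (Return-Path) domain, not From:."""
    return check_spf(return_path.rsplit("@", 1)[1], client_ip)


if __name__ == "__main__":
    print(spf_for_envelope("bob@somewhere.org", "13.14.15.16"))                # softfail
    print(spf_for_envelope("list1-owner@my.mailinglist.com", "13.14.15.16"))   # none
    print(spf_for_envelope("list1-owner@mailinglist.com", "13.14.15.16"))      # pass
```

The third call passes only through include:gateway.com, which is why the relay's IP must be covered by the record of whatever domain the list actually uses as its envelope sender.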
-1

You'll need to add a TXT entry to the DNS with the spf string. See http://www.openspf.org/FAQ/Examples

If you cannot edit the DNS records yourself, then you'll have to ask the DNS administrator to do it for you.

EDIT: If I understand your post correctly, you only need to add an SPF record to your mail server's DNS and your problem will go away.

Mike Waters