18 Jul 18:14
Re: SPF and Google Groups (sending on behalf of)
From: Frank Ellermann <hmdmhdfmhdjmzdtjmzdtzktdkztdjz <at> gmail.com>
Subject: Re: SPF and Google Groups (sending on behalf of)
Newsgroups: gmane.mail.spam.spf.help
Date: 2008-07-18 16:14:20 GMT
Subject: Re: SPF and Google Groups (sending on behalf of)
Newsgroups: gmane.mail.spam.spf.help
Date: 2008-07-18 16:14:20 GMT
John Kirkwood wrote: > Google Groups then sends a group email, marked > From: user <at> un.org, but sent using a Google mailserver. Based on your header shown below this is an 2822-From, the ordinary From header field. SPF does not operate on the mail header, it uses the mail envelope. IOW there's no problem, in theory... Back to reality: > The SPF record at un.org does not designate Google > as a permitted sender. Yes, that's as it should be... > My ISP blocks the email ...that's also as it should be IFF there is really an SPF FAIL. For that your ISP should look at the HELO and the MAIL FROM (not the 2822-From mentioned above), based on what you found that is: | Received-SPF: pass (googlegroups.com designates | 209.85.146.244 as a trusted SMTP server) That's an SPF PASS for the HELO wa-out-0708.google.com (you see that HELO name in the Received header field). | Received-SPF: fail (un.org does not designate | 209.85.146.244 as a permitted sender) *Apparently* an SPF FAIL for MAIL FROM user <at> un.org But actually there was *no* such MAIL FROM, it was: | Return-Path: <grbounce-kig5qauaaaaznpbi2wszj0atqg4i62pa= | jkirkwood=kclinfo.com <at> googlegroups.com> Line split by me. What your ISP should have checked was the SPF policy of googlegroups.com, *NOT* un.org. Googlegroups.com have the SPF policy: "v=spf1 redirect=_spf.google.com" Redirect to _spf.google.com, SPF policy: "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ?all" The ip4:209. (etc.) covers the sending IP, the result should have been SPF PASS. BTW, this policy never results in a FAIL, at worst it is NEUTRAL for ?all. Your ISP checked the wrong policy. One case where that can happen is if a receiver confuses SPF with Microsoft's Sender ID for the "PRA". But the "PRA" is simplified "take 2822-Sender if it is there". The mail had an 2822-Sender: Sender: geneva-web-group <at> googlegroups.com Again Googlegroups, they have no PRA policy, and if a receiver is confused they could misinterpret SPF, and then would get the same PASS as explained above. Executive summary, what your ISP checks is wrong. SPF does not work on the 2822-From, and Sender ID PRA also does not work on the 2822-From (if there is an 2822-Sender). Apparently something with their SPF software or mail setup is broken. Very badly broken. Get a full refund and fire your postmaster broken. Frank
RSS Feed