Re: SPF and Google Groups (sending on behalf of)

On Fri, Jul 18, 2008 at 05:17:35PM +0200, John Kirkwood wrote:

> user <at> un.org posts a message to the email list server
> geneva-web-group <at> googlegroups.
> Google Groups then sends a group email, marked From: user <at> un.org, but sent
> using a Google mailserver.

and, important, using "Sender: geneva-web-group <at> googlegroups.com".

> The SPF record at un.org does not designate Google as a permitted sender.

no problem. The sender is googlegroups.com

> My ISP blocks the email (dotster.com / mail3.dotsterhost.com - quite strict
> on RFC and SPF imperfections, for example will <fail> on an invalid SPF
> record).
> 
>  Received-SPF: pass (googlegroups.com designates 209.85.146.244 as a trusted
> SMTP server)
>  Received-SPF: fail (un.org does not designate 209.85.146.244 as a permitted
> sender)
> 
> Any ideas? (Full headers of sent mail below - with sender's name changed -
> email retrieved from a Death2Spam mail relay server).

Real true SPF will only look at 'mail from' in the SMTP transaction. This is
visible as the return path in the message's headers.

SPF-by-microsoft abuses SPF records and pretends they're SenderID records.
Instead of rejecting in the SMTP session before any data is sent, it will
look at the headers of a message.

I believe that, if 'Sender: ' is present, it overrides 'From: ', so google
has even overcome the problem introduced by microsoft.

>  Received-SPF: pass (googlegroups.com designates 209.85.146.244 as a trusted
> SMTP server)
>  Received-SPF: fail (un.org does not designate 209.85.146.244 as a permitted
> sender)

And where does it find un.org?

>  X-Sender: user <at> un.org

If microsoft's protocol states that X-Sender is more important than Sender,
then your ISP does the right thing.  Else it does not.

Either way: this does not, IMHO, belong on this list. This is SPF help, not
microsoft help.  Try contacting microsoft for clarification on their protocols.

HTH
Alex
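
[Added example, not part of the original message.] The sketch below contrasts the two identities discussed in the reply above: the MAIL FROM domain that classic SPF checks (read from Return-Path) and the header-derived address that Sender ID checks, using a simplified form of the RFC 4407 PRA selection order. The sample message is constructed, its Return-Path address is an assumption, and the function names are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the thread; the Return-Path value is assumed.
RAW = """\
Return-Path: <geneva-web-group+bounces@googlegroups.com>
Sender: geneva-web-group@googlegroups.com
X-Sender: user@un.org
From: User <user@un.org>
To: geneva-web-group@googlegroups.com
Subject: test

body
"""
MSG = message_from_string(RAW)

# RFC 4407 header preference order. Simplified: the RFC's handling of
# Received/Return-Path lines between Resent-* headers and of duplicate
# Sender/From headers (malformed message) is not modelled here.
PRA_ORDER = ("Resent-Sender", "Resent-From", "Sender", "From")


def domain_of(header_value):
    """Lower-cased domain of the first address in a header value, or None."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else None


def spf_identity(msg):
    """Domain of the envelope sender as recorded in Return-Path."""
    return domain_of(msg.get("Return-Path"))


def pra_identity(msg):
    """(header name, domain) of the first non-empty header in PRA_ORDER."""
    for name in PRA_ORDER:
        values = [v for v in msg.get_all(name, []) if v.strip()]
        if values:
            return name, domain_of(values[0])
    return None, None


def headers_naming(msg, domain):
    """Names of headers whose first address is in `domain`, in message order."""
    return [name for name, value in msg.items() if domain_of(value) == domain]


if __name__ == "__main__":
    print("SPF (MAIL FROM) domain:", spf_identity(MSG))
    print("Sender ID PRA:", pra_identity(MSG))
    print("Headers naming un.org:", headers_naming(MSG, "un.org"))
```

For this sample both identities resolve to googlegroups.com; un.org appears only in From and X-Sender, and X-Sender is not in the PRA order.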

