Greetings,
* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> Daniel Gustafsson <daniel@yesql.se> writes:
> >> On 3 Jul 2023, at 15:05, hubert depesz lubaczewski <depesz@depesz.com> wrote:
> >> forwarding error mail that I'm getting when
> >> I'm sending to pgsql-bugs.
>
> > This is fairly common, IIUC GMail believes that the list sending email as you
> > is violating the SPF configuration for @depesz.com.
>
> I get similar gripes on a routine basis from diogojoliveira and some
> other addresses. As near as I can tell, the actual problem is that
> these people have arranged to forward list mail from their subscribed
> account to gmail, and the forwarding is being done in a way that
> makes it have the original sender's envelope FROM (... not the
> list's envelope FROM, nor the forwarding person's). But it's visibly
> coming from the forwarding machine. If there's a hard SPF policy for
> the envelope sender's domain, kaboom!
There's certainly up-sides and down-sides to rewriting FROM and From
lines. Generally speaking, the kind of forwarding that doesn't change
the email at all works pretty well and is exactly what the mailing lists
do and is what gmail recommends when forwarding to them, because it
doesn't end up breaking DKIM. The issue is that when the emails aren't
DKIM signed then there's no way to verify that they haven't been changed
by the forwarder and when there's an SPF rule saying to bounce those
emails, that's what happens.
It's also possible to set up ARC on the forwarder to provide assurance
that the forwarder validated the email when it arrived and to claim that
to the end system, but that only works if the end system trusts the
forwarding system and that doesn't tend to happen across organizations
(gmail may trust its own ARC signatures and so email that goes from a
random system to gmail and which gmail validates and then forwards on
while adding their ARC signature but breaking DKIM can be accepted by
gmail still, but my own efforts to get gmail to accept my ARC signatures
has gone exactly nowhere).
I've also looked into trying to not send bounces when this happens but
unfortunately there doesn't seem to be an easy way to make that happen
except to disable bounce reports from being generated at all, which
would be far worse.
For better or worse, these days if you care about delivery and avoiding
bounces, you pretty much have to be doing SPF+DKIM+DMARC with all the
annoyence that entails. If you don't care much about delivery then
you can expect to get such bounces.
Thanks,
Stephen