I configured hardfail SPF for my domain and DKIM message signing on my SMTP server. Since this is the only SMTP server that should be used for outgoing mail from my domain, I didn't foresee any complications.
However, consider the following situation: I sent an e-mail message via my SMTP server to my colleague's university e-mail. The problem is that my colleague forwards his university e-mail to his GMail account. These are the headers
of the message after it reaches his GMail mailbox:
Received-SPF: fail (google.com: domain
of [email protected] does not designate 192.168.128.100 as permitted sender) client-ip=192.168.128.100;
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain
of [email protected] does not designate 192.168.128.100 as permitted sender)
[email protected]; dkim=hardfail (test mode)
[email protected]
(Headers have been sanitized to protect the domains and IP addresses
of the non-Google parties)
GMail checks the last SMTP server in the delivery
chain against my SPF and DKIM records (rightfully so). Since the last STMP server in the delivery
chain was the university's server and not my server, the check results in an SPF hardfail and DKIM failure. Fortunately, GMail did not mark the message as spam but I'm concerned that this might cause a problem in the future.
Is my implementation
of SPF hardfail perhaps too strict? Any other recommendations or potential issues that I should be aware of? Or maybe there is a more ideal configuration for the university's e-mail forwarding procedure? I know that the forwarding server could possibly change the envelope sender but I see that getting messy.
