I have mail that comes from our in-house Jira which goes from the Jira instance on 192.168.7.25 to a local postfix instance. This instance forwards all mail to a public facing postfix using a public IP provided by the firewall via NAT, 74.92.149.60, which ultimately delivers the mail to gmail. The IP of the public facing postfix is 199.83.96.14 and that is listed within our SPF record.
Google is claiming the messages are unauthenticated, with this:

Authentication-Results: mx.google.com;
        spf=softfail (google.com: domain of transitioning y...@kcilink.com does not designate 74.92.149.60 as permitted sender) smtp.mailfrom= y...@kcilink.com

Even though clearly it is receiving the message from the server at 199.83.96.14:

Received: from lorax.kcilink.com (lorax.kcilink.com. [199.83.96.14])
        by mx.google.com with ESMTPS id r63si41213060qkb.179.2017.01.06.15.29.00
        for <x...@kcilink.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 06 Jan 2017 15:29:00 -0800 (PST)
Received-SPF: softfail (google.com: domain of transitioning y...@kcilink.com does not designate 74.92.149.60 as permitted sender) client-ip=74.92.149.60;
Authentication-Results: mx.google.com;
        spf=softfail (google.com: domain of transitioning y...@kcilink.com does not designate 74.92.149.60 as permitted sender) smtp.mailfrom= y...@kcilink.com
Received: from projects.int.kcilink.com ( 74-92-149-60.static.comcast.kcilink.com [74.92.149.60])
        by lorax.kcilink.com (Postfix) with ESMTP id 440A219BF30
        for <x...@kcilink.com>; Fri, 6 Jan 2017 18:29:00 -0500 (EST)
Received: from projects.int.kcilink.com (projects.int.kcilink.com [192.168.7.25])
        by projects.int.kcilink.com (Postfix) with ESMTP id 28A6C2B2BF
        for <x...@kcilink.com>; Fri, 6 Jan 2017 18:29:00 -0500 (EST)

Curiously, only sometimes does the gmail interface show the big red "unauthenticated" question mark, even though every message I examine has this same soft fail.

Why would gmail be checking the next-hop IP? It is part of my internal infrastructure even though it has a routable IP. Am I misunderstanding something of how this should be configured? Am I supposed to list all intermediate IPs in my SPF too? I don't see that recommended anywhere.
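A diagnostic for the header chain quoted in the post above, added here as an example and not part of the original message: it unfolds the headers, lists each Received hop's peer IP, and reports which hop matches the client-ip recorded in Received-SPF. The header text is trimmed from the post, and the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample: the header chain from the post, trimmed to the fields used here.
RAW = """\
Received: from lorax.kcilink.com (lorax.kcilink.com. [199.83.96.14])
 by mx.google.com with ESMTPS; Fri, 06 Jan 2017 15:29:00 -0800 (PST)
Received-SPF: softfail (google.com: domain of transitioning y...@kcilink.com
 does not designate 74.92.149.60 as permitted sender) client-ip=74.92.149.60;
Received: from projects.int.kcilink.com (74-92-149-60.static.comcast.kcilink.com [74.92.149.60])
 by lorax.kcilink.com (Postfix) with ESMTP id 440A219BF30; Fri, 6 Jan 2017 18:29:00 -0500 (EST)
Received: from projects.int.kcilink.com (projects.int.kcilink.com [192.168.7.25])
 by projects.int.kcilink.com (Postfix) with ESMTP id 28A6C2B2BF; Fri, 6 Jan 2017 18:29:00 -0500 (EST)
"""

def unfold(raw):
    """Join folded continuation lines; return [name, value] pairs in header order."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1][1] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append([name.strip().lower(), value.strip()])
    return fields

def received_hops(fields):
    """Newest-first list of (peer_ip, receiving_host) taken from Received headers."""
    hops = []
    for name, value in fields:
        if name == "received":
            ip = re.search(r"\[([0-9a-fA-F.:]+)\]", value)
            by = re.search(r"\bby\s+(\S+)", value)
            if ip and by:
                hops.append((ipaddress.ip_address(ip.group(1)), by.group(1)))
    return hops

def spf_checked_hop(raw):
    """Return (hop_index, client_ip); index 0 is the peer that connected to the final receiver."""
    fields = unfold(raw)
    spf = next(v for n, v in fields if n == "received-spf")
    client = ipaddress.ip_address(re.search(r"client-ip=([0-9a-fA-F.:]+)", spf).group(1))
    for i, (ip, _by) in enumerate(received_hops(fields)):
        if ip == client:
            return i, client
    return None, client

if __name__ == "__main__":
    print(spf_checked_hop(RAW))
```

On the sample, the SPF client-ip matches hop 1 (the peer seen by lorax.kcilink.com), not hop 0 (the peer seen by mx.google.com).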