Hi, I have a multi-instance postfix config and am trying to figure out why Microsoft 365 is marking my email from the outbound instance as SPF softfail.
I am trying to send mail from my gmail account to the multi-instance postfix system through to my Microsoft 365 account, where I've set up mail filters to accept mail from all postfix instances without blocking or filtering.

All IPs involved are listed in the SPF record for the domain:

example.org. 978 IN TXT "v=spf1 ip4:209.222.90.0/24 include:spf.protection.outlook.com -all"

There are two MX records set for this domain - relay1.example.com (209.222.90.118) and relay2.example.com (209.222.90.113).

I believe the problem is that mail is leaving through the postfix-out instance (209.222.90.109), and although all IPs are listed in the SPF record, it appears Microsoft doesn't like that it's not being sent from the same IP as it was received?

I suppose my question is why is SPF failing when the sending IP is included in the SPF record? Should I be thinking about a postfix config change here, or is this inherent to SPF?

I've also set up DKIM and it is correctly signing the outgoing message, it appears.

I believe this is the relevant info from the mail headers after it's received on my Microsoft 365 account:

Received: from MW2NAM12FT043.eop-nam12.prod.protection.outlook.com
 (2603:10b6:300:81:cafe::10) by MWHPR14CA0068.outlook.office365.com
 (2603:10b6:300:81::30) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4951.12 via Frontend
 Transport; Fri, 4 Feb 2022 18:18:44 +0000
Authentication-Results: spf=softfail (sender IP is 209.222.90.109)
 smtp.mailfrom=gmail.com; dkim=pass (signature was verified)
 header.d=gmail.com;dmarc=pass action=none
 header.from=gmail.com;compauth=pass reason=100
Received-SPF: SoftFail (protection.outlook.com: domain of transitioning
 gmail.com discourages use of 209.222.90.109 as permitted sender)
Received: from armor.example.com (209.222.90.109) by
 MW2NAM12FT043.mail.protection.outlook.com (10.13.180.195) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.4975.5 via Frontend Transport; Fri, 4 Feb 2022 18:18:43 +0000
Received: from localhost (localhost [127.0.0.1])
 by armor.example.com (Postfix) with ESMTP id AAF593A448A;
 Fri, 4 Feb 2022 13:18:42 -0500 (EST)
Authentication-Results-Original: armor.example.com (amavisd-new); dkim=pass
 (2048-bit key) header.d=gmail.com
Received: from iceman.example.com ([209.222.90.113])
 by localhost (armor.example.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id oQI7eXvdPtSt; Fri, 4 Feb 2022 13:18:39 -0500 (EST)
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=209.85.218.50;
 helo=mail-ej1-f50.google.com; envelope-from=exam...@gmail.com;
 receiver=<UNKNOWN>
X-Greylist: whitelisted by SQLgrey-1.8.0
Received: from mail-ej1-f50.google.com (mail-ej1-f50.google.com [209.85.218.50])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
 (No client certificate requested)
 by iceman.example.com (Postfix) with ESMTPS id D5356600025CF
 for <jre...@example.org>; Fri, 4 Feb 2022 13:18:39 -0500 (EST)
Received: by mail-ej1-f50.google.com with SMTP id j2so21487350ejk.6
 for <jre...@example.org>; Fri, 04 Feb 2022 10:18:39 -0800 (PST)
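
An added example, not part of the original post: it reads the Authentication-Results header quoted in the post above and reports which domain's SPF policy Microsoft 365 evaluated (SPF is checked against the envelope sender domain, shown as smtp.mailfrom), next to whether the sending IP appears in the example.org record. The header text and SPF record are copied from the post; the function names are illustrative, and include: mechanisms are not resolved because the script makes no DNS queries.

```python
import ipaddress
import re

# Values copied from the post above.
AUTH_RESULTS = (
    "spf=softfail (sender IP is 209.222.90.109) smtp.mailfrom=gmail.com; "
    "dkim=pass (signature was verified) header.d=gmail.com;"
    "dmarc=pass action=none header.from=gmail.com;compauth=pass reason=100"
)
LOCAL_DOMAIN = "example.org"
LOCAL_SPF = "v=spf1 ip4:209.222.90.0/24 include:spf.protection.outlook.com -all"


def parse_spf_result(header):
    """Return (result, sender_ip, mailfrom_domain) from an Authentication-Results value."""
    m = re.search(
        r"\bspf=(\w+)\s*\(sender IP is ([0-9a-fA-F.:]+)\)\s*smtp\.mailfrom=([^;\s]+)",
        header,
    )
    if not m:
        raise ValueError("no spf result in header")
    result, ip, mailfrom = m.groups()
    # smtp.mailfrom may be a full address or a bare domain; keep the domain part.
    domain = mailfrom.rsplit("@", 1)[-1].lower()
    return result.lower(), ipaddress.ip_address(ip), domain


def ip4_networks(spf_record):
    """Networks from pass-qualified ip4: mechanisms; include: is not followed."""
    nets = []
    for term in spf_record.split()[1:]:  # skip the "v=spf1" version tag
        if term.lstrip("+").lower().startswith("ip4:"):
            nets.append(ipaddress.ip_network(term.split(":", 1)[1], strict=False))
    return nets


def explain(header, local_domain, local_spf):
    """Compare the domain SPF was evaluated for with the locally published record."""
    result, ip, checked_domain = parse_spf_result(header)
    return {
        "spf_result": result,
        "sender_ip": str(ip),
        "domain_checked": checked_domain,
        "ip_in_local_record": any(ip in net for net in ip4_networks(local_spf)),
        "local_record_consulted": checked_domain == local_domain.lower(),
    }


if __name__ == "__main__":
    for key, value in explain(AUTH_RESULTS, LOCAL_DOMAIN, LOCAL_SPF).items():
        print(f"{key}: {value}")
```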