Hi,

> > I have a multi-instance postfix config and am trying to figure out why
> > Microsoft 365 is marking my email from the outbound instance as SPF
> > softfail.
>
> Because you're forwarding email received from an external domain,
> and it is *that* (envelope sender) domain's SPF records that count,
> not yours.

Oh yes, I also thought that may have been a possibility, thanks.

> > Authentication-Results: spf=softfail (sender IP is 209.222.90.109)
> > smtp.mailfrom=gmail.com; dkim=pass (signature was verified)
> > header.d=gmail.com;dmarc=pass action=none
> > header.from=gmail.com;compauth=pass
> > reason=100
>
> Unless you're "google.com", or "google.com" lists your IPs in its SPF
> records, SPF is *supposed* to fail. This is why DKIM was invented, it
> survives simple verbatim forwarding.

So signing my message as it leaves my server is the right approach, or are you referring to Gmail signing the mail as it's sent from their server originally?

This problem has apparently been all over the internet for years, so I don't think it's an unintentional bug by Microsoft.

https://answers.microsoft.com/en-us/msoffice/forum/all/routing-to-exchange-online-results-in-spf-softfail/367e14ac-a3ce-46a2-8949-ffbc8f66edc7

It doesn't look like the EHLO from my server is recorded anywhere in the email headers, but it does hit on SPF_HELO_NONE from spamassassin, apparently from Gmail:

Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=209.85.208.49; helo=mail-ed1-f49.google.com; envelope-from=mysqlstud...@gmail.com; receiver=<UNKNOWN>

Would $smtp_helo_name apply here? The postfix instance is processing mail for a number of domains, so if so, I'm unsure how I would set it other than the $myhostname default.

I've also added SPF records to each host to include itself ("v=spf1 a -all"). But is it even necessary, considering no mail actually originates on this server?
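
The Authentication-Results header quoted in this message can be read mechanically to see why the forwarded mail still gets dmarc=pass despite spf=softfail. The following is an added example, not part of the original thread; the function names are hypothetical, and the alignment check is a simplification (real DMARC implementations compare organizational domains using the Public Suffix List).

```python
import re

# Header value copied from the message above (Microsoft 365's verdict on the forwarded mail).
AUTH_RESULTS = (
    "spf=softfail (sender IP is 209.222.90.109) smtp.mailfrom=gmail.com; "
    "dkim=pass (signature was verified) header.d=gmail.com;"
    "dmarc=pass action=none header.from=gmail.com;compauth=pass reason=100"
)

def parse_auth_results(value):
    """Return {method: {"result": ..., property: value, ...}} per ';'-separated clause."""
    out = {}
    for clause in value.split(";"):
        clause = re.sub(r"\([^)]*\)", " ", clause).strip()  # drop (comments)
        if not clause:
            continue
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        out[method.lower()] = {"result": result.lower(), **props}
    return out

def aligned(auth_domain, from_domain):
    """Relaxed alignment, simplified (assumption): equal, or one is a subdomain of the other."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def dmarc_from_parts(res):
    """Recompute the DMARC verdict: it passes if SPF *or* DKIM passes with an aligned domain."""
    from_domain = res["dmarc"]["header.from"]
    spf_ok = (res["spf"]["result"] == "pass"
              and aligned(res["spf"]["smtp.mailfrom"], from_domain))
    dkim_ok = (res["dkim"]["result"] == "pass"
               and aligned(res["dkim"]["header.d"], from_domain))
    return {"spf_aligned_pass": spf_ok, "dkim_aligned_pass": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

if __name__ == "__main__":
    print(dmarc_from_parts(parse_auth_results(AUTH_RESULTS)))
    # Constructed variant: the same forwarded mail if the original DKIM signature did not verify.
    broken = AUTH_RESULTS.replace("dkim=pass", "dkim=fail")
    print(dmarc_from_parts(parse_auth_results(broken)))
```

The second call shows the case a forwarder has to avoid: if the message is modified in transit so the original signature no longer verifies, nothing aligned is left and the recomputed verdict is fail.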