Facebook
TwitterChrisMallabon
New Pleskian
TITLE:
Multiple Received-SPF Headers Added To Emails Sent To A Group Email Address
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:Plesk Onyx Version 17.5.3 Update #20
CentOS Linux 7.3.1611
PROBLEM DESCRIPTION:CentOS Linux 7.3.1611
After switching SPF checking mode from "Reject mail when SPF resolves to fail" to "Only create Received-SPF header" then back to "Reject", the SPF test starts added a Received-SPF header line for each member of a group email (forwarding to multiple addresses). Before doing that only one Received-SPF line was added. Appears to be testing SPF on internal emails from GROUP@DOMAIN.com to USER1@DOMAIN.com, USER2@DOMAIN.com, etc. which is unnecessary and causes emails to be blocked if user's email forwards to an external account.
STEPS TO REPRODUCE:Send email to an email address with multiple forwarding email addresses with SPF checking mode set to "Reject mail when SPF resolves to fail"
Verify email only has one Received-SPF header.
Change SPF checking mode to "Only create Received-SPF header", save then switch back to "Reject mail when SPF resolves to fail" and save
Send another email to group and check header to see extra Received-SPF headers.
ACTUAL RESULT:Verify email only has one Received-SPF header.
Change SPF checking mode to "Only create Received-SPF header", save then switch back to "Reject mail when SPF resolves to fail" and save
Send another email to group and check header to see extra Received-SPF headers.
SPF tests done in-between all internally forwarded email addresses with Received-SPF header for each email address in the group and for final user it was delivered to.
Sample header after temporarily switching to "Only create Received-SPF header":
Received: (qmail 3636 invoked by uid 30); 28 Aug 2017 16:52:10 -0500
Authentication-Results: domain.com;
spf=pass (sender IP is (null)) smtp.mailfrom=redacted@gmail.com smtp.helo=gmail.com
Received-SPF: pass (connection is authenticated)
Delivered-To: domain.com-USER_ADDRESS@domain.com
Received: (qmail 3596 invoked by uid 30); 28 Aug 2017 16:52:10 -0500
Received-SPF: pass (connection is authenticated)
Received-SPF: pass (connection is authenticated)
Received-SPF: pass (connection is authenticated)
Received-SPF: pass (connection is authenticated)
Received-SPF: pass (connection is authenticated)
Received-SPF: pass (connection is authenticated)
Delivered-To: domain.com-GROUP_ADDRESS@domain.com
Received: (qmail 3578 invoked from network); 28 Aug 2017 16:52:10 -0500
Received-SPF: pass (domain.com: domain of gmail.com designates 209.85.192.182 as permitted sender) client-ip=209.85.192.182; envelope-from=redacted@gmail.com; helo=mail-pf0-f182.google.com;
Received: from mail-pf0-f182.google.com (209.85.192.182)
by domain.com with SMTP; 28 Aug 2017 16:52:10 -0500
EXPECTED RESULT:Sample header after temporarily switching to "Only create Received-SPF header":
Received: (qmail 3636 invoked by uid 30); 28 Aug 2017 16:52:10 -0500
Authentication-Results: domain.com;
spf=pass (sender IP is (null)) smtp.mailfrom=redacted@gmail.com smtp.helo=gmail.com
Received-SPF: pass (connection is authenticated)
Delivered-To: domain.com-USER_ADDRESS@domain.com
Received: (qmail 3596 invoked by uid 30); 28 Aug 2017 16:52:10 -0500
Received-SPF: pass (connection is authenticated)
Received-SPF: pass (connection is authenticated)
Received-SPF: pass (connection is authenticated)
Received-SPF: pass (connection is authenticated)
Received-SPF: pass (connection is authenticated)
Received-SPF: pass (connection is authenticated)
Delivered-To: domain.com-GROUP_ADDRESS@domain.com
Received: (qmail 3578 invoked from network); 28 Aug 2017 16:52:10 -0500
Received-SPF: pass (domain.com: domain of gmail.com designates 209.85.192.182 as permitted sender) client-ip=209.85.192.182; envelope-from=redacted@gmail.com; helo=mail-pf0-f182.google.com;
Received: from mail-pf0-f182.google.com (209.85.192.182)
by domain.com with SMTP; 28 Aug 2017 16:52:10 -0500
Only one Received-SPF header before delivery to group email address.
Sample header from before temporarily switching to "Only create Received-SPF header":
Received: (qmail 11634 invoked by uid 30); 9 Aug 2017 14:12:01 -0500
Delivered-To: domain.com-USER_ADDRESS@domain.com
Received: (qmail 11578 invoked by uid 30); 9 Aug 2017 14:12:01 -0500
Delivered-To: domain.com-GROUP_ADDRESS@domain.com
Received: (qmail 11559 invoked from network); 9 Aug 2017 14:12:01 -0500
Authentication-Results: domain.com;
dmarc=pass (p=NONE sp=NONE) d=gmail.com; header.from=gmail.com;
dkim=pass header.i=redactedr@gmail.com;
dmarc=pass (p=NONE sp=NONE) d=gmail.com; header.from=gmail.com;
dkim=pass header.i=redacted@gmail.com;
spf=pass (sender IP is 209.85.214.49) smtp.mailfrom=redacted@gmail.com smtp.helo=mail-it0-f49.google.com
Received-SPF: pass (domain.com: domain of gmail.com designates 209.85.214.49 as permitted sender) client-ip=209.85.214.49; envelope-from=redacted@gmail.com; helo=mail-it0-f49.google.com;
Received: from mail-it0-f49.google.com (209.85.214.49)
by domain.com with SMTP; 9 Aug 2017 14:12:01 -0500
ANY ADDITIONAL INFORMATION:Sample header from before temporarily switching to "Only create Received-SPF header":
Received: (qmail 11634 invoked by uid 30); 9 Aug 2017 14:12:01 -0500
Delivered-To: domain.com-USER_ADDRESS@domain.com
Received: (qmail 11578 invoked by uid 30); 9 Aug 2017 14:12:01 -0500
Delivered-To: domain.com-GROUP_ADDRESS@domain.com
Received: (qmail 11559 invoked from network); 9 Aug 2017 14:12:01 -0500
Authentication-Results: domain.com;
dmarc=pass (p=NONE sp=NONE) d=gmail.com; header.from=gmail.com;
dkim=pass header.i=redactedr@gmail.com;
dmarc=pass (p=NONE sp=NONE) d=gmail.com; header.from=gmail.com;
dkim=pass header.i=redacted@gmail.com;
spf=pass (sender IP is 209.85.214.49) smtp.mailfrom=redacted@gmail.com smtp.helo=mail-it0-f49.google.com
Received-SPF: pass (domain.com: domain of gmail.com designates 209.85.214.49 as permitted sender) client-ip=209.85.214.49; envelope-from=redacted@gmail.com; helo=mail-it0-f49.google.com;
Received: from mail-it0-f49.google.com (209.85.214.49)
by domain.com with SMTP; 9 Aug 2017 14:12:01 -0500
Symptoms are similar to PPPM-5476 which is multiple DKIM keys when there are CC and/or BCC addresses. Per forum, PPPM-5476 is fixed in 17.8 Preview 4 so there's a chance it has been fixed in latest preview.
In our setup, most users have their company email forwarded to their personal email. Some major email providers block the emails due to too many Received headers.
Unsuccessfully attempted to fix by turning SPF off then on again with different settings to see if it would clear out additional checks. Switching to the headers only seems to either have added unnecessary SPF tests or permanently changed the header notifications to be more verbose.
We currently are unable to use SPF and therefore also unable to use DMARC. A work around or fix in next update would be greatly appreciated.
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:In our setup, most users have their company email forwarded to their personal email. Some major email providers block the emails due to too many Received headers.
Unsuccessfully attempted to fix by turning SPF off then on again with different settings to see if it would clear out additional checks. Switching to the headers only seems to either have added unnecessary SPF tests or permanently changed the header notifications to be more verbose.
We currently are unable to use SPF and therefore also unable to use DMARC. A work around or fix in next update would be greatly appreciated.
Help with sorting out
