domain of transitioning a@b.c does not designate x.x.x.x as permitted sender

February 23, 2019 3.5k views
Email

I have a big problem with my email. I have created an info@mydomain.com email address and that is forwarded to my gmail address. On my other websites it works. But on this website Google doesn’t consider the mail safe. I get at the top that the mail wasn’t put in my spambox because of my settings.

When I look inside the mail headers I see:
Received-SPF: softfail (google.com: domain of transitioning mymail@gmail.com does not designate 82.196.3.125 as permitted sender) client-ip=82.196.3.125;

Somewhere on the Google sites it was recommended to add a DNS TXT record with the content
google-site-verification=7qqT-JntQAqTsUMCredTcdWyH1cu8AwaVMBWRawoYVc
But this doesn’t help.

Does anyone have ideas how I came in this swamp and I how I can get out of it.

1 Answer

Hey friend,

So there’s a long version and a short version. The short version I’ll give you first:

Forwarding email is a dead art. Google may as well have killed it, because everyone uses them. Yet, all of their actions are defensible. They did it for their customers. The complexity of forwarding email, for the average person, is simply not worth it. Just don’t forward email. If you have to, forward it to and from mail servers you control, don’t forward to Google, Yahoo, AOL, or any major email service.

Now I’ll give you the long version:

Part One:

You don’t want someone sending email that claims to be from you, impersonating you. If you’re a business this can be devastating if someone believes that an email came from you, when it contains information that is malicious (phishing, etc). The answer to this is Sender Policy Framework (SPF). A common SPF (DNS TXT) record might look like this:

“v=spf1 +a +mx +ip4:192.168.0.1 -all”

Now let’s assume my domain is domain.com. This tells recipient services that any email claiming to be from “domain.com” must come from one of these locations:

  1. The A record for domain.com
  2. The MX record for domain.com
  3. 192.168.0.1

The “-all” means:

“If you receive email claiming to be from domain.com and it doesn’t match one of the above 3, please do not deliver it.”

Now, you’re sending from mymail@gmail.com to an address on the server at IP 82.196.3.125. Then you’re forwarding it to Gmail. Gmail receives the email which claims to be from mymail@gmail.com but originates from IP 82.196.3.125. Well 82.196.3.125 isn’t allowed to send from gmail.com, because Google has an SPF record published:

“v=spf1 redirect=_spf.google.com”

Note they’re masking it but the real record is found at _spf.google.com:

“v=spf1 include:netblocks.google.com include:netblocks2.google.com include:_netblocks3.google.com ~all”

Nested under that you find 3 netblocks as A records which are the IPs that Google owns, the ones they allow to send for gmail.com.

So when they’re filtering this to spam, they’re actually being kind. They should probably not deliver it at all. Many other recipient services will not. This is what is considered spoofed email, there is no way to determine the difference between impersonating someone and forwarding email in the way that you are. You have to know someone’s intent, and you can’t program that without creating a loophole that allows the malicious intent to pass through the same as the non-malicious intent.

Now, there is a standard that addresses this. It’s called Sender Rewriting Scheme (SRS). You can read about it here: https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme

SRS is something that you implement, but there’s a catch. The recipient server doesn’t have to support it or care that you’re using it. Google is about 50/50 on it. They are more likely to accept email based on the use of SRS, but are still more likely to filter it as spam even if they would not filter that same email to spam if sent directly to the Gmail address that it had been forwarded to. They also do not use SRS themselves on forwarding, their support of it is very minimal.

Now, assuming you’ve mastered setting up SRS on your mail server for forwarding, you have another problem next. That’s where we get into the next part of this post.

Part Two:

Google’s spam filters are very powerful. If you send too much spam to their server from an IP or IP block, they will block you for up to several hours at a time. You will receive spam, you will forward it. They will filter mail as spam that you don’t think is spam. No matter what, you will send email to Google that they think is spam, even if you disagree. By simply receiving more email than they appreciate in a given time frame, your forwarder will suddenly stop working for hours at a time (or worse). So now you have to add a new layer on top of your forwarding setup:

  • You need to filter inbound email. Use something like SpamAssassin or rspamd. I prefer rspamd myself. You need to reduce the spam you receive.

  • You need to filter outbound email. I use rspamd for this as well. This means you need to take some of that email you receive and systematically decide not to forward it. This may involve false positives, you may not receive some of the email you intend to. If you tune it down to receive it, you may find yourself getting blocked as I described above. Because, again, even if you don’t consider it spam AND Google would deliver it to the inbox if sent directly to the Gmail address, they may still consider it spam just because it was forwarded, and that may count against your IP reputation.

Summary:

In summary, to reliably forward email you need three things:

  • SRS
  • Inbound filtering
  • Outbound filtering

Side note:

There is someone out there who will read this later and say “I forward email to Google without issues and I don’t do any of this.” I’ve met this person. If one out of a million get lucky, it isn’t hard to find that great number of people on the internet. Though statistically small, they still exist, and they have an experience to share. Regardless, their situation applies to the minority of people. Most of us receive more emails than they do, receive more spam than they do, and Google doesn’t like what we forward. I congratulate that person for today, but they will eventually learn what you have today, what I’ve been dealing with every day since late 2013. Email isn’t easy anymore for most of us, and that is because of the constant fight against spammers.

Hope that helps :)

Jarland

Have another answer? Share your knowledge.