SPF records and forwarded messages

When an email is delivered into the mailbox where forwarding of emails is set and the domain of sender has set SPF record, the forwarded email can be rejected due to the SPF hardfail.
 
The sender can get such message error:
 Remote host said: 550 5.7.1 Sender Policy Framework of `***' domain denied your IP address.

The Sender Policy Framework (SPF) system was designed to prevent abuse of domain in sender's email address of spams. SPF records are often set by banks etc.  In practice, the owner sets the SPF record (TXT record) for their domain. This record contains information about IPs which are allowed to send emails from their domain (eg. messages from the domain cnb.cz can be sent from IPs 193.179.126.192 to 193.179.126.223, 193.85.3.245, 193.85.3.246, 195.70.130.226 and 195.70.130.227):
cnb.cz.   IN   TXT   "v=spf1 mx ip4:193.179.126.192/27 ip4:193.85.3.245 ip4:193.85.3.246 ip4:195.70.130.226/31 -all"

Target mailserver can check, if the outgoing IP is allowed in the relative SPF record. If the message comes from allowed IP, it is accepted. Otherwise, it is rejected. Eg. if the email from the email address admin@cnb.cz comes from the IP 193.179.126.200, it is delivered.

If the email is delivered to the mailbox where forwarding of all emails is set, this email can be rejected with mailservers of the target email address of forwarding. The message is forwarded with the same parameters MAIL FROM and RCPT TO. It means, now the email comes from the same email address but from another IP.

If the email is sent from the email address admin@cnb.cz from the IP 193.179.126.200 to the mailbox on the server mxavas.forpsi.com, this email is delivered. If this email is forwarded to eg. a mailbox on seznam.cz, it is sent from the same email address admin@cnb.cz, but from the IP 81.2.195.200. This IP is not allowed in the SPF record of the domain cnb.cz, so, the forwarded email is rejected and the sender admin@cnb.cz gets an error message.

SPF record of the domain can be checked wit the nslookup tool. It is needed to run the query to the TXT record.

The owners of domains set SPF records from safety reason (banks etc.). The issue of the SPF record and forwarded messages can be solved these ways:
 
1. Use email addresses where no forwarding is set as recipient of emails being sent from domains where SPF record is used (banks, institutions...)
 
2. Remove forwording and use filter instead:
 
Click on the tab Options at the top menu.
main menu
If there is no such item in the menu (usually at lower resolution monitors or because of small size of the browser window), click the tab Other.
main menu low resolution
In the left main menu, click on the Account(@) icon and choose Forward / Auto reply. Tick off the choice Forward to and click on the OK button.
Click on the tab Messages at the top menu.
Click on Filters in the left menu and than cilck on + in the submenu to add a new filter.
Set the new filter, as you see on the picture bellow and save it.

Forwarding email using filter

 

Note: Our mailserver mxavas.forpsi.com also checks SPF records. It means, this article concerns also emails, that are forwarded from another mailserver to mxavas.forpsi.com or that are sent from IPs which are not allowed in SPF record (smtp server of Internet Service Provider etc.).

Note: If you have on your mailbox set forwarding of received messages to some of these domains: seznam.cz, email.cz, post.cz, spoluzaci.cz, stream.cz, firmy.cz, centrum.cz, volny.cz and atlas.cz, the forwarding might not work properly because of the SPF record setting. Please use filters instead of forwarding as described above.