When an email is delivered to a mailbox that has forwarding set up, and the sender's domain has an SPF record, the forwarded email can be rejected due to an SPF hardfail.
The sender may receive an error message like this:
Remote host said: 550 5.7.1 Sender Policy Framework of `***' domain denied your IP address.
The Sender Policy Framework (SPF) was designed to prevent spammers from abusing a domain in the sender's email address. SPF records are often set by banks etc. In practice, the domain owner publishes an SPF record (a TXT record) for their domain. This record lists the IPs that are allowed to send emails from the domain (e.g. messages from the domain cnb.cz can be sent from IPs 18.104.22.168 to 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206 and 220.127.116.11):
cnb.cz. IN TXT "v=spf1 mx ip4:18.104.22.168/27 ip4:22.214.171.124 ip4:126.96.36.199 ip4:188.8.131.52/31 -all"
The target mail server can check whether the sending IP is allowed by the relevant SPF record. If the message comes from an allowed IP, it is accepted. Otherwise, it is rejected. E.g. if an email from the address email@example.com comes from the IP 184.108.40.206, it is delivered.
If the email is delivered to a mailbox where forwarding of all emails is set, it can be rejected by the mail servers of the forwarding target address. The message is forwarded with the same MAIL FROM and RCPT TO parameters. This means the email now comes from the same email address but from a different IP.
If an email is sent from the address firstname.lastname@example.org from the IP 220.127.116.11 to a mailbox on the server mxavas.forpsi.com, it is delivered. If this email is then forwarded to e.g. a mailbox on seznam.cz, it is sent from the same email address email@example.com, but from the IP 18.104.22.168. This IP is not allowed in the SPF record of the domain cnb.cz, so the forwarded email is rejected and the sender firstname.lastname@example.org gets an error message.
The SPF record of a domain can be checked with the nslookup tool by querying the domain's TXT record.
Domain owners set SPF records for security reasons (banks etc.).
1. For emails sent from domains that use SPF records (banks, institutions...), use recipient email addresses where no forwarding is set.
2. Remove forwarding and use filter instead:
Click on the tab Options at the top menu.
If there is no such item in the menu (usually on lower-resolution monitors or because of the small size of the browser window), click the tab Other.
In the left main menu, click on the Account(@) icon and choose Forward / Auto reply. Tick off the choice Forward to and click on the OK button.
Click on the tab Messages at the top menu.
Click on Filters in the left menu and then click on + in the submenu to add a new filter.
Set the new filter as you see in the picture below and save it.
Note: Our mail server mxavas.forpsi.com also checks SPF records. This means that this article also concerns emails that are forwarded from another mail server to mxavas.forpsi.com or that are sent from IPs which are not allowed in the SPF record (SMTP server of an Internet Service Provider etc.).
Note: If your mailbox is set to forward received messages to any of these domains: seznam.cz, email.cz, post.cz, spoluzaci.cz, stream.cz, firmy.cz, centrum.cz, volny.cz and atlas.cz, the forwarding might not work properly because of the SPF record setting. Please use filters instead of forwarding as described above.