The Sender Policy Framework (SPF) system was designed to detect forged sender (email spoofing) in spam or phishing messages. SPF records are usually being set by the banks, government institutions...
, etc. SPF records provides a list of hosts and IPs addresses authorized to send messages for the given domain (eg. messages from the domain cnb.cz can be sent from IPs 193.179.126.192 to 193.179.126.223, 193.85.3.245, 193.85.3.246, 195.70.130.226 and 195.70.130.227):
cnb.cz. IN TXT "v=spf1 mx ip4:193.179.126.192/27 ip4:193.85.3.245 ip4:193.85.3.246 ip4:195.70.130.226/31 -all"
Receiver (target mailserver) can check, if the outgoing IP is allowed by the SPF record of the sender's domain. The message is accepted if is sent from the allowed IP, otherwise is rejected. For example the email with sender admin@cnb.cz received from the IP 193.179.126.200 will be accepted by recipient's mailserver.
SPF records breaks plain message forwarding. The forwarded message has changed the envelope recipient, but the envelope sender stays unchanged. Because the message contains the original envelope sender's address (MAIL FROM), email comes from the same email address but the server has another IP. Now the IP address of the forwarding email server is not included within the SPF record. For this reason the message could be rejected by the target mailserver.
The email sent from the email address admin@cnb.cz by the server with IP 193.179.126.200 will be delivered into the mailbox on the server mxavas.forpsi.com. If the mailserver mxavas.forpsi.com forwards the email to the mailbox on mailserver seznam.cz, the sender stays admin@cnb.cz, but the message is sent from the IP 81.2.195.200. This IP is not allowed by the SPF record of the domain cnb.cz. For this reason is the forwarded message rejected. An error message is delivered to the original sender - admin@cnb.cz.
SPF record of the domain can be checked with the nslookup command. Just set the query to be TXT.
1. Use the email addresses where no forwarding is set as recipient of emails sent from domains with SPF (banks, government institutions...)
2. Activate changing of envelope sender for the mailbox
Login to the
webmail as common user (the feature is not available in the
Administration).
In order to access forwarding, click on the tab Options at the top menu.
If there is no such item in the menu (usually at lower resolution monitors or because of small size of the browser window), click the tab Other.
Select Forward / Auto-Reply in the left menu.
Check the option Change the Envelope-Sender in the section Forward to and then click on the button OK.
3. Remove forwarding and use the filter instead
Login to the
webmail.forpsi.com the same way as in the previous step and access in the left menu an item
Forward / Auto-Reply.
Uncheck the checkbox Forward to and click on the button OK.
Now click on the tab Messages in the top menu and choose the item Filters. menu and than click on + in the submenu to add a new filter.
Set the new filter, as you see on the picture bellow and save it.