Softfail in forwarded messages and delayed delivery
 

I've set my mail server to forward all incoming messages from certain user (my_name) to his Gmail account.

Certain sender, sender_name@sender_domain.com sends an email to my_name@my_domain.com

I've set my mail server my_mail_server.com(ip=nnn.nnn.nnn.nnn) to forward all incoming messages to a Gmail account myname@gmail.com

The problem is (despite local times) that the messages are delayed (42-18=24 minutes in this case) to deliver to Gmail inbox I don't know why.

Here's the message header I attached with highlights


> Delivered-To: myname@gmail.com
>
> Received: by 10.114.10.195 with SMTP id k3csp88470ldb;
> Mon, 12 Aug 2013 06:42:22 -0700 (PDT)
>
> X-Received: by 10.50.87.36 with SMTP id
> u4mr8103347igz.40.1376314941978;
> Mon, 12 Aug 2013 06:42:21 -0700 (PDT)
>
> Return-Path: <sender_name@sender_domain.com>
>
> Received: from my_mail_server.com ([nnn.nnn.nnn.nnn])
> by mx.google.com with ESMTP id im4si12630666icb.34.2013.08.12.06.42.20
> for <myname@gmail.com>;
> Mon, 12 Aug 2013 06:42:21 -0700 (PDT)
>
> Received-SPF: softfail (google.com: domain of transitioning
> sender_name@sender_domain.com does not designate nnn.nnn.nnn.nnn as
> permitted sender) client-ip=nnn.nnn.nnn.nnn;
>
> Authentication-Results: mx.google.com;
> spf=softfail (google.com: domain of transitioning sender_name@sender_domain.com does not designate nnn.nnn.nnn.nnn as
> permitted sender) smtp.mail=sender_name@sender_domain.com
>
> Received: by my_mail_server.com (Postfix) id E3D2360D8E14; Mon, 12
> Aug 2013 10:18:03 -0300 (UYT)
>
> Delivered-To: myname@my_mail_server.com
>
> Received: from dug.privatedns.com (dug.privatedns.com
> [209.172.41.128]) by my_mail_server.com (Postfix) with ESMTP id
> 75C5F60D8E13 for <my_name@my_domain.com>; Mon, 12 Aug 2013 10:18:03
> -0300 (UYT)
>
> X-ASG-Debug-ID: 1376313481-029b1e0e4e9deee0001-7hAX0y
>
> Received: from mailhost.sender_domain.com (mailhost.sender_domain.com
> [212.23.37.186]) by dug.privatedns.com with ESMTP id 7hgO0xgLOgEHf4es
> for <my_name@my_domain.com>; Mon, 12 Aug 2013 09:18:01 -0400 (EDT)
>
> X-Barracuda-Envelope-From: sender_name@sender_domain.com
>
> X-Barracuda-Apparent-Source-IP: 212.23.37.186

> Received: (from uucp@localhost)

Thank you

Highlighted version

The Google mail server checks the SPF records of the sender domain, and discovers that the sending server is not listed. It then delays the delivery of the message.

It seems everything is working as it should. Checking the SPF records is a Good Thing, and I'm actually a bit surprised that the message is just delayed rather than rejected.

If your mail server is going to be sending mails from a given domain, its IP address should be added to the SPF records for that domain.

Thanks Ser Olmy for your help.

This domain, my_domain.com, has this SPF record:
my_domain.com. IN TXT "v=spf1 ip4:nnn.nnnn.nnn.nnn a a:my_domain.com -all"
my_domain.com. IN MX 5 mace.privatedns.com

A summary of an authentication report from verifier.port25.com is
SPF check: pass
DomainKeys: neutral
DKIM check: pass
Sender-ID check: pass
Spamassassin check: ham

Occassionally I am getting some problems with Google Mail: first time a user receives a mail from my server it goes to spam folder.
The problem I described in my first post (the delay) appears after a month of forwarding mails to gmail.
Today I asked that sender to send me a test mail and no delay occurred.
Anyway, I checked the header and still the lines about softfail.
I can reproduce here the complete header if you think it would help.
Thank you,
M

And the highlighed IP address is the (external) IP address of your mail server? And it's the exact same IP address as in the Received-From header and the softfail error message?

Again, the highlighted IP addresses should a) be the same, and b) not be identical to the SPF data, if the error message is to be believed.
If the IP addresses in the SPF record and the softfail message are indeed the same, there's something very strange going on. The error message from Google is quite straightforward; it can't find the server IP in the SPF record for the sender domain. Perhaps the problem is related to a specific MTA at Google.

Have you considered adding a "true" SPF record (as defined by RFC 4408) to the DNS zone in addition to the existing TXT record?

Hi Ser Olmy,

Yes.
Yes. Every mention of nnn.nnn.nnn.nnn refers to my external IP

It is true that "sender_name@sender_domain.com does not designate nnn.nnn.nnn.nnn as permitted sender"
But I am not sending mails in name or him, I'm just forwarding a mail he sent to me.
I don't understand what's wrong with that.

I don't get the point b)
Please explain to me what a true spf means. I'm not very knowledgeable in these matters.
Thanks a lot.
M

I think you just identified the source of the problem. The Google server believes "sender_name@sender_domain.com" to be the From: address of the e-mail, while your intention was to forward a mail you received from that sender to a Gmail account. There could be something wrong with the format of the header or the mail body.

You should capture the entire SMTP transaction and look for malformed or misplaced headers. The culprit could be your mail client.
When SPF was first launched, the SPF data was put in TXT records in the domain zone. Since then, a dedicated DNS record type called "SPF" has been defined. Most mail servers check both. It is of no importance in this case, as the softfail error is not really related to SPF, as the wrong sender domain is being checked against SPF data.

Ser Olmy,

The forward configuration is not made from email client, it is set from server, Postfix.
I guess I have to ask Virtualmin folks for this problem because I use their control panel and I just checked a box "Forward to..."

Thanks a lot for your help
M