SPF passes or fails depending on the recipient address
I have set up Postfix with Dovecot on Ubuntu 13.10. I send emails via a Node application (using email-templates).
If I send an email from noreply@mydomain.com to myaccount@gmail.com (email 1), the SPF record passes.
If I send an email from noreply@mydomain.com to support@mydomain.com (email 2), the SPF record fails.
My SPF record:
v=spf1 a mx ~all
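I tried a variant that specifies the IP, but I get the same pass/softfail for emails 1 and 2.
I have linked my @mydomain.com email to Gmail, so I can read the messages from there and check Gmail's headers.
Here is the header of email 1, which passes: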
Delivered-To: myaccount@gmail.com
Received: by 10.220.131.9 with SMTP id v9csp9729vcs;
        Thu, 3 Apr 2014 02:07:44 -0700 (PDT)
X-Received: by 10.204.243.137 with SMTP id lm9mr3945288bkb.33.1396516062351;
        Thu, 03 Apr 2014 02:07:42 -0700 (PDT)
Return-Path: <noreply@mydomain.com>
Received: from mydomain.com (mydomain.com. [81.4.107.88])
        by mx.google.com with ESMTPS id de1si2116722bkc.265.2014.04.03.02.07.41
        for <myaccount@gmail.com>
        (version=TLSv1.1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
        Thu, 03 Apr 2014 02:07:41 -0700 (PDT)
Received-SPF: pass (google.com: domain of noreply@mydomain.com designates 81.4.107.88 as permitted sender) client-ip=81.4.107.88;
Authentication-Results: mx.google.com;
        spf=pass (google.com: domain of noreply@mydomain.com designates 81.4.107.88 as permitted sender) smtp.mail=noreply@mydomain.com
Received: from [127.0.0.1] (mydomain [127.0.0.1])
        (Authenticated sender: username)
        by mydomain.com (Postfix) with ESMTPA id 2FE0730A095F
        for <myaccount@gmail.com>; Thu, 3 Apr 2014 05:07:41 -0400 (EDT)
X-Mailer: Nodemailer (0.6.1; +http://github.com/andris9/nodemailer; smtp/0.3.23)
Date: Thu, 03 Apr 2014 09:07:41 GMT
Message-Id: <688fb886bd83cff1bb5e299cb01e69@mydomain.com>
From: noreply@mydomain.com
To: myaccount@gmail.com
Subject: Welcome to mydomain
Here is the header of email 2, which fails:
Delivered-To: myaccount@gmail.com
Received: by 10.220.131.9 with SMTP id v9csp9756vcs;
        Thu, 3 Apr 2014 02:08:20 -0700 (PDT)
X-Received: by 10.220.103.141 with SMTP id k13mr2007429vco.25.1396516099631;
        Thu, 03 Apr 2014 02:08:19 -0700 (PDT)
Authentication-Results: mx.google.com;
        spf=softfail (google.com: best guess record for domain of transitioning noreply@mydomain.com does not designate <unknown> as permitted sender) smtp.mail=noreply@mydomain.com
Received-SPF: softfail (google.com: best guess record for domain of transitioning noreply@mydomain.com does not designate <unknown> as permitted sender)
Received: by 10.220.241.77 with POP3 id ld13mf1851813vcb.12;
        Thu, 03 Apr 2014 02:08:19 -0700 (PDT)
X-Gmail-Fetch-Info: support@mydomain.com 3 mail.mydomain.com 110 support
Return-Path: <noreply@mydomain.com>
X-Original-To: support@mydomain.com
Delivered-To: support@mydomain.com
Received: from [127.0.0.1] (mydomain [127.0.0.1])
        (Authenticated sender: username)
        by mydomain.com (Postfix) with ESMTPA id 2DF0730A095E
        for <support@mydomain.com>; Thu, 3 Apr 2014 05:07:41 -0400 (EDT)
X-Mailer: Nodemailer (0.6.1; +http://github.com/andris9/nodemailer; smtp/0.3.23)
Date: Thu, 03 Apr 2014 09:07:41 GMT
Message-Id: <732468ffa47870963332c0e2dcebf3@mydomain.com>
From: noreply@mydomain.com
To: support@mydomain.com
Subject: New user signed-up
Content-Type: multipart/alternative;
        boundary="----Nodemailer-0.6.1-?=_1-1396516061189"
MIME-Version: 1.0
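I don't think the problem is in the node.js code that sends the emails, because both use the same transport and login. Here is a simplified but still long version of the code: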
var path = require('path');
var nodemailer = require('nodemailer');          // Nodemailer 0.x API
var emailTemplates = require('email-templates');
// Assumed location of the templates directory; adjust to the real path.
var templatesDir = path.join(__dirname, 'templates');

var transport = nodemailer.createTransport("SMTP", {
    service: "mydomain.com",
    auth: {
        user: "username",
        pass: "password"
    }
});

// THIS EMAIL FAILS SPF CHECK
exports.send_new_registration = function(username, email) {
    emailTemplates(templatesDir, function(err, template) {
        console.log("Attempting to send email.");
        if (err) {
            console.log(err);
        } else {
            var locals = {
                email: email,
                username: username
            };
            // Send a single email
            template('new_user', locals, function(err, html, text) {
                if (err) {
                    console.log(err);
                } else {
                    transport.sendMail({
                        from: 'noreply@mydomain.com',
                        to: 'support@mydomain.com',
                        subject: "New user signed-up",
                        html: html,
                        // generateTextFromHTML: true,
                        text: text
                    }, function(err, responseStatus) {
                        if (err) {
                            console.log(err);
                        } else {
                            console.log(responseStatus.message);
                        }
                    });
                }
            });
        }
    });
};

// THIS EMAIL PASSES SPF CHECK
exports.send_confirmation_email = function(email, token) {
    var link = "https://mydomain.com/email-confirmation/" + token;
    emailTemplates(templatesDir, function(err, template) {
        console.log("Attempting to send email.");
        if (err) {
            console.log(err);
        } else {
            var locals = {
                link: link
            };
            // Send a single email
            template('register', locals, function(err, html, text) {
                if (err) {
                    console.log(err);
                } else {
                    transport.sendMail({
                        from: 'noreply@mydomain.com',
                        to: email,
                        subject: "Welcome to mydomain",
                        html: html,
                        // generateTextFromHTML: true,
                        text: text
                    }, function(err, responseStatus) {
                        if (err) {
                            console.log(err);
                        } else {
                            console.log(responseStatus.message);
                        }
                    });
                }
            });
        }
    });
};
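I assume it is unrelated, but I have not got TLS working on Postfix yet. I have also tried to get postfix-policyd-spf-perl working, without success. It adds an extra header when sending email from my own account to my own account. I guess it is related, but I am not sure. As an FYI, if I add
check_policy_service unix:private/policy-spf
to my /etc/postfix/main.cf, the additional header I see in the emails from noreply@mydomain.com to support@mydomain.com is: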
Received-SPF: softfail (mydomain.com: Sender is not authorized by default to use 'support@mydomain.com' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)) receiver=mydomain.com; identity=mailfrom; envelope-from="support@mydomain.com"; helo="[an_ip]"; client-ip=a_diff_ip
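I only add this because I am not sure whether it is related to the Google softfail check…
Edit: To make the question clear, I don't understand why an email passes the SPF check if I send it to a Gmail account, but fails if I send it to my own domain.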
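SPF is not failing. You are misinterpreting the results.
When the mail is sent to the GMail account, Google is (correctly) doing the check. Google is also adding a check when it retrieves the mail via POP3. It does not know where the mail came from, so it flags a softfail.
I am not sure why Google checks emails retrieved over POP3, but it should not.
You need to send it to an address that does the SPF check itself and get it directly, rather than having Google use the headers.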
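As an added example (not part of the original question or answer), the following JavaScript reads a message's headers and reports whether its Received-SPF verdict was made with a known sending IP or stamped on after a POP3 fetch, using the markers visible in the two header sets above. The function names and the sample inputs, which are abbreviated from those headers, are assumptions of this example.

```javascript
// Added example: constructed inputs, abbreviated from the two header sets on this page.
const direct = [
  'Received: from mydomain.com (mydomain.com. [81.4.107.88])',
  '        by mx.google.com with ESMTPS id de1si2116722bkc.265.2014.04.03.02.07.41',
  '        for <myaccount@gmail.com>; Thu, 03 Apr 2014 02:07:41 -0700 (PDT)',
  'Received-SPF: pass (google.com: domain of noreply@mydomain.com designates',
  '        81.4.107.88 as permitted sender) client-ip=81.4.107.88;',
].join('\n');
const fetched = [
  'Received-SPF: softfail (google.com: best guess record for domain of transitioning',
  '        noreply@mydomain.com does not designate <unknown> as permitted sender)',
  'Received: by 10.220.241.77 with POP3 id ld13mf1851813vcb.12;',
  '        Thu, 03 Apr 2014 02:08:19 -0700 (PDT)',
  'X-Gmail-Fetch-Info: support@mydomain.com 3 mail.mydomain.com 110 support',
].join('\n');

// Unfold continuation lines, then split into { name, value } pairs.
function parseHeaders(raw) {
  return raw.replace(/\r?\n[ \t]+/g, ' ').split(/\r?\n/).filter(Boolean).map((line) => {
    const i = line.indexOf(':');
    return { name: line.slice(0, i).trim().toLowerCase(), value: line.slice(i + 1).trim() };
  });
}

// Report the SPF verdict and whether the receiver actually saw the sending IP.
function assessSpf(raw) {
  const headers = parseHeaders(raw);
  const spf = headers.find((h) => h.name === 'received-spf');
  if (!spf) return { result: 'none', clientIp: null, reliable: false, reasons: ['no Received-SPF header'] };
  const ip = /client-ip=([0-9a-fA-F.:]+)/.exec(spf.value);
  const reasons = [];
  if (!ip) reasons.push('no client-ip recorded');
  if (spf.value.includes('<unknown>')) reasons.push('sending IP is <unknown>');
  if (/best guess record/i.test(spf.value)) reasons.push('best-guess record used');
  if (headers.some((h) => h.name === 'x-gmail-fetch-info')) reasons.push('X-Gmail-Fetch-Info present');
  if (headers.some((h) => h.name === 'received' && /\bwith POP3\b/i.test(h.value))) {
    reasons.push('last hop was POP3, not SMTP');
  }
  return {
    result: spf.value.split(/\s+/)[0].toLowerCase(),
    clientIp: ip ? ip[1] : null,
    reliable: reasons.length === 0,
    reasons,
  };
}

for (const [label, raw] of [['email 1', direct], ['email 2', fetched]]) {
  console.log(label, JSON.stringify(assessSpf(raw)));
}
```

A verdict flagged as not reliable says nothing about the domain's SPF record; only the check made at the SMTP hand-off, where the client IP is recorded, does.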