Forwarding broken by SPF - need SRS to mend it

[wemail]

Sites prematurely imposing SPF compliance, e.g. waitrose.com, can cause a big nuisance by rejecting emails sent to them using forwarding.

I have rDNS already, and have created an SPF record on my DNS, and so these have satisfied the basic SPF problem on our server. Emails sent from accounts on our server are getting through OK even if forwarded.

Email sent from elsewhere which use forwarding via our server is still a problem, and isn't satisfied by SPF compliance.

There appears to be consensus amongst lots of sites that the solution for servers which need to use forwarding, is to have Sender Rewriting Scheme (SRS) support in the MTA.

Exim supports this as from v4.50 and we are using v4.63. However this "support" seems to be a bit of an exaggeration.

I have found a lot of instructions on SRS and how to activate it in the Exim config, including:

http://www.openspf.org/SRS
http://www.libsrs2.org/overview.html

I can't find an actual code and config patch, except in a file from Brazil, where I do not understand the comments, and I am not competent to write my own without spending a lot of time. It appears to be a minor addition, which must be in use at lots of Exim sites.

Any pointers please?

 

[sparek-3]

One question to ask is why are you using e-mail forwarders?

If you are just going to be checking your AOL address, then you should advertise your AOL address as your e-mail address. Does it look less professional? Probably, but its just a price you have to pay if you are only willing to check your AOL address.

If you want to use your domain name based e-mails, then consider setting up real POP accounts and using an e-mail program, like Thunderbird, to check those mail accounts for messages. This way you don't run into an issue with the SPF records.

 

[wemail]

One question to ask is why are you using e-mail forwarders?

This is organization policy. Forwarding is essential for several reasons and has been in use for years.

If you are just going to be checking your AOL address, then you should advertise your AOL address as your e-mail address. Does it look less professional? Probably, but its just a price you have to pay if you are only willing to check your AOL address.

Sorry, this isn't relevant to our problem.

If you want to use your domain name based e-mails, then consider setting up real POP accounts and using an e-mail program, like Thunderbird, to check those mail accounts for messages. This way you don't run into an issue with the SPF records.

We cannot impose this on the users. I suggested it occasionally but users wish to stay with their service provider. If everybody would use the local addresses on our server with either the built-in webmail or a good client like Pegasus Mail, it would be easier. But they won't.

So, we need to use SRS.

 

[internetfab]

Has anyone looked into more deeply? Just got a case where this is happening

 

[AlexV.]

wemail:

I would be more than glad to take a look at the brazilian file. I know a thing or two about portuguese. :D

We are working on getting SRS support on the Exim RPM.

internetfab:

Could you please contact me directly: [email protected] or open a support ticket (ATTN Alex). Would like to look into the forwarding/spf issue you are experiencing.

Thank you.

 

[lloyd_tennison]

If you rewrite the headers - besides violating the RFC's - any email that you send that is spam - you are now the spammer as your server sent the spam message because you removed the "real" sender.

 

[wemail]

SPF/SRS is documented on its own site.

There is good news on availability in "SPF Implementation" thread.