Solved Postfix + Virtual Mailbox Domain + email forwarding (SPF fail)

Hello.
I'm running Postfix on a Linode VPS for a couple of virtual domains. Those domains are configured as virtual mailbox domains.
One of those domains is a family domain, for which I would like to forward one address to a few @gmail.com addresses.

I'm getting multiple bounces from Gmail saying that the emails were blocked because they look like spam.

Code:
Jun  9 03:20:07 xx-yy-zz-aa postfix/smtpd[75263]: connect from ns1g-b.incoming-domain.com[10.20.30.10]
Jun  9 03:20:09 xx-yy-zz-aa postfix/smtpd[75263]: 339B7174497: client=ns1g-b.incoming-domain.com[10.20.30.10]
Jun  9 03:20:09 xx-yy-zz-aa postfix/cleanup[75268]: 339B7174497: message-id=<2b8521b0b13464f82d0bbfb55c90d4f1@rx099.cajval.incoming-domain.com>
Jun  9 03:20:09 xx-yy-zz-aa opendkim[27128]: 339B7174497: ns1g-b.incoming-domain.com [10.20.30.10] not internal
Jun  9 03:20:09 xx-yy-zz-aa opendkim[27128]: 339B7174497: not authenticated
Jun  9 03:20:09 xx-yy-zz-aa postfix/qmgr[27221]: 339B7174497: from=<noreply@originatingdomain.com>, size=2427, nrcpt=4 (queue active)
Jun  9 03:20:10 xx-yy-zz-aa postfix/smtp[75270]: 339B7174497: to=<email2@gmail.com>, orig_to=<invoices@myfamily.com>, relay=gmail-smtp-in.l.google.com[172.253.115.26]:25, delay=2.8, delays=2.1/0.02/0.26/0.35, dsn=5.7.26, status=bounced (host gmail-smtp-in.l.google.com[172.253.115.26] said: 550-5.7.26 This message fails to pass SPF checks for an SPF record with a hard 550-5.7.26 fail policy (-all). To best protect our users from spam and 550-5.7.26 phishing, the message has been blocked. Please visit 550-5.7.26  https://support.google.com/mail/answer/81126#authentication for more 550 5.7.26 information. u14-20020a05622a14ce00b00304def15cb0si9891148qtx.221 - gsmtp (in reply to end of DATA command))
Jun  9 03:20:10 xx-yy-zz-aa postfix/smtp[75270]: 339B7174497: to=<email1@gmail.com>, orig_to=<invoices@myfamily.com>, relay=gmail-smtp-in.l.google.com[172.253.115.26]:25, delay=2.8, delays=2.1/0.02/0.26/0.35, dsn=5.7.26, status=bounced (host gmail-smtp-in.l.google.com[172.253.115.26] said: 550-5.7.26 This message fails to pass SPF checks for an SPF record with a hard 550-5.7.26 fail policy (-all). To best protect our users from spam and 550-5.7.26 phishing, the message has been blocked. Please visit 550-5.7.26  https://support.google.com/mail/answer/81126#authentication for more 550 5.7.26 information. u14-20020a05622a14ce00b00304def15cb0si9891148qtx.221 - gsmtp (in reply to end of DATA command))
Jun  9 03:20:10 xx-yy-zz-aa postfix/smtp[75269]: 339B7174497: to=<email3@gmail.com>, orig_to=<invoices@myfamily.com>, relay=aspmx.l.google.com[172.253.122.27]:25, delay=2.9, delays=2.1/0.01/0.38/0.41, dsn=2.0.0, status=sent (250 2.0.0 OK  1654755614 j21-20020a05620a411500b006a6f8d26e7dsi2941964qko.122 - gsmtp)
Jun  9 03:20:11 xx-yy-zz-aa postfix/smtp[75271]: 339B7174497: to=<email4@yahoo.com>, orig_to=<invoices@myfamily.com>, relay=mta7.am0.yahoodns.net[67.195.228.106]:25, delay=4, delays=2.1/0.03/0.8/1.1, dsn=2.0.0, status=sent (250 ok dirdel)
Jun  9 03:20:11 xx-yy-zz-aa postfix/cleanup[75268]: 6F48D177531: message-id=<20220609062011.6F48D177531@xx-yy-zz-aa.ip.linodeusercontent.com>
Jun  9 03:20:11 xx-yy-zz-aa postfix/bounce[75272]: 339B7174497: sender non-delivery notification: 6F48D177531
Jun  9 03:20:11 xx-yy-zz-aa postfix/qmgr[27221]: 6F48D177531: from=<>, size=6692, nrcpt=1 (queue active)
Jun  9 03:20:11 xx-yy-zz-aa postfix/qmgr[27221]: 339B7174497: removed
Jun  9 03:20:13 xx-yy-zz-aa postfix/smtp[75270]: 6F48D177531: to=<noreply@originatingdomain.com>, relay=originatingdomain-com.mail.protection.outlook.com[104.47.56.110]:25, delay=2, delays=0.01/0/0.36/1.6, dsn=2.6.0, status=sent (250 2.6.0 <20220609062011.6F48D177531@xx-yy-zz-aa.ip.linodeusercontent.com> [InternalId=33612414060097, Hostname=CP2P152MB1409.LAMP152.PROD.OUTLOOK.COM] 15569 bytes in 0.413, 36.801 KB/sec Queued mail for delivery)
Jun  9 03:20:13 xx-yy-zz-aa postfix/qmgr[27221]: 6F48D177531: removed
Jun  9 03:20:14 xx-yy-zz-aa postfix/smtpd[75263]: disconnect from ns1g-b.incoming-domain.com[10.20.30.10] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5

At first I thought I had misconfigured the myfamily.com DNS. I have SPF, DKIM, and DMARC configured for myfamily.com, but the problem is obviously that the forwards are failing because myfamily.com is not listed as a valid source in the SPF record of the originating email's domain. I installed postsrsd to rewrite those addresses, but the mail keeps bouncing. A similar issue should be happening with mailing lists. Any ideas how it's dealt with in those cases?

Thanks!
 
Use Postfix - Sender Rewriting Scheme (SRS) to rewrite the FROM during forwarding.


 
This message fails to pass SPF checks for an SPF record with a hard 550-5.7.26 fail policy (-all). To best protect our users from spam and 550-5.7.26 phishing, the message has been blocked. Please visit 550-5.7.26 https://support.google.com/mail/answer/81126#authentication for more 550 5.7.26 information. u14-20020a05622a14ce00b00304def15cb0si9891148qtx.221 - gsmtp (in reply to end of DATA command)) Jun 9 03:20:10 xx-yy-zz-aa postfix/smtp[75269]: 339B7174497: to=<email3@gmail.com>, orig_to=<invoices@myfamily.com>, relay=aspmx.l.google.com[172.253.122.27]:25, delay=2.9, delays=2.1/0.01/0.38/0.41, dsn=2.0.0, status=sent (250 2.0.0 OK 1654755614 j21-20020a05620a411500b006a6f8d26e7dsi2941964qko.122 - gsmtp)
This error may have to do with the SPF settings. You mentioned it too, that the myfamily.com SPF is not properly set, and you have now used Postfix SRS. Why don't you properly set the SPF first and manually send an email across the domains before introducing SRS? Gmail can also be finicky; you may need to set up an outbound SMTP relay with a reputable IP address. Several other domains are like that.
 
This error may have to do with the SPF settings. You mentioned it too, that the myfamily.com SPF is not properly set, and you have now used Postfix SRS. Why don't you properly set the SPF first and manually send an email across the domains before introducing SRS? Gmail can also be finicky; you may need to set up an outbound SMTP relay with a reputable IP address. Several other domains are like that.
You are right, it's the SPF settings, but I think that since my server isn't rewriting the from addresses, it is seen as trying to be originatingdomain.com, which doesn't match my IP, so SPF would fail.
 
Use Postfix - Sender Rewriting Scheme (SRS) to rewrite the FROM during forwarding.


I have already installed it; it rewrites the From, however it seems it's not being used.

Code:
Jun 10 07:00:29 xx-yy-zz-aa postfix/qmgr[84933]: 82A69174497: from=<SRS0=D9O7=WR=incoming-domain.com=noreplymo@xx-yy-zz-aa.ip.linodeusercontent.com>, size=92773, nrcpt=4 (queue active)
Jun 10 07:00:29 xx-yy-zz-aa postfix/smtpd[97525]: disconnect from smht-115-214.dattaweb.com[200.58.115.214] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jun 10 07:00:30 xx-yy-zz-aa postfix/smtp[97535]: 82A69174497: to=<email1@gmail.com>, orig_to=<invoices@myfamily.com>, relay=gmail-smtp-in.l.google.com[142.251.111.27]:25, delay=2, delays=0.87/0.02/0.22/0.85, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[142.251.111.27] said: 550-5.7.1 [45.79.150.186      12] Our system has detected that this message is 550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail, 550-5.7.1 this message has been blocked. Please visit 550-5.7.1  https://support.google.com/mail/?p=UnsolicitedMessageError 550 5.7.1  for more information. q1-20020ae9dc01000000b006a0f9ebb303si13194670qkf.161 - gsmtp (in reply to end of DATA command))
Jun 10 07:00:30 xx-yy-zz-aa postfix/smtp[97535]: 82A69174497: to=<email2@gmail.com>, orig_to=<invoices@myfamily.com>, relay=gmail-smtp-in.l.google.com[142.251.111.27]:25, delay=2, delays=0.87/0.02/0.22/0.85, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[142.251.111.27] said: 550-5.7.1 [45.79.150.186      12] Our system has detected that this message is 550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail, 550-5.7.1 this message has been blocked. Please visit 550-5.7.1  https://support.google.com/mail/?p=UnsolicitedMessageError 550 5.7.1  for more information. q1-20020ae9dc01000000b006a0f9ebb303si13194670qkf.161 - gsmtp (in reply to end of DATA command))
Jun 10 07:00:30 xx-yy-zz-aa postfix/smtp[97535]: 82A69174497: to=<email3@gmail.com>, orig_to=<invoices@myfamily.com>, relay=gmail-smtp-in.l.google.com[142.251.111.27]:25, delay=2, delays=0.87/0.02/0.22/0.85, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[142.251.111.27] said: 550-5.7.1 [45.79.150.186      12] Our system has detected that this message is 550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail, 550-5.7.1 this message has been blocked. Please visit 550-5.7.1  https://support.google.com/mail/?p=UnsolicitedMessageError 550 5.7.1  for more information. q1-20020ae9dc01000000b006a0f9ebb303si13194670qkf.161 - gsmtp (in reply to end of DATA command))
Jun 10 07:00:30 xx-yy-zz-aa postfix/smtp[97536]: 82A69174497: to=<email4@yahoo.com>, orig_to=<invoices@myfamily.com>, relay=mta6.am0.yahoodns.net[98.136.96.76]:25, delay=2.3, delays=0.87/0.03/0.56/0.82, dsn=2.0.0, status=sent (250 ok dirdel)
Jun 10 07:00:30 xx-yy-zz-aa postsrsd[97533]: srs_forward: <""> not rewritten: No at sign in sender address
Jun 10 07:00:30 xx-yy-zz-aa postsrsd[97534]: srs_reverse: <SRS0=D9O7=WR=incoming-domain.com=noreplymo@xx-yy-zz-aa.ip.linodeusercontent.com> rewritten as <noreplymo@incoming-domain.com>
 
It looks like Google is on to your tricks and has adapted to block them. I was going to suggest rewriting the headers with Postfix header_checks, but it looks like SRS is a standardized version of this (I had never heard of it before), and both of these solutions seem to be a thing Google does not like at all.


Using the gmail fetch is probably going to have to be the solution.
 
I registered a new domain for the VPS (acme-vps.net) and configured DKIM/SPF for that domain. Now postsrsd forwards the email correctly using acme-vps.net, the emails get delivered, and SPF/DKIM pass. The next step is to make Postfix use the appropriate envelope for each domain so the corresponding DKIM selector for that domain is used.
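To illustrate the rewrite the thread settles on, here is an added example (not code from the thread or from postsrsd) of an SRS0-style forward/reverse rewrite of the envelope sender, with a keyed hash and a two-character day stamp, next to a toy SPF evaluator over constructed records: the receiver evaluates the envelope-from domain, so the unrewritten sender fails the originating domain's -all policy, while the rewritten one passes only when the SRS domain's own SPF lists the forwarder's IP. The secret, IPs and SPF records are constructed, and the hash/timestamp encoding follows the SRS layout but is an assumption, not guaranteed to be byte-identical to postsrsd (under this encoding the "WR" stamp in the log above decodes to day 19153, i.e. 10 June 2022, which matches the log date).

```python
# Added example: SRS0-style envelope rewriting plus a toy SPF check.
# Secret, IPs and records are constructed; encoding is an assumption.
import base64, hashlib, hmac, re

SECRET = b"constructed-secret-change-me"   # postsrsd keeps this in its secret file
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"   # SRS timestamp alphabet
SRS_RE = re.compile(r"^SRS0=([^=]+)=([^=]+)=([^=]+)=(.+)@(.+)$", re.I)

def _timestamp(day):
    """2-char base32 encoding of the day number modulo 1024 (SRS convention)."""
    return B32[(day >> 5) & 31] + B32[day & 31]

def _hash(ts, domain, local):
    """Truncated keyed hash over timestamp+domain+local, case-folded."""
    mac = hmac.new(SECRET, (ts + domain + local).lower().encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()[:4]

def srs_forward(sender, forwarder_domain, day):
    """Rewrite sender so the envelope-from domain is one the forwarder controls."""
    local, domain = sender.rsplit("@", 1)
    ts = _timestamp(day)
    return f"SRS0={_hash(ts, domain, local)}={ts}={domain}={local}@{forwarder_domain}"

def srs_reverse(addr, today, max_age=21):
    """Undo the rewrite on a bounce; reject a bad hash or an expired stamp."""
    m = SRS_RE.match(addr)
    if not m:
        return None
    h, ts, domain, local, _ = m.groups()
    if not hmac.compare_digest(h, _hash(ts, domain, local)):
        return None
    stamped = (B32.index(ts[0].upper()) << 5) | B32.index(ts[1].upper())
    if (today - stamped) % 1024 > max_age:
        return None
    return f"{local}@{domain}"

# Constructed SPF records: the originating domain lists only its own MTA with
# a hard fail; the forwarder's own domain lists the forwarder's IP.
SPF = {"originatingdomain.com": "v=spf1 ip4:203.0.113.10 -all",
       "acme-vps.net": "v=spf1 ip4:198.51.100.5 -all"}

def spf_verdict(envelope_from, client_ip):
    """Tiny evaluator for ip4: and all mechanisms, enough for this scenario."""
    rec = SPF.get(envelope_from.rsplit("@", 1)[1].lower(), "v=spf1 ?all")
    for mech in rec.split()[1:]:
        q, m = (mech[0], mech[1:]) if mech[0] in "+-~?" else ("+", mech)
        if m == "all" or m == f"ip4:{client_ip}":
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[q]
    return "neutral"
```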
 