Google’s Gmail MX is doing the right thing by enforcing SPF rules, but the wrong thing by sending bounces (backscatter) to the address that those SPF rules indicate is forged.
I got the following message from the Google mailer daemon (addresses obscured, of course, but firstname.lastname@example.org does list Google’s mail domains in its MX DNS records):

    This is an automatically generated Delivery Status Notification

    THIS IS A WARNING MESSAGE ONLY.

    YOU DO NOT NEED TO RESEND YOUR MESSAGE.

    Delivery to the following recipient has been delayed:

        email@example.com

    Message will be retried for 1 more day(s)

    ----- Message header follows -----

    Received: by 10.210.34.2 with SMTP id h2mr1736737ebh.122.1209639751111; Thu, 01 May 2008 04:02:31 -0700 (PDT)
    Return-Path: <firstname.lastname@example.org>
    Received: from 1FF8A9589B7343C ([22.214.171.124]) by mx.google.com with SMTP id c14si3720766nfi.16.2008.05.01.04.02.23; Thu, 01 May 2008 04:02:31 -0700 (PDT)
    Received-SPF: fail (google.com: domain of email@example.com does not designate 126.96.36.199 as permitted sender) client-ip=188.8.131.52;
    Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of firstname.lastname@example.org does not designate 184.108.40.206 as permitted sender) email@example.com
    Date: Thu, 01 May 2008 04:02:28 -0700 (PDT)
    X-Originating-IP: [220.127.116.11]
    X-Originating-Email: [firstname.lastname@example.org]
    X-Sender: email@example.com
    Message-Id: <20080501150227.5583.qmail@1FF8A9589B7343C>
    To: <firstname.lastname@example.org>
    Subject: SALE 73% OFF on Pfizer
    From: <email@example.com>
    MIME-Version: 1.0
    Content-Type: text/html; charset="ISO-8859-1"
    Content-Transfer-Encoding: 7bit

    ----- Message body suppressed -----

So, some spammer is using my mail address in the FROM reverse-path of his SMTP transactions (but the target address in the From mail header), and Google is correctly rejecting it, indicated by “spf=hardfail”. However, the daemon sends a failure message to my mail address, which it thinks has been forged, because it thinks it was forged—for multiple days per original spam message. Ugh!
The Google Groups post I made on the topic would be a good place to offer some insight.
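
An added example, not part of the original post and not Google's code: a Python sketch of the two checks this situation calls for, one on the MX side (suppress the bounce when the MX's own SPF verdict says the reverse-path is forged) and one on the recipient side (recognise such a bounce as backscatter). The function names, the `SAMPLE_DSN` text and its addresses and IP are constructed placeholders; only the header names and the "Message header follows" marker come from the notification quoted above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

MARKER = "----- Message header follows -----"
SPF_FORGED = {"fail", "hardfail"}  # sender IP explicitly not authorized by the domain

# Constructed sample in the shape of the DSN quoted above; addresses/IP are placeholders.
SAMPLE_DSN = """\
This is an automatically generated Delivery Status Notification

Delivery to the following recipient has been delayed:

     target@example.com

----- Message header follows -----

Return-Path: <victim@example.org>
Received-SPF: fail (google.com: domain of victim@example.org does not
        designate 192.0.2.10 as permitted sender) client-ip=192.0.2.10;
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of
        victim@example.org does not designate 192.0.2.10 as permitted sender)
To: <target@example.com>
From: <target@example.com>
Subject: SALE

----- Message body suppressed -----
"""

def quoted_headers(dsn_text):
    """Parse the original message's headers quoted inside the DSN."""
    _, _, tail = dsn_text.partition(MARKER)
    return message_from_string(tail.lstrip())

def spf_result(msg):
    """SPF verdict recorded by the receiving MX (lowercase), or None."""
    received_spf = msg.get("Received-SPF", "").split()
    if received_spf:
        return received_spf[0].lower()
    m = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""), re.I)
    return m.group(1).lower() if m else None

def may_send_dsn(msg):
    """MX side: never bounce to a reverse-path the MX itself judged forged."""
    return spf_result(msg) not in SPF_FORGED

def is_backscatter(dsn_text, my_address):
    """Recipient side: the DSN concerns mail forged in my name."""
    msg = quoted_headers(dsn_text)
    sender = parseaddr(msg.get("Return-Path", ""))[1].lower()
    return sender == my_address.lower() and spf_result(msg) in SPF_FORGED
```
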