Google’s gmail MX is doing the right thing by enforcing SPF rules, but the wrong thing by sending bounces (backscatter) to the address that those SPF rules indicate is forged.
I got the following message from the google mailer daemon (addresses obscured, of course, but xxx@xxxxxxxx.com does list google’s mail domains in its MX DNS records):
This is an automatically generated Delivery Status Notification
THIS IS A WARNING MESSAGE ONLY.
YOU DO NOT NEED TO RESEND YOUR MESSAGE.
Delivery to the following recipient has been delayed:
xxx@xxxxxxxx.com
Message will be retried for 1 more day(s)
----- Message header follows -----
Received: by 10.210.34.2 with SMTP id h2mr1736737ebh.122.1209639751111;
Thu, 01 May 2008 04:02:31 -0700 (PDT)
Return-Path: <xxx@scarff.id.au>
Received: from 1FF8A9589B7343C ([121.27.142.217])
by mx.google.com with SMTP id c14si3720766nfi.16.2008.05.01.04.02.23;
Thu, 01 May 2008 04:02:31 -0700 (PDT)
Received-SPF: fail (google.com: domain of xxx@scarff.id.au does not designate 121.27.142.217 as permitted sender) client-ip=121.27.142.217;
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of xxx@scarff.id.au does not designate 121.27.142.217 as permitted sender) smtp.mail=xxx@scarff.id.au
Date: Thu, 01 May 2008 04:02:28 -0700 (PDT)
X-Originating-IP: [121.27.142.217]
X-Originating-Email: [xxx@xxxxxxxx.com]
X-Sender: xxx@xxxxxxxx.com
Message-Id: <20080501150227.5583.qmail@1FF8A9589B7343C>
To: <xxx@xxxxxxxx.com>
Subject: SALE 73% OFF on Pfizer
From: <xxx@xxxxxxxx.com>
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
----- Message body suppressed -----
So, some spammer is using my mail address as the MAIL FROM reverse-path of his SMTP transactions (while putting the target address in the From: mail header), and google is correctly rejecting it, as the “spf=hardfail” result shows. However, the daemon then sends a failure message to my mail address, the very address it has just concluded was forged, and keeps retrying for multiple days per original spam message. Ugh!
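As an added illustration (not part of the original post), here is the decision a receiving MX should make from the header shown above, and the check a domain owner can run on an incoming DSN to recognise it as backscatter. The sample headers are the ones quoted above, re-typed as a constructed string; the function names are my own and are not Gmail's.

```python
import re
from email import message_from_string

# Constructed sample: the message headers Gmail embedded in the DSN quoted above.
SAMPLE_HEADERS = (
    "Return-Path: <xxx@scarff.id.au>\n"
    "Received-SPF: fail (google.com: domain of xxx@scarff.id.au does not"
    " designate 121.27.142.217 as permitted sender) client-ip=121.27.142.217;\n"
    "Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of"
    " xxx@scarff.id.au does not designate 121.27.142.217 as permitted sender)"
    " smtp.mail=xxx@scarff.id.au\n"
    "From: <xxx@xxxxxxxx.com>\n"
    "Subject: SALE 73% OFF on Pfizer\n"
)

# Pull the SPF verdict and the envelope sender out of Authentication-Results.
AUTH_RE = re.compile(r"spf=(\w+).*?smtp\.mail=([^\s;]+)", re.S)
FAILS = ("fail", "hardfail")

def spf_verdict(raw_headers):
    """Return (spf_result, envelope_sender) or (None, None) if absent."""
    msg = message_from_string(raw_headers)
    m = AUTH_RE.search(msg.get("Authentication-Results", ""))
    return (m.group(1).lower(), m.group(2)) if m else (None, None)

def smtp_action(spf_result):
    """Verdict to give in-session, before taking responsibility for the mail.
    A 5xx here means the connecting client owns the failure and we never
    generate a DSN, so a forged reverse-path receives nothing from us."""
    if spf_result in FAILS:
        return "550 5.7.1 SPF hardfail; message rejected"
    return "250 2.0.0 accepted"

def may_generate_dsn(spf_result):
    """After acceptance, a later delivery failure normally bounces to the
    reverse-path. Suppress that when the reverse-path failed SPF: the address
    is already known to be forged, so the bounce would be backscatter."""
    return spf_result not in FAILS

def is_backscatter(raw_headers, my_domain):
    """Domain-owner check on the headers embedded in a DSN we received: if our
    own domain failed SPF as envelope sender, the original was not ours."""
    result, sender = spf_verdict(raw_headers)
    if result is None or sender is None:
        return False
    domain = sender.rsplit("@", 1)[-1].lower()
    return domain == my_domain.lower() and result in FAILS
```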
The google groups post I made on the topic would be a good place to offer some insight.