Google’s gmail MX is doing the right thing by enforcing SPF rules, but the wrong thing by sending bounces (backscatter) to the address that those SPF rules indicate is forged.
I got the following message from the google mailer daemon (addresses obscured, of course, but email@example.com does list google’s mail domains in its MX DNS records):
This is an automatically generated Delivery Status Notification THIS IS A WARNING MESSAGE ONLY. YOU DO NOT NEED TO RESEND YOUR MESSAGE. Delivery to the following recipient has been delayed: firstname.lastname@example.org Message will be retried for 1 more day(s) ----- Message header follows ----- Received: by 10.210.34.2 with SMTP id h2mr1736737ebh.122.1209639751111; Thu, 01 May 2008 04:02:31 -0700 (PDT) Return-Path: <email@example.com> Received: from 1FF8A9589B7343C ([188.8.131.52]) by mx.google.com with SMTP id c14si3720766nfi.16.2008.05.01.04.02.23; Thu, 01 May 2008 04:02:31 -0700 (PDT) Received-SPF: fail (google.com: domain of firstname.lastname@example.org does not designate 184.108.40.206 as permitted sender) client-ip=220.127.116.11; Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of email@example.com does not designate 18.104.22.168 as permitted sender) firstname.lastname@example.org Date: Thu, 01 May 2008 04:02:28 -0700 (PDT) X-Originating-IP: [22.214.171.124] X-Originating-Email: [email@example.com] X-Sender: firstname.lastname@example.org Message-Id: <20080501150227.5583.qmail@1FF8A9589B7343C> To: <email@example.com> Subject: SALE 73% OFF on Pfizer From: <firstname.lastname@example.org> MIME-Version: 1.0 Content-Type: text/html; charset="ISO-8859-1" Content-Transfer-Encoding: 7bit ----- Message body suppressed -----
So, some spammer is using my mail address in the FROM reverse-path of his SMTP transactions (but the target address in the From mail header), and google is correctly rejecting it, indicated by “spf=hardfail”. However, the daemon sends a failure message to my mail address, which it thinks has been forged, because it thinks it was forged—for multiple days per original spam message. Ugh!
The google groups post I made on the topic would be a good place to offer some insight.