Can MTA send mail via a relay without being told so?
I'm thinking of adding an SPF to a domain. So I'm concerned if there are circumstances under which my MTA would use some relay when sending mail. Like, when the destination servers are too busy or something? I'm mainly interested in postfix's or exim's default settings.
email postfix exim spf
asked Mar 30 at 13:45
x-yuri
On the sending site MTAs can use long chains of relays; that’s typical in an enterprise setting, passing through site-local installations, enterprise gateways, spam filters and possibly a public cloud/ISP service for sending. The chain is however configured or enforced privately. Once the public MTA sends, it only picks a primary or secondary MX. It is not uncommon to use secondary MXs of your provider and your filtering must deal with it. It is however something you configure with your MX DNS records, so it is configured by the recipient admins.
– eckes
Mar 30 at 20:34
3 Answers
No, if you don’t configure any relay (and don’t fiddle around on the network layer), an MTA will try to deliver to whatever DNS says should get the mail.
answered Mar 30 at 13:53
Sven♦
Can you please check out the other answer? The answers differ because yours targets part of the way from sending MTA to MX-server, and the other one from MX-server to the destination server (those last two might apparently match)? In other words, sending MTA would not use a relay unless told so, but after reaching MX-server an email might be relayed or forwarded elsewhere, is this it? Or the other answer is incorrect?
– x-yuri
Apr 17 at 19:47
My answer deals with your question as written (and is correct as such :)). The other answer takes a step back, looking at the whole picture, and explains why having an SPF record and no "accidental relay" is not necessarily enough to guarantee mail delivery. It's a good answer that raises important points, but in a strict sense, it doesn't correctly answer your question as written (but again: it's a good answer, don't ignore it).
– Sven♦
Apr 17 at 21:58
The thing is: Mail is a mess, and "modern" additions like SPF, DKIM or DMARC have a tendency to create new problems that require us to consider a wider view than originally necessary. Traditionally, a mail server would drop off mail at the remote MX and it didn't need to care at all what happens afterwards. SPF can make this important again.
– Sven♦
Apr 17 at 21:59
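One way to confirm on a Postfix host that no relay has been configured, as an added example that is not part of the original answer or comments: the script parses `main.cf` text and reports only the relay-affecting parameters that differ from their stock value. The parameter list is a selection made for this example (it does not inspect `master.cf` overrides or Exim), and both sample configs and their hostnames are constructed.

```python
# Postfix main.cf parameters that can send outbound mail through another host.
# Values are what counts as "off" here: unset/empty, or the stock smtp transport.
RELAY_PARAMS = {
    "relayhost": "",
    "smtp_fallback_relay": "",   # only used when the destination is unreachable
    "fallback_relay": "",        # older name of smtp_fallback_relay
    "transport_maps": "",
    "sender_dependent_relayhost_maps": "",
    "sender_dependent_default_transport_maps": "",
    "default_transport": "smtp",
}


def parse_main_cf(text):
    """Parse main.cf text into {name: value}.

    Follows the main.cf line rules: blank lines and '#' lines are ignored,
    a line starting with whitespace continues the previous logical line,
    and a later definition of the same name replaces an earlier one.
    """
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if current is not None:
                params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            current = None
            continue
        current = name.strip()
        params[current] = value.strip()
    return params


def relay_findings(text):
    """Return the relay-affecting parameters that are set to a non-stock value."""
    params = parse_main_cf(text)
    return {
        name: params[name]
        for name, default in RELAY_PARAMS.items()
        if name in params and params[name] != default
    }


# Constructed sample: no relay configured, mail goes to the recipient's MX.
DIRECT_MAIN_CF = """
myhostname = mail.example.com
mydestination = $myhostname, localhost
relayhost =
inet_interfaces = all
"""

# Constructed sample: a smarthost plus a fallback relay have been configured.
RELAYED_MAIN_CF = """
myhostname = mail.example.com
relayhost =
relayhost = [smtp.provider.example]:587
smtp_fallback_relay =
    [backup.provider.example]
# comment lines do not end a continuation
default_transport = smtp
"""

if __name__ == "__main__":
    for label, cfg in (("direct", DIRECT_MAIN_CF), ("relayed", RELAYED_MAIN_CF)):
        found = relay_findings(cfg)
        print(label, "->", found if found else "no relay configured")
```

Every IP address that shows up in the findings (a smarthost, a fallback relay, a transport map target) is a host that delivers on your behalf and therefore has to be covered by the domain's SPF record.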
> I'm concerned if there are circumstances under which my MTA would use some relay when sending mail.
No. Your server will attempt to send email to the server whose host is described by the MX record(s) for the destination domain.
edited Mar 31 at 1:32
Lightness Races in Orbit
answered Mar 30 at 16:53
joeqwerty
Of course there is. If you send mail from an address x-yuri@example.com and the recipient is john@nice-domain.com, you don't know whether it will relay that mail. You will often see the situation that the mail lands finally in john.priv@google.com and you will get a report from google.com who report a quarantined message because of SPF failure.
This is why you always need DMARC and DKIM, and SPF is your backup mechanism for (rare) cases when DKIM fails on you. A good description is in chapters 1 and 2 of RFC 7489 (DMARC).
edited Apr 15 at 20:50
answered Apr 13 at 9:02
kubanczyk
Isn't what you're talking about forwarding, not relaying?
– x-yuri
Apr 15 at 11:37
@x-yuri You're right. Since these situations are indistinguishable and I think relevant in your scenario, I've reframed your question.
– kubanczyk
Apr 15 at 13:56
AFAICT, the question and the other answers are about the sending side. Changing the question would invalidate the answers. Or not? But we can probably have a tangential answer. Although I have questions. You're talking about forwarding alone, or both (forwarding + relaying)? "Does SPF break forwarding? Yes, but only if the receiver checks SPF without understanding their mail receiving architecture." Can't I rely on most of the receivers to behave properly?
– x-yuri
Apr 15 at 19:51
Let it be a tangential answer. Forwarding is a real concern for a sender who wants to avoid phishing attempts. Re-mailing is not even an option nowadays - you are using outdated docs. What you probably need to read is chapters 1 and 2 of RFC 7489 (DMARC).
– kubanczyk
Apr 15 at 20:48
I'm really not sure what those two chapters were supposed to explain. I've set up SPF, DKIM and DMARC for a couple of domains lately. Let's put things straight. We're talking about a part of the path where an email has reached the MX-server? Do your concerns have to do with forwarding, or both? Also, I'm surprised the other answers have received so many upvotes if what you're saying is true. Is this because of the way I have worded the question? The other answers are about a part of the way where an email hasn't reached the MX-server? @Sven @joeqwerty Can you confirm?
– x-yuri
Apr 16 at 11:13
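The forwarding case from this answer, worked through as an added example that is not part of the original answer or comments: the same message is evaluated once as delivered directly and once as received from the forwarder, with and without a surviving DKIM signature. The IP addresses, the SPF record and the `quarantine` policy are constructed, SPF is reduced to `ip4`/`ip6`/`all` terms, alignment is a simplified suffix match, and the forwarder is assumed to keep the envelope sender and leave the message unmodified.

```python
import ipaddress

# Constructed data (documentation address ranges).
SENDER_IP = "192.0.2.10"        # example.com's own outbound MTA
FORWARDER_IP = "198.51.100.25"  # nice-domain.com's MX, forwarding to google.com
SPF_RECORDS = {"example.com": "v=spf1 ip4:192.0.2.10 -all"}
DMARC_POLICY = "quarantine"     # assumed policy published for example.com

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record, client_ip):
    """Evaluate a simplified SPF record (ip4:, ip6: and all terms only)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # no term matched


def aligned(domain, from_domain):
    """Simplified relaxed alignment: same domain or a parent/child of it."""
    a, b = domain.lower(), from_domain.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def dmarc_evaluate(msg, client_ip):
    """DMARC passes when aligned SPF passes OR an aligned DKIM signature is valid."""
    record = SPF_RECORDS.get(msg["mail_from_domain"])
    spf = spf_check(record, client_ip) if record else "none"
    spf_ok = spf == "pass" and aligned(msg["mail_from_domain"], msg["from_domain"])
    dkim_ok = any(aligned(d, msg["from_domain"]) for d in msg["dkim_valid_domains"])
    passed = spf_ok or dkim_ok
    return {
        "spf": spf,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else DMARC_POLICY,
    }


def forwarding_scenarios():
    """x-yuri@example.com -> john@nice-domain.com -> john.priv@google.com."""
    unsigned = {"from_domain": "example.com", "mail_from_domain": "example.com",
                "dkim_valid_domains": []}
    signed = dict(unsigned, dkim_valid_domains=["example.com"])
    return {
        # What nice-domain.com sees: the connection comes from example.com's MTA.
        "direct_unsigned": dmarc_evaluate(unsigned, SENDER_IP),
        # What google.com sees: same envelope sender, but the forwarder's IP.
        "forwarded_unsigned": dmarc_evaluate(unsigned, FORWARDER_IP),
        "forwarded_signed": dmarc_evaluate(signed, FORWARDER_IP),
    }


if __name__ == "__main__":
    for name, result in forwarding_scenarios().items():
        print(f"{name:20} {result}")
```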
|
show 1 more comment
Isn't what you're talking about is forwarding, not relaying?
– x-yuri
Apr 15 at 11:37
@x-yuri You're right. Since these situations are indistinguishable and I think relevant in your scenario, I've reframed your question.
– kubanczyk
Apr 15 at 13:56
AFAICT, the question and the other answers are about the sending side. Changing the question would invalidate the answers. Or not? But we can probably have a tangential answer. Although I have questions. You're talking about forwarding alone, or both (forwarding + relaying)? "Does SPF break forwarding? Yes, but only if the receiver checks SPF without understanding their mail receiving architecture." Can't I rely on most of the receivers to behave properly?
– x-yuri
Apr 15 at 19:51
Let it be a tangential answer. Forwarding is a real concern for a sender who wants to avoid phishing attempts. Re-mailing is not even an option nowadays - you are using outdated docs. What you probably need to read is chapter 1 and 2 of RFC 7489 (DMARC).
– kubanczyk
Apr 15 at 20:48
I'm really not sure what those two chapters were supposed to explain. I've set up SPF, DKIM and DMARC for a couple of domains lately. Let's put things straight. We're talking about a part of the path where an email has reached theMX
-server? Do your concerns has to do with forwarding, or both? Also, I'm surprised the other answers have received so many upvotes if what you're saying is true. Is this because of the way I have worded the question? The other answers are about a part of the way where an email hasn't reached theMX
-server? @Sven @joeqwerty Can you confirm?
– x-yuri
Apr 16 at 11:13
Isn't what you're talking about is forwarding, not relaying?
– x-yuri
Apr 15 at 11:37
Isn't what you're talking about is forwarding, not relaying?
– x-yuri
Apr 15 at 11:37
@x-yuri You're right. Since these situations are indistinguishable and I think relevant in your scenario, I've reframed your question.
– kubanczyk
Apr 15 at 13:56
@x-yuri You're right. Since these situations are indistinguishable and I think relevant in your scenario, I've reframed your question.
– kubanczyk
Apr 15 at 13:56
AFAICT, the question and the other answers are about the sending side. Changing the question would invalidate the answers. Or not? But we can probably have a tangential answer. Although I have questions. You're talking about forwarding alone, or both (forwarding + relaying)? "Does SPF break forwarding? Yes, but only if the receiver checks SPF without understanding their mail receiving architecture." Can't I rely on most of the receivers to behave properly?
– x-yuri
Apr 15 at 19:51
Let it be a tangential answer. Forwarding is a real concern for a sender who wants to avoid phishing attempts. Re-mailing is not even an option nowadays - you are using outdated docs. What you probably need to read is chapters 1 and 2 of RFC 7489 (DMARC).
– kubanczyk
Apr 15 at 20:48
I'm really not sure what those two chapters were supposed to explain. I've set up SPF, DKIM and DMARC for a couple of domains lately. Let's put things straight. We're talking about a part of the path where an email has reached the MX-server? Do your concerns have to do with forwarding, or both? Also, I'm surprised the other answers have received so many upvotes if what you're saying is true. Is this because of the way I have worded the question? The other answers are about a part of the way where an email hasn't reached the MX-server? @Sven @joeqwerty Can you confirm?
– x-yuri
Apr 16 at 11:13
On the sending site, MTAs can use long chains of relays; that’s typical in an enterprise setting, passing through site-local installations, enterprise gateways, spam filters and possibly a public cloud/ISP service for sending. The chain is, however, configured or enforced privately. Once the public MTA sends, it only picks a primary or secondary MX. It is not uncommon to use secondary MXs of your provider, and your filtering must deal with it. It is, however, something you configure with your MX DNS records, so it is configured by the recipient admins.
– eckes
Mar 30 at 20:34
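
Added example, not written by any commenter in this thread: a sketch of why a receiver that accepts mail through a secondary MX has to evaluate SPF against the host that crossed its border, not against its own MX. The function names, the sample SPF record and the addresses (documentation ranges) are constructed for illustration, and only the `ip4`, `ip6` and `all` mechanisms are handled.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(client_ip, record):
    """Evaluate the ip4/ip6/all subset of an SPF record for one client IP."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"                       # default qualifier is "pass"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return RESULTS[qualifier]
        # a, mx, include, ... need DNS lookups and are skipped in this sketch
    return "neutral"                          # no mechanism matched

def client_ip_for_spf(connecting_ips, own_mx_ips):
    """connecting_ips: newest hop first, as recorded by the receiver's own servers.
    Returns the first host that is not one of the receiver's MXs, or None."""
    own = {ipaddress.ip_address(i) for i in own_mx_ips}
    for hop in connecting_ips:
        if ipaddress.ip_address(hop) not in own:
            return hop
    return None

# Constructed sample data
SENDER_SPF = "v=spf1 ip4:192.0.2.0/24 -all"
OWN_MX = ["203.0.113.9", "198.51.100.5"]  # primary MX and provider-run secondary MX
HOPS = ["198.51.100.5", "192.0.2.10"]     # secondary -> primary, then sender -> secondary

def demo():
    naive = spf_check(HOPS[0], SENDER_SPF)                           # checks our own secondary MX
    aware = spf_check(client_ip_for_spf(HOPS, OWN_MX), SENDER_SPF)   # checks the real sender
    return naive, aware

if __name__ == "__main__":
    print(demo())
```
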