SPF domain alignment mismatch

AptHeart · December 24, 2023, 3:23pm

When emailing as a domain configured in apiscp - The senders address is down as:
SRS0=6qmUD7bc=ID=[customerdomain].co.uk=[usersname]@[myhostingplatformsdomain].uk

Is there a way for this to be presented, instead of [myhostingplatformsdomain].uk, to instead be
[emailrecipient]@[customerdomain].co.uk, so spf can get a match?

I ask as I haven’t much of a reputation as yet.

ver_maj: 3
ver_min: 2
ver_patch: 39

RHEL 4.18.0-513.9.1.el8_9.x86_64

msaladna · December 24, 2023, 7:17pm

This is part of SRS, which occurs whenever a message is delivered to a forwarded address on the server or if the destination is final on the server. For the former case, it’s necessary to restamp the Return-Path for SPF alignment (otherwise matt@apisnetworks.com delivered to matt@apiscp.com, which forwards to matt@gmail.com sees @apisnetworks.com for SPF).

In the latter case, Return-Path calculation doesn’t happen until before delivery. rspamd checks the message before this occurs but if you’re using SpamAssassin, then this could pose an issue.

What prompted this concern?

AptHeart · December 24, 2023, 10:44pm

Hey, apologies.

I had a whole explanation typed out - but the forum won’t let me post as it’s recognising the sudo-domains as links. I’m reaching the two links limit for new users.
No chance you could lift that limit for me so I can paste in the comment I wish to make

Thanks so much!

I will answer the call for concern tho - I haven’t much of a mail reputation, although I do have a clean IP. I’ve been blocked from sending mails to hotmail/outlook.com. I’ve since had that raised. As a result however, whilst I’m still building a reputation, it’d like to get SPF and DMARC aligned as best as possible.

msaladna · December 25, 2023, 2:06am

Upped to 10. SPF should align provided you’re not forwarding mail off the server. Do you have a specific case where the sending message to a destination didn’t align?

AptHeart · December 25, 2023, 12:30pm

Thank you! Appreciate it a ton
Hope you’re having fun holidays!

So this is sending mail outbound from a mailbox within apiscp to external addresses, so no forwarding in place - these are being sent directly.
Laying this out:

customers domain: apiscp.com
servers domain/hostname: apiscp.apisnetworks.com

emailng from matt@apiscp.com, from the server with ApisCP installed on apiscp.apisnetworks.com. On the recipients side (hotmail / gmail etc), it’s seeing the email sent from
SRS0=6qmUD7bc=ID=apiscp.com=matt@apisnetworks.com

Does this make sense?

So the recipient server is looking at the spf record for apisnetworks.com, but also noting the sender is matt@apiscp.com, so it’s seeing an SPF mismatch between the domains.

Hope this is making sense, it’s sending me in a wabble just typing this.

I’m used to using gsuite / o365 etc, when using those products, I’d expect the domains for both to match, so the spf would align. I’m wondering if there’s a way to set this?

msaladna · December 25, 2023, 5:11pm

How’s the message being sent? I sent a test email through webmail (SquirrelMail) from msaladna@futz.net to msaladna@gmail.com. The email’s return-path is msaladna@futz.net as expected. Same holds true when sending over port 465 or 587.

AptHeart · December 27, 2023, 2:46pm

You’re right,

In gmail it’s showing as SPF pass under the owners domain. learndmarc.com is showing otherwise - but I’m thinking this service is wrong.

Sorry, I’ve got one more question - I can start a new thread if you prefer?
I’ve got an account with several add-on domains. I want seperate mailboxes for each domain if possible, but the way it’s against a user doesn’t seem to work for my scenario.

I want info@domain1.com to go to one mailbox
I want info@domain2.com to go to another
etc.

Is there a way of going about this, with these domains within a single account?

Kind Regards,
Steve

msaladna · December 27, 2023, 10:29pm

Send me the samples as rendered to matt@apisnetworks.com to verify; I think it’s a matter of specimen.

https://kb.apiscp.com/email/separating-mail-user-different-domain/

I had a customer kickback the other day that the user@domain schema is confusing, because it suggests email addresses. In that situation, user#domain is also a valid way to login.

AptHeart · December 28, 2023, 8:37am

Appreciate it, but I think that’s sorted.

Yeah, I actually tried what your kb suggests just through logic, but you’re looking at setting the reply to address etc. Not really what I wanted, I ended up needing to split the domains out and give my friend 8 sets of credentials - I don’t like how mail users are handled at all, I’d originally expected mailboxes to exist with a specific address. Splitting the domains out has worked for now.

Thanks for your help.