Forwarding Shaw mail to Gmail gets SPF softfail: d...

rickmacd · ‎2023-03-27

We want to forward 2 Shaw email accounts to Gmail. I began testing with one. It's simple to set up, but some emails get quarantined at the gmail end for up to 3 days. Things I've found on the web indicate Gmail thinks it's Shaw's problem.

I thought it strange that it's intermittent, but I found what seems to be an explanation from a Google support page:

*Important: *Starting November 2022, new senders who send email to personal Gmail accounts must set up either _SPF_ <https://support.google.com/mail/answer/81126#spf> or _DKIM_ <https://support.google.com/mail/answer/81126#dkim>. Google performs random checks on new sender messages to personal Gmail accounts to verify they’re authenticated. Messages without at least one of these authentication methods will be rejected or marked as spam. This requirement doesn’t apply to you if you’re an existing sender. However, we recommend you always set up SPF and DKIM to protect your organization’s email and to support future authentication requirements.

Does anybody know anything about "new senders" and "existing senders"?

Here are what seem to be the related heade

ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@gmail.com header.s=20210112 header.b=QJjFrzIs;
spf=softfail (google.com: domain of transitioning sender@gmail.com does not designate 3.97.99.42 as permitted sender) smtp.mailfrom=sender@gmail.com;
dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <sender@gmail.com>
Received: from omta011.cacentral1.a.cloudfilter.net (omta011.cacentral1.a.cloudfilter.net. [3.97.99.42])
by mx.google.com with ESMTPS id y6-20020a0cc546000000b0056f02266cb5si1568637qvi.522.2023.03.11.04.28.14
for <receiver@gmail.com>
(version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
Sat, 11 Mar 2023 04:28:14 -0800 (PST)
Received-SPF: softfail (google.com: domain of transitioning sender@gmail.com does not designate 3.97.99.42 as permitted sender) client-ip=3.97.99.42;
Authentication-Results: mx.google.com;
dkim=pass header.i=@gmail.com header.s=20210112 header.b=QJjFrzIs;
spf=softfail (google.com: domain of transitioning sender@gmail.com does not designate 3.97.99.42 as permitted sender) smtp.mailfrom=sender@gmail.com;
dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com

mdk · ‎2023-03-29

>> we recommend you always set up SPF and DKIM to protect your organization’s email and to support future authentication requirements.

In your case, the "organization" is Shaw.

Shaw is saying that any "new" organization that sets-up its own mail-server needs to add DKIM & SPF records for their mail-server.

Note:

Name: omta011.cacentral1.a.cloudfilter.net
Address: 3.97.99.42

is an IP-address assigned to the "outsourced" company that Shaw uses to process incoming/outgoing E-mail.

I see:

ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@gmail.com header.s=20210112 header.b=QJjFrzIs;
spf=softfail

Return-Path: <sender@gmail.com>

Received-SPF: softfail (google.com: domain of transitioning sender@gmail.com does not designate 3.97.99.42 as permitted sender) client-ip=3.97.99.42;

Authentication-Results: mx.google.com;
dkim=pass header.i=@gmail.com header.s=20210112 header.b=QJjFrzIs;

spf=softfail (google.com: domain of transitioning sender@gmail.com does not designate 3.97.99.42 as permitted sender) smtp.mailfrom=sender@gmail.com;
dmarc=pass

So, CloudFilter has deployed one of the methods that Shaw recommends.

Take a look at the date/time details on each of the "delayed" E-mail messages, to see at which "hop" that the delay occurs. For example, here are the (trimmed) headers from the STAPLES organization.

Received: from mi03-ssvc.dcs.int.inet (LHLO mi03.dcs.int.inet)
(10.0.153.220) by cds215.dcs.int.inet with LMTP; Wed, 29 Mar 2023 09:48:30 -0600 (MDT)

Received: from shw-ibgw-4003a.ext.cloudfilter.net (lb7f8hsrpno-dmz.dcs.int.inet [10.0.143.222])
by mi03.dcs.int.inet (Postfix) with ESMTPS id 3541D1280214
for <me@shaw.ca>; Wed, 29 Mar 2023 09:48:30 -0600 (MDT)

Received: from o925.easy.staples.ca ([149.72.157.222]) by cmsmtp with ESMTP
id hY2Hp7nyIWvxBhY2Hp9jvs; Wed, 29 Mar 2023 15:48:29 +0000

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=staples.ca;

Received: by filterdrecv-574c9fc7f5-rj2jg with SMTP id filterdrecv-574c9fc7f5-rj2jg-1-64245D45-17F
2023-03-29 15:46:13.593366127 +0000 UTC m=+3082395.294229971

Received: from NzY3MzY2Nw (unknown) by geopod-ismtpd-22 (SG) with HTTP
id f2SLVGvXQQ-DR3MDV8BOLg Wed, 29 Mar 2023 15:46:13.514 +0000 (UTC)

So, the message was sent at 15:46:13 and received by Shaw at 15:48:30 (note the different timezones) -- "delayed" for only seventeen seconds.

Forwarding Shaw mail to Gmail gets SPF softfail: does not designate 3.97.99.42 as permitted sender

Email

>> we recommend you always set up SPF and DKIM to protect...