Found an interesting header when doing some tests with mail filtering:
Received: from qb-out-1314.google.com ([172.21.30.5]) by mx.google.com with ESMTP id k29si2692710qba.7.2008.09.06.14.48.05; Sat, 06 Sep 2008 14:48:06 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning user@example.com does not designate 172.21.30.5 as permitted sender) client-IP=172.21.30.5; Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning user@example.com does not designate 172.21.30.5 as permitted sender) smtp.mail=user@domain.tld Received: by qb-out-1314.google.com with SMTP id d5so1543676qbd.6 for <destination@example.com>; Sat, 06 Sep 2008 14:48:04 -0700 (PDT)
See the problem? Look closely. In particular look at this line:
Received-SPF: softfail (google.com: domain of transitioning user@example.com does not designate 172.21.30.5 as permitted sender) client-IP=172.21.30.5;
Look at that IP. RFC 1918 states the “20-bit block” (172.16/12) is for private internets. Google is softfailing emails because it’s sent through it’s own mail servers. Google’s own SPF record looks like this:
;; QUESTION SECTION: ;_spf.google.com. IN TXT ;; ANSWER SECTION: _spf.google.com. 292 IN TXT "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ?all"
I really don’t understand why Google is doing this. They should have their SPF checker whitelisting mail sent from their own servers. SPF is intended to verify the sender. When sent locally it’s pointless and can only be harmful. They can still do other spam checks.
From what I can tell, this seems to happening about 50% of the time, meaning this is something deployed on some but not all Google clusters.
4 replies on “Google Mail Fail”
My inbound emails are bouncing too (I use GoogleApps for my email). I really hope they fix this soon.
TJK
I just ran into this problem today and oh god I am stumped. Is there anything that can be done? Or do I have to move client to a shared server just to prevent this.
I also ran into this problem earlier this week…
It looks like Google has made some changes to it’s SPF validation or to the way it uses the SPF information.
Well anyway, it’s very annoying that suddenly a group of people have problems with either receiving or sending mail from/to Google Apps email addresses. Another group doesn’t encounter any problems related to this…
I just started receiving this error tonight. Quite frustrating indeed. Thanks for posting this up though and letting me know that I’m not alone with this. Hopefully they’ll fix this soon. *grumble *grumble