OVH email redirect causes SPF check failure
February 26, 2023
February 26, 2023
Note: I put OVH in the title but it could happen with any provider that offers email redirects.
Letās say you have an email address foo@foo.com, and you set up a
redirect with your provider so that it forwards all emails to
foo@gmail.com, which would be a common scenario to use Gmail with a
custom domain without paying for Google Workspace (using this as an
example but the problem is not directly related to Gmail).
In my case with OVH, this is configured in foo@foo.com's MX plan,
under manage redirections.
It works well most of the time, except when a sender tells me they failed to send me an email.
It could be someone sending me an email from, for example,
bar@gmx.com, who tells me (obviously via another mean) that their
email was returned, with a message similar to this:
Subject: Undelivered Mail Returned to Sender
From:MAILER-DAEMON@mo557.mail-out.ovh.netThis is the mail system at host
mo557.mail-out.ovh.net.Iām sorry to have to inform you that your message could not be delivered to one or more recipients. Itās attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can delete your own text from the attached returned message.
The mail system
foo@gmail.com: host gmail-smtp-in.l.google.com[66.102.1.27] said: 550-5.7.26 The MAIL FROM domain [gmx.com] has an SPF record with a hard fail 550-5.7.26 policy (-all) but it fails to pass SPF checks with the ip: 550-5.7.26 [46.105.33.1]. To best protect our users from spam and phishing, the 550-5.7.26 message has been blocked. Please visit 550-5.7.26 https://support.google.com/mail/answer/81126#authentication for more 550 5.7.26 information. h21-20020a05600c351500b003eb3caa4d08si2037016wmq.38 - gsmtp (in reply to end of DATA command)
Note: I use GMX as an example here because itās a sender domain that I was consistently getting SPF issues with because of my redirect setup.
This doesnāt seem to be a very widely encountered problem, yet I could find a few occurrences of it in the wild like on this Reddit post as well as those Google support threads (in French, and sadly locked so I couldnāt post the solution there).
Whatās going wrong here? It turns out that the sender domain (in this
example, gmx.com) had configured a strict SPF policy
that only allowed their own servers to deliver emails from @gmx.com
addresses.
We can check this running the following command:
$ host -t TXT gmx.com | grep spf
gmx.com descriptive text "v=spf1 ip4:213.165.64.0/23 ip4:74.208.5.64/26 ip4:74.208.122.0/26 ip4:212.227.126.128/25 ip4:212.227.15.0/24 ip4:212.227.17.0/27 ip4:74.208.4.192/26 ip4:82.165.159.0/24 ip4:217.72.207.0/27 -all"
Note: to be clear, this is not a bad thing. Itās totally legitimate
from GMX to only allow their own servers to deliver emails from
@gmx.com addresses!
The reason it doesnāt happen with most sender domains is that itās
common to configure SPF with a āsoft failā (~all) instead of a āhard
failā (-all) like GMX does. See the difference here.
A soft fail would result in the email being delivered but potentially being flagged as spam, whereas a hard fail gets downright rejected.
Since Gmail do check the origin sender SPF policy and enforces it, it
rejected the @gmx.com email being forwarded by my OVH relay.
If you want to learn more about this issue, this post from Tiger Technologies is a very good read.
Sadly thereās no trivial fix for this. The post linked just above mentions a few solutions in the last section but notes that theyāre not widely available and might cause other issues. Their conclusion is: for now, weād recommend simply not forwarding important mail to other ISPs.
What can we do from there? Well in my case, I had to reverse the relationship between my OVH address and Gmail: instead of my OVH address forwarding emails to Gmail, I removed the redirect and configured Gmail to fetch emails from my OVH address via POP3.
Note: this alternative method is not specific to OVH and Gmail. It will work as long as:
In order to do this with Gmail, their guide on checking emails from other accounts.
And if your intermediary (redirect) address is on OVH, you can find the proper POP3 settings to use on their configuration guide, either for OVH France or OVH Canada. In short, itās:
| Region | Host | Port |
|---|---|---|
| France | ssl0.ovh.net |
995 |
| Canada | pop.mail.ovh.ca |
995 |
The main downside of this solution is that instead of OVH pushing mails to Gmail, Gmail has to pull them from OVH periodically. Concretely, this means increased latency. Instead of receiving emails right away, youāll have to wait until Gmail decides to fetch emails from your external accounts.
Thereās no clear rule on how often Gmail checks external accounts. It seems to be proportional to how often you receive new emails: if you often receive new emails, itāll check quite often, but if you receive just a few messages per day, it can wait 10, 20 or even 30 minutes between refreshes.
Looking into this I found quite a few smart tricks to get Gmail to check your external accounts more often.
The first one is described in this post, and consists in configuring a server of yours to send you an email (on the address you check via POP3) every minute or so. This way, Gmail will notice youāre getting a lot of messages and will check more often.
To avoid your inbox getting flooded by those messages, you can simply add a filter that puts them directly to the trash!
What if you donāt have a server handy to run this script? As described in this Lifehacker post, you can run the code as Google Apps Script on Google Sheets. Thatās pretty rad if you ask me. š
But what if you donāt want to write code at all? This Stack Exchange comment got you covered: just create a dummy Google Calendar event repeated every X minutes, and set up an email reminder for this event. š¤Æ
With OVH, thereās another option that allows you have the speed of the redirect when it works, but still receive the messages even when thereās an SPF rejection. The problem of this approach is that it will still result in the āUndelivered Mail Returned to Senderā message being sent to the sender in case SPF fails (even if you do get the email), which is not ideal.
This solution consists in the OVH email redirect settings to ākeep a copy of the email at OVHcloudā. This option is only available during the initial redirect creation and canāt be modified later on, so if you initially configured it as ādo not store a copy of the emailā, youāll need to delete your redirect and recreate it.
Note: creating a redirect that keeps a copy of the email on OVH materializes as two redirect entries: one from source to source, and one from source to destination.
For example, itāll show:
foo@foo.com to foo@gmail.comfoo@foo.com to foo@foo.comJust noting that here because it can be confusing.
On top of that, you also configure Gmail to check your OVH emails via POP3 as explained earlier.
The result is that when the redirect works, youāll get your emails instantly. When case the redirect fails, the message will still end up in your OVH inbox, which Gmail will fetch eventually, so youāll still get it that way.
But as I said, because the redirect failed, the sender will still receive back an error email and believe that you didnāt receive their email. I donāt know of a way to avoid that with this solution.
As for the messages that were successfully redirected, be assured that they wonāt be duplicated! Even though they will be fetched again when Gmail refreshes the POP3 inbox, Gmail is able to tell that itās the same message that it already saw and will not show it to you twice. Neat.
In this post we explored the technical details of a common error that happens when an email redirect conflicts with the origin SPF rules.
We saw that we can mitigate it under certain conditions, by reversing the redirect relationship: instead of one email redirecting to another, you need to have the second email checks the inbox of the former.
With Gmail, this can introduce unwanted latency, but thereās a few hacks to work around that.
Finally we saw an hybrid approach that gets āthe best of both worldsā, except for the error message still being sent backā¦
What was your favorite option? Let me know on Twitter!
And if you know of other solutions I didnāt mention, please send me an email! Even if you do strict SPF checks, donāt worry, Iāll receive it. š