Dave Schweisguth in a Bottle

8 Feb 2011: Caveat lector! I no longer recommend the setup I described in this post. See the followup for the reason why not. The details in this post may still be useful to some, however.

I run my own domain name service (DNS) and mail service (sendmail) on my home Linux server. Until recently I filtered spam with spamassassin, but the spam that it let through grew until it was time to find another way. I could lower spamassassin’s bar for considering something spam, but it would then not be easy to rescue good mail that was wrongly considered spam. GMail allows you to forward mail from elsewhere to it and retrieve mail via POP or IMAP and it has severe but easy-to-tune spam filtering, so that’s what I used.

In my first setup, I aliased my home account to my GMail account in /etc/aliases and used fetchmail to pull mail back from GMail to home. Initially, that appeared to work great: I got all of my mail just as before and no spam at all (in fact, I had to spend some time rescuing bulk mail that wasn’t spam from my spam folder, but GMail knows about that now).

However, I had a residual problem: some of my filtered emails had an Authentication-Results header indicating that, according to the SPF record for the sender’s domain, my home server was not allowed to send mail from the sender’s domain. Forwarding through sendmail results in email that says it’s from one domain (the original sender’s) coming from another (that of the forwarder), which is exactly what SPF is supposed to prevent. All of my mail was getting through, either because it came from domains without SPF, because it came from domains with SPF configured to ‘softfail’ (that is, to be considered as only advisory), or because GMail wasn’t acting on SPF advice. (I have no evidence that the latter was happening; I just never ruled it out.) Although I was getting my mail for now, I might lose mail if any of several things changed.

Read the rest of this entry »