You can see that the mail was received from a Gandi server:
Received: from relay10.mail.gandi.net (relay10.mail.gandi.net. [2001:4b98:dc4:8::230])
You can see that the Gandi servers are not authorized in the SPF record:
Received-SPF: softfail (google.com: domain of transitioning [email protected] does not designate 2001:4b98:dc4:8::230 as permitted sender)
SPF checks against the return-path header, not the mailfrom header. The return-path is [email protected]. Therefore, gmail.com SPF records do not permit Gandi servers to send email using a return-path with gmail.com email addresses.
SPF is functioning normally. What you are seeing is an inherent weakness in the SPF protocol regarding mail forwarding. When mail is forwarded at the MTA (mail server) level, the mailfrom and return-path headers are not rewritten (nor should they be), but when the forwarded mail reaches the recipient's email server it is coming from the forwarding server, and not from the sender's original email server. Therefore, the recipient's email server checks SPF and sees that the return-path domain does not authorize the forwarding email server to send mail.
Forwarding breaks SPF. Because you do not control the SPF records for the gmail.com domain, you cannot authorize Gandi servers to forward mail on gmail's behalf. This is why SPF cannot be used, alone, to determine if mail is authorized or not.
You have four solutions (Options 1 and 2 require a paid Google workspace account I believe):
- Make sure that when you send email from gmail using an alias email address, it also uses the email alias in the return-path header. Also add the gmail servers to the SPF record for mydomain.com. For more information about sending email as an alias with gmail see here: https://support.google.com/mail/answer/22370?hl=en
- Configure your MX records and gmail so that email destined to your alias is sent directly to gmail's servers and into your inbox, rather than forwarding them through a third party.
- Receive email destined to your alias email address at the third party, instead of forwarding the message. Then configure Gmail to collect that email from the third party using the Import emails from my other account (POP3) option in gmail.
- If you have control over the behavior of the forwarding email server, you could create a rule that rewrites the return-path header to match the mailfrom header when it forwards email that is received from and destined to one of your email aliases.