
Gmail SPF Softfail 0.0.0.0 when sending between accounts on the same server.

Comments

20 comments

  • cPRex Jurassic Moderator
    Hey there!
    When a user sends by their webmail to a recipient account on the same server, and the recipient receives the message in Gmail

    Can you clarify this part a bit for me? If they are sending the message to an account on the same server, what mechanism gets the message to Gmail? Is there a forwarder or mailing list in place?
    0
  • DigitalComunic
    Hello cPRex. Yes sure, sorry for any misconception in explaining. No forwardings or lists, but pop3. I notice the issue with users who host their domains and emails on my server but download (from my server) and read their emails in gmail.com via pop3 (Gmail settings > Accounts & Import > Check emails from other accounts).
    0
  • cPRex Jurassic Moderator
    If you do a search on Google for their own "SPF: PASS with IP 0.0.0.0" message, you only get two results, both of which aren't helpful. Since the SPF record checks out everywhere else, you may want to contact Google directly to see if they can offer more specific details on that behavior as I'm not finding anything on my end.
    0
  • vikins
    This issue is the same as this issue.
    0
  • cPRex Jurassic Moderator
    I'm not able to merge a thread that's five years old, but I'm happy to talk about the issues here.
    0
  • vikins
    Thanks. Did you remove my reply on the other thread?
    0
  • cPRex Jurassic Moderator
    I did remove that reply as the thread was five years old.
    0
  • cPRex Jurassic Moderator
    @vikins - I thought I actually merged it into this thread but apparently that didn't work! Can you post that again?
    0
  • vikins
    It was the appropriate place to post because the issue is still happening and that cPanel thread was the most informative and well documented. The most well documented thread anywhere I can find about the issues is this one: 77473

    This happens when people make use of gmail feature "Check mail from other accounts". You can config a gmail account to POP mail from any legit POP mail account and it will pull it into your gmail and process the mail. It will not pull in emails with suspicious attachments though and I've never seen it have a false positive. But unlike when you simply forward mail to gmail, it rewrites the headers in a very strange way and ends up doing an spf check on the client IP address of the original email sender. As in, their home IP address of their wifi router, which makes no sense whatsoever for spf.

    The key thing here is that this doesn't happen with all mail. This only happens with mail that is delivered locally on the server. For example, when a customer sends an email to another customer on the same shared server. That email will process internally and not go through SMTP. It is in these cases that the gmail feature "Check mail from other accounts" will rewrite the header and then it will fail spf and produce this warning. It is a very specific kind of case, but nonetheless it does happen more than you'd think.

    Since google isn't going to fix this anytime soon, there are suggestions out there that adding a header using exim can resolve the issue. I'd like to discuss how this can be accomplished.
    0
  • cPRex Jurassic Moderator
    Thanks for that - I spoke with our email team and they thought it would be best to submit a ticket to our support team so we can see this in action on the server-side to see if there is anything we can do on our end.
    0
  • vikins
    Ticket # 94440007 has been created.
    0
  • cPRex Jurassic Moderator
    Thanks - I'm following along with that on my end as well.
    0
  • Metro2
    @vikins - the same thing you talk about in your post above
    0
  • vikins
    @Metro2 It sounds like you resolved a part of the issue, possibly by getting your spf / dkim / dmarc properly aligned, which can resolve the gmail warning message for most situations. But I think the 10% of messages that you mention that are still having an issue is due to the same issue I'm seeing. These messages are ones produced by the server and/or messages between users on the same server, meaning messages that are handled internally on the server. Those that go through normal SMTP channels are not affected by this issue. Happy to keep working together to solve this last 10% of the issue.
    0
  • Metro2
    @vikins - I actually didn't solve anything. I know my message had a lot of words to skip through, but I mentioned that even before the problems started, SPF/DKIM/DMARC were ALREADY correct. The Workspace technicians I chatted with (and their supervisors) were baffled. But yes, that is in regard to normal mailing situations. Indeed some of the ones that are automated through server notifications (and things like help desk scripts) that may identify as either 0.0.0.0 or no obvious actual sender verify, even if they pass DKIM in some cases, are getting tagged as spam or dangerous by Gmail still. For example - 1 out of every 8 "high 5 minute load alert" messages I receive to an actual POP3 domain account that I have set up in a Gmail account as "Check mail from other accounts" is still getting marked as spam and even some standard server alerts & messages between users on their own domain send email directly to each other (but using Gmail as their POP3 client) are getting marked with the "Caution" banner and suspect as phishing. For no identifiable reason whatsoever. It's going to take a lot of people reporting this situation directly to Google for anything to get done, and even then... expect a long wait.
    0
  • vikins
    @Metro2 Sorry if I missed that. Have you read the ServerFault post?
    0
  • Metro2
    Yes indeed, and it is a conundrum to me that Gmail bases its algorithm on only the IP of the sender even if they're authenticated when the server sends local messages directly to a domain account. It would be wonderful if Google had a support division that was dedicated to working with other providers, but apparently that's only possible if you're already too wealthy to have to work this crap every day like a slave.
    0
  • Volt55
    This has been happening to me too over the last few months, with communication between my clients and myself on the same server being flagged as Softfail too (using Gmail POP3/SMTP). Very annoying as there seems to be no solution. Could a possible fix be for cPanel to include an option to never send email locally across accounts on the same server? What are the repercussions of setting all accounts to 'Remote mail server' in the existing setup? I have SPF, DKIM and DMARC set up on all accounts.
    0
  • DigitalComunic
    I appreciate the way people in this thread can contribute to solving the problem. Based on @vikins' answer, I did tests today by changing the SPF. First I added the sender's local IP address in the domain's SPF record (domain.com). Didn't work, softfail happens in Gmail. Second, I added the sender's local IP address to the hostname's SPF record (server.domain.com). It worked, the softfail did not happen. So for my clients who have a fixed IP address at their location, I am putting their IPs in the hostname SPF records. This works as a partial server-side solution to bypass Gmail's SPF checker. Of course, this doesn't solve it for all my clients, as some of them use dynamic IPs, but it minimizes the problem for me at this point until a complete solution appears.
    0
  • DigitalComunic
    Hello guys. I have a workaround when the customer's email account is being sent over a local broadband dynamic IP. I will share it here. It's simple, just use some dynamic IP hostname service like "noip.com" in the SPF record.

    - In my house I have internet with dynamic IP.
    - I registered an account at noip.com (free or paid, it doesn't matter).
    - I create a hostname for my home in noip.com, eg. digitalcomunicshouse.ddns.net
    - I downloaded the DUC (noip client) and installed it on my home computer.
    - Then I add the hostname in the SPF record for my domain, in cpanel, like this: "v=spf1 ip4:xxx.xxx.xxx.xxx a:digitalcomunicshouse.ddns.net +a +mx ~all"

    Now gmail no longer gives SOFTFAIL 0.0.0.0, but PASS 0.0.0.0. And the message is no longer marked as spam. I will be sending out a newsletter to my complaining customers to get them to do this too. Best regards!
    0
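
Added example, not part of any post in this thread and not cPanel or Google code: a small SPF evaluator showing why the record discussed above returns softfail when the checked address is the sender's home IP (the behaviour vikins describes), and why adding an `a:` mechanism for a dynamic-DNS hostname turns that into pass. The domain `example.test`, the hostname `home.ddns.example`, the addresses and the DNS tables are all constructed; only `ip4`, `a`, `mx` and `all` are handled.

```python
import ipaddress

# Constructed DNS data using documentation addresses; not real records.
DNS_A = {
    "example.test": ["192.0.2.10"],         # the shared mail server
    "home.ddns.example": ["203.0.113.45"],  # dynamic-DNS name for the sender's home line
}
DNS_MX = {"example.test": ["example.test"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Record shapes from the thread, with constructed values substituted.
BEFORE = "v=spf1 ip4:192.0.2.10 +a +mx ~all"
AFTER = "v=spf1 ip4:192.0.2.10 a:home.ddns.example +a +mx ~all"

def _a_match(ip, host):
    """True if any A record of host equals ip."""
    return any(ip == ipaddress.ip_address(a) for a in DNS_A.get(host, []))

def check_spf(record, client_ip, domain):
    """Evaluate a subset of SPF (RFC 7208) left to right; first match wins."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qual = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = _a_match(ip, arg or domain)
        elif name == "mx":
            matched = any(_a_match(ip, mx) for mx in DNS_MX.get(arg or domain, []))
        else:
            continue  # simplification: a real checker handles or rejects other terms
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no "all" term

if __name__ == "__main__":
    for label, rec in (("before", BEFORE), ("after", AFTER)):
        print(label, check_spf(rec, "203.0.113.45", "example.test"))
```

Because `a:` is resolved at check time, the result follows whatever address the dynamic-DNS name currently points to; a home IP that has changed before the update client reports it falls through to `~all` again.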
