Let's say I have:

  • public IP address A: sending host
  • public IP address B: mail relay for A
  • public IP address C: receiver MX

What IP does C look at?

Does he try to find the IP of A in the "Received" headers (e.g. by trying to find the first non-private IP)? Or does he use the source IP address of the connection established in this case from B?

I see that, for example, googlemail seems to do the latter, while it looks like one of our local providers seems to do the former.

https://www.rfc-editor.org/rfc/rfc7208 does not really enlighten me concerning this basic point. I did find the circumstantial phrase

Because SPF evaluation is based on the IP address of the "last" sending SMTP server

in section 10.3, but I guess there needs to be a clearer definition somewhere.

Marki

1 Answer

Received: from headers are not reliable except when placed there by servers under your control, so it would make no sense to examine them. Even if they were reliable, many come from internal movements of email inside the sender's infrastructure, about which SPF has nothing to say, so it would be inappropriate to examine those.

In fact, that sentence you quote is precise and unambiguous: when your server is performing an RFC-compliant SPF check on an inbound email, all it cares about is the address of the server that is trying to submit the email. Or, as s4.1 of the RFC you point to says:

The check_host() function takes these arguments:

- the IP address of the SMTP client that is emitting the mail, either IPv4 or IPv6

If that address is from a range permitted by the appropriate record, the email should pass; if not, its fate should fall to the all record, and it should be handled accordingly.

It is certainly possible that some providers examine the purported chain of relay addresses more deeply, but that is (a) not part of the SPF RFC, and (b) entirely their own business.

MadHatter
  • Well who is "emitting" the mail in case several servers are in the chain? :) – Marki Mar 24 '16 at 10:56
  • 1
    The one you are talking to! Have I not been clear that you cannot know that there have been several servers in the chain unless you yourself control them all, in which case you're at the wrong stage to be checking SPF records? – MadHatter Mar 24 '16 at 10:56
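
As an added example (not part of the answer or comments above, and not code from RFC 7208), this sketch evaluates one SPF record twice per message: against the address of the connecting SMTP client, as check_host() takes it, and against the address claimed in a Received header. The record, addresses, host names and function names are constructed for illustration, and only the ip4, ip6 and all mechanisms are handled.

```python
import ipaddress
import re

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(client_ip, record):
    """Simplified RFC 7208 check_host(): ip4, ip6 and all only, no DNS."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() not in ("ip4", "ip6"):
            raise ValueError("mechanism not handled in this sketch: " + name)
        net = ipaddress.ip_network(value, strict=False)
        if net.version == ip.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term

def header_claimed_origin(headers):
    """IP in the oldest (bottom) Received line: data the peer supplied."""
    match = re.search(r"\[([0-9A-Fa-f:.]+)\]", headers[-1])
    return match.group(1) if match else None

# Constructed sample data (documentation address ranges, made-up host names).
RECORD = "v=spf1 ip4:203.0.113.0/24 -all"    # authorises relay B only
RELAY_B, UNLISTED = "203.0.113.25", "192.0.2.66"
VIA_RELAY = ["Received: from a.example.org ([198.51.100.10]) by relay.example.org"]
FORGED = ["Received: from relay.example.org ([203.0.113.25]) by mx.example.net"]

def compare(peer_ip, headers):
    """(result from the TCP peer address, result from the header guess)."""
    return (check_host(peer_ip, RECORD),
            check_host(header_claimed_origin(headers), RECORD))

if __name__ == "__main__":
    print("A via relay B:", compare(RELAY_B, VIA_RELAY))   # ('pass', 'fail')
    print("unlisted host:", compare(UNLISTED, FORGED))     # ('fail', 'pass')
```

The header-based guess is wrong in both directions: it fails legitimate mail relayed through B, and it passes a message whose Received line was written by the connecting client itself.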