[kilburn]

> pre-delivery forwarding servers just need to be added to spf. If you use random third party smtp relays, then this is precisely what spf is trying to avoid.

The huge problem here is "forward all e-mail I receive to my gmail account" or similar. If you do that pre-delivery, you break SPF. If you do it post-delivery, gmail makes you responsible for any junk that gets through. If you make your filters harsher, the user complaints some e-mails are lost. What is your solution to this problem?

> the way internal servers implement aliases is their problem, there is not necessarily a need to go through an smtp relay (my mail server doesn't)

Now you send an e-mail to contact@yourbank.tld and the message is rejected because of your SPF policy and their usage of internal relays. You can (a) fight the corporate shitshow to get someone to fix the bank's relay; or (b) relax your SPF policy. You may be willing to pursue (a), but a company that sells e-mail services to thousands of clients just cannot enter those fights and still be economically viable.

Don't get me wrong. I use SPF (DMARC actually) on my personal server and it actually helps (as a low volume sender), but the moderate volume senders' problems are different from those of personal e-mail servers, and SPF works much worse there.

[cm2187]

> gmail makes you responsible for any junk that gets through

I'd argue this is the fair and correct behavior. Effectively you created a kind of open relay server. Since you accept external traffic, you should be filtering for spam there.

> the message is rejected because of your SPF policy and their usage of internal relays

I'd assume that if it is an internal relay server, then it shouldn't be checking for spf internally. Only the server receiving incoming external traffic should check spf. Sounds like a misconfiguration.

[kilburn]

> I'd argue this is the fair and correct behavior.

A behavior that breaks how the mail system has been working since forever, and that people expect and use all the time.

It may not be right, but it is used and not even the big players (such as gmail) are willing to break it (hence why gmail actually tells other admins to use pre-delivery forwards disregarding SPF, but respecting DKIM wich is broken if you use post-delivery aliases) [1].

[1] https://support.google.com/mail/answer/175365?hl=en

> Sounds like a misconfiguration.

A misconfiguration you cannot fix (because it is on the receiver end, not on your end). But the client pays you for the service, and understandably asks you for a solution. What would you tell them?

I understand your points, and mostly agree with them. However, this approach only works in an ideal world where users understand that e-mail should have some limitations it hasn't had for the last 30 years, and all administrators are "good citizens" (they know their stuff, acknowledge their issues and work to quickly fix them).

The real world is different: clients will demand solutions, and other admins will oftentimes be either ignorant, powerless or even adversarial.

[detaro]

I don't think it makes sense to classify an individually set-up, per-account redirect an "open relay server". It can't be used to do anything the user didn't intend.

Maybe it would help to allow users to whitelist such cases.