Mailscanner, forwarding and SPF

Mark Sapiro mark at
Tue Feb 21 16:40:56 UTC 2017

On 02/21/2017 04:57 AM, Nerk Nerk wrote:
> Same thing happens with DKIM/DMARC by the way, not just SPF.

These are separate issues. For SPF, the issue is PayPal doesn't list
your server as authorized to send mail with envelope from PayPal, so you
can't just relay the mail, you also have to rewrite the envelope sender
which means "resending" the message rather than relaying it so that the
next hop sees the envelope as from say mailscanner at your.domain rather
than sender at This is a problem with the design of SPF and
occurs with any situation where there is a .forward or other type of

The problem with rewriting the envelope sender is it will cause
downstream bounces to be returned to you rather than the original
sender. Also see
but note that this doesn't rewrite the envelope sender. It just records
the original envelope sender in an Envelope-From: header in the message.

DKIM signatures are a different issue. If you make no transformation to
the message which affects the body or DKIM signed headers, DKIM will
still validate downstream. If the issue breaking DKIM is added
MailScanner headers, see

DMARC is yet another issue, but if the message is DKIM signed by the
From: domain and you don't break the DKIM sig, the message should pass

Mark Sapiro <mark at>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the MailScanner mailing list