Why is SPF being validated against my mail server's IP instead of sender's IP?

I have a mail server "example.com" which forwards all emails with recipient "[email protected]" to "[email protected]". My mail server runs Postfix and it uses the virtual_alias_maps mechanism to perform the forwarding. I also have SPF records installed for "example.com":

v=spf1 a include:aspmx.googlemail.com ~all

The problem is, whenever someone delivers mail to "[email protected]", Gmail validates the example.com SPF records against example.com's IP address! I thought it's supposed to validate against the original sender's IP address.

For example, I'm on my laptop on my home Internet connection. I connect to example.com's mail server as follows:

$ telnet example.com 25
20 example.com ESMTP Postfix (Debian/GNU)
HELO my-laptop.local
250 example.com
MAIL FROM:<[email protected]>
250 2.1.0 Ok
RCPT TO:<[email protected]>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From: [email protected]
To: [email protected]
Subject: test

test
.
250 2.0.0 Ok: queued as CE5F42200F9

Now when I open that mail in Gmail and view its source, I see the following headers:

Delivered-To: [email protected]
Received: by 10.231.219.195 with SMTP id hv3csp61494ibb;
        Sat, 14 Jul 2012 02:15:58 -0700 (PDT)
Received: by 10.229.135.5 with SMTP id l5mr2360326qct.5.1342257358291;
        Sat, 14 Jul 2012 02:15:58 -0700 (PDT)
Return-Path: <[email protected]>
Received: from example.com [EXAMPLE.COM's IP ADDRESS HERE]
        by mx.google.com with ESMTP id u9si4262071qcv.89.2012.07.14.02.15.58;
        Sat, 14 Jul 2012 02:15:58 -0700 (PDT)
Received-SPF: neutral (google.com: [EXAMPLE.COM's IP ADDRESS HERE] is neither permitted nor denied by domain of [email protected]) client-ip=[EXAMPLE.COM's IP ADDRESS HERE];
Authentication-Results: mx.google.com; spf=neutral (google.com: [EXAMPLE.COM's IP ADDRESS HERE] is neither permitted nor denied by domain of [email protected]) [email protected]
Date: Sat, 14 Jul 2012 02:15:58 -0700 (PDT)
Message-Id: <[email protected]>
Received: from my-laptop.local ([LAPTOP's IP ADDRESS HERE])
    by example.com (Postfix) with SMTP id CE5F42200F9
    for <[email protected]>; Sat, 14 Jul 2012 09:15:44 +0000 (UTC)
From: [email protected]
To: [email protected]
Subject: test

As you can see in Received-SPF and Authentication-Results, the SPF records are being validated against [EXAMPLE.COM's IP ADDRESS] instead of [LAPTOP's IP ADDRESS].

Why does this happen, and how do I fix this problem?


google [or anyone else] will validate spf agains the ip address they see connecting to them. in that case it'll be ip address of your postfix server; you cannot fix it - it's by design....

by design spf has an 'issue' with forwarding unless message is 'repackaged' and sender address rewritten to the one of forwarder.