I run two separate and independent Mailcow instances, one for myself and another for a small club (a German “e.V.”).
On my own instance I use regular mailboxes and everything works fine, but some mails I get via the club address are marked as spam and sometimes are rejected by rspamd, so I started to investigate:
On the club instance we don’t use regular mailboxes; instead we redirect the email traffic via aliases, from a public address (“firstname.lastname@example.org”) to private mailboxes (e.g. gmail, outlook, gmx, web or “myname@my-Mailcow.tld”).
This leads to the problem that the SPF check fails (“R_SPF_FAIL (10)”, if the sender uses an SPF hardfail “-all”) and gives “FORGED_RECIPIENTS (1)” - therefore the high spam score. And I can understand why it does indeed look shady that the IP is sending emails claiming to be from e.g. a gmail account.
Other options I tried, with different outcomes:
- a mailbox and forward the incoming traffic in SOGo (No “R_SPF_FAIL” - great, but “FORGED_W_BAD_POLICY (3)” and very inconvenient)
- address rewriting with recipient map (“R_SPF_FAIL (10)” and “FORGED_RECIPIENTS (2)”)
- address rewriting with a BCC map (“R_SPF_FAIL (10)” and “FORGED_RECIPIENTS (2)”) + need for a mailbox
- use a filter and redirect (“FORGED_W_BAD_POLICY (3)”) + need for a mailbox
For me it seems to be the best option to use a filter-based redirection, even if it means adding a bunch of mailboxes nobody needs. Or is there another option I haven’t even thought of?
And if somebody knows why the SPF only fails for some of the above redirections and what “FORGED_W_BAD_POLICY” and “FORGED_RECIPIENTS” mean, I would love a short explanation.
Huge thanks in advance for anybody who can contribute! 🙂
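
Added example (not part of the original post, and not Mailcow or rspamd code): a minimal SPF evaluation showing why the hardfail described above appears when a server forwards mail while keeping the original envelope sender. All domains, IPs and records are constructed, only the `ip4` and `all` mechanisms are modelled, and the rewritten-envelope case assumes a forwarder that puts its own domain in MAIL FROM.

```python
import ipaddress

# Constructed SPF records (documentation domains and IP ranges, not real data).
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 -all",    # hardfail policy
    "softfail.example": "v=spf1 ip4:192.0.2.0/24 ~all",  # softfail policy
    "club.example": "v=spf1 ip4:198.51.100.10 -all",     # forwarding domain
}
FORWARDER_IP = "198.51.100.10"  # hypothetical IP of the forwarding server

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(mail_from, client_ip):
    """Evaluate the SPF record of the MAIL FROM domain against the connecting IP."""
    domain = mail_from.rsplit("@", 1)[1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


def deliveries():
    """SPF result as seen by the final receiver for four delivery paths."""
    return {
        # Sender's own server delivers directly.
        "direct": check_spf("alice@sender.example", "192.0.2.25"),
        # Forwarder relays but keeps the original envelope sender.
        "alias_forward": check_spf("alice@sender.example", FORWARDER_IP),
        "alias_forward_softfail": check_spf("bob@softfail.example", FORWARDER_IP),
        # Forwarder uses an envelope sender in its own domain (assumption).
        "rewritten_envelope": check_spf("forward@club.example", FORWARDER_IP),
    }


if __name__ == "__main__":
    for name, result in deliveries().items():
        print(f"{name:24} {result}")
```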