- Environment has a primary mail delivery location which is EFA - let's call that mail1.contoso.com.
- I also have a secondary mail delivery location which is a FreeBSD host on a different ISP - let's call that mail2.contoso.com.
- Users receive email from a sender whose domain is "secured" by SPF (with a hardfail for IPs not in the SPF record)
- The email is directed to the secondary MX because the primary MX was unavailable (e.g. reboot, link failure, overload, routing issues, etc.).
http://www.openspf.org/Why?s=mfrom;id=u ... ontoso.com
Suggestions welcome - whether that be:
- A way to configure semi-trusted MXs (ignore SPF for this connecting server, but process all other rules e.g. SA, Clam)
- A way for the secondary MX to tag the email as "Via trusted secondary" - never seen this in my years of doing mail servers, but you never know!
- A way to configure the SPF check to evaluate other headers - i.e. IF from secondary-mx, check previous header for SPF compliance
- Something else
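
The third suggestion above (when the connection comes from the secondary MX, check SPF against the previous hop), sketched as an added example that is not part of the original post and not EFA's own code. It assumes Postfix-style `Received` lines; 192.0.2.25 is a placeholder for mail2.contoso.com's address, and the sample message is constructed.

```python
import ipaddress
import re
from email import message_from_string

# Assumption: 192.0.2.25 stands in for mail2.contoso.com's address (placeholder).
TRUSTED_RELAYS = [ipaddress.ip_network("192.0.2.25/32")]
BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RELAYS)

def spf_client_ip(connecting_ip, raw_message):
    """Return the IP to evaluate SPF against, or None if it cannot be determined."""
    if not is_trusted(connecting_ip):
        return connecting_ip  # normal direct delivery: use the connecting IP
    msg = message_from_string(raw_message)
    # Received headers are prepended, so the newest hop comes first. Headers are
    # only believed while the hop that wrote them is us or a trusted relay.
    for received in msg.get_all("Received", []):
        from_clause = re.split(r"\sby\s", received, maxsplit=1)[0]
        ips = BRACKETED_IP.findall(from_clause)
        if not ips:
            return None
        try:
            # Take the last bracketed value: in "from HELO (rdns [ip])" the HELO
            # part is sender-controlled and may itself be a forged [literal].
            if not is_trusted(ips[-1]):
                return ips[-1]
        except ValueError:
            return None  # malformed address: do not guess
    return None

# Constructed sample: relayed via the secondary, with a forged HELO literal.
SAMPLE = """\
Received: from mail2.contoso.com (mail2.contoso.com [192.0.2.25])
\tby mail1.contoso.com (Postfix) with ESMTP id 1111;
\tMon, 1 Jan 2024 00:00:05 +0000
Received: from [192.0.2.25] (out.sender.example [198.51.100.7])
\tby mail2.contoso.com (Postfix) with ESMTP id 2222;
\tMon, 1 Jan 2024 00:00:01 +0000
From: alice@sender.example
Subject: constructed sample

body
"""
```

The returned address is what would be handed to the SPF evaluator in place of the secondary's IP; `None` means the hop could not be established and the check should be skipped rather than failed.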