Someone has decided to use my email address as a spam source. They have even used Google to relay it, which, given Google's current policies, seems like a winning idea.
I keep getting emails from Google’s servers with header lines like this:
X-Original-Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of [email protected] does not designate 18.104.22.168 as permitted sender)
You don’t say? You mean even though my SPF records do not include some dodgy server in California, even though Google knows I don’t include this in my SPF records… well we will let the email go through anyhow.
SPF records mean that’s where my email comes from. If the record has a -all at the end of it, like mine do, then it means don’t accept it from anywhere else. The hardfail means Google sees the -all and still does nothing about it.
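To make the -all behaviour concrete, here is an added example (not from the original post) that evaluates a sender IP against an SPF record and pulls the result out of a header like the one above. The record, header, addresses and function names are constructed for illustration, and only the ip4, ip6 and all mechanisms are handled.

```python
import ipaddress
import re

# Qualifier in front of a mechanism -> result when it matches (RFC 7208).
# Google's "hardfail" in the header is the RFC "fail" result.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample data (documentation address ranges, not real senders).
SAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 -all"
SAMPLE_HEADER = ("X-Original-Authentication-Results: mx.google.com; "
                 "spf=hardfail (google.com: domain of sender@example.com does "
                 "not designate 203.0.113.25 as permitted sender)")

HEADER_RE = re.compile(
    r"spf=(\w+)\s+\(.*?does not designate (\S+) as permitted sender\)")

def evaluate_spf(record, sender_ip):
    """Evaluate sender_ip against record using only ip4/ip6/all.

    Mechanisms that need DNS (a, mx, include, ...) are skipped, so this is
    a narrowed illustration, not a full RFC 7208 evaluator.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":  # catch-all: "-all" fails every other sender
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"

def parse_auth_results(header):
    """Return (spf_result, sender_ip) from the header, or None."""
    m = HEADER_RE.search(header)
    return (m.group(1), m.group(2)) if m else None

if __name__ == "__main__":
    result, ip = parse_auth_results(SAMPLE_HEADER)
    print(f"header says spf={result} for {ip}")
    print(f"record evaluates to: {evaluate_spf(SAMPLE_RECORD, ip)}")
```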