Failed SPF for email imported to Gmail because of client IP instead of server's in message when sent through SMTP from one local box to another

Solution 1:

Disclaimer: This answer was speculation one until GMail person confirmed it.

Looks like it's GMail mishandle your fetched email here. Some peoples also report similar case with yours in here, here or here

The problem is: GMail also deploying SPF measure when scanning email after fetching it via POP3.

Normally SPF-checking take place in SMTP transaction by checking the domain parts of sender address and client IP address. But in POP3, GMail has to parsing header and find the last Received header.

Received: from nat10.net08-g2.* ([*.160.100.10] helo=[])
    by with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128)
    (Exim 4.83)
    (envelope-from <[email protected]>)
    id 1YOOXn-0005j5-Tm
    for [email protected]; Thu, 19 Feb 2015 11:41:20 +0100

This is original email that fetched from your server. It states that your email accepts email from *.160.100.10 with sender [email protected]. In this stage Gmail pretends as your server and checks domain parts of sender address ( and client IP address (*.160.100.10). The result was expected:

SPF softfail because domain of [email protected] does not designate *.160.100.10 as permitted sender

For workaround, you can set Gmail filters to never mark your email as Spam.

Solution 2:

It seems to be a bug that Gmail does not respect the ESMTPA in the Received header to show the MUA is a trusted host. Some possible workarounds come to mind:

  1. use split MX, that is, one Exim instance to receive and forward from authenticated clients, and a second to receive into mailboxes. That simulates the ISP-to-ISP mail that Gmail may be expecting, and there will be an IP address in the headers that matches the SPF record.
  2. add a Received header at the top that simulates the above transfer, by adding add_header = Received: by with ESMTP ....
  3. for the users checking their mail in Gmail via POP, forward a copy to their Gmail account instead.