As of today our Google Apps account is reporting that emails coming from our JIRA Server instance are unable to be verified as coming from our domain. The setup is as follows (HOSTNAME:IP) ...
MTA.TLD: 1.1.1.1
JIRA.TLD: 2.2.2.2
1.1.1.1 is in our SPF record and email from other clients using 1.1.1.1 as SMTP gets delivered with no issues. When sending through JIRA with 1.1.1.1 configured as SMTP, the SPF fails with the following:
Received: from MTA.TLD (MTA.TLD. [1.1.1.1]) by mx.google.com with ESMTPS id SOME_ID for <user@domain.com> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 20 Jun 2018 07:30:14 -0700 (PDT)
Received-SPF: fail (google.com: domain of jira@domain.com does not designate 2.2.2.2 as permitted sender) client-ip=2.2.2.2;
Authentication-Results: mx.google.com; spf=fail (google.com: domain of jira@domain.com does not designate 2.2.2.2 as permitted sender) smtp.mailfrom=jira@domain.com
Received: from JIRA.TLD (JIRA.TLD [2.2.2.2]) by MTA.TLD (Postfix) with ESMTP id SOME_ID for <user@domain.com>; Wed, 20 Jun 2018 07:30:13 -0700 (MST)
The only thing I could find about what might cause this is if the client is using its own mail relay to send email to MTA.TLD. Best I can tell from the SMTP logs when sending test emails, this is not the case with JIRA, but I'm not entirely sure. Does anyone know if this is the case, or of something else that might be causing this validation error or for SPF validation to use the client-ip rather than the MTA IP?
I ran into a variety of issues when we migrated from an in-house Exchange server to G-Suite. While what you're running into may be a PITA, it's probably a Good Thing from a security standpoint.
You may need to speak to your G-Suite admins about adding your host if it hasn't been already. I grepped Google and turned up this article: https://support.google.com/a/answer/33786
The other thing you may well run into, if your instance is of any size and activity, is G-Suite's hard limit of 2k messages per day through its SMTP server. If your MTA is sending out via G-Suite SMTP, this will eventually be a problem. We eventually just used another SMTP service (in our case, since I'm running in AWS, I just used AWS SES and configured that directly as the SMTP server).
Hope this gives at least some pointers to a solution. Good luck.
mike
Thanks for the response Mike. We are indeed using our own SMTP mail server and not Google SMTP servers. Our initial quick fix is to add JIRA to our SPF record, but the JIRA server shouldn't be in our SPF record if it's a client and not actually delivering mail to our domain, which it's not. Worth noting that when sending mail from JIRA to non-company domains like gmail.com, the SPF uses the MTA address rather than the JIRA server IP and passes fine.
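A diagnostic for the condition described in this thread, added here as an example and not posted by anyone in it. It parses the headers from the question (abridged, with the question's placeholder hosts and IPs) and reports whether the IP in `client-ip` is the server that connected to mx.google.com or an earlier hop. The function names `received_hops` and `spf_diagnosis` are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample: the question's headers, abridged, placeholders kept.
SAMPLE = """\
Received: from MTA.TLD (MTA.TLD. [1.1.1.1]) by mx.google.com with ESMTPS id SOME_ID
 for <user@domain.com>; Wed, 20 Jun 2018 07:30:14 -0700 (PDT)
Received-SPF: fail (google.com: domain of jira@domain.com does not designate
 2.2.2.2 as permitted sender) client-ip=2.2.2.2;
Received: from JIRA.TLD (JIRA.TLD [2.2.2.2]) by MTA.TLD (Postfix) with ESMTP id SOME_ID
 for <user@domain.com>; Wed, 20 Jun 2018 07:30:13 -0700 (MST)
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)


def received_hops(msg):
    """Return Received hops, newest first, as (from_host, from_ip, by_host)."""
    hops = []
    for value in msg.get_all("Received", []):
        m, ip = HOP.search(value), IP_IN_BRACKETS.search(value)
        if m:
            hops.append((m.group(1), ip.group(1) if ip else None, m.group(2)))
    return hops


def spf_diagnosis(raw):
    """Compare the IP SPF was checked against with the IP that connected."""
    msg = message_from_string(raw)
    spf = msg.get("Received-SPF", "")
    result = spf.split()[0].lower() if spf else None
    m = re.search(r"client-ip=([0-9.]+)", spf)
    checked_ip = m.group(1) if m else None
    hops = received_hops(msg)
    connecting_ip = hops[0][1] if hops else None
    # Index of the hop whose sending IP matches the one SPF evaluated.
    origin = next((i for i, h in enumerate(hops) if h[1] == checked_ip), None)
    return {
        "result": result,
        "checked_ip": checked_ip,
        "connecting_ip": connecting_ip,
        "checked_hop_index": origin,
        "mismatch": checked_ip is not None and checked_ip != connecting_ip,
    }


if __name__ == "__main__":
    print(spf_diagnosis(SAMPLE))
```

A `checked_hop_index` greater than 0 together with `mismatch` set means the receiver evaluated SPF against a hop behind the connecting MTA, which is the case shown in the question's headers.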