sender rewriting scheme
The “Sender Rewriting Scheme” (SRS) is designed to handle the problem that SPF by itself breaks mail forwarding. When server A sends a mail to machine B, which in turn forwards it to system C, server C's SPF check will fail since it concludes that machine B isn't allowed to send from server A's mail address. This might result in authentication results like this:
Received-SPF: softfail (spf.example.com: domain of transitioning some.name@example.org does not designate 192.0.2.18 as permitted sender) receiver=spf.example.com; client-ip=192.0.2.18; helo=mx02.example.com; envelope-from=some.name@gmail.com
With SRS, the server which is forwarding mail will rewrite the envelope-from, which is the address that will be verified by SPF. For example, an envelope-from <some.name@originaldomain.com> might be rewritten to:
<SRS0=OnZr=OR=originaldomain.com=some.name@relaying-server.com>
The data SRS0=OnZr=OR= prefixing the converted address indicates that this is SRS version 0, followed by a hash value for security purposes. Newer SRS versions may also contain timestamps which allow rewritten addresses to expire.
In particular, the domain part of the rewritten address is the one which the relaying mail server has a valid SPF record for, so that the final SPF check will succeed.