Tags: gmail, amazon-ses, spf

SPF failing when sending messages from SES to a mail group


I'm using Amazon SES to send transactional mails to my web app users and I've configured DNS SPF records to allow SES and my mail service provider (HostGator) to send mails on the domain's behalf.

v=spf1 a include:my.serviceprovider.spf.domain.com include:amazonses.com ~all

When sending mails from SES directly to a final user everything goes OK (I get SPF=pass), e.g. SES sends to john@gmail.com.

But when sending mails to a mail group and then on to a Gmail account (e.g. SES to sales@mycompany.com to alex@gmail.com) I get an SPF fail, as shown below. The 11.11.11.11 fake IP was originally one of the IPs of my e-mail service provider (where I've created the sales@ mail group). I've checked this IP and it is covered by the service provider's SPF rules.

ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@mycompany.com header.s=hqqwewqed4rjbjkvcakncrfw4jzkxxxxx header.b=30W9XA9ix;
       dkim=pass header.i=@amazonses.com header.s=224sdqrqv7c2xzdsgdsgdswotestdasteono header.b=jz+4Da2dsaW;
       spf=fail (google.com: domain of xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx@amazonses.com does not designate 11.11.11.11 as permitted sender) smtp.mailfrom=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx@amazonses.com;

When the destination address is a mail group I guess SES sends the mail to my provider and it forwards it to the final users. But the error says that Amazon does not designate my mail service provider's IP as a valid sender, and I'm confused: why is SES supposed to designate anything, considering the domain already did it?

What additional steps should I do to avoid this SPF fail?


Solution

  • SES is not sending on behalf of your domain in the Return-Path or smtp.mailfrom header. Instead it is using its own. That means that, when sending to Gmail, Google's servers will see that the Amazon servers are allowed to send on behalf of amazonses.com. However, when sending through your Mailbox Service Provider, via the group, it will fail, because amazonses.com does not list your MSP in its SPF.

    So, while the From header will show your domain as the sending domain, SES uses a different domain to collect bounces. This domain, used in the Return-Path, is the domain on which SPF is checked. This is also the reason why DMARC exists.

    You can set up custom domains in Amazon SES to use a subdomain of your sending domain to catch the bounces, by setting up an MX and SPF TXT record that point to Amazon SES.
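The following added example (not part of the question or answer above, and not AWS or HostGator code) is a small SPF evaluator run over a constructed DNS table. It shows the mechanics the answer describes: SPF is evaluated against the domain of the envelope sender (smtp.mailfrom / Return-Path), so a direct SES delivery passes, the same message relayed by the group's forwarding host 11.11.11.11 fails because amazonses.com does not list that host, and a hypothetical custom MAIL FROM subdomain only rescues the forwarded copy if its own SPF record covers the forwarding host. All records, the SES address range and the `bounce.mycompany.com` subdomain are made up for the demonstration; the real amazonses.com record is not reproduced. In general, forwarders that keep the original envelope sender will break SPF unless they rewrite it (SRS), which is why aligned DKIM plus DMARC is the more robust signal here.

```python
"""Toy SPF evaluation showing why a forwarded SES message fails SPF.

Constructed example for illustration; the DNS data and addresses below are
made up (except 11.11.11.11, the forwarding host quoted in the question).
"""
import ipaddress

# Constructed DNS table: domain -> {"TXT": SPF record, "A": IPv4 addresses}.
DNS = {
    "mycompany.com": {
        "TXT": "v=spf1 a include:my.serviceprovider.spf.domain.com include:amazonses.com ~all",
        "A": ["203.0.113.10"],
    },
    # The mailbox provider's SPF covers the forwarding host 11.11.11.11.
    "my.serviceprovider.spf.domain.com": {"TXT": "v=spf1 ip4:11.11.11.0/24 ~all"},
    # Constructed stand-in for SES's record: only SES outbound hosts, hard fail.
    "amazonses.com": {"TXT": "v=spf1 ip4:198.51.100.0/24 -all"},
    # Hypothetical custom MAIL FROM subdomain that also lists the provider.
    "bounce.mycompany.com": {
        "TXT": "v=spf1 include:amazonses.com include:my.serviceprovider.spf.domain.com ~all",
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, ip, depth=0):
    """Evaluate the SPF record of `domain` for the connecting address `ip`.

    Supports the mechanisms that appear on this page: a, ip4, include, all.
    Returns pass / fail / softfail / neutral / none (or permerror on runaway
    include recursion, mirroring the RFC 7208 lookup limit).
    """
    if depth > 10:
        return "permerror"
    record = DNS.get(domain, {}).get("TXT")
    if not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        matched = False
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            # "a" with no argument refers to the domain being evaluated.
            hosts = DNS.get(arg or domain, {}).get("A", [])
            matched = any(ipaddress.ip_address(h) == addr for h in hosts)
        elif name == "include":
            # An include matches only when the referenced domain yields "pass".
            matched = spf_check(arg, ip, depth + 1) == "pass"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def authenticate(mail_from, connecting_ip):
    """SPF identity is the envelope sender (smtp.mailfrom), not the From: header."""
    domain = mail_from.rsplit("@", 1)[1].lower()
    return spf_check(domain, connecting_ip)


SES_IP = "198.51.100.25"     # constructed SES outbound address
PROVIDER_IP = "11.11.11.11"  # forwarding host from the question

SCENARIOS = {
    # SES -> Gmail directly: SES bounce address, SES host.
    "direct": ("0123abcd@amazonses.com", SES_IP),
    # SES -> sales@ group -> Gmail: still the SES bounce address, but provider host.
    "forwarded": ("0123abcd@amazonses.com", PROVIDER_IP),
    # Same forwarding, hypothetical custom MAIL FROM subdomain listing the provider.
    "forwarded_custom_mailfrom": ("0123abcd@bounce.mycompany.com", PROVIDER_IP),
}


def run_scenarios():
    """Return {scenario name: SPF result} for the three deliveries above."""
    return {name: authenticate(mf, ip) for name, (mf, ip) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:26s} spf={result}")
```

Run it and the `forwarded` line reproduces the `spf=fail ... does not designate 11.11.11.11 as permitted sender` outcome from the question; the `forwarded_custom_mailfrom` line passes only because the constructed subdomain record includes the provider's SPF, which is the assumption a practitioner must verify against the record SES actually asks them to publish.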