Greg Sims via Postfix-users:
> We had another DMARC Failure last night. The email ended up at the gmail level.
>
> X-Original-Authentication-Results: mx.google.com;
>        spf=none (google.com: mail01-t122.raystedman.org does not
>        designate permitted sender hosts)
>        smtp.helo=mail01-t122.raystedman.org;
>        dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=raystedman.org
>
> It appears that Google is looking for SPF information for one of the
> transports we use in randmap. Do we need to have SPF records in place
> for all of our transports?

Greg:
what kind of mail was this?
I encountered DSNs from microsoft (exchange, outlook.com) addresses which
had empty envelope from:<> but header From: was set e.g.
postmas...@outlook.com, but those mails did NOT have DKIM signatures.
These did fail DMARC.
I just searched log for this and this behaviour still persists.
Do you send bounces? If so, you'll need to sign them.
On 04.06.24 11:02, Wietse Venema via Postfix-users wrote:
> Google wants your smtp_helo_name (default: $myhostname) to have an SPF
> policy.

This is especially necessary when bounces are sent (yes, you should
generally not send bounces) because then, envelope from: does not exist and
HELO name is checked for SPF.

> Options:
>
> - Create an SPF policy for the SMTP helo name that permits the
>   corresponding SMTP client IP address.

+1

> - Create a wild-card SPF policy for *.raystedman.org that permits
>   all your SMTP client IP addresses.

Sorry: wildcard in DNS only applies to non-existing names and since
the hostname already exists:

    mail01-t122.raystedman.org. 172800 IN A 209.73.152.122

it needs its own explicit SPF record:

    mail01-t122.raystedman.org. 172800 IN TXT "v=spf1 a -all"

> - Change the smtp_helo_name to a name that already has an SPF policy.
>   This is messy because the name should match the PTR record for the
>   SMTP client IP address.

I think this only applies to SPF records that have the "ptr" option, which is
discouraged in SPF. Otherwise, the IP must be listed in the SPF record, which is
a bit easier to achieve.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)
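
Added example, not part of the original thread: a small offline Python sketch of why the HELO name reported `spf=none` and why a wildcard TXT record would not change that. The zone dictionaries are constructed from the records quoted above; the wildcard policy, the function names and the reduced mechanism set (`a`, `ip4`, `all`) are assumptions made for illustration.

```python
import ipaddress

# Constructed zone data modelled on the records quoted in the thread.
ZONE_BEFORE = {
    ("mail01-t122.raystedman.org", "A"): ["209.73.152.122"],
    ("*.raystedman.org", "TXT"): ["v=spf1 ip4:209.73.152.122 -all"],  # hypothetical wildcard
}
ZONE_AFTER = dict(ZONE_BEFORE)
ZONE_AFTER[("mail01-t122.raystedman.org", "TXT")] = ["v=spf1 a -all"]


def lookup(zone, name, rtype):
    """Resolve name/rtype; a wildcard answers only for names that do not exist."""
    name = name.rstrip(".").lower()
    if any(owner == name for owner, _ in zone):
        return zone.get((name, rtype), [])       # name exists: no wildcard synthesis
    parent = name.partition(".")[2]
    return zone.get(("*." + parent, rtype), [])  # simplified: wildcard one label up only


def spf_identity(mail_from, helo):
    """Domain checked by SPF: the HELO name when the envelope sender is null (bounces)."""
    return mail_from.rpartition("@")[2] if mail_from else helo


def check_spf(zone, domain, client_ip):
    """Evaluate a small SPF subset (a, ip4, all) and return the result string."""
    records = [t for t in lookup(zone, domain, "TXT") if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in qualifiers else ("+", term)
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = client_ip in lookup(zone, domain, "A")
        elif mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        else:
            continue  # mechanisms outside this subset are skipped in this sketch
        if matched:
            return qualifiers[qual]
    return "neutral"
```

With `ZONE_BEFORE` the HELO name evaluates to `none` even though a wildcard policy is present, because the name already owns an A record; with the explicit TXT record in `ZONE_AFTER` the same client IP evaluates to `pass`.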