On 21/06/24 07:13, Wietse Venema via Postfix-users wrote:
Bounces are sent with the null envelope.from address which has no
domain. Therefore, SPF applies policy to a surrogate: the hostname
in the SMTP client's HELO/EHLO command (as if the envelope.from
address was postmaster@helo-argument).

This helo-argument is by default the value of the Postfix myhostname
parameter, which depending on myorigin setting may appear in the
header.from address mailer-daemon@whatever.

DMARC wants that the domain in envelope.from address (or its surrogate
in the case of <>) in some way align with the domain in the header.from
address (in this case mailer-daemon@whatever).

If someone can come up with a simple checklist for how to do this
then that would be great.

SPF/DKIM/DMARC Checklist for (IMO) the best chance of getting your mail to be accepted:

1.  HELO banner should pass SPF.

2.  Envelope Sender should pass SPF.

3.  Envelope Sender domain should align with the From: header domain.

4.  Message should be DKIM signed.

5.  Domain for the DKIM signature should align with the From: header domain.

Not all of the above are necessary (e.g. you can get away with SPF alignment only or DKIM alignment only) but the more of those boxes that you can successfully tick off the better chance you have for your message to be accepted when things go wrong, or when a destination doesn't implement one of the above checks properly.


Peter
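
The checklist above, applied to the bounce case Wietse describes, as an added example that is not part of either message and not Postfix code. The function names are hypothetical, SPF and DKIM verdicts are passed in rather than looked up, and the organizational domain is approximated as the last two labels instead of using the Public Suffix List.

```python
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: organizational domain = last two labels. A real DMARC
    # evaluator consults the Public Suffix List (co.uk etc. need three).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(a, b, strict=False):
    """DMARC identifier alignment: exact match (strict) or same org domain."""
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    return a == b if strict else org_domain(a) == org_domain(b)

def checklist(helo, mail_from, header_from, spf_helo, spf_mailfrom,
              dkim_d=None, dkim_pass=False):
    """Tick off the five points for one message. SPF/DKIM verdicts are
    inputs (as an Authentication-Results header would report them)."""
    from_dom = parseaddr(header_from)[1].rpartition("@")[2]
    null_sender = mail_from.strip("<>") == ""
    # Null envelope sender (bounce): SPF evaluates postmaster@<helo> instead,
    # so the HELO name is the domain that has to align with header From.
    spf_dom = helo if null_sender else mail_from.strip("<>").rpartition("@")[2]
    spf_verdict = spf_helo if null_sender else spf_mailfrom
    r = {
        "1_helo_spf": spf_helo == "pass",
        "2_envelope_spf": spf_verdict == "pass",
        "3_spf_aligned": aligned(spf_dom, from_dom),
        "4_dkim_signed": dkim_pass,  # counts only a signature that verifies
        "5_dkim_aligned": dkim_d is not None and aligned(dkim_d, from_dom),
    }
    # DMARC needs one fully passing path: SPF (2+3) or DKIM (4+5).
    r["dmarc_pass"] = (r["2_envelope_spf"] and r["3_spf_aligned"]) or \
                      (r["4_dkim_signed"] and r["5_dkim_aligned"])
    return r

if __name__ == "__main__":
    # Constructed bounces: myhostname under the From domain vs. unrelated HELO.
    for helo, hdr in [("mail.example.com", "MAILER-DAEMON@example.com"),
                      ("host123.provider.test", "MAILER-DAEMON@example.org")]:
        print(helo, hdr, checklist(helo, "<>", hdr, "pass", "none"))
```

The second constructed bounce passes SPF on its HELO name yet fails DMARC, because that name shares no organizational domain with the From: header and there is no aligned DKIM signature to fall back on.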