Hi, >> Hi, this message seems suspicious to me (appears to be some type of >> survey), but I don't understand how it was whitelisted when google.com >> is not listed among def_whitelist_from_dkim (or at least shouldn't be) > > Note that google.com has historically been reserved for Google corporate > mail, NOT GMail. Hence these rules exist in the default rules: > > 60_whitelist_auth.cf:def_whitelist_auth *@*.google.com > 60_whitelist_dkim.cf:def_whitelist_from_dkim > googlealerts-nore...@google.com > 60_whitelist_dkim.cf:# def_whitelist_from_dkim *@google.com
I inadvertently wrote dkim in my previous email, but meant SPF of course. I also somehow missed the first whitelist entry above when I searched before posting. Perhaps I saw the third and stopped. Thanks David for your offer to review. > The envelope sender is > 3ue3owhmjamkzhabyuuhahsbe.qpzhvnthps.jvtytilzadlzalyu....@trix.bounces.google.com > and the SPF-relevant relay IP is 209.85.223.199, so SPF passes. That's good > enough for def_whitelist_auth. > > Messages of this sort make an irrefutable argument for removing the general > pass given to Google in the default ruleset, as it is clearly based on a use > model of the domain which no longer is true. Yes, I agree. That concerned me. If it's intended for only Google corporate, how did this message get sent?
