Hi, I'm trying to understand why some domains are not whitelisted even though they pass SPF and are in my local welcomelist_auth entries. I'm using policyd-spf with postfix, and it appears to be adding the following header:

X-Comment: SPF skipped for whitelisted relay domain - client-ip=13.110.6.221;
    helo=smtp14-ph2-sp4.mta.salesforce.com;
    envelope-from=re...@support.meridianlink.com; receiver=<UNKNOWN>

I realize this may not necessarily be directly related to SA, but it's apparently affecting my ability to process SPF headers with amavisd/SA, and I hoped someone could help.

What's happening where the mail passes SPF but still bypasses my welcomelist entries?

My skip_addresses list doesn't include this particular IP:

skip_addresses = 139.138.56.0/24,127.0.0.0/8,::ffff:127.0.0.0/104,::1,52.128.98.0/24,74.203.184.0/24,74.200.60.0/24,209.222.82.0/24,12.15.90.10

My welcomelist entry in SA for this specific email is:

welcomelist_auth re...@support.meridianlink.com

The amavisd headers show it passed SPF:

Return-Path: <re...@support.meridianlink.com>
X-Spam-Status: No, score=-2.491 tagged_above=-200 required=5
    tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
    DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, EXTRACTTEXT=0.001,
    FMBLA_HELO_OUTMX=-0.01, FMBLA_RDNS_OUTMX=-0.01,
    HTML_IMAGE_RATIO_08=0.001, HTML_MESSAGE=0.001, LOC_CDIS_INLINE=0.1,
    LOC_IMGSPAM=0.1, RCVD_IN_DNSWL_NONE=-0.0001,
    RCVD_IN_SENDERSCORE_90_100=-0.6, RELAYCOUNTRY_US=0.01,
    SPF_HELO_NONE=0.001, SPF_PASS=-0.001, TXREP=0.016]
    autolearn=disabled

This one didn't need to be added to the welcomelist, but others do.

The last header received before reaching our server is:

Received: from smtp14-ph2-sp4.mta.salesforce.com (smtp14-ph2-sp4.mta.salesforce.com [13.110.6.221])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mail01.example.com (Postfix) with ESMTPS id 5FC7010024E93
    for <ade...@example.com>; Thu, 5 May 2022 12:01:59 -0400 (EDT)

Salesforce is also listed in their SPF record:

$ dig +short txt support.meridianlink.com
"v=spf1 include:spf.protection.outlook.com include:_spf.salesforce.com -all"

Thanks,
Alex
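
Added example, not part of the original post and not code from policyd-spf or SpamAssassin: a Python check of the two facts the message relies on, namely whether the client IP falls inside any skip_addresses entry and whether any welcomelist rule appears among the X-Spam-Status tests. The function names are hypothetical, the input values are copied from the post, and matching rules by the substrings WELCOMELIST/WHITELIST is an assumption.

```python
import ipaddress
import re

# Values copied from the post above.
SKIP_ADDRESSES = ("139.138.56.0/24,127.0.0.0/8,::ffff:127.0.0.0/104,::1,"
                  "52.128.98.0/24,74.203.184.0/24,74.200.60.0/24,"
                  "209.222.82.0/24,12.15.90.10")
CLIENT_IP = "13.110.6.221"
SPAM_STATUS = (
    "No, score=-2.491 tagged_above=-200 required=5 tests=[BAYES_00=-1.9, "
    "DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, "
    "EXTRACTTEXT=0.001, FMBLA_HELO_OUTMX=-0.01, FMBLA_RDNS_OUTMX=-0.01, "
    "HTML_IMAGE_RATIO_08=0.001, HTML_MESSAGE=0.001, LOC_CDIS_INLINE=0.1, "
    "LOC_IMGSPAM=0.1, RCVD_IN_DNSWL_NONE=-0.0001, "
    "RCVD_IN_SENDERSCORE_90_100=-0.6, RELAYCOUNTRY_US=0.01, "
    "SPF_HELO_NONE=0.001, SPF_PASS=-0.001, TXREP=0.016] autolearn=disabled")

def matching_skip_networks(client_ip, skip_addresses):
    """Return the skip_addresses entries (normalised CIDR) containing client_ip."""
    addr = ipaddress.ip_address(client_ip)
    hits = []
    for entry in skip_addresses.split(","):
        # Bare addresses become /32 or /128; strict=False tolerates host bits.
        net = ipaddress.ip_network(entry.strip(), strict=False)
        if addr in net:  # always False when the IP versions differ
            hits.append(str(net))
    return hits

def parse_tests(spam_status):
    """Map rule name -> score from the tests=[...] part of X-Spam-Status."""
    m = re.search(r"tests=\[([^\]]*)\]", spam_status)
    tests = {}
    for item in (m.group(1).split(",") if m else []):
        name, _, score = item.strip().partition("=")
        if name:
            tests[name] = float(score) if score else 0.0
    return tests

def list_rule_hits(spam_status):
    """Rule names that look like welcomelist/whitelist hits (assumed naming)."""
    return sorted(n for n in parse_tests(spam_status)
                  if "WELCOMELIST" in n or "WHITELIST" in n)

if __name__ == "__main__":
    print("skip_addresses matches:", matching_skip_networks(CLIENT_IP, SKIP_ADDRESSES))
    print("welcomelist rule hits: ", list_rule_hits(SPAM_STATUS))
    print("SPF_PASS score:        ", parse_tests(SPAM_STATUS).get("SPF_PASS"))
```
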