Alvaro Marín wrote:
> Hello,
>
> I'm having problems using whitelist_from_spf to whitelist a domain.
>
> So, which is the purpose of this whitelist feature? If the SPF check fails,
> it can't do whitelist?

Yep, and that's the purpose. whitelist_from_spf should be read as "Whitelist based on from AND spf passing for that from domain".
Otherwise it would be functionally the same as whitelist_from, which whitelists based on from address alone, and is readily subject to forgery by spammers. All the "whitelist_from_(something)" configurations are designed to strengthen the basic whitelist_from and make it more resistant to forgery by checking SPF records, parts of the hostname of the reverse-DNS lookup of the IP address, etc. They exist to be stronger than whitelist_from, so they will not devolve to it.

In this case, orange.es has explicitly declared that this message is invalid, and a forgery. There was no DNS failure; the message was conclusively "proven" to be a fraud by SPF.

Here's the SPF record for orange.es:

"v=spf1 mx a:spf.orange.es ip4:213.143.52.0/24 -all"

However, relay09.dns-servicios.com is the host (as best SA can tell) that dropped the message off, but it is not an authorized relay under their SPF record. If that's part of your mail system, then you need to work on a manual internal_networks configuration so SA knows where "your" network ends; otherwise all SPF checks will likely fail. If it is part of the sender's network, they need to fix their SPF records, which are broken.
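The distinction drawn above, that whitelist_from matches the address alone while whitelist_from_spf additionally requires an SPF pass for the from domain, as an added Python example (not code from this thread or from SpamAssassin itself). The SPF record for orange.es is the one quoted in the reply; the DNS answers, the client IP 198.51.100.7 standing in for relay09.dns-servicios.com, and the sender address are constructed for the example, and the evaluator only models the ip4, a, mx and all mechanisms that record uses.

```python
import fnmatch
import ipaddress

# Constructed DNS answers so the example runs offline (not real lookups).
# The TXT record for orange.es is the real one quoted in the thread.
DNS = {
    ("orange.es", "TXT"): ["v=spf1 mx a:spf.orange.es ip4:213.143.52.0/24 -all"],
    ("orange.es", "MX"): ["mx1.orange.es"],          # constructed
    ("mx1.orange.es", "A"): ["213.143.52.10"],       # constructed
    ("spf.orange.es", "A"): ["213.143.52.20"],       # constructed
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Offline stand-in for a DNS query; returns [] when nothing is published."""
    return DNS.get((name, rtype), [])


def check_spf(domain, client_ip):
    """Simplified SPF evaluation (RFC 7208 subset: ip4, a, mx, all).

    Mechanisms are tested left to right; the qualifier of the first one that
    matches the connecting IP decides the result. 'include', 'exists', 'ptr'
    and CIDR suffixes on a/mx are deliberately not modelled here.
    """
    ip = ipaddress.ip_address(client_ip)
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    if not records:
        return "none"  # domain publishes no SPF policy at all
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(str(ip) in lookup(h, "A") for h in lookup(arg or domain, "MX"))
        else:
            matched = False
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no explicit 'all'


# Constructed whitelist entries, in the same glob form SpamAssassin accepts.
WHITELIST_FROM = ["*@orange.es"]
WHITELIST_FROM_SPF = ["*@orange.es"]


def address_matches(sender, patterns):
    return any(fnmatch.fnmatch(sender.lower(), p.lower()) for p in patterns)


def whitelist_from(sender):
    """Address-only whitelist: trivially satisfied by a forged From header."""
    return address_matches(sender, WHITELIST_FROM)


def whitelist_from_spf(sender, client_ip):
    """Whitelist only when the address matches AND SPF passes for its domain."""
    if not address_matches(sender, WHITELIST_FROM_SPF):
        return False
    domain = sender.rsplit("@", 1)[-1]
    return check_spf(domain, client_ip) == "pass"


if __name__ == "__main__":
    sender = "someone@orange.es"  # constructed
    for host, ip in [("relay09.dns-servicios.com (constructed IP)", "198.51.100.7"),
                     ("host inside ip4:213.143.52.0/24", "213.143.52.7")]:
        print(host, "spf=%s" % check_spf("orange.es", ip),
              "whitelist_from=%s" % whitelist_from(sender),
              "whitelist_from_spf=%s" % whitelist_from_spf(sender, ip))
```

Run as a script it shows the two outcomes side by side: the address-only rule whitelists the message from either host, while the SPF-backed rule whitelists it only from an IP the orange.es record authorizes and refuses it when the record's "-all" yields a hard fail. Adding the relay's IP to trusted_networks/internal_networks in local.cf would move the SPF check to the first external hop, which is the fix the reply describes when the relay is part of the recipient's own mail system.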