Our spam filtering vendor recently upgraded their platform and has improved their SPF checking feature set. We can now tag on Permanent Failures, which we couldn't do before.
We also noticed that email from notificat...@facebookmail.com was having a Soft Failure. Turns out that facebook issues "mx-out.facebook.com" on the HELO/EHLO, and that FQDN's SPF record doesn't include all the items that are listed in facebookmail.com's SPF record. root@nagios:/tmp# dig TXT mx-out.facebook.com +short | grep spf "v=spf1 a ~all" root@nagios:/tmp# dig TXT facebookmail.com +short | grep spf "v=spf1 ip4:66.220.144.128/25 ip4:66.220.155.0/24 ip4:66.220.157.0/25 ip4:69.63.178.128/25 ip4:69.63.181.0/24 ip4:69.63.184.0/25" " ip4:69.171.232.0/24 ip4:69.171.244.0/23 -all" root@nagios:/tmp# Best I can understand from the IETF RFC, it is appropriate to check the HELO: https://tools.ietf.org/html/rfc7208#section-2.3 Anyone from fb on this list, or is there someone who knows the email or DNS folk at facebook and can forward this to them for consideration? Regards, Frank _______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop