Le 20/06/2024 à 21:13, Wietse Venema via Postfix-users a écrit :
Bounces are sent with the null envelope.from address which has no
domain. Therefore, SPF applies policy to a surrogate: the hostname
in the SMTP client's HELO/EHLO command (as if the envelope.from
address was postmaster@helo-argument).
This helo-argument is by default the value of the Postfix myhostname
parameter, which depending on myorigin setting may appear in the
header.from address mailer-daemon@whatever.
DMARC wants that the dmain in envelope.from address (or its surrogate
in the case of <>) in some way align with the domain in the header.from
address (in this case mailer-daemon@whatever).
If someone can come up with a simple checklist for how to do this
then that would be great.
The HELO identity is used too in the general case to enforce HELO fqdn
value matching the DNS published A record of the outbound server IP.
You generally want "v=spf1 a: -all" for your sending server.
In the general case (not null sender), HELO SPF validation does not
interfere with DMARC as DMARC only use the MAIL FROM identity.
There was historically a bug in some DMARC implementation witch evaluate
whatever SPF identity check that pass.
Emmanuel.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
