On 31 January 2018 at 09:48, li...@lazygranch.com <li...@lazygranch.com> wrote:
>
> I'm at a loss on the HELO_reject = False. Why wouldn't you use the
> default "fail"?

I use opendmarc to pass or fail emails; I never fail an email based only on SPF. That can lead to lots of false positives IMO. All I want the spf test for is as input to the dmarc test. If using policyd-spf, all that is wanted is the header that will then be read by opendmarc.

> Reading some chatter on the opendmarc forum, they suggested
> HEADER_Type = AR as you have done, but I don't understand the
> Authserv_Id field.
>
> I don't think opendmarc has an issue reading the spf format.

You may be right, in which case the header type shouldn't matter. However the Authserv_Id field is critical - opendmarc should only trust spf (and dkim) headers (as added by policyd-spf and opendkim) which have an authserv_id field matching the TrustedAuthServIDs field in /etc/opendmarc.conf (which defaults to opendmarc's AuthservID field) - this is so that they can't be faked by incoming mails. (Even if they are faked, the headers added by your opendkim and policyd-spf should be more recent and therefore take priority.) There is no default for this in policyd-spf, and I'm not sure whether/how it shows it in the added header if you don't specify AR (Authentication-Results) type-header. The default in opendkim and opendmarc is the hostname.

> I did re-read the policyd-spf.conf and decided to do whitelisting here
> rather than in opendmarc. I get email from pobox.com, which always
> fails.

I don't know whether policyd-spf adds a header if it whitelists an incoming mail. If not, and the email is not whitelisted by opendmarc, opendmarc can only validate the email with 'SPFSelfValidate true' in /etc/opendmarc.conf (when it will do its own SPF analysis). But once you are relying on opendmarc's internal SPF analysis for some emails you have made policyd-spf redundant and complicated your life; if you want to use policyd-spf I think you should leave SPFSelfValidate and SPFIgnoreResults unset (i.e. default false).
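As an added illustration of the authserv-id check discussed above (example code written for this note, not opendmarc's or policyd-spf's own logic), the snippet below walks the Authentication-Results headers of a message newest-first and only accepts results whose authserv-id exactly matches a trusted list, so a header forged by the sender is ignored; the hostnames and header values are constructed for the example.

```python
import re

# Constructed sample: Authentication-Results header values as they would sit at
# the top of a received message, newest first (milters prepend their header).
# The first two were added by our own opendkim/policyd-spf (assumed hostname
# mx.example.org); the last two were forged by the sender before delivery.
SAMPLE_HEADERS = [
    "mx.example.org; dkim=pass header.d=sender.example header.s=sel1",
    "mx.example.org; spf=fail smtp.mailfrom=bogus@sender.example",
    "mx.example.org.attacker.example; spf=pass smtp.mailfrom=bogus@sender.example",
    "evil.example; spf=pass; dkim=pass",
]


def parse_auth_results(value):
    """Split 'authserv-id [version]; method=result ...' into (authserv_id, {method: result})."""
    head, _, rest = value.partition(";")
    parts = head.strip().split()
    authserv_id = parts[0] if parts else ""      # drop the optional version token
    results = {}
    for clause in rest.split(";"):
        m = re.match(r"\s*([A-Za-z0-9_-]+)=([A-Za-z0-9_-]+)", clause)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return authserv_id, results


def trusted_results(headers, trusted_ids):
    """Merge results from trusted headers only; the newest header wins per method.

    Matching is an exact, case-insensitive comparison of the authserv-id, so a
    look-alike such as 'mx.example.org.attacker.example' is not trusted.
    """
    trusted = {t.lower() for t in trusted_ids}
    merged = {}
    for value in headers:
        authserv_id, results = parse_auth_results(value)
        if authserv_id.lower() not in trusted:
            continue
        for method, result in results.items():
            merged.setdefault(method, result)   # first (newest) trusted result wins
    return merged


if __name__ == "__main__":
    print(trusted_results(SAMPLE_HEADERS, ["mx.example.org"]))
```

With the trusted list set to mx.example.org this yields spf=fail and dkim=pass, the results our own milters produced, while the two forged headers contribute nothing.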