On Tue, 31 Jul 2018 at 16:52, Sonic <sonicsm...@gmail.com> wrote: > > Apparently, mail.example.org and ASPMX.L.GOOGLE.com enforce DMARC > > in different ways. > > > > Regardless, if the DMARC policy does not authorize host Y to send > > mail on behalf of domain $myorigin, then you need to fix the DMARC > > policy so that those bounces sent by host Y aren't violating DMARC, > > or you need to somehow route those bounces from host Y through a > > host that is DMARC-authorized. > > All normal mail gets delivered just fine. The domain in question > (example.com) has an SPF record including the server's (outside) IP > address (and proper A and PTR records), and OpenDKIM signs all regular > email. > Examining the headers of all normal (non-NDR) post receipts show they > pass both SPF, and DKIM tests and therefore DMARC as well. Plus the > majority of sent posts are to the Google servers (with no issues). > It's only the bounces/NDR's that have an issue. >
Maybe this piece of magic (suggested by Wietse a while ago) might help - it's a way to overcome double_bounce_sender having @$myhostname auto-added: canonical_maps = inline:{$double_bounce_sender@$myhostname=double-bounce@$mydomain} [...]