On Tue, 31 Jul 2018 at 16:52, Sonic <sonicsm...@gmail.com> wrote:
> > Apparently, mail.example.org and ASPMX.L.GOOGLE.com enforce DMARC
> > in different ways.
> >
> > Regardless, if the DMARC policy does not authorize host Y to send
> > mail on behalf of domain $myorigin, then you need to fix the DMARC
> > policy so that those bounces sent by host Y aren't violating DMARC,
> > or you need to somehow route those bounces from host Y through a
> > host that is DMARC-authorized.
>
> All normal mail gets delivered just fine. The domain in question
> (example.com) has an SPF record including the server's (outside) IP
> address (and proper A and PTR records), and OpenDKIM signs all regular
> email.
> Examining the headers of all normal (non-NDR) post receipts show they
> pass both SPF, and DKIM tests and therefore DMARC as well. Plus the
> majority of sent posts are to the Google servers (with no issues).
> It's only the bounces/NDR's that have an issue.
>
Maybe this piece of magic (suggested by Wietse a while ago) might help - it's
a way to overcome double_bounce_sender having @$myhostname auto-added:
canonical_maps =
inline:{$double_bounce_sender@$myhostname=double-bounce@$mydomain}
[...]
