Hi,
I'm trying to understand why some domains are not whitelisted even
though they pass SPF and are in my local welcomelist_auth entries. I'm
using policyd-spf with postfix, and it appears to be adding the
following header:
X-Comment: SPF skipped for whitelisted relay domain -
client-ip=13.110.6.221; helo=smtp14-ph2-sp4.mta.salesforce.com;
envelope-from=reply@support.meridianlink.com; receiver=<UNKNOWN>
I realize this may not necessarily be directly related to SA, but it's
apparently affecting my ability to process SPF headers with
amavisd/SA, and I hoped someone could help.
What's happening where the mail passes SPF but still bypasses my
welcomelist entries? My skip_addresses list doesn't include this
particular IP:
skip_addresses =
139.138.56.0/24,127.0.0.0/8,::ffff:127.0.0.0/104,::1,52.128.98.0/24,74.203.184.0/24,74.200.60.0/24,209.222.82.0/24,12.15.90.10
My welcomelist entry in SA for this specific email is as:
welcomelist_auth reply@support.meridianlink.com
The amavisd headers show it passed SPF:
Return-Path: <reply@support.meridianlink.com>
X-Spam-Status: No, score=-2.491 tagged_above=-200 required=5
tests=[.BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, EXTRACTTEXT=0.001,
FMBLA_HELO_OUTMX=-0.01, FMBLA_RDNS_OUTMX=-0.01,
HTML_IMAGE_RATIO_08=0.001, HTML_MESSAGE=0.001, LOC_CDIS_INLINE=0.1,
LOC_IMGSPAM=0.1, RCVD_IN_DNSWL_NONE=-0.0001,
RCVD_IN_SENDERSCORE_90_100=-0.6, RELAYCOUNTRY_US=0.01,
SPF_HELO_NONE=0.001, SPF_PASS=-0.001, TXREP=0.016] autolearn=disabled
This one didn't need to be added to the welcomelist, but others do.
The last header received before reaching our server is as:
Received: from smtp14-ph2-sp4.mta.salesforce.com
(smtp14-ph2-sp4.mta.salesforce.com [13.110.6.221])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mail01.example.com (Postfix) with ESMTPS id 5FC7010024E93
for <adesus@example.com>; Thu, 5 May 2022 12:01:59 -0400 (EDT)
salesforce is also listed in their SPF record:
$ dig +short txt support.meridianlink.com
"v=spf1 include:spf.protection.outlook.com include:_spf.salesforce.com -all"
Thanks,
Alex
I'm trying to understand why some domains are not whitelisted even
though they pass SPF and are in my local welcomelist_auth entries. I'm
using policyd-spf with postfix, and it appears to be adding the
following header:
X-Comment: SPF skipped for whitelisted relay domain -
client-ip=13.110.6.221; helo=smtp14-ph2-sp4.mta.salesforce.com;
envelope-from=reply@support.meridianlink.com; receiver=<UNKNOWN>
I realize this may not necessarily be directly related to SA, but it's
apparently affecting my ability to process SPF headers with
amavisd/SA, and I hoped someone could help.
What's happening where the mail passes SPF but still bypasses my
welcomelist entries? My skip_addresses list doesn't include this
particular IP:
skip_addresses =
139.138.56.0/24,127.0.0.0/8,::ffff:127.0.0.0/104,::1,52.128.98.0/24,74.203.184.0/24,74.200.60.0/24,209.222.82.0/24,12.15.90.10
My welcomelist entry in SA for this specific email is as:
welcomelist_auth reply@support.meridianlink.com
The amavisd headers show it passed SPF:
Return-Path: <reply@support.meridianlink.com>
X-Spam-Status: No, score=-2.491 tagged_above=-200 required=5
tests=[.BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, EXTRACTTEXT=0.001,
FMBLA_HELO_OUTMX=-0.01, FMBLA_RDNS_OUTMX=-0.01,
HTML_IMAGE_RATIO_08=0.001, HTML_MESSAGE=0.001, LOC_CDIS_INLINE=0.1,
LOC_IMGSPAM=0.1, RCVD_IN_DNSWL_NONE=-0.0001,
RCVD_IN_SENDERSCORE_90_100=-0.6, RELAYCOUNTRY_US=0.01,
SPF_HELO_NONE=0.001, SPF_PASS=-0.001, TXREP=0.016] autolearn=disabled
This one didn't need to be added to the welcomelist, but others do.
The last header received before reaching our server is as:
Received: from smtp14-ph2-sp4.mta.salesforce.com
(smtp14-ph2-sp4.mta.salesforce.com [13.110.6.221])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mail01.example.com (Postfix) with ESMTPS id 5FC7010024E93
for <adesus@example.com>; Thu, 5 May 2022 12:01:59 -0400 (EDT)
salesforce is also listed in their SPF record:
$ dig +short txt support.meridianlink.com
"v=spf1 include:spf.protection.outlook.com include:_spf.salesforce.com -all"
Thanks,
Alex