I am trying to set up SPF/DKIM/DMARC on my email server on a VPS. Here is my DNS configuration (DKIM & DMARC removed for readability):
@ 28800 A X.X.X.X
@ 28800 MX 10 smtp.example.com.
smtp 28800 A X.X.X.X
www 28800 A X.X.X.X
@ 28800 TXT "v=spf1 ip4:X.X.X.X -all"
smtp.example.com. 28800 TXT "v=spf1 ip4:X.X.X.X -all"
www.example.com. 28800 TXT "v=spf1 -all"
Emails seem to work, and port25.com reports nothing wrong:
==========================================================
Summary of Results
==========================================================
SPF check: pass
DomainKeys check: neutral
DKIM check: pass
SpamAssassin check: ham
However, Yahoo reports a failure on SPF:
<?xml version="1.0"?>
<feedback>
<report_metadata>
<org_name>Yahoo! Inc.</org_name>
<email>[email protected]</email>
<report_id>1484621522.715243</report_id>
<date_range>
<begin>1484524800</begin>
<end>1484611199 </end>
</date_range>
</report_metadata>
<policy_published>
<domain>example.com</domain>
<adkim>s</adkim>
<aspf>s</aspf>
<p>reject</p>
<pct>100</pct>
</policy_published>
<record>
<row>
<source_ip>X.X.X.X</source_ip>
<count>7</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>example.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>example.com</domain>
<result>pass</result>
</dkim>
<spf>
<domain>myVPS.provider.com</domain>
<result>none</result>
</spf>
</auth_results>
</record>
</feedback>
It seems Yahoo is checking on the HELO name (here myVPS.provider.com), which, though it has the same IP address as the sending domain, has no SPF record (and I cannot edit its DNS configuration by myself).
Would it fix the issue if my VPS provider adds the following into the DNS configuration of myVPS.provider.com?
myVPS.provider.com. IN TXT "v=spf1 ip4:X.X.X.X -all"
Are there other alternatives?
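An added example, not part of the original post: a short Python reader for the aggregate report quoted above, showing why `policy_evaluated` reports `spf` as `fail`. DMARC counts SPF only when the SPF check passed and the domain it was run against aligns with `header_from` under the published `aspf` mode. The function names are hypothetical, the embedded report is a constructed, trimmed copy of the one in the question, and relaxed alignment is approximated by a subdomain test instead of a public-suffix lookup.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the report quoted in the question, trimmed (placeholders as on the page).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published>
    <domain>example.com</domain><adkim>s</adkim><aspf>s</aspf><p>reject</p>
  </policy_published>
  <record>
    <row>
      <source_ip>X.X.X.X</source_ip><count>7</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>pass</dkim><spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>myVPS.provider.com</domain><result>none</result></spf>
    </auth_results>
  </record>
</feedback>"""

def aligned(auth_domain, header_from, mode):
    """Strict ('s') needs an exact match; relaxed is approximated here by a subdomain test."""
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == h or (mode != "s" and (a.endswith("." + h) or h.endswith("." + a)))

def explain_spf(report_xml):
    """Return (spf_domain, spf_result, is_aligned, dmarc_spf_verdict) for each record."""
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("refusing report with DTD/entity declarations")
    root = ET.fromstring(report_xml)
    mode = (root.findtext("policy_published/aspf") or "r").strip()
    rows = []
    for rec in root.iter("record"):
        header_from = rec.findtext("identifiers/header_from", "").strip()
        for spf in rec.iterfind("auth_results/spf"):
            domain = spf.findtext("domain", "").strip()
            result = spf.findtext("result", "").strip()
            ok = aligned(domain, header_from, mode)
            # DMARC counts SPF only when the check passed AND the domain is aligned.
            rows.append((domain, result, ok, "pass" if result == "pass" and ok else "fail"))
    return rows

if __name__ == "__main__":
    for row in explain_spf(SAMPLE_REPORT):
        print(row)
```

For the quoted report this yields an unaligned domain with SPF result `none`, which matches the `fail` Yahoo recorded while DKIM alone carried the DMARC pass.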
Hopefully this is a better approach than the previous answer: to modify the HELO/EHLO name within the MTA.
With exim4, I added the following content to /etc/exim4/conf.d/main/00_local_settings:
Then after update-exim4.conf and service exim4 restart, the HELO/EHLO name is the same as the domain name of the sender address.
Update:
It seems this approach is wrong, since the HELO data should be the FQDN. I guess there is a much better solution: according to the OpenSPF FAQ, section Common Mistakes,
I'll check with my VPS provider and if it can be done I'll test and update this answer accordingly.
Actually the simplest solution may be to modify the FQDN?
I changed it with hostname example.com (and modified /etc/hostname and /etc/hosts for the next reboot); if the next Yahoo report is positive I'll accept this answer (unless someone has a better one, of course…).