I have a web server that sends out webform type emails via Postfix 3.3.0. No inbound. No extras.
Receiving mail server is running same Postfix (but with amavis-new/spamassassin + dovecot/etc). These are both on the same domain, but different subdomains ('www.' & 'mail.').
When a test email is sent (using postfix sendmail command) from web server to mail server, everything is perfect except for the scoring on the HELO/EHLO. I keep getting a FORGED_SPF_HELO
. I've never encountered this one before and there is little documentation to be found. Seems self-explanatory, though, that it is not passing SPF lookup on HELO.
The original DNS was simply 'www.' as CNAME to apex A record.
The apex SPF includes the 'a' record: "v=spf1 a mx ~all"
The HELO from log is:
helo=www.example.net, Tests:[ALL_TRUSTED=-1,FORGED_SPF_HELO=1,MISSING_HEADERS=1.207,MISSING_SUBJECT=1.767]
I adjusted the 'www.' record so it was an A record and added an SPF TXT record for it separately.
Now I get: helo=www.example.net, Tests: [ALL_TRUSTED=-1,FORGED_SPF_HELO=1,MISSING_HEADERS=1.207,MISSING_SUBJECT=1.767,SPF_HELO_PASS=-0.001]
Forged and Passed?
Main question:
Can anyone explain why in first instance the a
in the SPF isn't allowing the CNAME 'www.' to pass? Secondarily, can anyone explain how you can have a "forged" and "pass" at same time?