Amavis / Spamassassin – Resolving FORGED_SPF_HELO and SPF_HELO_PASS

Tags: amavis, spamassassin, spf

I have a web server that sends out webform type emails via Postfix 3.3.0. No inbound. No extras.

The receiving mail server is running the same Postfix (but with amavisd-new/spamassassin + dovecot/etc). These are both on the same domain, but different subdomains ('www.' & 'mail.').

When a test email is sent (using postfix sendmail command) from web server to mail server, everything is perfect except for the scoring on the HELO/EHLO. I keep getting a FORGED_SPF_HELO. I've never encountered this one before and there is little documentation to be found. Seems self-explanatory, though, that it is not passing SPF lookup on HELO.

The original DNS was simply 'www.' as CNAME to apex A record.
The apex SPF includes the 'a' record: "v=spf1 a mx ~all"

The HELO from log is:
helo=www.example.net, Tests:[ALL_TRUSTED=-1,FORGED_SPF_HELO=1,MISSING_HEADERS=1.207,MISSING_SUBJECT=1.767]

I adjusted the 'www.' record so it was an A record and added an SPF TXT record for it separately.

Now I get: helo=www.example.net, Tests: [ALL_TRUSTED=-1,FORGED_SPF_HELO=1,MISSING_HEADERS=1.207,MISSING_SUBJECT=1.767,SPF_HELO_PASS=-0.001]

Forged and Passed?

Main question:
Can anyone explain why, in the first instance, the 'a' in the SPF isn't allowing the CNAME 'www.' to pass? Secondarily, can anyone explain how you can have a "forged" and a "pass" at the same time?

Best Answer

The rule FORGED_SPF_HELO came from Spamassassin updates. By grepping your configuration folder (/var/lib/spamassassin at least on Debianoids) you'll see the definition:

meta    FORGED_SPF_HELO     __HELO_NOT_RDNS && SPF_HELO_PASS && !SPF_PASS
header  __HELO_NOT_RDNS     X-Spam-Relays-External =~ /^[^\]]+ rdns=(\S+) helo=(?!\1)\S/
header   SPF_PASS           eval:check_for_spf_pass()
header   SPF_HELO_PASS      eval:check_for_spf_helo_pass()

You fail rule __HELO_NOT_RDNS (the reverse DNS lookup for the host www.example.net is not www.example.net) and you don't have SPF_PASS (the host is not authorized to send e-mail on behalf of your domain).

Since you certainly don't want to add www.example.net to the list of your official mail servers, configure it to send e-mails with senders of the form user@www.example.net.
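To make the meta rule concrete, here is an added example (not part of the answer or of SpamAssassin's code) that evaluates FORGED_SPF_HELO the way the three definitions above combine: the __HELO_NOT_RDNS regex is applied to a constructed X-Spam-Relays-External value, and the SPF sub-rule results are passed in as booleans. The header samples, the 192.0.2.10 address and the helper names are assumptions; the rule scores are the ones shown in the question's log lines.

```python
import re

# SpamAssassin's own sub-rule pattern as quoted in the answer:
# the first external relay's helo= name must differ from its rdns= name.
HELO_NOT_RDNS_RE = re.compile(r'^[^\]]+ rdns=(\S+) helo=(?!\1)\S')

# Scores as they appear in the question's "Tests:" log lines.
SCORES = {"FORGED_SPF_HELO": 1.0, "SPF_HELO_PASS": -0.001}


def helo_not_rdns(relays_external: str) -> bool:
    """__HELO_NOT_RDNS: True when HELO name != reverse-DNS name of the relay.
    Note the regex needs a non-empty rdns= value, so a relay with no rDNS
    at all does not match this sub-rule."""
    return HELO_NOT_RDNS_RE.search(relays_external) is not None


def forged_spf_helo(relays_external: str, spf_helo_pass: bool, spf_pass: bool) -> bool:
    """meta FORGED_SPF_HELO  __HELO_NOT_RDNS && SPF_HELO_PASS && !SPF_PASS"""
    return helo_not_rdns(relays_external) and spf_helo_pass and not spf_pass


def rule_hits(relays_external: str, spf_helo_pass: bool, spf_pass: bool) -> dict:
    """Return the scored rules that would be listed for this relay, e.g.
    {'FORGED_SPF_HELO': 1.0, 'SPF_HELO_PASS': -0.001} for the question's case."""
    hits = {}
    if forged_spf_helo(relays_external, spf_helo_pass, spf_pass):
        hits["FORGED_SPF_HELO"] = SCORES["FORGED_SPF_HELO"]
    if spf_helo_pass:
        hits["SPF_HELO_PASS"] = SCORES["SPF_HELO_PASS"]
    return hits


# Constructed sample header values in X-Spam-Relays-External layout
# ("[ ip=... rdns=... helo=... by=... ]"); 192.0.2.10 is a documentation address.
RELAY_MISMATCH = ("[ ip=192.0.2.10 rdns=host10.example.net helo=www.example.net "
                  "by=mail.example.net ident= envfrom= intl=0 id=ABC auth= msa=0 ]")
RELAY_MATCH = ("[ ip=192.0.2.10 rdns=www.example.net helo=www.example.net "
               "by=mail.example.net ident= envfrom= intl=0 id=ABC auth= msa=0 ]")

if __name__ == "__main__":
    # The questioner's second situation: HELO SPF passes, sender SPF does not,
    # and rDNS differs from HELO -> both FORGED_SPF_HELO and SPF_HELO_PASS fire.
    print(rule_hits(RELAY_MISMATCH, spf_helo_pass=True, spf_pass=False))
    # Same relay once the sender domain's SPF also passes -> no longer "forged".
    print(rule_hits(RELAY_MISMATCH, spf_helo_pass=True, spf_pass=True))
```

Running it shows why "forged" and "pass" coexist: SPF_HELO_PASS is an input to the meta rule, so it is listed alongside FORGED_SPF_HELO whenever the rDNS mismatch and the missing SPF_PASS are also present.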