Really, the HELO fallback is for bounces where the MAIL FROM argument is empty, so it falls back to the HELO argument domain. If your bounces have a 5322.From that's dmarc'd, you need to either DKIM sign it, or have an SPF record for your HELO and they match.
Brandon

On Wed, Jun 3, 2020 at 6:48 AM Ken O'Driscoll via mailop <mailop@mailop.org> wrote:

> On Wed, 2020-06-03 at 14:15 +0200, Benoit Panizzon via mailop wrote:
> > and I guess the domain in the HELO too?
>
> > the HELO contains the FQDN of the sending machine which is
> > not the same as the domain of the envelope sender or From: Header.
>
> > The HELO needing to match anything for DMARC or SPF would be quite new
> > to me.
>
> The FQDN used in the HELO being part of SPF tests is nothing new at all.
>
> If you are using sub-domains of the 5322.From domain in the 5321.From or
> SMTP HELO then those sub-domains need to have their own individual SPF
> records too. For example, if they are single servers then "v=spf1 +a -all"
> is a simple option.
>
> So in the absence of DKIM, even when using an enforcing DMARC policy with
> relaxed SPF alignment ("aspf=r"), a message will fail the DMARC test if
> sub-domains of the 5322.From are used in the 5321.From and/or SMTP HELO and
> they do not have any (compliant) SPF records.
>
> If you could share the specific FQDN values you are using it would greatly
> help in helping you.
>
> Ken.
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
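The SPF side of the DMARC check discussed in this thread, as an added example that is not part of the original messages: it picks the SPF identity (MAIL FROM domain, or the HELO domain when MAIL FROM is empty, as on bounces) and then tests alignment with the 5322.From domain. The domains and SPF outcomes are constructed, and `org_domain` is a simplified stand-in for a Public Suffix List lookup.

```python
# Added illustration. SPF outcomes are supplied as a table instead of being
# resolved from DNS; a domain missing from the table has no SPF record.

def spf_identity(mail_from: str, helo: str) -> str:
    """Domain SPF is evaluated for: MAIL FROM, or HELO when MAIL FROM is null."""
    addr = mail_from.strip().strip("<>")
    if addr == "":                      # bounce / DSN: null reverse-path
        return helo.lower().rstrip(".")
    return addr.rpartition("@")[2].lower().rstrip(".")

def org_domain(domain: str) -> str:
    """Assumption: last two labels. Real DMARC uses the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_spf_passes(from_domain, mail_from, helo, spf_results, aspf="r"):
    """True only if SPF passed for the chosen identity AND it aligns with From."""
    ident = spf_identity(mail_from, helo)
    if spf_results.get(ident, "none") != "pass":
        return False                    # no record or a failing record: no SPF credit
    from_domain = from_domain.lower().rstrip(".")
    if aspf == "s":                     # strict: exact FQDN match
        return ident == from_domain
    return org_domain(ident) == org_domain(from_domain)   # relaxed

# Constructed outcomes: mx1 publishes a passing SPF record; mx2 and
# bounce.example.com publish none.
SPF_RESULTS = {"example.com": "pass", "mx1.example.com": "pass"}

if __name__ == "__main__":
    cases = [
        ("bounce via mx1, aspf=r", "<>", "mx1.example.com", "r"),
        ("bounce via mx2, aspf=r", "<>", "mx2.example.com", "r"),
        ("bounce via mx1, aspf=s", "<>", "mx1.example.com", "s"),
        ("sub-domain MAIL FROM", "noreply@bounce.example.com", "mx1.example.com", "r"),
    ]
    for label, mail_from, helo, aspf in cases:
        ok = dmarc_spf_passes("example.com", mail_from, helo, SPF_RESULTS, aspf)
        print(f"{label:26} -> {'pass' if ok else 'fail'}")
```

Without a DKIM signature, every case that fails here fails DMARC outright.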