I am trying to set up SPF/DKIM/DMARC on my email server on a VPS. Here is my DNS configuration (DKIM & DMARC removed for readability):

@                       28800  A      X.X.X.X
@                       28800  MX     10 smtp.example.com.
smtp                    28800  A      X.X.X.X
www                     28800  A      X.X.X.X
@                       28800  TXT    "v=spf1 ip4:X.X.X.X -all"
smtp.example.com.       28800  TXT    "v=spf1 ip4:X.X.X.X  -all"
www.example.com.        28800  TXT    "v=spf1 -all"

Emails seem to work, and port25.com reports nothing wrong:

==========================================================
Summary of Results
==========================================================
SPF check:          pass
DomainKeys check:   neutral
DKIM check:         pass
SpamAssassin check: ham

However, Yahoo reports a failure on SPF:

<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>Yahoo! Inc.</org_name>
    <email>postmaster@dmarc.yahoo.com</email>
    <report_id>1484621522.715243</report_id>
    <date_range>
      <begin>1484524800</begin>
      <end>1484611199</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>s</adkim>
    <aspf>s</aspf>
    <p>reject</p>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>X.X.X.X</source_ip>
      <count>7</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>example.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>example.com</domain>
        <result>pass</result>
      </dkim>
      <spf>
        <domain>myVPS.provider.com</domain>
        <result>none</result>
      </spf>
    </auth_results>
  </record>
</feedback>

It seems Yahoo is checking on the HELO name (here myVPS.provider.com), which, though it has the same IP address as the sending domain, has no SPF record (and I cannot edit its DNS configuration myself).

Would it fix the issue if my VPS provider added the following to the DNS configuration of myVPS.provider.com?

myVPS.provider.com.  IN TXT  "v=spf1 ip4:X.X.X.X  -all"

Are there other alternatives?
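The report above is worth reading mechanically rather than by eye, because the DMARC verdict is not "SPF passed or failed" but "did a passing SPF or DKIM result come from a domain aligned with the From header". The following script is an added example (not code from the question or from Yahoo) that parses a DMARC aggregate report with the standard library and, for each record, says which of the two mechanisms produced an aligned pass. It uses the report from the question as constructed input (the X.X.X.X placeholder is kept as-is); the `org_domain` helper is a deliberate simplification that takes the last two labels instead of consulting the Public Suffix List, which is adequate for the plain .com names here but not in general.

```python
"""Parse a DMARC aggregate (RUA) report and explain, per record, why DMARC
passed or failed.  Added example, not part of the original post."""
import xml.etree.ElementTree as ET

# Constructed input: the Yahoo report quoted in the question, verbatim apart
# from whitespace.  X.X.X.X is the question's placeholder for the VPS IP.
REPORT_XML = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>Yahoo! Inc.</org_name>
    <email>postmaster@dmarc.yahoo.com</email>
    <report_id>1484621522.715243</report_id>
    <date_range><begin>1484524800</begin><end>1484611199</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>s</adkim>
    <aspf>s</aspf>
    <p>reject</p>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>X.X.X.X</source_ip>
      <count>7</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>myVPS.provider.com</domain><result>none</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def org_domain(name):
    """Assumption: organizational domain = last two labels.  Real DMARC
    evaluators use the Public Suffix List; this is only good enough for
    names like example.com / provider.com."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, header_from, mode):
    """RFC 7489 identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed) only needs the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    h = header_from.lower().rstrip(".")
    return a == h if mode == "s" else org_domain(a) == org_domain(h)


def analyse_report(xml_text):
    """Return one dict per <record>: whether DKIM and SPF each produced an
    aligned pass, the resulting DMARC verdict, and notes on what failed."""
    root = ET.fromstring(xml_text)
    pol = root.find("policy_published")
    adkim = pol.findtext("adkim", "r")   # both alignment modes default to relaxed
    aspf = pol.findtext("aspf", "r")
    findings = []
    for rec in root.findall("record"):
        header_from = rec.findtext("identifiers/header_from")
        row = rec.find("row")
        f = {
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": header_from,
            "disposition": row.findtext("policy_evaluated/disposition"),
            "dkim_ok": False,
            "spf_ok": False,
            "notes": [],
        }
        for d in rec.findall("auth_results/dkim"):
            dom, res = d.findtext("domain"), d.findtext("result")
            if res == "pass" and aligned(dom, header_from, adkim):
                f["dkim_ok"] = True
            else:
                f["notes"].append(f"DKIM d={dom}: result={res}, "
                                  f"aligned({adkim})={aligned(dom, header_from, adkim)}")
        for s in rec.findall("auth_results/spf"):
            dom, res = s.findtext("domain"), s.findtext("result")
            if res == "pass" and aligned(dom, header_from, aspf):
                f["spf_ok"] = True
            else:
                f["notes"].append(f"SPF domain={dom}: result={res}, "
                                  f"aligned({aspf})={aligned(dom, header_from, aspf)}")
        # DMARC passes if either mechanism gives an aligned pass.
        f["dmarc_pass"] = f["dkim_ok"] or f["spf_ok"]
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyse_report(REPORT_XML):
        print(f"{f['source_ip']} x{f['count']}: DMARC {'pass' if f['dmarc_pass'] else 'fail'}"
              f" (dkim_ok={f['dkim_ok']}, spf_ok={f['spf_ok']}, disposition={f['disposition']})")
        for n in f["notes"]:
            print("  -", n)
```

Run against the report in the question this prints a DMARC pass carried by DKIM alone, with the note that the SPF-checked domain was myVPS.provider.com, which both returned "none" (no record) and is not aligned with example.com under aspf=s; that is why `<spf>fail</spf>` appears in `policy_evaluated` and why `disposition` is still `none` despite p=reject.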

2 Answers

Hopefully this is a better approach than the previous answer: modify the HELO/EHLO name within the MTA.

With exim4, I added the following content to /etc/exim4/conf.d/main/00_local_settings:

REMOTE_SMTP_HELO_DATA=$sender_address_domain

Then, after update-exim4.conf and service exim4 restart, the HELO/EHLO name is the same as the domain name of the sender address.

Update:

It seems this approach is wrong, since the HELO data should be the FQDN. I guess there is a much better solution: according to the OpenSPF FAQ, section Common Mistakes,

Checking HELO/EHLO names is recommended by the SPF RFC. Publishing records for these hostnames is an important part of the SPF protocol.

I'll check with my VPS provider and if it can be done I'll test and update this answer accordingly.
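To see concretely why the HELO identity matters, here is a deliberately minimal SPF evaluator (an added example, not code from the answer, exim, or any SPF library) run over an in-memory copy of the zone data from the question. It implements only the mechanisms those records use (`ip4`, `ip6`, `a`, `all`); `mx`, `include`, `exists`, `redirect` and dual-CIDR notation are left out and return `permerror` so the omission is visible. 192.0.2.10 stands in for X.X.X.X. A receiver evaluates HELO and MAIL FROM as two separate identities (RFC 7208), so the same IP can pass for example.com and get `none` for myVPS.provider.com; `with_helo_record` shows the effect of the TXT record the question proposes asking the provider to publish. For anything real, use pyspf or the MTA's own SPF support with a live resolver.

```python
"""Minimal RFC 7208 check_host() over a constructed zone, to show the HELO
and MAIL FROM identities being checked separately.  Added example, not part
of the original post.  192.0.2.10 is a stand-in for the question's X.X.X.X."""
import ipaddress

MAIL_IP = "192.0.2.10"

# Constructed zone data, modelled on the DNS records in the question.
# Keys are (lower-cased name, record type); values are lists of answers.
ZONE = {
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.10 -all"],
    ("smtp.example.com", "TXT"): ["v=spf1 ip4:192.0.2.10 -all"],
    ("www.example.com", "TXT"): ["v=spf1 -all"],
    ("example.com", "A"): ["192.0.2.10"],
    ("smtp.example.com", "A"): ["192.0.2.10"],
    # The VPS hostname resolves to the same IP but publishes no SPF record.
    ("myvps.provider.com", "A"): ["192.0.2.10"],
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(zone, name, rtype):
    return zone.get((name.lower().rstrip("."), rtype), [])


def check_host(zone, ip, domain):
    """SPF result for <ip> claiming <domain>: pass/fail/softfail/neutral/
    none/permerror.  Subset of RFC 7208 section 4 (see lead-in)."""
    records = [r for r in lookup(zone, domain, "TXT")
               if r == "v=spf1" or r.startswith("v=spf1 ")]
    if not records:
        return "none"          # no SPF record published for this name
    if len(records) > 1:
        return "permerror"     # RFC 7208: multiple records is an error
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in lookup(zone, arg or domain, "A")
        else:
            return "permerror"  # mx/include/exists/redirect not implemented here
        if matched:
            return QUALIFIER[qual]
    return "neutral"           # nothing matched and no "all" term


def check_identities(zone, ip, helo, mail_from):
    """What a receiver does: check HELO, and check MAIL FROM (falling back to
    the HELO name when MAIL FROM is empty, e.g. for bounces)."""
    mf_domain = mail_from.rsplit("@", 1)[-1] if mail_from else helo
    return {"helo": check_host(zone, ip, helo),
            "mailfrom": check_host(zone, ip, mf_domain)}


def with_helo_record(zone, helo, ip):
    """Copy of <zone> with the record the question proposes for the HELO name."""
    fixed = dict(zone)
    fixed[(helo.lower().rstrip("."), "TXT")] = [f"v=spf1 ip4:{ip} -all"]
    return fixed


if __name__ == "__main__":
    before = check_identities(ZONE, MAIL_IP, "myVPS.provider.com", "user@example.com")
    after = check_identities(with_helo_record(ZONE, "myVPS.provider.com", MAIL_IP),
                             MAIL_IP, "myVPS.provider.com", "user@example.com")
    print("before:", before)   # HELO identity has no record -> none
    print("after: ", after)    # HELO identity now passes too
```

Note the asymmetry the output makes visible: MAIL FROM for example.com passes either way, but the HELO name only stops returning `none` once a record exists at myVPS.provider.com itself; pointing the HELO at a name in your own zone (e.g. smtp.example.com, which already has a record and matching A) is the alternative when the provider's zone cannot be edited.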

Actually, the simplest solution may be to modify the FQDN?

I changed it with hostname example.com (and modified /etc/hostname and /etc/hosts for the next reboot); if the next Yahoo report is positive I'll accept this answer (unless someone has a better one, of course…).

  • Are you sure it's not just the way this email was sent: the envelope sender defaulted to user@hostname rather than the address you intended (maybe not matching the From header)? Setting a weird hostname seems like a problematic approach (it also won't help when you deal with a second domain). – Håkan Lindqvist Jan 17 '17 at 19:01
  • Never name your mail server with the naked domain name. Always use a subdomain. A lot of stuff will break otherwise. – Michael Hampton Jan 17 '17 at 19:38
  • @MichaelHampton Would it matter for other services (e.g. web) if I set the FQDN to smtp.example.com, or should I choose something else? – Skippy le Grand Gourou Jan 17 '17 at 19:48
  • It doesn't matter much, as long as it's in your domain, and you also change the reverse DNS to match. – Michael Hampton Jan 17 '17 at 19:49
  • @HåkanLindqvist The envelope sender is correct. By "weird hostname", do you mean the same thing as Michael? Actually there are already several domains on this server, so indeed I'm puzzled about the best choice for the FQDN… But maybe it should be another question. – Skippy le Grand Gourou Jan 17 '17 at 20:33
  • @SkippyleGrandGourou Yes, I mean the same thing. I would say the best choice is the proper name of the server, probably something somewhat "neutral". – Håkan Lindqvist Jan 17 '17 at 20:35