Understanding SPF skipped for whitelisted relay domain

Asked by Gossamer

I'm trying to understand the reasoning behind how domains get skipped:

May 5 21:17:58 xavier policyd-spf[2883049]: prepend X-Comment: SPF skipped for whitelisted relay domain - client-ip=40.107.100.123; helo=nam04-bn8-obe.outbound.protection.outlook.com; <email address hidden>; receiver=<UNKNOWN>

Nothing in the above log entry appears in anything in my policyd-spf.conf file:

HELO_reject = Fail
Mail_From_reject = Fail
PermError_reject = False
TempError_Defer = False
skip_addresses = 139.138.56.0/24,127.0.0.0/8,::ffff:127.0.0.0/104,::1,52.128.98.0/24,74.203.184.0/24,74.200.60.0/24,209.222.82.0/24,12.15.90.10
Domain_Whitelist = harrimanre.com,ventusnetworks.com,digi.com,magicwrighter.com
Reject_Not_Pass_Domains = harrimanre.com

Where does policyd-spf get this information?

The problem I'm having is with amavisd and SA - when SPF is bypassed, my welcomelist_auth entries fail, even though SPF_PASS is triggered.

Question information

Language: English
Status: Answered
For: SPF Engine
Assignee: No assignee

Scott Kitterman (kitterman) said :
#1

The key to figuring this out is "whitelisted relay domain". In your Domain_Whitelist you have harrimanre.com. Its SPF record is:

harrimanre.com. 300 IN TXT "v=spf1 include:spf.protection.outlook.com -all"

40.107.100.123 is listed in the spf.protection.outlook.com SPF record.

Since that address passes SPF for a whitelisted domain, it is skipped.
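
A simplified model of the behaviour described in this answer, added here as an illustration (it is not part of the original thread and is not policyd-spf's own code): the client IP is checked against the SPF record of every Domain_Whitelist entry, and the envelope sender plays no part in that decision. The TXT table, the ip4 range standing in for the Outlook record, the example.net sender and all function names are constructed for the example.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; the ip4 range is illustrative,
# not the real published spf.protection.outlook.com record.
TXT = {
    "harrimanre.com": "v=spf1 include:spf.protection.outlook.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:40.107.0.0/16 -all",
    "example.net": "v=spf1 ip4:192.0.2.0/24 -all",
}
DOMAIN_WHITELIST = ["harrimanre.com", "ventusnetworks.com", "digi.com", "magicwrighter.com"]

def spf_pass(client_ip, domain, depth=0):
    """Simplified SPF evaluation (ip4, include, all only): True means Pass."""
    record = TXT.get(domain, "")
    if depth > 10 or not record.startswith("v=spf1"):
        return False
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        elif mech.startswith("include:"):
            matched = spf_pass(client_ip, mech[8:], depth + 1)
        elif mech == "all":
            matched = True
        else:
            continue  # other mechanisms are omitted in this model
        if matched:
            return qualifier == "+"
    return False

def whitelisted_relay(client_ip, domain_whitelist):
    """Return the first whitelist domain whose SPF record passes for client_ip."""
    for domain in domain_whitelist:
        if spf_pass(client_ip, domain):
            return domain
    return None

def policy_action(client_ip, mail_from, domain_whitelist):
    # The whitelist test looks only at the client IP, never at mail_from.
    hit = whitelisted_relay(client_ip, domain_whitelist)
    if hit:
        return f"SPF skipped for whitelisted relay domain ({hit})"
    sender_domain = mail_from.rsplit("@", 1)[-1]
    return "Pass" if spf_pass(client_ip, sender_domain) else "Fail"
```

With harrimanre.com whitelisted, any sender relaying through an address that its SPF record authorizes is skipped; with the whitelist emptied, the same message is evaluated against its own sender domain.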

Gossamer (gossamer) said :
#2

Thanks so much. I thought the whitelist was relative to emails originating from those domains, not that it would somehow inherit the SPF record of whatever domain we were whitelisting for all emails, regardless of originating domain.

I've disabled all whitelist entries and will monitor it over the coming days.
