SPF and trusted forwarder

Dominic Raferd dominic at timedicer.co.uk
Tue Jun 6 10:46:05 CEST 2017

On 5 June 2017 at 18:55, Phil Susi <psusi at ubuntu.com> wrote:

> I prefer to use my @ubuntu.com alias, which forwards mail to my real
> server.  Amavis then tries to check SPF against the forwarder, which
> fails.  Is there a way to configure it to trust this forwarding server
> and check SPF against the Recieved: header rather than the forwarder?

​I don't know whether it is possible to change Amavis's behaviour but it is
doing the right thing in terms of SPF because it is only the latest ip that
it can have any confidence in - earlier headers (reporting a previous ip)
could be fake.

The reality is that SPF is broken if you forward emails, you need to use a
different technology to verify identity such as DKIM (e.g. opendkim), or
combine the two with DMARC (e.g. opendmarc + opendkim +
python-policyd-spf).​ If amavis can't do this (I'm not sure), your MTA
should be able to.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.amavis.org/pipermail/amavis-users/attachments/20170606/3396ccaf/attachment.html>

More information about the amavis-users mailing list