mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

`HELO does not publish an SPF Record` #4631

Open strarsis opened 2 years ago

strarsis commented 2 years ago

Summary

mail-tester.com lists the complaint HELO does not publish an SPF Record.

Motivation

Publishing an SPF record for the HELO name should (slightly) improve the spam score of an email. As this requires only minimal changes (see Additional context), it would be a good idea to add this to mailcow by default.

Additional context

Just adding a piece of config to /etc/postfix/main.cf (as a mailcow override in data/conf/postfix/extra.cf) made it pass: https://serverfault.com/a/1064047/958731

Alternatively, a www TXT DNS record with the SPF value should also work: https://stackoverflow.com/questions/71786859/email-dns-setup-how-do-i-make-helo-publish-an-spf-record-spf-helo-none-spf

Using $mydomain in the HELO banner appears to introduce another complaint though: Your reverse DNS does not match with your sending domain.

Has this something to do with an SPF record being set for example.com and not mail.example.com?

DerLinkman commented 2 years ago

Hi there,

yeah, if that change introduces a new complaint, we probably won't implement it.

In any case this small change won't change the spam score of a mail which is already marked as spam due to other flaws.

We'll evaluate that, but I don't see that we'll implement it.

mkuron commented 2 years ago

Just by adding a piece of config to /etc/postfix/main.cf (as mailcow override to data/conf/postfix/extra.cf) made it pass [...] Using $mydomain in the HELO banner appears to introduce another complaint though: Your reverse DNS does not match with your sending domain.

The HELO should contain the hostname, not the mail domain name. So the current configuration is correct.

Alternatively, a www TXT DNS record with the SPF value should also work

This is not about the www subdomain, but rather about $MAILCOW_HOSTNAME. I have confirmed that it makes mail-tester.com happy when I add a DNS record like

mailcow.example.com.    3600    IN  TXT "v=spf1 a -all"

You can do that too, @strarsis. There is nothing that needs to be changed on the Mailcow side. I am not aware of any requirement of having an SPF record for your sending hostname, so I don't think we need to add this record to our DNS check.

strarsis commented 2 years ago

@mkuron: So this adds the SPF record to the subdomain (= the hostname mentioned in the HELO banner)? I have added the SPF record only to the TLD.

Spamassassin appears to be more happy with this specific SPF record, so adding a DNS check may still be worth it?

mkuron commented 2 years ago

Feel free to submit a pull request against https://github.com/mailcow/mailcow-dockerized/blob/master/data/web/inc/ajax/dns_diagnostics.php. Note that we display the SPF record as optional there because we don't want people to blindly copy a default value that might block some of their other servers. So this new record should also be optional, but a check should be performed that, if it's present, it includes $MAILCOW_HOSTNAME.

strarsis commented 2 years ago

I added the SPF TXT record directly for the domain itself, but SpamAssassin is still not fully happy: SPF_HELO_SOFTFAIL

mailcow HELO:

220 mail.example.com ESMTP Postcow

For the mail subdomain an SPF TXT record was added.

BrettDean commented 1 month ago

In /mailcow-dockerized/data/conf/postfix/extra.cf, I added smtp_helo_name = $mydomain. The message changed to: -0.0 SPF_HELO_PASS SPF: HELO matches SPF record,

but a new issue appeared:

Your reverse DNS does not match with your sending domain.

Your IP address x.x.x.x is associated with the domain mail.example.com. Nevertheless your message appears to be sent from example.com.

You may want to publish a pointer (PTR type) DNS record with a value of example.com or use mail.example.com as hostname in your mail software

Here are the tested values for this check:
IP: x.x.x.x
HELO: example.com
rDNS: mail.example.com

Solution:

Finally, I changed smtp_helo_name = $mydomain to smtp_helo_name = mail.example.com, and there were no errors at all.
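As an added illustration (not code from mailcow or from anyone in this thread), a small Python model of the two checks discussed here: a subset SPF evaluator for the HELO identity, plus mail-tester's "rDNS equals HELO" comparison, run over constructed zone data for the three configurations in the thread (mailcow's default HELO, `smtp_helo_name = $mydomain`, and mkuron's `v=spf1 a -all` record on the hostname). The DNS data, the IP addresses and the `a`/`ip4`/`all`-only mechanism support are assumptions of the example.

```python
import ipaddress

# Constructed zone data for this example (not real records): the mail domain
# example.com publishes SPF, the mailcow host mail.example.com does not.
DNS = {
    "A": {"mail.example.com": "192.0.2.10", "example.com": "192.0.2.20"},
    "TXT": {"example.com": "v=spf1 a ~all"},
    "PTR": {"192.0.2.10": "mail.example.com"},
}
SENDING_IP = "192.0.2.10"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def helo_spf(helo, ip, dns):
    """SPF result for the HELO identity (mechanisms a, a:host, ip4, all only);
    "none" means the HELO name publishes no record, mail-tester.com's complaint."""
    record = dns["TXT"].get(helo.lower(), "")
    if not record.lower().startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech == "a" and dns["A"].get(arg or helo) == ip:
            return QUALIFIERS[qual]
        if mech == "ip4" and ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
        if mech == "all":
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no "all" term


def rdns_matches_helo(helo, ip, dns):
    """mail-tester's reverse-DNS check: the PTR of the sending IP must equal HELO."""
    return dns["PTR"].get(ip, "").lower() == helo.lower()


def scenarios():
    """The three configurations from the thread as {name: (spf_result, rdns_ok)}."""
    # 1. mailcow default: HELO is $MAILCOW_HOSTNAME, which publishes no SPF record.
    # 2. smtp_helo_name = $mydomain: example.com's SPF does not cover the host's IP
    #    (softfail) and the PTR points at mail.example.com, not example.com.
    # 3. mkuron's fix: keep the default HELO, add "v=spf1 a -all" for the hostname.
    fixed = {**DNS, "TXT": {**DNS["TXT"], "mail.example.com": "v=spf1 a -all"}}
    return {
        "default": (helo_spf("mail.example.com", SENDING_IP, DNS),
                    rdns_matches_helo("mail.example.com", SENDING_IP, DNS)),
        "mydomain": (helo_spf("example.com", SENDING_IP, DNS),
                     rdns_matches_helo("example.com", SENDING_IP, DNS)),
        "host_record": (helo_spf("mail.example.com", SENDING_IP, fixed),
                        rdns_matches_helo("mail.example.com", SENDING_IP, fixed)),
    }
```

Only the third scenario passes both checks, which is why BrettDean's final `smtp_helo_name = mail.example.com` (the default HELO) together with a record on the hostname clears both complaints.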