<div dir="ltr"><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On 14 July 2017 at 16:10, Juri Haberland <span dir="ltr"><<a href="mailto:juri@sapienti-sat.org" target="_blank">juri@sapienti-sat.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-m_6451145961137409542gmail-">On 14.07.2017 15:08, Dominic Raferd wrote:<br>
<br>
> My understanding is that for the latter behaviour you must have policyd-spf<br>
> set to provide an 'Authentication-Results' header (opendmarc doesn't<br>
> understand the 'Received-SPF' header), and furthermore - if you are using<br>
<br>
</span>This understanding is wrong. OpenDMARC does understand the Received-SPF header.<br>
<span class="gmail-m_6451145961137409542gmail-"><br>
> postfix - you must add an initial 'dummy' header line before the<br>
> 'check_policy_service unix:private/policy-spf' because this gets stripped<br>
> out in the information passed to the opendmarc milter and otherwise it<br>
> therefore loses sight of the SPF header.<br>
<br>
</span>I think this was true for older Postfix versions, but there where some<br>
changes around version 2.10.2 & 2.10.3 that fixed that. At least I don't<br>
have to do anything special to get the SPF outcome of policy-spf into<br>
OpenDMARC.</blockquote><div><br></div><div class="gmail_default" style="font-size:small">Thanks Juri for the confirmation.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">Regarding acceptability of 'Received-SPF' headers: it would be good if man opendmarc was explicit about this. Presently (v1.3.2) it says: 'TrustedAuthservIDs (string) Provides a list of authserv-ids that are to be used to identify Authentication-Results header fields whose contents are to be assumed as valid input for the DMARC assessment.' This implies (to me) that trusted headers must start with 'Authentication-Results' as well as including the specified string as id. I've always used 'Header_Type = AR' in policyd-spf.conf.</div></div></div></div>