Outgoing mail gets SPF_FAIL / KAM_DMARC_QUARANTINE in PMG despite final SPF/DKIM PASS

Jan 19, 2026
Hello,

I have a setup where outbound mail is routed through Proxmox Mail Gateway:

Backend mail server -> PMG -> Internet

PMG is also configured to DKIM-sign outgoing messages.

The problem is that PMG spam analysis for outgoing mail reports:

* SPF_FAIL
* KAM_DMARC_QUARANTINE
* KAM_DMARC_STATUS
* DMARC_QUAR

Example score:

Spam detection results: 5

DMARC_QUAR 0.1
KAM_DMARC_QUARANTINE 4
KAM_DMARC_STATUS 0.01
SPF_FAIL 0.919
SPF_HELO_NONE 0.001

However, the final delivered message is completely valid:

* SPF_PASS
* DKIM_VALID
* DMARC PASS
* Spam score 0.00

Authentication results on the recipient side are correct.

It looks like PMG performs SpamAssassin/SPF/DMARC checks on outbound mail before the final DKIM signing or before the message reaches its final sending context.

So my questions are:

1. Is this expected behavior for outbound filtering in PMG?
2. Is there a recommended way to suppress SPF/DMARC checks for outgoing mail only?
3. Should outbound mail generally bypass SpamAssassin authentication checks?
4. Is there a best practice for PMG setups where PMG itself performs DKIM signing?

I found several similar forum threads mentioning SPF failures on internal relays/outbound scanning, but I would like to understand what the recommended configuration is today.

Thank you.
 
Additionally, I discovered a rather funny side effect of this setup.

I enabled outbound spam checking in PMG and because of the false SPF/DMARC scoring on outgoing mail, a notification from a postmaster about a message being classified as spam was itself classified as spam again by PMG.

This triggered another notification, which again got flagged, creating a recursive notification loop.

The resulting subject lines started looking like this:

"Notification: Notification: Notification: Notification: ..."

So effectively:

* PMG classified a postmaster spam notification as spam,
* generated another notification,
* then classified its own notification again,
* and repeated the process.

This seems to confirm that outbound SpamAssassin checks are being applied to locally generated/report messages in a way that can create feedback loops when SPF/DMARC checks fail during outbound processing.

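Added example (not part of the original post, and not PMG or SpamAssassin code): SPF is evaluated against the IP address of the connecting client, so one message can get a fail verdict at a hop that sees the internal backend and a pass at the recipient that sees the gateway. The record, the addresses and the function names are constructed for illustration; it assumes the outbound check uses the backend's address as the client IP, and it handles only the `ip4`, `ip6` and `all` mechanisms.

```python
import ipaddress

# Qualifier prefix -> SPF result (RFC 7208). A bare mechanism means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample data: the domain authorises only the gateway's public IP.
RECORD = "v=spf1 ip4:198.51.100.25 -all"
BACKEND_IP = "10.0.0.5"        # internal mail server that hands mail to the gateway
GATEWAY_IP = "198.51.100.25"   # address the recipient's MX sees


def spf_result(record: str, client_ip: str) -> str:
    """Evaluate the ip4/ip6/all subset of an SPF record for one client IP.

    Terms that need DNS or are modifiers (a, mx, include, redirect=, ...)
    are not resolved: reaching one before a match returns "unsupported"
    instead of a guessed verdict.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        has_qualifier = term[0] in QUALIFIERS
        qualifier = term[0] if has_qualifier else "+"
        name, _, arg = (term[1:] if has_qualifier else term).partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]          # catch-all, always matches
        if name in ("ip4", "ip6") and arg:
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]      # first match wins
            continue
        return "unsupported"
    return "neutral"                              # no mechanism matched


def hop_verdicts(record: str = RECORD) -> dict:
    """SPF verdict for the same message at each hop of backend -> gateway -> recipient."""
    return {
        "checked at gateway (client = backend)": spf_result(record, BACKEND_IP),
        "checked at recipient (client = gateway)": spf_result(record, GATEWAY_IP),
    }


if __name__ == "__main__":
    for hop, verdict in hop_verdicts().items():
        print(f"{hop}: {verdict}")
```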