I’m running into an issue where a message I send via script is rejected by rspamd. This is mainly because of
R_DKIM_REJECT (8) [smtpcorp.com:s=a1-4]
The message is sent by a script as “email@example.com” via a smarthost (smtp2go/smtpcorp.com) and To: is e.g. “firstname.lastname@example.org”.
SPF records for myserver.tld are
"v=spf1 mx include:spf.smtp2go.com -all"
and DKIM is setup in DNS according to smtp2go policy (via subdomain and return-path / VERP at dkim.myserver.tld as well as return.myserver.tld). See also smtp2go: verp.
In addition, mail sent from mailcow for all senders @myserver.tld is routed to smtp2go as configured per sender_dependant_transport in the UI. This has worked flawlessly so far.
However, external triggering of emails via smtp2go smarthost TO the mailcow domain result in rspamd rejecting the message as per above. This seems to have happened with one of the last updates since it worked fine before. Not sure what has changed.
Messages by the same script to other domains external to mailcow pass (even google/outlook).
A test message to email@example.com by the same script results in
Summary of Results
SPF check: pass
“iprev” check: pass
DKIM check: fail
DKIM check: pass
where the first DKIM check is failing because of “wrong body hash”. The second one is
Result: pass (matches From: firstname.lastname@example.org)
ID(s) verified: email@example.com
What I’d like to do is tell Mailcow that any mails sent for @myserver.tld addresses that are sent by firstname.lastname@example.org with a return-path matching the smtp2go relay-host should be accepted. Or better yet, let Mailcow figure out that any messages received by relayhosts defined as sender_dependant_relayhosts in mailcow that match /From: *@myserver.tld/ to the mailcow domain should be accepted.
Adding all sender IPs from the smarthost (cf. spf.smtp2go.com) to the “Forwarding Hosts” of Mailcow UI does the trick but also doesn’t seem to be the best way to do this. Adding them as CIDRs to postscreen config (data/conf/postfix/custom_postscreen_whitelist.cidr) seems similarly misguided.
How would one do this? I might be missing something here…