Как настроить SPF и DMARC для satellite хостов?

Question

[Falseclock]

Если отправляю непосредственно почту с релея, то все прекрасно работает. Все проверки проходят, в спам не улетает.

Delivered-To: 102@host.me
Received: by 10.100.182.171 with SMTP id t40csp2626933pjb;
        Thu, 26 Apr 2018 10:46:48 -0700 (PDT)
X-Google-Smtp-Source: AIpwx4/9tRGhIYiEqgkaJpGdNZz2kdBMwayri8Jw1FpQbkXwwi7FVsResUJWGCGUJo1ldjN0B58F
X-Received: by 10.46.151.151 with SMTP id y23mr16275963lji.52.1524764808385;
        Thu, 26 Apr 2018 10:46:48 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1524764808; cv=none;
        d=google.com; s=arc-20160816;
        b=cyB04HBw9TTTJAWwuEhT/qR6+lMFpIDYunmeNywATk5Ty2a3bmS9lSlIT8xYA1wvwA
         ouDJ2zRi8z4RuVurYoZqQGO+btm0R9dHvAUfV6w/WPBofgI8Kl1RaUvHZ/lONaOE3Bze
         epnp6+EXzmflmdMjsrhUb3c8Rmx+i91a+hZcZeGM5/qTuaeyzxbDM7TGnyWKkIMTrJ0i
         VD/HHYS3hhQkFKpEZpzlcI/+Z0zVRNT0pW7RLufAP8vTPWcncUiYaw2Nl7MjcorTf3vB
         qyy8EdQreIt8bnzBZASwKR2gjTyRtrN94HpYXetE2f3BKh6rO7AXkG8o2Rbxhaq3Cxip
         qYlg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=date:from:message-id:to:subject:dkim-signature
         :arc-authentication-results;
        bh=8RMrWM7Bx0xwYLRGJR8xwS45EuxVliASeW9XWrVcUwk=;
        b=NvKM7lcKjS2xzOCgY3qqBp6s2tTTlqof7pK71kYab+EJeztH3H8ZODJw9OkV4qmnv+
         lyiUK7imMxEyrfERNNqcx9ocXV62emtQZac6ef9AlwXLFX/jf49w0tsp9ylvJAZO/4LS
         nPZZ1pGZoaIZ9CmuRHwE5GHfmXLxHx1LmPhqzCZD3ThHFwOxkuS7nJSmVseOuikV6ZWh
         HLjCVyPYIPoX/nF3g3kN/hSZtvKLJ28pQ8joxBofX/IBAuklSX4UGLez2Ibrb+bhrvib
         p8z/3/AOntN5HJ/KmHJU5KvX+fm8H/gB5KyZa2ii8oP8ItyArsaU6Rtyg9bUp31K+jCY
         5+mg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@git.host.me header.s=mail header.b=FNRfL+sE;
       spf=pass (google.com: domain of root@git.host.me designates 119.176.231.226 as permitted sender) smtp.mailfrom=root@git.host.me;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=git.host.me
Return-Path: <root@git.host.me>
Received: from git.host.me ([119.176.231.226])
        by mx.google.com with ESMTPS id e8si3825617ljg.267.2018.04.26.10.46.47
        for <102@host.me>
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Thu, 26 Apr 2018 10:46:48 -0700 (PDT)
Received-SPF: pass (google.com: domain of root@git.host.me designates 119.176.231.226 as permitted sender) client-ip=119.176.231.226;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@git.host.me header.s=mail header.b=FNRfL+sE;
       spf=pass (google.com: domain of root@git.host.me designates 119.176.231.226 as permitted sender) smtp.mailfrom=root@git.host.me;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=git.host.me
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=git.host.me;
	 s=mail; h=Date:From:Message-Id:To:Subject:Sender:Reply-To:Cc:MIME-Version: Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=8RMrWM7Bx0xwYLRGJR8xwS45EuxVliASeW9XWrVcUwk=; b=FNRfL+sEpXPFi8PuUR2fyt9Bkw 18AfHsXg6xsKQaMj5m3qXoe8vrvbf18HpwzH8MYImBKXdRiSIGyXOrg4XMxFYIJ7wyFCnUpiFLYDF 3kaIcIDTC0pBkbPCfyidhxxk1BwQ2jMcazTdcT8AE4giSXTGG3Hy7O3Ww8KNBTaU9vRk=;
Received: from root by git.host.me with local (Exim 4.89) (envelope-from <root@git.host.me>) id 1fBkyj-0007hW-Hr for 102@host.me; Thu, 26 Apr 2018 23:46:45 +0600
Subject: Test Subject4
To: <102@host.me>
X-Mailer: mail (GNU Mailutils 3.1.1)
Message-Id: <E1fBkyj-0007hW-Hr@git.host.me>
From: GitLab <root@git.host.me>
Date: Thu, 26 Apr 2018 23:46:45 +0600

А вот если отправляю почту с саттелита, который отправляет через этот релей, то SPF и DMARC не работают.

Delivered-To: 102@host.me
Received: by 10.100.182.171 with SMTP id t40csp2596843pjb;
        Thu, 26 Apr 2018 10:18:00 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZqHS5rxP0CP+5cReVbLQ0eSEuquzFPakXwEixRr2iKnnAxqj1129rFCrQ+AVU4/mAtaffWW
X-Received: by 10.46.150.137 with SMTP id q9mr8330222lji.35.1524763080357;
        Thu, 26 Apr 2018 10:18:00 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1524763080; cv=none;
        d=google.com; s=arc-20160816;
        b=lrfP7Il7GdHHm/lCC6pOtDfbB/tzSi2miDZYJs5NS9OmBhw2NXx6+Fn2SwpQmXTtYA
         ahLZn6Y46Uy1LxslbXevD7VVIhh89O8oR/P5etNOlVHdNPr5SZdi0JsWT785sfuXciHU
         m1zJhZ0le6llShfYniO3GaDE30gZgP/l97i7u8xM+15wQpU3h1JCpvgTBrzDz/Nde0Nc
         8DCqpPgb1x0e17ezzG/+oNEhsHyZ6DkwSfSJaTXUs9thMnbgQFA2XwYfzDV0lHahVbiE
         g2mk/LEHgzFjAXICLwCcXYOnc0lT07lfHqY41xPIInQQcknV6WSR7V0WOH5GWUR0yqJS
         8aQw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=date:from:message-id:to:subject:dkim-signature
         :arc-authentication-results;
        bh=yH/vUyKuWBPNLRqqzCex1QTHbG30THc7TAL6MFazZhc=;
        b=F+VqDKrcESEUQT4Xg9mhU0sm88mezc4ZRqFBl9yOQa/2Bbyfm4Nv17jSGVsQST/kDI
         XZXhX7bUkR/Qz2B771K7oQNl2rMrL6LNnr6W3jfR7mNl5q2O33N4kp/c6n/Nyy4vcVa3
         d0PY6WbCpAjeSG2eZhBanTWP6x9bnu8NAmpB2HeCjIWQWijSLTmGB8zR6WmsSZuyJZTY
         75bfPNPn1uxvs8/eCtgx0kcn93u/ESty+98HEl2Jk4Kph9bODahOTk+AGfdGnM9XKx/a
         KJ8s10K8oK+ENuewofwxQSrO954yhIQd1q2oFcKuIYz7RVCQIayQVNWlscvlVJ9jLXK5
         eL5Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@git.host.me header.s=mail header.b=nMYm74MJ;
       spf=neutral (google.com: 119.176.231.226 is neither permitted nor denied by best guess record for domain of root@postgres.inf) smtp.mailfrom=root@postgres.inf
Return-Path: <root@postgres.inf>
Received: from git.host.me ([119.176.231.226])
        by mx.google.com with ESMTPS id 7-v6si7910546lft.38.2018.04.26.10.18.00
        for <102@host.me>
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Thu, 26 Apr 2018 10:18:00 -0700 (PDT)
Received-SPF: neutral (google.com: 119.176.231.226 is neither permitted nor denied by best guess record for domain of root@postgres.inf) client-ip=119.176.231.226;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@git.host.me header.s=mail header.b=nMYm74MJ;
       spf=neutral (google.com: 119.176.231.226 is neither permitted nor denied by best guess record for domain of root@postgres.inf) smtp.mailfrom=root@postgres.inf
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=git.host.me;
	 s=mail; h=Date:From:Message-Id:To:Subject:Sender:Reply-To:Cc:MIME-Version: Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=yH/vUyKuWBPNLRqqzCex1QTHbG30THc7TAL6MFazZhc=; b=nMYm74MJpGXuswasjPd9bBZ9jf CEuuqQEj6LLLUUUMVwsGFHz4htEILACtC2My2P4EUvc0rEGJoykL5qSETL33fbttlHj3z0z0GjbCN WlGTnol6YR6IgHwnh2Fh8IidTLAAayiq44uCw0ditde0MUSm22ioI1XlV8cJNuIB8wDs=;
Received: from postgres.inf.host.me ([192.168.1.204] helo=postgres.inf) by git.host.me with esmtp (Exim 4.89) (envelope-from <root@postgres.inf>) id 1fBkWs-0006W6-1i for 102@host.me; Thu, 26 Apr 2018 23:17:58 +0600
Received: from root by postgres.inf with local (Exim 4.89) (envelope-from <root@postgres.inf>) id 1fBkWs-00023Q-00 for 102@host.me; Thu, 26 Apr 2018 23:17:58 +0600
Subject: Test Subject3
To: <102@host.me>
X-Mailer: mail (GNU Mailutils 3.1.1)
Message-Id: <E1fBkWs-00023Q-00@postgres.inf>
From: root@postgres.inf
Date: Thu, 26 Apr 2018 23:17:57 +0600

что в exim подкрутить или какие заголовки подменить, чтобы провекра SPF и DMARC проверялась по тому хосту, который непосредственно почту отправляет, а не саттелит?

Answer 1

[Владимир Дубровин]

У вас для домена postgres.inf вообще SPF не настроен, вы SPF-запись то опубликуйте.

SPF проверяется по домену envelope-from, это адрес который в полученному письме видно в заголовке Return-Path

Answer 2

[Dimonchik]

https://blogs.msdn.microsoft.com/tzink/2015/03/13/...