OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf 2.0.2, allows attacks that bypass SPF and DMARC authentication in situations where the HELO field is inconsistent with the MAIL FROM field.
NOTE: the validity of this issue is disputed. According to the OpenDMARC developers: "It is the job of OpenDMARC to trust information provided to it by upstream filters. OpenDMARC itself can be configured to validate SPF, but there are use cases where OpenDMARC may be running further inside a network and not have access to the connection strings as logged. No standard exists for relaying the IP address of the client to inward systems when relaying occurs. It is the view of the OpenDMARC developers that this is working as designed, but if this behavior is undesirable, then any filter that adds a Received-SPF header field should not set a spf=pass result based solely on the HELO/EHLO string. It is not the job of OpenDMARC to second-guess other filters in the chain, but simply to compare their stated values and make a weight-based judgement."
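As an added illustration, not code from OpenDMARC or pypolicyd-spf, the following check implements the mitigation the developers describe: a downstream consumer counts a Received-SPF `pass` toward DMARC only when the upstream filter reports it was evaluated on MAIL FROM (not HELO) and the envelope-from domain aligns with the RFC 5322 From: domain. The sample headers are constructed, and the `identity=helo`/`identity=mailfrom` field is assumed to follow pypolicyd-spf's header layout.

```python
import re

# Constructed sample headers in the layout pypolicyd-spf emits (assumption:
# "identity=helo" vs "identity=mailfrom" marks which identity was evaluated).
HELO_ONLY_PASS = (
    "Received-SPF: Pass (helo) identity=helo; client-ip=192.0.2.10; "
    "helo=mail.unrelated.example; envelope-from=ceo@victim.example; "
    "receiver=mx.victim.example"
)
MAILFROM_PASS = (
    "Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=192.0.2.10; "
    "helo=mail.victim.example; envelope-from=ceo@victim.example; "
    "receiver=mx.victim.example"
)

# key=value pairs; keys may contain hyphens (client-ip, envelope-from)
_KV = re.compile(r"([\w-]+)=([^;\s]+)")


def parse_received_spf(header: str) -> dict:
    """Split a Received-SPF header into its result token and key=value fields."""
    body = header.split(":", 1)[1].strip()
    fields = {k.lower(): v.strip('"') for k, v in _KV.findall(body)}
    fields["result"] = body.split()[0].lower()  # Pass / Fail / None / ...
    return fields


def org_domain_matches(a: str, b: str) -> bool:
    # Simplified relaxed alignment: compare the last two labels
    # (assumption: no public-suffix-list lookup in this example).
    return a.lower().split(".")[-2:] == b.lower().split(".")[-2:]


def spf_pass_for_dmarc(header: str, rfc5322_from_domain: str) -> bool:
    """True only if the SPF pass was evaluated on MAIL FROM and aligns with From:."""
    f = parse_received_spf(header)
    if f.get("result") != "pass":
        return False
    # Conservative: a HELO-only pass, or a header that does not say which
    # identity was checked, is not usable as DMARC-aligned SPF evidence.
    if f.get("identity") != "mailfrom":
        return False
    env_from = f.get("envelope-from", "")
    if "@" not in env_from:
        return False
    return org_domain_matches(env_from.split("@", 1)[1], rfc5322_from_domain)
```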