We are receiving a lot of fake e-mails from banks, and we are facing this SPF problem:
Most of banks are using SPF, so e-mails should be rejected, but they are accepted because senders are using a forged "From" address, and a real "Return-Path".
So, it looks like SPF is checking about the "Return-Path" domain, and not for the "From" domain.
Should the check be changed, or enforced on both domains? Tonino
