On Wed, 11 Nov 2020 17:01:21 +0100 > On 11.11.20 15:41, RW wrote: > >Note that without a DKIM pass, SPF is easily spoofed in TxRep. > > is it? how does that work then?
It's implicit in the next bit. > >DKIM reputations are identified by a combination of header from > >address and signing domain. SPF pass reputations are just identified > >by header address, without incorporating the envelope domain or > >requiring alignment. These two cases share the same "authenticated" primary reputation: Return-path: c...@example.com From: c...@example.com Return-path: some...@somewhereelse.com From: c...@example.com The benefit of this could be substantial, particularly with txrep_learn_bonus set. All you have to do is make sure the envelope sender passes SPF. To be honest I haven't verified this, but the code looks straightforward. $signedby gets set to the tag DKIMDOMAIN or falls back to the fixed string 'spf' for an SPF pass.