I created this BT
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7360 to implement
SPF-like checks on From: sender as well in addition to envelope sender
(if they differ). It was rejected as invalid because SPF specs are
That is probably true, but it doesn't change the fact that SPF specs as
they are make SPF completely useless. Anyone can spoof anyone's e-mail
right now simply by changing the From: in mail header, and majority, if
not all anti-spam software checks only envelope sender and nothing else.
DKIM and DMARC don't really help much here either. It's true it's
possible to set DMARC policies to require all From fields to be same,
but I don't think that spam assassin is capable of dealing with DMARC
either, plus this policy is really extremely weak.
Gmail has one of best antispams and antispoof protections, but it could
still be easily spoofed like this, only difference was that when you
open a header of email in gmail, you see that DMARC check failed, but
otherwise it's not mentioned anywhere.
Is there any way to get spam assassin to actually figure out that e-mail
is spoofed even if it's obviously easy to figure out? I mean, if you
have a domain with DKIM, DMARC and SPF record and someone is pretending
they are you just by forging "From:" in header, which 99% of mail
clients show as real sender of message, it should be able to recognize
that this is obvious forgery and not let the message pass through with
no score added at all... Isn't this like completely flawed design?