>From: Dianne Skoll <d...@roaringpenguin.com>
>Sent: Monday, March 6, 2017 5:40 PM
>To: users@spamassassin.apache.org
>Subject: Re: New whitelisting trick using from and spf
>
>On Mon, 6 Mar 2017 23:22:00 +0000
>David Jones <djo...@ena.com> wrote:
>> Not good. SPF should be checked against the envelope-from
>> address which is more trustworthy.
>
>Er... well. The envelope-from is not any more trustworthy than
>the header From:. But it *is* the thing the SPF spec says to check,
>and *not* the header From:.

It should be way more trustworthy since it is where bounces go. Many MTAs can do DNS checks (make sure it exists in DNS) plus DBL checks against the envelope domain. Regular user mailboxes, where compromised accounts come from, usually don't/can't spoof the envelope-from. It's definitely more reliable, which is why the SPF spec chose to use it. Later the DMARC standard came along to help protect the From: header from being spoofed, but that is a much harder problem to solve.
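The distinction the two posters are arguing about (SPF authenticates the envelope-from, DMARC ties that result back to the header From: through identifier alignment) is easy to see in code. The following is an added example written for this page, not code from either poster or from SpamAssassin. The messages, client IPs and the SPF_RESULTS table are constructed so the example runs offline; a real implementation would perform the DNS lookups, and organizational_domain() is a two-label approximation of what DMARC does with the Public Suffix List.

```python
"""Added example: SPF checks the envelope-from; DMARC alignment is what protects From:."""
import email
from email import policy
from email.utils import parseaddr

# Constructed sample 1: envelope sender at a bulk-sender domain whose SPF
# record would authorize the sending IP, but the header From: claims a
# different domain. SPF passes; the From: is still unauthenticated.
MISALIGNED_MESSAGE = b"""Return-Path: <bounce@bulk-sender.example>
From: "Accounts Payable" <ap@victim-bank.example>
To: user@example.com
Subject: Invoice attached

Please see attached.
"""
MISALIGNED_CLIENT_IP = "203.0.113.7"

# Constructed sample 2: envelope sender on a subdomain of the From: domain.
# Relaxed alignment accepts this, strict alignment does not.
ALIGNED_MESSAGE = b"""Return-Path: <bounces@mail.victim-bank.example>
From: "Accounts Payable" <ap@victim-bank.example>
To: user@example.com
Subject: Statement

Your statement is ready.
"""
ALIGNED_CLIENT_IP = "198.51.100.9"

# Constructed stand-in for SPF evaluation keyed by (domain, client IP).
# A real check resolves the domain's TXT record and walks its mechanisms.
SPF_RESULTS = {
    ("bulk-sender.example", "203.0.113.7"): "pass",
    ("victim-bank.example", "203.0.113.7"): "fail",
    ("mail.victim-bank.example", "198.51.100.9"): "pass",
}


def domain_of(header_value):
    """Domain part of the first address in a header value, lowercased."""
    _, addr = parseaddr(str(header_value or ""))
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def envelope_from_domain(msg):
    # Return-Path is where the receiving MTA records the SMTP MAIL FROM
    # (the envelope-from), i.e. the identity SPF is specified to check.
    return domain_of(msg.get("Return-Path"))


def header_from_domain(msg):
    # The header From: is what the user sees; SPF never looks at it.
    return domain_of(msg.get("From"))


def organizational_domain(domain):
    # Assumption: last two labels. Real DMARC uses the Public Suffix List.
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def check_spf(domain, client_ip):
    # Offline stand-in for an SPF lookup; "none" if no record is known.
    return SPF_RESULTS.get((domain, client_ip), "none")


def spf_aligned(spf_domain, from_domain, mode="relaxed"):
    """DMARC identifier alignment between the SPF-checked domain and From:."""
    if not spf_domain or not from_domain:
        return False
    if mode == "strict":
        return spf_domain == from_domain
    return organizational_domain(spf_domain) == organizational_domain(from_domain)


def evaluate(raw, client_ip, mode="relaxed"):
    """Return the SPF result for the envelope-from and whether it covers From:."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    env = envelope_from_domain(msg)
    frm = header_from_domain(msg)
    spf = check_spf(env, client_ip)
    return {
        "envelope_from_domain": env,
        "header_from_domain": frm,
        "spf_result": spf,
        # Only an aligned SPF pass says anything about the header From:.
        "from_authenticated": spf == "pass" and spf_aligned(env, frm, mode),
    }


if __name__ == "__main__":
    print(evaluate(MISALIGNED_MESSAGE, MISALIGNED_CLIENT_IP))
    print(evaluate(ALIGNED_MESSAGE, ALIGNED_CLIENT_IP))
    print(evaluate(ALIGNED_MESSAGE, ALIGNED_CLIENT_IP, mode="strict"))
```

The first message gets an SPF pass because bulk-sender.example authorized the IP, yet from_authenticated stays False: nothing in SPF vouched for victim-bank.example. The second message passes under relaxed alignment (same organizational domain) but not under strict, which is exactly the policy knob a DMARC record's aspf tag controls.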