>> Not really. SPF applies to envelope senders; people's mail clients
>> show the header senders. So you can have MAIL FROM:<spam...@throwaway.net>
>> and From: <ser...@intl.paypal.com> with an SPF pass. :-(

> However, it is possible to notify end-users about this case. Once I placed
> the MAIL FROM into the subject, if the addresses differ, but this caused
> lots of grief with mailing lists.
> I wonder why so few MUAs show a notice, when Return-Path and From differ.
> - Actually I remember this only on Webmail.

Exactly - if I could verify that the claimed sender was indeed the actual
sender, many of my problems would be removed instantly.

Similarly, if you are not already doing some scoring based on whether the
envelope sender, message From: and Reply-To: headers bear some resemblance to
each other (same domain is normal, cross-domain is suspicious), then you'll be
seeing a lot of leakage.

I add to the SA score manually if the domains are different between the
envelope sender and the From:, and add a smaller amount if the From: and
Reply-To: headers give different domains - there are legitimate messages which
have this, but they're rare in my experience.

Worst case is envelope sender of <spam...@gmail.com>, which has a valid SPF
record, then the From: says <secur...@yourbank.com>, while the Reply-To: is
<throwa...@hotmail.com>.

Paul.

_______________________________________________________________________
Argenta Discovery Ltd, 8-9 Spire Green Centre, Harlow, Essex, CM19 5TR
Registered in England No. 3671653
_______________________________________________________________________

_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
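The envelope/From/Reply-To domain comparison Paul describes, as an added Python example (not the poster's own SpamAssassin or MIMEDefang filter code); the two score increments and the .example sample messages are assumptions chosen for illustration.

```python
import email
from email.utils import parseaddr

# Assumed score increments (the thread gives no numbers): a larger bump for an
# envelope/From domain mismatch, a smaller one for a From/Reply-To mismatch.
ENVELOPE_FROM_MISMATCH = 2.0
FROM_REPLYTO_MISMATCH = 0.5

# Constructed sample reproducing the thread's worst case: envelope sender at a
# freemail provider (so SPF can pass), From: at a bank, Reply-To: at another
# freemail provider. Domains use the reserved .example TLD.
WORST_CASE = """Return-Path: <bulk@freemail.example>
From: "Security Team" <security@bank.example>
Reply-To: <throwaway@otherfreemail.example>
Subject: Account notice

Please confirm your details.
"""

# Constructed ordinary message: bounce address and From: share a domain, no Reply-To.
NORMAL = """Return-Path: <bounces@corp.example>
From: Alice <alice@corp.example>

Hello.
"""

def domain_of(header_value):
    """Lowercased domain of the first address in a header value, or None."""
    if not header_value:
        return None
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def sender_mismatch_score(raw_message, envelope_sender=None):
    """Return (score_delta, reasons) for envelope/From/Reply-To domain disagreement.
    envelope_sender is the SMTP MAIL FROM when the MTA supplies it; otherwise the
    Return-Path header added by the receiving MTA is used. Exact domain comparison."""
    msg = email.message_from_string(raw_message)
    env = domain_of(envelope_sender or msg.get("Return-Path"))
    frm = domain_of(msg.get("From"))
    rto = domain_of(msg.get("Reply-To"))
    score, reasons = 0.0, []
    if env and frm and env != frm:
        score += ENVELOPE_FROM_MISMATCH
        reasons.append(f"envelope domain {env} != From domain {frm}")
    if rto and frm and rto != frm:  # Reply-To is optional; absent is not a mismatch
        score += FROM_REPLYTO_MISMATCH
        reasons.append(f"From domain {frm} != Reply-To domain {rto}")
    return score, reasons
```

In a real filter the envelope sender comes from the MTA at SMTP time rather than from a header, so pass it in as envelope_sender; a subdomain (intl.paypal.com vs paypal.com) is deliberately treated as different here.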