On 1/9/2012 1:24 PM, Jeroen Geilman wrote: > Many people (me and most of this list included) reject impersonation > of the sender address unless it is on an encrypted submission port; > this is the norm rather than the exception nowadays.
Be aware this may reject some legit mail. Feel free to do it as a local policy, just understand it's not 100% safe. Safer to use SpamAssassin to add points to internal domains that fail SPF. And I strongly suspect the "most of this list" you claim is skewed towards smaller sites and schools, with larger businesses and ISPs tending to not do this. Examples are web sites such as news sites "send article to a friend" and external calendar/reminder services. Airlines used to do this with flight notices, but I think most of them have fixed it. Some "greeting ecard" web sites; it's debatable if you want those anyway, but your users might. While many of these have moved to (correctly) using their own envelope and the internal From: header, there's still enough that use the internal envelope sender that this is not a globally always safe rule. The mail list example given earlier is not applicable here; that's an example of a From: header with an internal address, and should not be rejected. > Spam really sucks, in case you hadn't noticed. The general admonition is don't fix mail by breaking it. -- Noel Jones