On 18.09.2015, Sebastian Nielsen wrote:
> If the domain has strict identity alignment set up, then From: body must match MAIL FROM, which must match the SPF record.

sorry, this is simply not correct. No widespread "strict identity alignment" binds RFC5322.From (From: body) to RFC5321.MailFrom (MAIL FROM).

The first poster mentioned yahoo.com. I suspect he failed to forward a message "from" a yahoo user back "to" another yahoo user. But he did not present logs to be sure...

The most probable reason is DMARC. And yahoo.com uses a DMARC policy which could be named "strict".

DMARC authorizes the visible RFC5322.From by using SPF or DKIM and announces a policy for how to handle unauthorized messages. This gives anybody in the world exactly two possibilities to send a message /to/ an MX server enforcing DMARC policies claiming to be /From:/ yahoo:

1) send from an IP included in `dig yahoo.com txt +short`
2) send content that was DKIM-signed by the DKIM-domain yahoo.com

The first option isn't a realistic option for most people outside yahoo. The second option is only possible for yahoo itself. So it includes all messages /sent out/ by yahoo. And that's the point.

If someone receives a message /From:/ yahoo and reroutes the message totally unchanged back to another yahoo user, this message still has the valid DKIM signature and will be accepted even by the yahoo MX server. Because the DKIM signature validates and that proves the message is not forged. That's DMARC.

And for that reason it's so important to NOT MODIFY ANY (DKIM SIGNED) MESSAGE in transit.

Back to the initial poster: compare the message you receive with the message you later send. If they differ (apart from some Received: lines) then yahoo will reject your forward.

Andreas
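
The comparison suggested at the end of the message above can be scripted. The following is an added example, not part of the original post: it reads the `h=` tag of the received copy's DKIM-Signature and reports which signed headers, and whether the body, differ in the forwarded copy. The function names and sample messages are constructed, and canonicalization is only approximated as "relaxed".

```python
import email
import re

def signed_header_names(msg):
    """Header names from the h= tag of the first DKIM-Signature header."""
    m = re.search(r"(?:^|;)\s*h\s*=\s*([^;]+)", msg.get("DKIM-Signature", ""))
    return [h.strip().lower() for h in m.group(1).split(":")] if m else []

def relaxed_body(raw):
    """Approximate 'relaxed' body canonicalization (RFC 6376, section 3.4.4).
    With c=simple, whitespace-only changes would break the signature too."""
    parts = re.split(r"\r?\n\r?\n", raw, maxsplit=1)
    body = parts[1] if len(parts) > 1 else ""
    lines = [re.sub(r"[ \t]+", " ", l).rstrip() for l in body.splitlines()]
    while lines and lines[-1] == "":
        lines.pop()  # trailing empty lines are ignored
    return lines

def dkim_relevant_changes(received_raw, forwarded_raw):
    """Return the DKIM-covered parts that differ between the two copies."""
    a = email.message_from_string(received_raw)
    b = email.message_from_string(forwarded_raw)
    unfold = lambda values: [" ".join(v.split()) for v in values]
    changes = []
    for name in dict.fromkeys(signed_header_names(a)):  # de-duplicate, keep order
        if unfold(a.get_all(name, [])) != unfold(b.get_all(name, [])):
            changes.append("header:" + name)
    if relaxed_body(received_raw) != relaxed_body(forwarded_raw):
        changes.append("body")
    return changes

# Constructed sample messages; addresses, hosts and signature values are made up.
RECEIVED = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=sel;\n"
    " h=from:to:subject:date; bh=CONSTRUCTED; b=CONSTRUCTED\n"
    "From: alice@yahoo.com\n"
    "To: list@example.org\n"
    "Subject: hello\n"
    "Date: Fri, 18 Sep 2015 09:59:00 +0000\n"
    "\n"
    "Hi there\n"
)
# A forward that only prepends a Received: line leaves the signed parts alone.
UNCHANGED = "Received: from mail.example.org by relay.example.org\n" + RECEIVED
# A forward that tags the subject and appends a footer touches signed content.
MODIFIED = UNCHANGED.replace("Subject: hello", "Subject: [list] hello") + "-- \nlist footer\n"

if __name__ == "__main__":
    print(dkim_relevant_changes(RECEIVED, UNCHANGED))
    print(dkim_relevant_changes(RECEIVED, MODIFIED))
```

An empty result means the forwarded copy should still carry a verifiable signature; any entry names a change that invalidates it and leaves the message without a DMARC pass at the receiver.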