Ram wrote on 28/06/16 7:19 PM:
> On Tuesday 28 June 2016 12:03 PM, Raymond Dijkxhoorn wrote:
>> Hai!
>> I don't understand why they would match your SPF record either. Are they
>> sent out by an IP address you 'approved'??
> SPF does not fail, because they use a different envelope address...
> which may pass SPF
> The end recipient does not check the envelope anyway

You should have local SpamAssassin rules that do check the envelope sender.
This is about official company mail from the company domain. You can require
that all employees use mail clients that are properly configured by the
company IT to send all official company mail. SpamAssassin can be configured
with local rules that stop anything that has a company domain header sender
address that does not also have a matching envelope sender address and passes
SPF. There is no reason to allow the CEO to send company mail without using a
proper mail server that appears on the SPF record.

The end recipient can't be expected to check all the headers, but SpamAssassin
can do that before the end recipient receives the mail.
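
A sketch of the kind of local rule described in the message above, added here as an example and not part of the original post. The domain `example.com`, the `LOCAL_`/`__LOCAL_` rule names and the score are assumptions; `EnvelopeFrom`, `From:addr` and `SPF_PASS` are standard SpamAssassin features.

```conf
# local.cf (added example; example.com, rule names and score are assumptions)

# Header into which the local MTA writes the SMTP MAIL FROM; adjust to your MTA.
envelope_sender_header Return-Path

# Visible From: header claims the company domain.
header   __LOCAL_FROM_COMPANY  From:addr =~ /\@example\.com$/i

# Envelope sender (MAIL FROM) is also in the company domain.
header   __LOCAL_ENV_COMPANY   EnvelopeFrom =~ /\@example\.com$/i

# A company From: is acceptable only together with a company envelope sender
# that passed SPF. SPF_PASS is provided by Mail::SpamAssassin::Plugin::SPF.
meta     LOCAL_COMPANY_FROM_SPOOF  (__LOCAL_FROM_COMPANY && !(__LOCAL_ENV_COMPANY && SPF_PASS))
describe LOCAL_COMPANY_FROM_SPOOF  Company From: without matching SPF-passing envelope sender
score    LOCAL_COMPANY_FROM_SPOOF  10.0
```

Run `spamassassin --lint` after editing to catch syntax errors. Company mail relayed through mailing lists that rewrite the envelope sender will also hit this rule, so check which lists employees post to before raising the score.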

