On Tue, 7 Mar 2017 00:04:59 +0000
David Jones <djo...@ena.com> wrote:

> >Er... well.  The envelope-from is not any more trustworthy than
> >the header From:.  But it *is* the thing the SPF spec says to check,
> >and *not* the header From:.

> It should be way more trustworthy since it is where bounces go.

You assume that someone who is willing to forge a sender address
(whether envelope or header) is going to be fastidious about receiving
bounces? :)

> Many MTAs can do DNS checks (make sure it exists in DNS) plus
> DBL checks against the envelope domain.  Regular user mailboxes
> where compromised accounts come from usually don't/can't spoof
> the envelope-from.  It's definitely more reliable which is why the
> SPF spec chose to use it.

No, that's not true.  It's no more "reliable" than anything else.  In
fact, in the entire SMTP transaction, there's only one set of email
addresses that are reliable, and those are the RCPT To: addresses.

SPF chose to use envelope sender not because it's more reliable, but
(I suspect) so as not to break mailing lists.

Anyway: We see millions of spams per day.  Tons of them have spoofed
envelope sender addresses and tons have spoofed From: header addresses.

Regards,

Dianne.
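
As an added illustration (not part of the message above or of the thread), the following Python sketch separates the sender identities in a constructed SMTP transcript and reports which one SPF evaluates under RFC 7208. The transcript, every address in it, and the function names are assumptions made for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed client-side SMTP transcript; all names and addresses are made up.
SESSION = """\
EHLO mail.bulk.example
MAIL FROM:<bounce-123@bulk.example>
RCPT TO:<alice@recipient.example>
DATA
From: "Brand News" <news@brand.example>
To: alice@recipient.example
Subject: Account notice

Please review your account.
.
"""

def domain_of(addr):
    """Return the lower-cased domain part of an address."""
    return addr.rpartition("@")[2].lower()

def sender_identities(session):
    """Split a transcript into the identities a receiving filter sees."""
    envelope, _, data = session.partition("\nDATA\n")
    flags = re.I | re.M
    helo = re.search(r"^(?:EHLO|HELO)\s+(\S+)", envelope, flags).group(1)
    mail_from = re.search(r"^MAIL FROM:\s*<([^>]*)>", envelope, flags).group(1)
    rcpts = re.findall(r"^RCPT TO:\s*<([^>]*)>", envelope, flags)
    header_from = parseaddr(message_from_string(data)["From"])[1]
    # RFC 7208: SPF evaluates the MAIL FROM domain; with a null reverse-path
    # ("MAIL FROM:<>", used for bounces) it falls back to the HELO name.
    spf_domain = domain_of(mail_from) if mail_from else helo.lower()
    return {
        "spf_domain": spf_domain,
        "header_from_domain": domain_of(header_from),
        "rcpt_to": rcpts,
        # An SPF result for spf_domain says nothing about a different
        # header From: domain, which SPF never looks at.
        "mismatch": spf_domain != domain_of(header_from),
    }

if __name__ == "__main__":
    print(sender_identities(SESSION))
```
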
