On 9 Feb 2017 12:53, <li...@lazygranch.com> wrote: That is the mailchimp server. (Technically rocketsciencegroup.com) So has the email originator figured out some sort of unintended use of mailchimp?
*From: *Sebastian Nielsen *Sent: *Thursday, February 9, 2017 2:24 AM *To: *postfix-users@postfix.org *Subject: *Re: The "from" header looks like paypal but it is coming from somewhere else. [signed] The problem here is that DKIM isn't aligned to paypal.com Enforce strict DKIM alignment on sensitive domains like paypal I don't think this is a DKIM issue. A bespoke regex as check_header should be able to trap this specific faking attempt - if it relates as I think to the internal From header not the envelope sender (client). More generally, are there legitimate cases where a sender shows a different but apparently valid email address as the (whole) to text of the From compared with the actual address which follows it? If not, can a pcre regex match such situations or is something more sophisticated needed?
