> On Feb 7, 2021, at 11:44 AM, Benny Pedersen <m...@junc.eu> wrote:
>
> On 2021-02-07 17:33, Marek Kozlowski wrote:
>> :-)
>
> +1
>
>> Presumably it's my fault but I cannot find such an option. If so -
>> thank you for directing me to it. I'm wondering if it is possible to
>> limit incoming mail with '...@somedomain.tld' specified as a sender
>> address*) to IPs belonging to some CIDR ranges:
>
> sure
>
>> - if addresses from the ranges belong to 'somedomain.tld'?
>> - if addresses from the ranges and 'somedomain.tld' A records don't
>> cover the same sets of hosts?
>
> you should not accept local envelope sender on port 25, it's not you :-)
>
>> *) For both envelope and internal 'from:' would be perfect; if not -
>> for only one of them.
>
> From: can only be protected with DKIM

I would suggest giving higher preference to SPF. You can even reject if SPF
fails.

I just went through this with a client because we bounced a message back
because they were set up on outlook.com but, for whatever reason, they were
trying to send via Google. SPF said nay, nay: the policy says all incoming mail
from x.tld should come from spf.protection.outlook.com, not the IP address that
Google owns from which the message originated.

Cheers,
Curtis