I am trying to understand how SpamAssassin 3.0.0 is checking SPF on messages. It seems to be checking the Return-Path: address (envelope address) and not the From: address (header address). That's wrong, isn't it? Shouldn't it be checking the header address? Of course when I reply my mailer uses the header From: address to generate the response message.
No, SPF is designed to check the envelope sender, not the address in the header.
In case you're wondering why, note the From: and Return-Path addresses on this message. If SPF checked the From: address (@speed.net), it wouldn't pass (mail.apache.org is not likely to be listed in the average list member's SPF record).
-- Kelson Vibber SpeedGate Communications <www.speed.net>
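
An added example, not part of the original thread: a simplified SPF evaluation run against a list-relayed message, showing the result for the envelope sender (Return-Path) next to what a check on the header From: would give. The domains, IP addresses, SPF records and the message are constructed, a dictionary stands in for DNS, and only the `ip4` and `all` mechanisms are handled.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF TXT records standing in for DNS lookups (assumption).
SPF_RECORDS = {
    "list.example.org": "v=spf1 ip4:192.0.2.0/24 -all",    # list server
    "poster.example.net": "v=spf1 ip4:198.51.100.7 -all",  # poster's domain
}

# Constructed list message: the list rewrote the envelope sender, From: is kept.
RAW = """\
Return-Path: <users-return-42-bob=example.com@list.example.org>
From: Alice <alice@poster.example.net>
To: users@list.example.org
Subject: SPF question

body
"""
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header value."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def check_spf(domain, client_ip, records=SPF_RECORDS):
    """Evaluate only the ip4 and all mechanisms; other terms are skipped."""
    record = records.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"

def evaluate(raw, client_ip):
    """SPF result for the envelope sender, with the header From: for contrast."""
    msg = message_from_string(raw)
    return {
        "envelope": check_spf(domain_of(msg["Return-Path"]), client_ip),
        "header_from": check_spf(domain_of(msg["From"]), client_ip),
    }

print(evaluate(RAW, "192.0.2.25"))  # connecting IP is the constructed list server
```

The Return-Path header is used here because the receiving MTA records the SMTP envelope sender in it; a real check runs during the SMTP session against the MAIL FROM value.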