On 5/3/19 9:47 AM, RW wrote:
> On Fri, 3 May 2019 06:55:40 -0700 (MST)
> user321 wrote:
>
>> Any reason why SA is checking for SPF against envelope from not the
>> header from?
>

See the SPF link on this page:

https://blog.returnpath.com/how-to-explain-dmarc-in-plain-english/

> Because that's how SPF works.
>
>> I am rejecting the SPF_FAIL e-mails on Postfix (-all only), but still
>> spammers can forge the header from field.
>> Can I change SPF plugin to work with header from? If yes how?
>> What are the pros and cons of that?
>
> Generally you don't want to be enforcing a modified standard that no one
> else knows about.
>
> DMARC solves the problem by requiring that for a DMARC pass from SPF
> the envelope address has to be aligned with the from header address.
>

FYI, if opendmarc is set up in your MTA with local SA rules...

DMARC_PASS = SPF_PASS and From: domain aligns with envelope-domain
_OR_
DKIM_VALID_AU (DKIM_SIGNED and aligns with the From: domain)

I am rejecting DMARC failures of incoming domains with p=reject within
opendmarc then have these rules in SA:

(change the rule below to match your header in opendmarc.conf)

header      DMARC_PASS  Authentication-Results =~ /smtp\.ena\.net; dmarc=pass/
describe    DMARC_PASS  DMARC check passed
score       DMARC_PASS  0.001

header      DMARC_FAIL  Authentication-Results =~ /smtp\.ena\.net; dmarc=fail/
describe    DMARC_FAIL  DMARC check failed
score       DMARC_FAIL  0.001

header      DMARC_NONE  Authentication-Results =~ /smtp\.ena\.net; dmarc=none/
describe    DMARC_NONE  DMARC check neutral
score       DMARC_NONE  0.001

-- 
David Jones
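
The pass condition stated in the message above (SPF pass with an aligned envelope domain, or a valid DKIM signature aligned with the From: domain), as an added example that is not part of the original message or of opendmarc. The function names, the sample messages and the two-label organizational-domain shortcut are assumptions; real implementations take the organizational domain from the Public Suffix List.

```python
from email.utils import parseaddr


def org_domain(domain):
    """Naive organizational domain (assumption: last two labels)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, strict=False):
    """Identifier alignment: exact match (strict) or same org domain (relaxed)."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)


def dmarc_result(header_from, envelope_from, spf_result, dkim_sigs, strict=False):
    """Return 'pass' or 'fail' for one message.

    header_from   -- value of the From: header
    envelope_from -- SMTP MAIL FROM address (the identity SPF checked)
    spf_result    -- SPF verdict for the envelope domain, e.g. 'pass'
    dkim_sigs     -- list of (d= domain, signature_valid) tuples
    """
    from_domain = parseaddr(header_from)[1].rpartition("@")[2]
    env_domain = envelope_from.rpartition("@")[2]
    if not from_domain:
        return "fail"
    # SPF only counts when the domain it authenticated matches the From: domain.
    spf_ok = (spf_result == "pass" and bool(env_domain)
              and aligned(env_domain, from_domain, strict))
    # DKIM only counts when a valid signature's d= matches the From: domain.
    dkim_ok = any(ok and aligned(d, from_domain, strict) for d, ok in dkim_sigs)
    return "pass" if spf_ok or dkim_ok else "fail"


# Constructed sample messages; every domain is a placeholder.
FROM = "Bank <alerts@bank.example>"
SAMPLES = {
    "spf_pass_forged_from": (FROM, "bounce@spammer.example", "pass", []),
    "spf_aligned_subdomain": (FROM, "bounce@mail.bank.example", "pass", []),
    "dkim_aligned_via_esp": (FROM, "bounce@esp.example", "pass", [("bank.example", True)]),
    "dkim_sig_invalid": (FROM, "bounce@esp.example", "pass", [("bank.example", False)]),
}

if __name__ == "__main__":
    for name, args in SAMPLES.items():
        print(f"{name:24} {dmarc_result(*args)}")
```

The first sample is the case from the original question: SPF passes for the sender's own envelope domain, yet the message fails DMARC because that domain does not align with the From: header.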