My question has been misunderstood as commentary on SPF, etc. It is not about SPF; I'm just trying to steer the question towards a SpamAssassin tag that can be triggered.
I found a solution with my own rule. I wasn't sure whether the SA rules referring to the 'from' header were actually meaning sender or exactly what. I've confirmed they work on the From: header in the email headers. This is on MX gateway systems which do not handle outbound email. In local.cf I added:

    # Spoofed email from example.com
    header MYDOMAIN_FROM From =~ /\@example\.com\>$/i
    score MYDOMAIN_FROM 0.1

I can see that some emails from things like mailchimp.com or gmail addresses configured with a from address of my domain are being tagged by this. It is unlikely we could incorporate the rule with any real weighted score without getting very restrictive on what people do with outside services.
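An added example, not part of the original post: a Python re-creation of the rule's pattern, run over constructed From: values to check which header forms it tags before any score is raised. The second matcher, which compares only the parsed address in the way SpamAssassin's `From:addr` modifier does, is an assumption added here for comparison.

```python
import re
from email.utils import parseaddr

# The post's rule body, translated from Perl to Python regex syntax
# (\@ and \> in the original are a literal "@" and ">").
PAGE_RULE = re.compile(r"@example\.com>$", re.IGNORECASE)

# Assumed alternative for comparison: match the extracted address only,
# as SpamAssassin's "From:addr" header modifier would.
ADDR_RULE = re.compile(r"@example\.com$", re.IGNORECASE)

# Constructed sample From: header values (not taken from real mail).
SAMPLES = {
    "angle brackets": "Alice <alice@example.com>",
    "bare address": "alice@example.com",
    "upper case": "ALICE <Alice@EXAMPLE.COM>",
    "other domain": "Bob <bob@example.org>",
}


def raw_header_hit(from_value):
    """True if the post's pattern matches the whole header value."""
    return bool(PAGE_RULE.search(from_value.strip()))


def addr_hit(from_value):
    """True if the parsed address part is in example.com."""
    _name, addr = parseaddr(from_value)
    return bool(ADDR_RULE.search(addr))


def coverage():
    """Map each sample label to (raw header match, address-only match)."""
    return {
        label: (raw_header_hit(value), addr_hit(value))
        for label, value in SAMPLES.items()
    }


if __name__ == "__main__":
    for label, (raw, addr) in coverage().items():
        print(f"{label:15} raw-header={raw!s:5} addr-only={addr}")
```

A From: header that carries the address without angle brackets is not tagged by the raw-header pattern, because the pattern requires a closing `>` at the end of the value.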