>From: Bowie Bailey <bowie_bai...@buc.com>

>On 7/15/2015 4:04 PM, Kevin A. McGrail wrote:
>>> Why is it looking for an SPF record for rrdesp.com? That is the
>>> sending server, shouldn't it be using the domain from the From or
>>> Envelope-From instead? This SPF check looks backwards to me. Am I
>>> missing something?
>> No, you are on the right path. SPF checks the envelope not the From:
>> Header. Without something like DKIM, the whitelist_auth likely isn't
>> applicable for your situation.
I haven't seen all the headers exactly to prove this will work but it should:

whitelist_from_rcvd *@staplesbilling.com rrdesp.com

>staplesbilling.com actually uses DKIM, but it always comes up as invalid
>by the time SA sees it, so that isn't particularly useful. I managed to
>get my MTA to add a Received-SPF header, but SA ignores it - presumably
>because the MTA puts it at the bottom of the headers rather than inline
>with the Received headers.

>Why doesn't SA check SPF for the From header? Isn't the whole point of
>SPF to be able to link the From address to a list of servers allowed to
>send mail from that address?

I have seen Microsoft Exchange servers use the header From: domain instead of the envelope-from but this does not follow RFC 4408 spec. The header From: can be any value (spoofed). The envelope from is more reliable since it can have some validation performed on it.
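
Added example, not part of the original message or of SpamAssassin: a short Python sketch of which domain an RFC 4408 SPF check evaluates (the SMTP MAIL FROM, or the HELO name when the reverse-path is null) and why the header From: domain is not covered. The sample message, its addresses and the function names are constructed for illustration; the thread does not show the real headers, so an envelope sender at rrdesp.com is an assumption.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; addresses, hostnames and IP are illustrative.
SAMPLE = """\
Return-Path: <bounce@rrdesp.com>
Received: from mail.rrdesp.com (mail.rrdesp.com [192.0.2.10])
\tby mx.example.net with ESMTP; Wed, 15 Jul 2015 16:00:00 -0400
From: Staples Billing <billing@staplesbilling.com>
To: user@example.net
Subject: Your invoice

body
"""


def domain_of(addr):
    """Return the lowercased domain of an address, or '' if there is none."""
    _, mailbox = parseaddr(addr or "")
    return mailbox.rpartition("@")[2].lower() if "@" in mailbox else ""


def spf_identity(raw_message, helo):
    """Pick the domain an SPF check evaluates: MAIL FROM, else the HELO name."""
    msg = message_from_string(raw_message)
    # Return-Path is added at final delivery to record the SMTP MAIL FROM.
    envelope = domain_of(msg.get("Return-Path"))
    header_from = domain_of(msg.get("From"))
    # A null reverse-path "<>" (bounces) falls back to postmaster@HELO.
    checked = envelope or helo.lower()
    return {
        "spf_domain": checked,
        "identity": "mailfrom" if envelope else "helo",
        "header_from": header_from,
        # When these differ, an SPF pass says nothing about the header From:.
        "header_from_covered": checked == header_from,
    }


if __name__ == "__main__":
    print(spf_identity(SAMPLE, "mail.rrdesp.com"))
    bounce = SAMPLE.replace("<bounce@rrdesp.com>", "<>")
    print(spf_identity(bounce, "mail.rrdesp.com"))
```
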