Hello, I created this BT https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7360 to implement SPF-like checks on the From: sender as well, in addition to the envelope sender (if they differ). It was rejected as invalid because the SPF specs are different.
That is probably true, but it doesn't change the fact that the SPF specs as they are make SPF completely useless. Anyone can spoof anyone's e-mail right now simply by changing the From: in the mail header, and the majority, if not all, anti-spam software checks only the envelope sender and nothing else. DKIM and DMARC don't really help much here either. It's true that it's possible to set DMARC policies to require all From fields to be the same, but I don't think that SpamAssassin is capable of dealing with DMARC either, plus this policy is really extremely weak. Gmail has one of the best anti-spam and anti-spoofing protections, but it could still be easily spoofed like this; the only difference was that when you open the headers of the e-mail in Gmail, you see that the DMARC check failed, but otherwise it's not mentioned anywhere.

Is there any way to get SpamAssassin to actually figure out that an e-mail is spoofed, even if it's obviously easy to figure out? I mean, if you have a domain with DKIM, DMARC and SPF records and someone is pretending they are you just by forging "From:" in the header, which 99% of mail clients show as the real sender of the message, it should be able to recognize that this is an obvious forgery and not let the message pass through with no score added at all... Isn't this a completely flawed design?
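The check the post asks for, an envelope-sender SPF result compared against the visible From: domain, is what DMARC calls identifier alignment. The following is an added example written for this page, not SpamAssassin code or anything from the bug report. It assumes the receiving MX has already done the SPF lookup and recorded it in an Authentication-Results header (the authserv-id `mx.example.net` and the sample messages are constructed), and it approximates the organizational domain as the last two labels, where a real implementation would consult the Public Suffix List.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumption: only Authentication-Results headers stamped by our own MX are
# trusted; any other authserv-id could have been injected by the sender.
TRUSTED_AUTHSERV = "mx.example.net"

# Constructed sample messages (not from the original post).
# 1) Envelope sender and visible From: share a domain: aligned.
ALIGNED_MSG = b"""\
Return-Path: <bounce@example.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce@example.com
From: Alice <alice@example.com>
To: bob@example.net
Subject: hello

body
"""

# 2) The spoof described in the post: SPF passes for the attacker's own
#    envelope domain while the visible From: is forged.
SPOOFED_MSG = b"""\
Return-Path: <x@attacker.example>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=x@attacker.example
From: Alice <alice@example.com>
To: bob@example.net
Subject: urgent

body
"""

# 3) Envelope sender on a subdomain: passes relaxed alignment, fails strict.
SUBDOMAIN_MSG = b"""\
Return-Path: <bounce@mail.example.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce@mail.example.com
From: Alice <alice@example.com>
To: bob@example.net
Subject: newsletter

body
"""


def org_domain(domain):
    """Approximate organizational domain as the last two labels.
    Assumption: a production check would use the Public Suffix List so that
    e.g. example.co.uk is handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def parse_auth_results(value):
    """Parse an Authentication-Results value into (authserv_id, {method: (result, props)})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return "", {}
    authserv_id = parts[0].split()[0]
    results = {}
    for part in parts[1:]:
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        results[method.lower()] = (result.lower(), props)
    return authserv_id, results


def check_spf_alignment(raw, mode="relaxed"):
    """Return a dict describing whether the SPF-authenticated envelope domain
    aligns with the RFC5322.From domain (relaxed: same org domain; strict: equal)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    authserv_id, auth = parse_auth_results(str(msg["Authentication-Results"] or ""))
    spf_result, props = auth.get("spf", ("none", {}))
    spf_domain = props.get("smtp.mailfrom", "").rpartition("@")[2].lower()

    verdict = {"from_domain": from_domain, "spf_domain": spf_domain,
               "spf": spf_result, "aligned": False}
    # An untrusted or missing authserv-id means we have no usable SPF result.
    if authserv_id != TRUSTED_AUTHSERV or spf_result != "pass" or not spf_domain:
        return verdict
    if mode == "strict":
        verdict["aligned"] = from_domain == spf_domain
    else:
        verdict["aligned"] = org_domain(from_domain) == org_domain(spf_domain)
    return verdict


if __name__ == "__main__":
    for name, raw in [("aligned", ALIGNED_MSG), ("spoofed", SPOOFED_MSG),
                      ("subdomain", SUBDOMAIN_MSG)]:
        print(name, check_spf_alignment(raw), check_spf_alignment(raw, "strict"))
```

A filter would add score only when the From: domain publishes a DMARC record (so the domain owner has asked for alignment) and the message fails both SPF and DKIM alignment; that DNS step is left out here so the example runs offline, but the alignment comparison above is the part the post says is missing.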