How to reject/detect emails claiming to be from my own domain?

Mark Sapiro mark at
Tue Dec 27 22:38:21 UTC 2016

On 12/27/2016 02:21 PM, Dave Jones wrote:
> Which From address are you trying to protect from spoofing?  Emails have
> an envelope-from and a From: header.  The From: header is what is
> visible in most mail clients.  From my experience (someone please
> correct me if I am wrong), the "header From" rule does not examine the
> envelope-from.  This needs to be done at the MTA level before SA.

You are correct that SA doesn't see the envelope sender directly, but
RFC's say that upon final delivery the MTA/MDA MUST put the envelope
sender in a Return-Path: header. Quoting from RFC 5321

   When the delivery SMTP server makes the "final delivery" of a
   message, it inserts a return-path line at the beginning of the mail
   data.  This use of return-path is required; mail systems MUST support
   it.  The return-path line preserves the information in the <reverse-
   path> from the MAIL command.

Of course, not all MTAs are compliant, but the major ones including
Courier, Exchange, Exim, Postfix, Qmail and Sendmail are. See
<> (several
years old at this point).

Mark Sapiro <mark at>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the MailScanner mailing list