Spoofing and SPF

Mark Sapiro mark at msapiro.net
Fri Sep 9 19:35:04 UTC 2016

On 09/09/2016 05:15 AM, Trond M. Markussen wrote:
> We have set up rules where the combination of FROM_CUSTOMERDOMAIN
> (customerdomain.no) and SPF_FAIL (or softfail) gives a hich score to
> filter out spoofed spam emails.

How are you defining FROM_CUSTOMERDOMAIN? if you are basing it on the
From: header, you won't necessarily detect an SPF failure on spoofed
From: domains. SPF is based in the sending server (envelope from), not
the From: domain.

If you control outgoing mail from the domain, you could DKIM sign it and
then base your test on a valid DKIM signature from the domain, but this
depends on no mail passing through an email list or other process that
will make a transformation that breaks the signature on its way from the
originating server to you.

In other words, you can do things such as are done in DMARC
<http://www.dmarc.org/> without necessarily publishing a DMARC policy,
but see <https://wiki.list.org/DEV/DMARC> for some of the negatives of

Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the MailScanner mailing list