SV: Spoofing and SPF

Trond M. Markussen markussen at
Mon Sep 12 08:50:29 UTC 2016

Yes, FROM_CUSTOMERDOMAIN is based on from: but in these cases that rule was
triggered. However, the emails seem to have passed  the SPF check even
though the senders were not listed in the SPF record for that domain.

Not sure about how, but this part could be a clue perhaps? "(skip=loggedin
(res=PASS)) "

X-Default-Received-SPF: pass (skip=loggedin (res=PASS))


Trond M.

-----Opprinnelig melding-----
Fra: MailScanner
[ at] På
vegne av Mark Sapiro
Sendt: 9. september 2016 21:35
Til: mailscanner at
Emne: Re: Spoofing and SPF

On 09/09/2016 05:15 AM, Trond M. Markussen wrote:
> We have set up rules where the combination of FROM_CUSTOMERDOMAIN
> ( and SPF_FAIL (or softfail) gives a hich score to 
> filter out spoofed spam emails.

How are you defining FROM_CUSTOMERDOMAIN? if you are basing it on the
From: header, you won't necessarily detect an SPF failure on spoofed
From: domains. SPF is based in the sending server (envelope from), not the
From: domain.

If you control outgoing mail from the domain, you could DKIM sign it and
then base your test on a valid DKIM signature from the domain, but this
depends on no mail passing through an email list or other process that will
make a transformation that breaks the signature on its way from the
originating server to you.

In other words, you can do things such as are done in DMARC
<> without necessarily publishing a DMARC policy, but
see <> for some of the negatives of DMARC.

Mark Sapiro <mark at>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

MailScanner mailing list
mailscanner at

More information about the MailScanner mailing list