SV: SV: Spoofing and SPF

Mark Sapiro mark at
Tue Sep 13 01:26:30 UTC 2016

On 09/12/2016 06:59 AM, Trond M. Markussen wrote:
> So in other words the SPF check is based on the envelope sender as seen here
> Return-Path: at and not the from: From:
> "Bob Client," <bob at> ? 
> In other words, SPF does not prevent spoofing in these cases?

That's correct. SPF was never intended to prevent spoofing of From:. It
is designed to detect whether the owner of a domain says the server
that's attempting to send the mail with envelope from that domain is
allowed to do so. It works strictly on the SMTP MAIL FROM (envelope
from), not anything in the headers or body of the message.

> I should probably explain our setup better though; we have a meta rule in
> effect that will give a score of 10 if triggered. This meta rule is applied
> if the following two rules are triggered: FROM_CUSTOMERDOMAIN and SPF_FAIL
> CUSTOMERDOMAIN is the client that only wants to allow e-mails from their own
> domain if the sender is listed in their SPF record.
> This seems to filter out 99% of spoofed emails from their domain, but some
> keep getting through - and in these cases the FROM_CUSTOMERDOMAIN rule is
> triggered, but not SPF_FAIL/SPF_SOFTFAIL. 

Because simple spoofed From: mails often also spoof the envelope sender
to match or maybe the envelope sender just doesn't publish SPF, but they
don't always as in your example.

You need to also check that the From: domain is aligned (a DMARC[1]
term) with the envelope sender domain.

Your customer may wish to publish a DMARC p=reject police for it's
domain, however I hesitate to recommend DMARC because of the havoc that
has been created by it's misuse[2].

In your case you could just create another rule ENVFROM__CUSTOMERDOMAIN
that would test the Return-Path header and then your failure meta-rule
could be something logically equivalent to FROM_CUSTOMERDOMAIN and (not

[1] <>
[2] <>

Mark Sapiro <mark at>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the MailScanner mailing list