Home | Sitemap | Recent Changes | Login

SPF Logo

Sender Policy Framework

FAQ/Envelope from scope

Does it protect the "From:" header field?

SPF was designed to protect the envelope sender. That means the return-path that shows up in "MAIL FROM", and to a lesser extent the HELO argument that is supposed to be an FQDN.

The vast majority of SPF implementations today use the return-path as the subject of authentication and do not get involved with the header "From:".

Protecting authorship information is an important goal. However, the technical issues associated with protecting the "From:" header are much more numerous and challenging. The best way to protect the header "From:" is by using a cryptographic signature such as S/MIME, PGP, or (when it is released) Yahoo DomainKeys. Sender-ID, proposed by Microsoft, is a failed attempt at this.

If you want to use the "From:" header as the subject of authentication with SPF, you need to be familiar with the following:

  • mailing lists
  • /etc/aliases-style forwarding
  • MUA "resend this message to"
  • web-generated email
  • the Sender header
  • the Resent-Sender and Resent-From headers

Edit text of this page | View other revisions
Last edited 2009-04-29 18:28 (UTC) by Rob MacGregor (diff)