Rand Wacker <rand(_at_)sendmail(_dot_)com> writes:
As I said before, there is a large majority of mail that goes from large
commercial sites (or consumer ISPs) merely one hop to another large
commercial ISP, so the From: header will be successfully authenticated.
In the case of sending from a large ISP (and that includes commercial
sites who outsource email) that is not true. Unless the ISP does
additional checking then Sender-ID (and SPF) still allows a customer
of the ISP to forge the mail as coming from any other customer of that
ISP.