Paul Smith wrote:
Spammers are welcome to use their own domains: that puts the spam
problem at the relevant ISPs.

Not sure I understand that.
It is totally valid to do:

I assume that the EHLO parameter corresponds to the IP address of
the sending host.
The EHLO name bears no resemblance to the sender's email address.
Doing an SPF on the EHLO name is pointless, as all that tells you
is that the sending host is 'mail.spammer.com'.

Yes, and spammer.com is where recipients should complain or claim any
damage that the transmission might have caused. More likely, the IP of
that transmitter will be blacklisted soon. I guess that's why spammers
use zombies or bots.

You have to do the SPF check on the MAIL FROM address, and test it
against the IP address of the sending host.

If the MAIL FROM is given and mycompany took care of setting SPF
properly, the receiver can reject the message. More often, the MAIL
FROM address consists of an invalid user at a valid domain without SPF