From: "Dave Crocker" <dcrocker(_at_)brandenburg(_dot_)com>
It is a simple fact of the real world that a handling return address is
not in any way required to specify the author or sender of the message.
--Hector Santos <winserver(_dot_)support(_at_)winserver(_dot_)com> wrote:
Dave,
Does it really matter?
In the real world, it does originate as the sender of the message
beginning at the first-hop, otherwise the system would break down. Of
course, there are exceptions such as a mailing list, but that still a
presumed verifiable address to the owner/moderator of the list.
I would agree with Hector, especially with the "does it really matter?" If
MAIL FROM doesn't identify the sender, it does at least provide the "return
address". (This is similar to postal mail sent from one location that
might be returned to another -- sometimes this is legal, sometimes it is
not.) I need SPF or something like it to make sure that mail that bears my
return address is accepted only on my terms.
I have voiced a similar opinion to "Mail From only defines the return
address, not necessarily the sender" here and on on SPAM-L and got
objections all around, as well. So, I suggest to put semantics aside and
concentrate on the pragmatics. If mail might potentially be returned to me
as undeliverable, then I am already involved, and I would like to be in
control :)
Now, the point can be made that some other header line more correctly
points to the "author" or "sender". That's possibly true, but SPF was
designed to limit itself to MAIL FROM so that it can reject the message
ASAP, and there are still reasons why this is considered worthwhile. I
think it is useful to examine From: Sender: etc but I still think SPF is
correct to focus in on the MAIL FROM...
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>