spf-discuss

Re: Re: envelope from vs data from

2004-03-17 10:59:13

----- Original Message ----- 
From: "Lyndon Eaton" <lyndon(_dot_)eaton(_at_)premierpc(_dot_)co(_dot_)uk>

I think I'm correct saying that in a normal and legit email the MAIL
FROM: and From: addresses are likely to be the same. The only genuine
reason I can think of off the top of my head for them being different
would be in the case of a mailing list like this one. In this email, the
From: would be me, but the MAIL FROM: would be listbox.com. As it's the
listbox IP sending the email to your server, the check should be done on
the MAIL FROM address against that IP.

--<snip>--

No tomatoes...

When you think about it, everything in the header can be spoofed.

The harder of them appears to be the IP address of the sender server
at initial negotiation, and that can be spoofed as well but from what I
understand is a lot more work, so it tends to be more valid than the rest.

If you have ever received email from you, by you, to you, return path you
message id yourserver, you would see where I am coming from.  God
knows I've deleted enough of them.

I think the least likely to be forged would be the best to use, and I'm not
sure which is the least likely to be forged, envelope-from or from.

Maybe (programmatically) dig the IP for an A, PTR, MX to arrive at the name
of the server, extract the domain and do the SPF check on every address
in the header sans To: addresses.

Score accordingly

Just a thought

Regards
Greg
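
Added example (not part of either poster's message): a sketch of the check discussed above, evaluating SPF for the MAIL FROM domain and for each sender header (To: skipped) against the connecting IP. The domains, IPs and SPF records are constructed, the evaluator handles only the ip4 and all mechanisms, and a real check would fetch the records from DNS.

```python
import ipaddress
from email import message_from_string
from email.utils import getaddresses

# Constructed SPF records (documentation IP ranges); a real check queries DNS TXT.
SPF_RECORDS = {
    "listbox.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "premierpc.example": "v=spf1 ip4:198.51.100.7 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(domain, client_ip):
    """Evaluate only the ip4 and all mechanisms; 'none' when no record exists."""
    record = SPF_RECORDS.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"

def check_identities(envelope_from, raw_message, client_ip):
    """Return [(identity, domain, SPF result)] for MAIL FROM and sender headers."""
    msg = message_from_string(raw_message)
    identities = [("MAIL FROM", envelope_from)]
    for header in ("From", "Sender", "Reply-To"):  # To:/Cc: deliberately skipped
        for _, addr in getaddresses(msg.get_all(header, [])):
            identities.append((header, addr))
    results = []
    for label, addr in identities:
        domain = addr.rpartition("@")[2]
        results.append((label, domain, spf_result(domain, client_ip)))
    return results

# Constructed list message: the author is in From:, the list server in the envelope.
SAMPLE = ("From: Lyndon <lyndon@premierpc.example>\n"
          "Sender: owner@listbox.example\n"
          "To: greg@example.net\nSubject: test\n\nbody\n")

if __name__ == "__main__":
    for row in check_identities("bounce@listbox.example", SAMPLE, "192.0.2.25"):
        print("%-10s %-20s %s" % row)
```

For the list server's IP, MAIL FROM and Sender: pass while From: fails, which is the mailing-list case from the quoted message: a legitimate relay fails a From:-based check even though the envelope sender is authorised.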


