spf-discuss

Re: Problem with SID

2005-06-23 23:10:24
"Roger B.A. Klorese" <rogerk(_at_)queernet(_dot_)org> writes:

If the message is MAIL FROM:<me@here.com>, it does not become
MAIL FROM:<you@somewhere-else.com> just because it gets passed along.
It's still mail from me@here.com.  It's not
MAIL BEINGINJECTEDINANSMTPSESSIONBY:.

Even that is arguable. The purpose of MAIL FROM (in RFCs 821/2821) is
as the 'bounce' address to which DSNs are sent. So, if I send mail to
you@example.com and example.com forwards it to someuser@bigisp.com and
it is undeliverable, I would want the DSN to tell me that it was not
delivered to you@example.com, not someuser@bigisp.com. bigisp.com
should send the DSN to example.com which should send a DSN from
you@example.com back to me.

It is quite possible that you@example.com might not want me to know
their 'real' email address, but if the forwarder keeps the original
MAIL FROM then this information can be exposed.

So forwarding without changing the MAIL FROM is broken for reasons
other than SPF.
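
The bounce path described in the message above, as an added example that is not part of the original post: a small model of the two forwarding modes, showing which recipient address the DSN discloses to the original sender. The `Forwarder` class, its `bounce-N@example.com` address scheme and the alias table are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Envelope:
    mail_from: str  # SMTP reverse-path: where DSNs are sent
    rcpt_to: str    # SMTP forward-path: who this hop delivers to

# Constructed scenario using the addresses from the post.
ALIASES = {"you@example.com": "someuser@bigisp.com"}  # example.com's forward
UNDELIVERABLE = {"someuser@bigisp.com"}               # bigisp.com cannot deliver

class Forwarder:
    """example.com: forwards mail, optionally rewriting MAIL FROM."""
    def __init__(self, rewrite):
        self.rewrite = rewrite
        self.pending = {}  # bounce address -> envelope as originally received

    def forward(self, env):
        mail_from = env.mail_from
        if self.rewrite:
            # Hypothetical per-message bounce address owned by the forwarder.
            mail_from = f"bounce-{len(self.pending)}@example.com"
            self.pending[mail_from] = env
        return Envelope(mail_from, ALIASES[env.rcpt_to])

    def handle_dsn(self, dsn):
        # A DSN arriving at our bounce address is re-issued for the address
        # the sender actually used, hiding the forwarding target.
        original = self.pending.pop(dsn["to"])
        return make_dsn(original)

def make_dsn(env):
    """A DSN goes to the reverse-path and names the recipient that failed."""
    return {"to": env.mail_from, "failed_rcpt": env.rcpt_to}

def dsn_seen_by_sender(rewrite):
    fwd = Forwarder(rewrite)
    hop = fwd.forward(Envelope("me@here.com", "you@example.com"))
    assert hop.rcpt_to in UNDELIVERABLE
    dsn = make_dsn(hop)              # generated by bigisp.com
    if dsn["to"] in fwd.pending:     # routed back through example.com
        dsn = fwd.handle_dsn(dsn)
    return dsn

if __name__ == "__main__":
    print("keep MAIL FROM:   ", dsn_seen_by_sender(rewrite=False))
    print("rewrite MAIL FROM:", dsn_seen_by_sender(rewrite=True))
```

With the original MAIL FROM kept, bigisp.com's DSN goes straight to the sender and names the forwarding target; with the rewrite, the sender only ever sees the address it wrote to.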


