SPF has many optional fields in the headers it adds that are usually there but not required by the spec.
See issue #49 for more discussion.
This applies if we are relying on previously-received headers for SPF and not doing our own lookups.
If checking Received-SPF:
- Check for pass
- Add a check for identifier=mailfrom (unless sender is <>)
- Add a check for mailfrom= AND confirm it matches the domain
- Else ignore the header (and log the result)
If we are checking Authentication-Results:
- Check for pass
- Check for mailfrom=
- Confirm it matches the domain
- Else ignore the header (and log the result)
Some SPFs will note both the HELO and the mailfrom, but the pass will be based on the HELO, so we need to evaluate this separately.
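A sketch of the two checks listed above, added here as an example and not taken from the project's code. It assumes the RFC 7208 key names `identity` and `envelope-from` for Received-SPF and the RFC 8601 property `smtp.mailfrom` for Authentication-Results, an exact domain match, and a non-null sender; the function names and sample headers are constructed for illustration.

```python
import logging
import re

log = logging.getLogger("spf_headers")
_COMMENT = re.compile(r"\([^()]*\)")   # un-nested RFC 5322 comment
_KV = re.compile(r'([A-Za-z][\w.-]*)\s*=\s*("[^"]*"|[^\s;]+)')

# Constructed sample: a pass that was earned by the HELO identity, although
# the header also records an envelope-from in the domain being checked.
SAMPLE_HELO_PASS = ('pass (mx.example.org: mail.example.net is permitted) '
                    'receiver=mx.example.org; client-ip=192.0.2.1; '
                    'envelope-from="user@example.com"; helo=mail.example.net; '
                    'identity=helo')

def _pairs(text):
    """key=value pairs of a header fragment, keys lower-cased, quotes removed."""
    return {k.lower(): v.strip('"') for k, v in _KV.findall(text)}

def _domain(addr):
    """Domain of an address (or a bare domain), normalised for comparison."""
    return addr.strip("<>").rsplit("@", 1)[-1].rstrip(".").lower()

def _ignore(header, why):
    log.info("ignoring SPF header (%s): %r", why, header)
    return False

def received_spf_aligned(value, domain):
    """Received-SPF: pass, identity=mailfrom, envelope-from in `domain`."""
    body = _COMMENT.sub(" ", value).split(None, 1)
    if not body or body[0].lower() != "pass":
        return _ignore(value, "result is not pass")
    kv = _pairs(body[1] if len(body) > 1 else "")
    if kv.get("identity", "").lower() != "mailfrom":
        return _ignore(value, "pass is not for the mailfrom identity")
    sender = kv.get("envelope-from")
    if not sender or _domain(sender) != _domain(domain):
        return _ignore(value, "envelope-from missing or in another domain")
    return True

def auth_results_spf_aligned(value, domain):
    """Authentication-Results: spf=pass with smtp.mailfrom in `domain`."""
    for part in _COMMENT.sub(" ", value).split(";")[1:]:  # [0] is authserv-id
        kv = _pairs(part)
        if "spf" not in kv:
            continue
        sender = kv.get("smtp.mailfrom")
        if kv["spf"].lower() == "pass" and sender and _domain(sender) == _domain(domain):
            return True
        return _ignore(value, "spf result is not a mailfrom pass for the domain")
    return False
```

Both functions return False for a header they cannot tie to the mailfrom domain, so a HELO-based pass such as `SAMPLE_HELO_PASS` is logged and ignored instead of being counted.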