Sender Policy Framework

Does it protect the "From:" header field?

SPF was designed to protect the envelope sender. That means the return-path that shows up in "MAIL FROM", and to a lesser extent the HELO argument that is supposed to be an FQDN.

The vast majority of SPF implementations today use the return-path as the subject of authentication and do not get involved with the header "From:".

Protecting authorship information is an important goal. However, the technical issues associated with protecting the "From:" header are much more numerous and challenging. The best way to protect the header "From:" is by using a cryptographic signature such as S/MIME, PGP, or (when it is released) Yahoo DomainKeys. Sender-ID, proposed by Microsoft, is a failed attempt at this.

If you want to use the "From:" header as the subject of authentication with SPF, you need to be familiar with the following:

• mailing lists
• /etc/aliases-style forwarding
• MUA "resend this message to"
• web-generated email
• the Sender header
• the Resent-Sender and Resent-From headers