
Authorizing 3rd Party Envelope Sender to Impersonate Header Sender

Çağlar Arlı


Rewriting for clarity:

This is regarding emails sent from a 3rd party marketer spoofing one of our email addresses in the message header From field. In these emails the envelope sender would come from "noreply@marketingfirm.example", but the message header From field would show "marketing@mycompany.example". Normally, this would be spoofing and blocked, but these are valid emails that we pay that marketing firm to send.

As I understand it:

  • SPF only validates that emails from the Envelope Sender come from specific mail hosts. It does not care what the Header Sender is (Spoofing).
  • DKIM does not care who sent the email. Just that the DKIM signature on the receiving end is the same as the one acquired on the sending side.
  • DMARC ONLY cares that the Envelope Domain (sometimes subdomain) and Header Domain (sometimes subdomain) align (meaning they are the same).

So, as long as the Marketing Firm sends the emails from one of the sources in their SPF record, it's going to PASS SPF. I see a lot of this traffic from many of our clients and customers. We are looking for a way to validate (allow) authorized spoofing vs a legit spoofing attack (block).

Question: Is there any method for validating that, while spoofed, these emails are authorized spoofing?
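
An added example, not part of the original post: a minimal DMARC identifier-alignment check (RFC 7489) run over three constructed messages. It shows that a vendor message carrying a passing DKIM signature with `d=mycompany.example`, or an envelope sender on a delegated subdomain, aligns with the header From, while one authenticated only as `marketingfirm.example` does not. The function names, the `bounce.mycompany.example` subdomain and the two-label `org_domain` shortcut are assumptions made for illustration.

```python
"""Added example: DMARC identifier alignment (RFC 7489) for the scenario above."""

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real evaluators
    # use the Public Suffix List (needed for suffixes such as co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    # Strict mode needs an exact match; relaxed mode compares organizational domains.
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def dmarc_evaluate(header_from, spf, dkim_sigs, aspf_strict=False, adkim_strict=False):
    """spf is (result, envelope_domain); dkim_sigs is a list of (result, d_domain)."""
    spf_result, envelope_domain = spf
    spf_ok = spf_result == "pass" and aligned(envelope_domain, header_from, aspf_strict)
    dkim_ok = any(res == "pass" and aligned(d, header_from, adkim_strict)
                  for res, d in dkim_sigs)
    # DMARC passes when at least one authenticated identifier aligns with header From.
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed sample messages (domains from the question; results are invented).
SAMPLES = {
    # Vendor signs with a key published under mycompany.example.
    "vendor_signs_as_owner": dict(
        header_from="mycompany.example",
        spf=("pass", "marketingfirm.example"),
        dkim_sigs=[("pass", "marketingfirm.example"), ("pass", "mycompany.example")]),
    # SPF and DKIM pass, but only for the vendor's own domain.
    "vendor_identity_only": dict(
        header_from="mycompany.example",
        spf=("pass", "marketingfirm.example"),
        dkim_sigs=[("pass", "marketingfirm.example")]),
    # Envelope sender on a subdomain the owner delegated (hypothetical name).
    "delegated_envelope": dict(
        header_from="mycompany.example",
        spf=("pass", "bounce.mycompany.example"),
        dkim_sigs=[]),
}

def evaluate_samples(**modes):
    return {name: dmarc_evaluate(**msg, **modes) for name, msg in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(name, verdict)
```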