SPF verifiers MUST check the "MAIL FROM" identity if a "HELO" check
either has not been performed or has not reached a definitive policy
result by applying the check_host() function to the "MAIL FROM"
identity as the .
[RFC5321] allows the reverse-path to be null (see Section 4.5.5 in
[RFC5321]). In this case, there is no explicit sender mailbox, and
such a message can be assumed to be a notification message from the
mail system itself. When the reverse-path is null, this document
defines the "MAIL FROM" identity to be the mailbox composed of the
local-part "postmaster" and the "HELO" identity (which might or might
not have been checked separately before).
RFC 7208 has this requirement for this case, in case of empty MAIL FROM it seems like it should be assumed to be equal to "postmaster@HELO-hostname-here". That is, "postmaster@" + s.msgMeta.Conn.Hostname.
RFC 7208 has this requirement for this case, in case of empty MAIL FROM it seems like it should be assumed to be equal to "postmaster@HELO-hostname-here". That is, "postmaster@" + s.msgMeta.Conn.Hostname.