rspamd
[Feature] Emails where the Sender is a subdomain of the From field should not be marked as FORGED_SENDER.
Summary
Emails where the Sender: is a direct subdomain of the From field domain should not be marked as FORGED_SENDER. Instead, they should be marked as SENT_FROM_SUBDOMAIN or similar so they can be weighted as lower risk.
Motivation
Today the following email is marked as FORGED_SENDER:
From: Vsevolod Stakhov <[email protected]>
Sender: [email protected]
However, if an email is sent from a direct subdomain of the sender's domain (in this example mail.freebsd.org), you can assume it is lower risk than an unrelated domain because some level of DNS configuration was needed if the DMARC policy is relaxed, such as in this example:
From: [email protected]
Sender: [email protected]
Describe alternatives you've considered
None.
Additional context
This is common for senders who configure AWS SES to send from a subdomain instead of region.amazonses.com. To configure AWS SES to use a subdomain sender you must add the following SPF record:
"v=spf1 include:amazonses.com ~all"
EDIT: I added the DMARC requirement because strict DMARC should fail the SPF check.
This rule is quite simple and it just compares two strings. Apparently, it might somehow have more complicated logic, but for now it is quite dumb indeed.
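The direct-subdomain comparison requested in this issue, as an added example that is not part of the thread and not rspamd's own code. It is plain Lua with no rspamd API; SAME_DOMAIN, the function names and the example.org addresses are hypothetical, and the other two symbol names come from the issue text.

```lua
-- Added example: classify how the Sender domain relates to the From domain.
-- Assumption: the From domain is an organisational domain. No public suffix
-- list is consulted, so a From domain such as "co.uk" would accept "x.co.uk".

-- Extract the domain of an address, lower-cased, without a trailing root dot.
local function domain_of(addr)
  local dom = addr:match("@([^@>%s]+)>?%s*$")
  if not dom then return nil end
  return (dom:lower():gsub("%.$", ""))
end

-- Returns "SAME_DOMAIN", "SENT_FROM_SUBDOMAIN", "FORGED_SENDER",
-- or nil when either address has no parsable domain.
local function classify(from_addr, sender_addr)
  local from_dom, sender_dom = domain_of(from_addr), domain_of(sender_addr)
  if not from_dom or not sender_dom then return nil end
  if from_dom == sender_dom then return "SAME_DOMAIN" end

  -- Match on a label boundary: the suffix is "." .. from_dom, so
  -- "evilexample.org" is not treated as a subdomain of "example.org".
  local suffix = "." .. from_dom
  if #sender_dom > #suffix and sender_dom:sub(-#suffix) == suffix then
    local prefix = sender_dom:sub(1, #sender_dom - #suffix)
    -- Direct subdomain only: exactly one extra label, so no dot in it.
    if not prefix:find(".", 1, true) then
      return "SENT_FROM_SUBDOMAIN"
    end
  end
  return "FORGED_SENDER"
end

-- Constructed sample pairs: { From address, Sender address }.
local samples = {
  { "dev@example.org",          "bounce@example.org" },
  { "dev@example.org",          "bounce@mail.example.org" },
  { "Dev <dev@Example.ORG.>",   "bounce@MAIL.example.org" },
  { "dev@example.org",          "bounce@a.mail.example.org" },
  { "dev@example.org",          "bounce@evilexample.org" },
  { "dev@example.org",          "bounce@example.net" },
}

for _, s in ipairs(samples) do
  print(string.format("%-24s %-28s %s", s[1], s[2],
                      tostring(classify(s[1], s[2]))))
end
```

The result describes only the string relation between the two domains; whether the subdomain was actually authorised to send is what the SPF and DMARC results mentioned in the issue establish.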