With aiosmtpd, how to detect spoofed "From:" addresses without relying on SPF, DMARC. or DKIM?
17:00 02 May 2026

I'm using the latest aiosmtpd module under Python 3.12 in LinuxMint to run a limited, special-purpose email server that only performs an extremely small number of very specialized functions.

There are only a couple dozen or so specific email addresses that I accept incoming messages from, and my specialized server rejects all incoming messages from other senders.

I want to make sure that the "From:" address that is being supplied in each of these incoming emails is genuine, and not being spoofed.

The emails I want to accept originate from a number of servers that I have no control over, and in most (maybe all) cases, the owners of the email addresses that I accept don't know this information. These senders consist of some individuals, some organizations, and some businesses, and few, if any of the people sending these emails have knowledge of SMTP, network issues, etc. And I cannot rely on these senders to always include any kind of authentication information inside of each message that they send.

Any of these email servers may or may not be correctly using SPF, DMARC, or DKIM. Also, even if I track the connection IP addresses of all of the legitimate emails when they arrive, I have no guarantee that these IP addresses will never change due to MX changes or other changes on the server side.

Given these limitations and restrictions, what procedures can I use to validate whether or not any given "From:" header is being spoofed, when emails purporting to be from these valid senders arrive at my server?

Will I have to investigate each and every sending address to find out whether or not SPF, DMARC, and/or DKIM are in use by the servers they currently utilize? Will I have to investigate each server associated with each sending address to determine what value each server gives in the "Mail From" item in the sending envelope?

Will I have to repeatedly determine this and other related information pertaining to each and every email address and its server, to make sure that I always am up to date with whatever changes might take place to this information over time?

Or are there other more straightforward ways that I might be able to utilize in order to validate whether the given "From:" addresses are spoofed or genuine?

spoofing smtpd aiosmtpd