Stuart D. Gathman wrote:
I need a web page to give out to "greeting-card" sites (in our case,
tracking notification email) as to how to handle MAIL FROM.
[...]
I can tell them to use their own domain for MAIL FROM and chuck
any DSNs, or to use SRS so that DSNs can be reflected to the user
that initiated the email without using a database.
Doing SRS on unverified sender addresses, and thereby declaring trust in,
and taking responsibility for, their authenticity, is unwise.
Similarly to Brian W. Antoine's suggestion, I think the best solution for
greeting-card services is as follows:
MAIL FROM: <greeting-card-master(_at_)greeting-card(_dot_)com>
From: user's-purported-address(_at_)domain(_dot_)net
Sender: greeting-card-master(_at_)greeting-card(_dot_)com
No "Reply-To:" necessary, replies will go to the "From:" address.
I can't send them to http://spf.pobox.com/webgenerated.html any more,
because that only tells them how to be senderID compliant (which is much
more complicated than SPF compliance).
Point taken.