spf-discuss

Re: spf with online forms

2005-05-02 12:54:14
"Andrew Gutkowski" asked:


Could someone please explain to me how spf deals with websites which use
online forms to send emails?  For example, if I am on eBay and use their
online form to send an email to another eBay user, eBay sends the email
from my account through their smtp server and on to the other eBay user.
Upon receipt of that email, the recipient's email system would do an
spf lookup on my domain and find that eBay.com's smtp server is not a
valid sender for my domain and therefore reject the email.

It's not just eBay by the way, there are thousands of websites which do
this very same thing.

Any thoughts?



Interesting question....

I've just had a look at one such message I received from a vendor via eBay.

The message starts with words from eBay telling me what the message is about, then has some advice on safe purchases. It next embeds the actual, brief words entered into their web page by the vendor, and finally has many more lines of advice and advertising from eBay.

The message was sent with a MAIL FROM of the vendor's email address, not eBay, even though only 20% or so of the words were written by the vendor, and she knew nothing about the rest of the message.

Ask yourself : Who was the message (as a whole) really from: The vendor or eBay?

My answer and conclusions are:

1) The message as a whole was from eBay. They should have used their own address in the MAIL FROM.

2) If, today, they send a message on behalf of a vendor who has an SPF policy then either:

2a) The vendor can 'include' eBay in the list of servers permitted to send messages from her domain or,
2b) SPF systems will declare the message a forgery.

So, it will be interesting to see what eBay does about SPF. Their current practice is SPF-hostile and, arguably, against the spirit of SMTP. They are not a 'simple' forwarder; they are injecting a brand new message into the SMTP world with content which is mostly their own.

I suppose their argument would be that, if the message bounces, they want nothing to do with it; it is for the originator of the embedded message to know that something went wrong.

If they wanted to be SPF-friendly they could:

a) Change to using their own domain in MAIL FROM - which is what the SPF purists would say they should do. They could use something like SRS to help handle any bounces and send an alert back to the original person.

or

b) Publish their own SPF policy and advise clients to 'include' it in their own policy. Clients would first want to be assured that eBay did not allow their members to use each others' addresses, and that they generally trusted eBay with their own domain's reputation.

Chris Haynes
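The two outcomes in Chris's points 2a/2b and the two remedies in his points a) and b) can be walked through in code. What follows is an added example and not code from anyone on the thread: a minimal SPF evaluator (ip4, include, redirect and all mechanisms only) run against a constructed, hypothetical DNS table, plus a simplified SRS0 forward/reverse rewrite of the kind remedy a) would use. All domain names, IP addresses and the SRS secret are made up for the example; the SRS hash and timestamp scheme follow the SRS0 layout but are a reduced version, not the reference implementation.

```python
import base64
import hashlib
import hmac
import ipaddress
import re

# Constructed DNS TXT data for the scenario (hypothetical names and addresses).
#  - vendor.example  publishes a strict policy listing only its own MTA.
#  - ebay.example    sends from 203.0.113.0/24 and publishes an include target.
#  - vendor2.example has taken remedy b) and includes eBay's policy.
DNS_TXT = {
    "vendor.example":    ["v=spf1 ip4:198.51.100.10 -all"],
    "vendor2.example":   ["v=spf1 ip4:198.51.100.10 include:_spf.ebay.example -all"],
    "ebay.example":      ["v=spf1 include:_spf.ebay.example -all"],
    "_spf.ebay.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Evaluate the SPF policy of `domain` for a connection from `ip`.

    Supports ip4, include, redirect= and all; anything else is a permerror.
    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                       # RFC limit on DNS-querying terms
        return "permerror"
    records = [r for r in DNS_TXT.get(domain, []) if r.startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in records[0].split()[1:]:
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qual]
        if name == "ip4":
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "include":
            sub = check_host(ip, arg, depth + 1)
            if sub == "pass":            # include matches only on pass
                return QUALIFIERS[qual]
            if sub in ("none", "permerror", "temperror"):
                return "permerror"
        else:
            return "permerror"           # unsupported mechanism
    if redirect:
        return check_host(ip, redirect, depth + 1)
    return "neutral"                     # no mechanism matched, no 'all'


# --- Simplified SRS0 rewriting for remedy a) -------------------------------
SRS_SECRET = b"constructed-example-secret"   # assumption: forwarder's key
SRS_BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def _srs_hash(ts, domain, local):
    """4-char HMAC tag over timestamp, original domain and local part."""
    mac = hmac.new(SRS_SECRET, f"{ts}{domain}{local}".lower().encode(),
                   hashlib.sha1).digest()
    return base64.b64encode(mac)[:4].decode()


def srs_timestamp(day):
    """Two base32 chars encoding (day since epoch) mod 1024, as SRS0 does."""
    return SRS_BASE32[(day >> 5) & 31] + SRS_BASE32[day & 31]


def srs_forward(orig_addr, forwarder_domain, day):
    """Rewrite MAIL FROM so bounces come back to the forwarder's domain."""
    local, _, domain = orig_addr.rpartition("@")
    ts = srs_timestamp(day)
    return f"SRS0={_srs_hash(ts, domain, local)}={ts}={domain}={local}@{forwarder_domain}"


def srs_reverse(srs_addr):
    """Recover the original address from an SRS0 bounce address, or None if
    the tag does not verify (prevents the forwarder becoming a bounce relay)."""
    local = srs_addr.rpartition("@")[0]
    m = re.fullmatch(r"SRS0=([^=]+)=([^=]+)=([^=]+)=(.*)", local)
    if not m:
        return None
    tag, ts, domain, orig_local = m.groups()
    if not hmac.compare_digest(tag, _srs_hash(ts, domain, orig_local)):
        return None
    return f"{orig_local}@{domain}"


def spf_result_for_mail_from(connecting_ip, mail_from):
    """Result a receiver would get checking MAIL FROM's domain for this IP."""
    return check_host(connecting_ip, mail_from.rpartition("@")[2])


if __name__ == "__main__":
    ebay_mta = "203.0.113.5"
    print(spf_result_for_mail_from(ebay_mta, "vendor@vendor.example"))   # 2b: fail
    print(spf_result_for_mail_from(ebay_mta, "vendor@vendor2.example"))  # 2a: pass
    rewritten = srs_forward("vendor@vendor.example", "ebay.example", 12345)
    print(rewritten, spf_result_for_mail_from(ebay_mta, rewritten))     # a): pass
    print(srs_reverse(rewritten))
```

Running the scenario against the constructed table shows the point of the post: the same connection from eBay's hypothetical MTA fails for vendor.example (which never authorised it), passes for vendor2.example (which included eBay's record), and passes once the MAIL FROM is rewritten into the forwarder's own domain, while the SRS tag lets the forwarder route a bounce back to the original vendor without accepting arbitrary bounce targets.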


