spf-discuss

Re: spf with online forms

2005-05-02 13:40:37
The reason eBay does that is to PROTECT against spamming. As an end
user I can't contact the user directly... I also can't see their
e-mail address. Their practice is very good, and they are also a
business. You can't argue with them about putting some advertising
in there!

On 5/2/05, Chris Haynes <chris(_at_)harvington(_dot_)org(_dot_)uk> wrote:
"Andrew Gutkowski" asked:


Could someone please explain to me how spf deals with websites which use
online forms to send emails?  For example, if I am on eBay and use their
online form to send an email to another eBay user, eBay sends the email
from my account through their smtp server and on to the other eBay user.
Upon receipt of that email, the recipient's email system would do an
spf lookup on my domain and find that eBay.com's smtp server is not a
valid sender for my domain and therefore reject the email.

It's not just eBay by the way, there are thousands of websites which do
this very same thing.

Any thoughts?



Interesting question....

I've just had a look at one such message I received from a vendor via eBay.

The message starts with words from eBay telling me what the message is about,
then has some advice on safe purchases.  It next embeds the actual, brief
words entered into their web page by the vendor, and finally has many more
lines of advice and advertising from eBay.

The message was sent with a MAIL FROM of the vendor's eMail address, not eBay,
even though only 20% or so of the words were written by the vendor, and she
knew nothing about the rest of the message.

Ask yourself: Who was the message (as a whole) really from: The vendor or eBay?

My answer and conclusions are:

1) The message as a whole was from eBay. They should have used their own
address in the MAIL FROM.

2) If, today, they send a message on behalf of a vendor who has an SPF policy
then either:

2a) The vendor can 'include' eBay in the list of servers permitted to send
messages from her domain or,
2b) SPF systems will declare the message a forgery.

So, it will be interesting to see what eBay does about SPF. Their current
practice is SPF-hostile and, arguably, against the spirit of SMTP. They are
not a 'simple' forwarder; they are injecting a brand new message into the
SMTP world with content which is mostly their own.

I suppose their argument would be that, if the message bounces, they want
nothing to do with it; it is for the originator of the embedded message to
know that something went wrong.

If they wanted to be SPF-friendly they could:

a) Change to using their own domain in MAIL FROM - which is what the SPF
purists would say they should do. They could use something like SRS to help
handle any bounces and send an alert back to the original person.

or

b) Publish their own SPF policy and advise clients to 'include' it in their
own policy.
Clients would first want to be assured that eBay did not allow their members
to use each others' addresses, and that they generally trusted eBay with
their own domain's reputation.

Chris Haynes


-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Read the whitepaper!  http://spf.pobox.com/whitepaper.pdf
To unsubscribe, change your address, or temporarily deactivate your 
subscription,
please go to 
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com


