spf-discuss

Re: [spf-discuss] news sites: email to a friend

2006-04-06 14:06:40
On Thu, 6 Apr 2006,  wrote:

> Some major news sites (cnn.com, washingtonpost.com, latimes.com) have "email
> this story to a friend" features.
>
> These allow entering a "From" and "To" address.
>
> The site's web server then sends an email "From" the entered address, "To"
> the entered address... with an envelope-sender that matches the entered
> "From", no "Sender", no "X-Sender", and no "Resent-*" headers.
>
> Alas, this breaks SPF.  I have modified my SPF record to include these
> specific sites via ~ip4, but I worry about other sites.

These sites are broken.  Many or most news and greeting card sites
do it right and put the entered address in the From header field,
and set Sender and MAIL FROM to their own service.

> What should I do?

I avoid broken sites.  When I really *really* need to use one,
I use one of these methods (both of which require you to control your
own mail server):

a) I use SRS on my mail server.  Run SRS on each address you want the
broken site to email.  Enter the SRS encoded address as the
recipient on the broken site.  I watch the mail logs to see what
server the broken site uses to send mail.  I whitelist that server
temporarily.  The To header field will now look really strange, but the mail
will get delivered.

b) I use a special mail subdomain which has a lax SPF record as the
address I enter for the From header field.  The recipient sees
the correct To header field, and the From header field at least ends
with my domain.

For instance, for method b you might have:

example.com IN TXT "v=spf1 ip4:1.2.3.4 -all"
laxspf.example.com IN TXT "v=spf1 ip4:1.2.3.4 ?all"

And you would enter mymbox(_at_)laxspf(_dot_)example(_dot_)com as the from 
address.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
