Advice for Web Generated Emailers
You'll need to change one or two things.
Evite and Egreetings show you how.

SPF is an extension to SMTP that helps prevent email forgery. Systems that send mail on behalf of other people may need to make a few small changes to their mail systems to comply.

These instructions are intended for services like eBay, Amazon, greeting card sites, and any other "third-party" systems that generate email on behalf of other people.

Evite and Egreetings.com send web-generated email: when users interact with the web site, email goes out on their behalf. This is fine and good. But under SPF, mail from those services can look like a forgery --- unless certain precautions are taken. Evite and Egreetings have already made the necessary changes. They set a good example for others to follow.

This can look like a forgery.
Return-Path: <user@example.com>
From: End User <user@example.com>
Subject: End User has sent you a greeting card!

This is better.
Return-Path: <service@egreetings.com>
Sender: <service@egreetings.com>
From: End User <user@example.com>
Subject: End User has sent you a greeting card!

This works too.
Return-Path: <info@evite.com>
From: End User <info@evite.com>
Reply-to: End User <user@example.com>
Subject: End User has sent you an invite!

Messages that only show the end-user's address in the headers, but do not come from the end-user's home systems, are considered suspicious by SPF. To solve this problem, just change the headers.

Egreetings.com does it this way:

  • Choose a generic address. (service@egreetings.com)
  • Change the return-path to that address.
  • Add a "Sender" header that shows that address.

Evite does it this way:

  • Choose a generic address. (info@evite.com)
  • Change the return-path to that address.
  • Change the "From" header to that address.
  • Add a "Reply-To" header that contains the actual email address.

Either way is fine. They both work just as well.
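
Both header layouts built with Python's standard email library, as an added example that is not code from Evite, Egreetings or the SPF project. The address service@cards.example and the function name build_message are assumptions made for illustration; the input check is there because the user's name and address arrive from a web form and end up in headers.

```python
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

# Assumed generic address owned by the sending service (constructed for this example).
SERVICE_ADDR = "service@cards.example"


def build_message(user_name, user_addr, rcpt, subject, body, style="sender"):
    """Return (envelope_from, EmailMessage) for mail sent on a user's behalf.

    style="sender":   From keeps the user's address, Sender names the service.
    style="reply-to": From is the service address, Reply-To carries the user.
    """
    # Accept only a single bare address and no line breaks, so form input
    # cannot smuggle extra headers into the message.
    _, parsed = parseaddr(user_addr)
    if (parsed != user_addr or "@" not in parsed
            or any(c in user_name + user_addr for c in "\r\n")):
        raise ValueError("rejecting malformed or multi-line sender input")

    msg = EmailMessage()
    if style == "sender":
        msg["From"] = formataddr((user_name, user_addr))
        msg["Sender"] = SERVICE_ADDR
    elif style == "reply-to":
        msg["From"] = formataddr((user_name, SERVICE_ADDR))
        msg["Reply-To"] = formataddr((user_name, user_addr))
    else:
        raise ValueError("unknown style")
    msg["To"] = rcpt
    msg["Subject"] = subject
    msg.set_content(body)

    # The envelope sender (SMTP MAIL FROM, recorded as Return-Path on delivery)
    # is always the service address, whatever address the user typed in.
    return SERVICE_ADDR, msg
```

Pass the returned envelope address as from_addr to smtplib.SMTP.send_message so the return-path matches the headers built here.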

Note that the generic address will receive bounce messages for mail that didn't go through. This is the desired behaviour. You can just discard mail to that address, or you can set up more complex bounce processing to tell the user their mail didn't go through.

The important thing is this. What's to stop a user from going to your website and claiming his email address is president@whitehouse.gov? Very little. If that user uses your service to send mail to a hundred recipients, and if ten of those addresses bounce, the least you can do is to keep the bounces from actually going to president@whitehouse.gov. The above instructions solve that problem.

Copyright © 2004-2006, licensed under the GFDL.