Mail params using -f (has this changed?)


#1

I recently noticed some emails going missing, this was due to the params on the emails trying to assign the sender as a domain outside Dreamhost (I suspect due to SPF protected domains mainly, because forging a nonexistant domain is fine, example.com will work with softfail).

This seems perfectly acceptable, but it seems like a new issue - I’m not sure the emails are even getting outside the DH network and it is shown as a successful send.

This PHP will work. (replace youremail and yourdomain)

echo(mail('youremail@gmail.com','Your Domain params','message','Return-Path: testxyzxcyzyxzy@hotmail.com\nFrom: testxyzxcyzyxzy <testxyzxcyzyxzy@hotmail.com>\n','-oi -f test@yourdomain.com'));

This PHP will not arrive. (replace youremail)

Is this a new issue after DH changed their email policies/code ? or is it more likely just the SPF settings of the other domains causing “correct” SPF behaviour?

It looks like it is impossible to use -f unless you are 100% sure the domain is allowed to be used by you - so just don’t do it… Some CMS do use these params because they use phpmail.php, so it is possible to lose emails if you are using a badly coded addon or for example, you assume you can use any email address in some newsletter sending configurations etc…


#2

Probably a change in policy.

http://www.dreamhoststatus.com/2012/04/04/improvements-to-outgoing-spam-prevention-policy/


#3

Hrm it seems okay, using -oi -f for addresses you don’t control is bad, but DH should display an error!

But the only odd issue I face at the moment is that emails sent directly to a @gmail address have their SPF working fine, but if I send email to a dreamhost email address and then collect email via POP into gmail, the SPF says softfail. SPF is always empty in dreamhost when sending from a DH website to a DH email account, so I guess Gmail has a guess and sees the wrong sender IP.