Mail params using -f (has this changed?)


I recently noticed some emails going missing, this was due to the params on the emails trying to assign the sender as a domain outside Dreamhost (I suspect due to SPF protected domains mainly, because forging a nonexistant domain is fine, will work with softfail).

This seems perfectly acceptable, but it seems like a new issue - I’m not sure the emails are even getting outside the DH network and it is shown as a successful send.

This PHP will work. (replace youremail and yourdomain)

echo(mail('','Your Domain params','message','Return-Path:\nFrom: testxyzxcyzyxzy <>\n','-oi -f'));

This PHP will not arrive. (replace youremail)

Is this a new issue after DH changed their email policies/code ? or is it more likely just the SPF settings of the other domains causing “correct” SPF behaviour?

It looks like it is impossible to use -f unless you are 100% sure the domain is allowed to be used by you - so just don’t do it… Some CMS do use these params because they use phpmail.php, so it is possible to lose emails if you are using a badly coded addon or for example, you assume you can use any email address in some newsletter sending configurations etc…


Probably a change in policy.


Hrm it seems okay, using -oi -f for addresses you don’t control is bad, but DH should display an error!

But the only odd issue I face at the moment is that emails sent directly to a @gmail address have their SPF working fine, but if I send email to a dreamhost email address and then collect email via POP into gmail, the SPF says softfail. SPF is always empty in dreamhost when sending from a DH website to a DH email account, so I guess Gmail has a guess and sees the wrong sender IP.