SPF with Gmail and Dreamhost php


#1

I still have SPF trouble. I use

but I get softfails sometimes with PHP scripts.

I can’t work it out.


#2

I’m guessing you are using PHP’s mail command to send email (http://php.net/manual/en/function.mail.php), correct?

An important thing about SPF is that it only performs checks on the envelope sender (Return-Path header), not on the user-visible From header (http://www.openspf.org/FAQ/Envelope_from_scope).

When you send mail with PHP’s mail command, the mail is sent via the localhost sendmail system and the envelope sender (Return-Path header) is always something like user@host.dreamhost.com. This is true even if you add From headers with your domain to the mail.

So, when SPF checking is applied, it will test using the envelope sender domain – dreamhost.com, not your domain. You’re domain’s SPF record will be ignored.

Now, dreamhost.com does not have an SPF record, so you might be wondering how Gmail is detecting a softfail. The key is to notice that the Gmail softfail message uses the phrase “best guess record”. Gmail uses a heuristic system to create best-guess SPF records for domains that don’t use SPF (described in the paper: http://www.ceas.cc/2006/19.pdf)

Since Gmail is using a best-guess for dreamhost.com’s SPF record, the guess is sometimes wrong and you will see a softfail. Possibly your mail is sometimes being routed thru a new mailhub server, and Gmail hasn’t added that server to the best-guess SPF record yet. You may see the softfail disappear after a while.

Ok, so I hope that explains the problem, now a possible solution (note, I haven’t test the solution):

One solution would be to switch from PHP’s mail to a SMTP mailer, like PHPmailer (http://wiki.dreamhost.com/PHPmailer_example). Because an SMTP mailer is directly talking to a mail server, it can set the envelope-sender to be the same as the From address (PHPmailer does this automatically, or you can set them any way you want), so you can have your domain as the envelope-sender rather then dreamhost.com.

You have various choices about how to setup an SMTP mailer. You might be able to use localhost or your assigned DreamHost SMTP server. In this case, the “ptr:dreamhost.com” rule in your SPF will cover these emails.

Alternatively, you could send the email directly thru Google (via smtp.google.com) using your Google user and password. In this case, you could simplify your SPF record to just mirror Googles: “include:_spf.google.com ~all”

There are probably other solutions – the key is the ability to set the evenlope-sender (Return-Path) to your domain.

I hope that helps - Chuck[hr]
Just a followup: It is possible to set the envelope sender using PHP’s built-in mail command. You just have to add sendmail’s -F/-f options to the 5th additional-options parameter:

[php]mail("user@example.com", “test”, “test message”, “”, “-F ‘Example Webmaster’ -f webmaster@example.com”);[/php]

This is probably the simplest solution, if you are already using PHP’s mail command.


#3

Hello,

Does SPF helped you to avoid Spam folder when sending messages ?

Thanks.


#4

SPF allows mailbox-providers to more accurately calculate the reputations of envelope-domains and mail servers. This can cut both ways.

For example, if users flag email from example.com as spam, then SPF allows the mailbox-provider to more precisely say: “example.com is a spammer”, because example.com’s SPF record can be used to rule out the possibility that the domain is the innocent victim of spoofing.

Conversely, if users flag spoofed example.com email as spam, then SPF allows the mailbox-provider to maintain example.com’s good reputation. Thus allowing true example.com email to flow normally.

Needless to say, as a netizen, I strongly encourage everyone (good guys and spammers) to use SPF (and DomainKeys) because it makes spam filtering more accurate.


#5

So it means that it is useless to add SPF to my Drupal websites that send messages directly to spam folder ?

And there is no other solution ?


#6

You should add SPF records to all your email and ask that anyone who receives it in their spam folder mark it as not being spam so that their mail provider’s system learns that email from you is okay for regular delivery.