Sending web form mail to Hotmail
The Situation
A simple "Contact" form on a website. The form allows people to enter their name and e-mail address, so that the message appears to come from them, and the site owner can use their Reply button to reply to the sender (and not the web server!).
The Problem
The problem is defining what the "sender" e-mail address is, which is then compared with the address's domain's SPF record to see if it is coming from an authorised mail server.
SPF seems to quite clearly specify that the sender is the envelope sender, and not the From: address. Microsoft's SenderID uses some algorithm to work out the sender based on various addresses, including the From: address - and this is what Hotmail is using for its SenderID checks.
Problem Message Headers
This message was sent with the envelope set to postmaster@fonant.com, and the From: address as the person writing the message. This appears nicely in e-mail programs, and works in most e-mail systems apart from Hotmail, which either deletes it without warning or puts it into the Spam folder.
Google Mail seems to use the envelope sender (the same as the Return-Path) for its SPF tests, so the message passes:
Delivered-To: fonant@gmail.com
Received: by 10.35.75.14 with SMTP id c14cs451409pyl;
Fri, 21 Sep 2007 04:49:16 -0700 (PDT)
Received: by 10.78.145.5 with SMTP id s5mr1930030hud.1190375355767;
Fri, 21 Sep 2007 04:49:15 -0700 (PDT)
Return-Path: <postmaster@fonant.com>
Received: from clive.fonant.com (clive.fonant.com [84.234.17.182])
by mx.google.com with ESMTP id 15si240941hui.2007.09.21.04.49.14;
Fri, 21 Sep 2007 04:49:15 -0700 (PDT)
Received-SPF: pass (google.com: domain of postmaster@fonant.com designates 84.234.17.182 as permitted sender) client-ip=84.234.17.182;
Authentication-Results: mx.google.com; spf=pass smtp.mail=postmaster@fonant.com
X-Fonant-MailScanner-Watermark: 1190980151.59299@r6iistN2VbOgpY/jmTOEbw
Received: from clive.fonant.com (localhost.localdomain [127.0.0.1])
by clive.fonant.com (8.14.1/8.13.8) with ESMTP id l8LBnBJ8006501;
Fri, 21 Sep 2007 12:49:11 +0100
Received: (from apache@localhost)
by clive.fonant.com (8.14.1/8.14.1/Submit) id l8LBnBwV006500;
Fri, 21 Sep 2007 12:49:11 +0100
Date: Fri, 21 Sep 2007 12:49:11 +0100
Message-Id: <200709211149.l8LBnBwV006500@clive.fonant.com>
X-Authentication-Warning: clive.fonant.com: apache set sender to postmaster@fonant.com using -f
To: fonant@msn.com
Subject: Website contact
From: Anthony Cartmell <ajcartmell@example.com>
Reply-To: Anthony Cartmell <ajcartmell@example.com>
Content-Type: text/plain; charset=utf-8
X-Mailer: PHP/5.2.4
This is another test message, following additional SPF tweaks recommended by Microsoft Support, and after removing the Sender: header to the sent mail.
Google works on the envelope sender, but Hotmail uses the message sender. Grrrr....
Anthony
but Hotmail uses the message sender, which probably won't be authorised to send mail from the web server, according to SPF:
X-Message-Delivery: Vj0zLjQuMDt1cz0wO2k9MDtsPTA7YT0w X-Message-Status: n:0 X-SID-PRA: Anthony Cartmell <ajcartmell@example.com> X-Message-Info: 0Lct38uk7fNF9GYJGXUIeSlzxoO5/CbJHsgrSlMa24MhLxzFiGBuNn0O3n6yW0aQDt2kSWO+4FrefOGgBCYNzg== Received: from clive.fonant.com ([84.234.17.182]) by bay0-mc3-f2.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Fri, 21 Sep 2007 04:49:16 -0700 X-Fonant-MailScanner-Watermark: 1190980151.59299@r6iistN2VbOgpY/jmTOEbw Received: from clive.fonant.com (localhost.localdomain [127.0.0.1]) by clive.fonant.com (8.14.1/8.13.8) with ESMTP id l8LBnBJ8006501; Fri, 21 Sep 2007 12:49:11 +0100 Received: (from apache@localhost) by clive.fonant.com (8.14.1/8.14.1/Submit) id l8LBnBwV006500; Fri, 21 Sep 2007 12:49:11 +0100 Date: Fri, 21 Sep 2007 12:49:11 +0100 Message-Id: <200709211149.l8LBnBwV006500@clive.fonant.com> X-Authentication-Warning: clive.fonant.com: apache set sender to postmaster@fonant.com using -f To: fonant@hotmail.co.uk Subject: Website contact From: Anthony Cartmell <ajcartmell@example.com> Reply-To: Anthony Cartmell <ajcartmell@example.com> Content-Type: text/plain; charset=utf-8 X-Mailer: PHP/5.2.4 Return-Path: postmaster@fonant.com X-OriginalArrivalTime: 21 Sep 2007 11:49:17.0209 (UTC) FILETIME=[70670090:01C7FC45] This is another test message, following additional SPF tweaks recommended by Microsoft Support, and after removing the Sender: header to the sent mail. Google works on the envelope sender, but Hotmail uses the message sender. Grrrr.... Anthony
Meanwhile, MailScanner and SpamAssassin find:
X-Fonant-MailScanner-Watermark: 1190980158.83958@L38s3UtKTursxABr9WqBbQ Return-Path: <postmaster@fonant.com> Received: from clive.fonant.com (clive.fonant.com [84.234.17.182]) by nick.fonant.com (8.13.8/8.13.8) with ESMTP id l8LBnBhp000983 for; Fri, 21 Sep 2007 12:49:14 +0100 X-Fonant-MailScanner-Watermark: 1190980151.59299@r6iistN2VbOgpY/jmTOEbw Received: from clive.fonant.com (localhost.localdomain [127.0.0.1]) by clive.fonant.com (8.14.1/8.13.8) with ESMTP id l8LBnBJ8006501; Fri, 21 Sep 2007 12:49:11 +0100 Received: (from apache@localhost) by clive.fonant.com (8.14.1/8.14.1/Submit) id l8LBnBwV006500; Fri, 21 Sep 2007 12:49:11 +0100 Date: Fri, 21 Sep 2007 12:49:11 +0100 Message-Id: <200709211149.l8LBnBwV006500@clive.fonant.com> X-Authentication-Warning: clive.fonant.com: apache set sender to postmaster@fonant.com using -f To: fonant@hotmail.co.uk Subject: Website contact From: Anthony Cartmell <ajcartmell@example.com> Reply-To: Anthony Cartmell <ajcartmell@example.com> Content-Type: text/plain; charset=utf-8 X-Mailer: PHP/5.2.4 X-Fonant-MailScanner-Information: Please contact Fonant for more information X-Fonant-MailScanner: Found to be clean X-Fonant-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=-5.002, required 4, autolearn=not spam, BAYES_00 -5.00, SPF_HELO_PASS -0.00, SPF_PASS -0.00) X-Fonant-MailScanner-From: postmaster@fonant.com X-Spam-Status: No This is another test message, following additional SPF tweaks recommended by Microsoft Support, and after removing the Sender: header to the sent mail. Google works on the envelope sender, but Hotmail uses the message sender. Grrrr.... Anthony
Adding the Sender: Header
http://www.openspf.org/Best_Practices/Webgenerated [website no longer available] suggests various ways to deal with web forms, one of which is adding a Sender: header with an address related to the web server.
Adding a Sender: header seems to mess up the From: address, so the message doesn't appear so nicely in e-mail programs. This might be a sendmail set-up thing?
A BCC copy of the message sent to Google Mail now has:
Delivered-To: fonant@gmail.com
Received: by 10.35.75.14 with SMTP id c14cs452782pyl;
Fri, 21 Sep 2007 05:14:40 -0700 (PDT)
Received: by 10.78.162.4 with SMTP id k4mr297461hue.1190376876636;
Fri, 21 Sep 2007 05:14:36 -0700 (PDT)
Return-Path: <postmaster@fonant.com>
Received: from clive.fonant.com (clive.fonant.com [84.234.17.182])
by mx.google.com with ESMTP id 18si484350hue.2007.09.21.05.14.35;
Fri, 21 Sep 2007 05:14:36 -0700 (PDT)
Received-SPF: pass (google.com: domain of postmaster@fonant.com designates 84.234.17.182 as permitted sender) client-ip=84.234.17.182;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of postmaster@fonant.com designates 84.234.17.182 as permitted sender) smtp.mail=postmaster@fonant.com
X-Fonant-MailScanner-Watermark: 1190981648.83644@cMQJnvuyjZvlwSJ/uobmrg
Received: from clive.fonant.com (localhost.localdomain [127.0.0.1])
by clive.fonant.com (8.14.1/8.13.8) with ESMTP id l8LCE7Ku009647;
Fri, 21 Sep 2007 13:14:07 +0100
Received: (from apache@localhost)
by clive.fonant.com (8.14.1/8.14.1/Submit) id l8LCE7Sk009646;
Fri, 21 Sep 2007 13:14:07 +0100
Date: Fri, 21 Sep 2007 13:14:07 +0100
From: postmaster@fonant.com
Message-Id: <200709211214.l8LCE7Sk009646@clive.fonant.com>
X-Authentication-Warning: clive.fonant.com: apache set sender to postmaster@fonant.com using -f
To: fonant@hotmail.co.uk
Subject: Website contact
Sender: Website <postmaster@fonant.com>
Reply-To: Anthony Cartmell <ajcartmell@example.com>
Content-Type: text/plain; charset=utf-8
X-Mailer: PHP/5.2.4
This message has the Sender: set to postmaster@fonant.com
Anthony
and the BCC copy sent to MailScanner/SpamAssassin has:
X-Fonant-MailScanner-Watermark: 1190981675.87418@Y0WGzr/ManCsAxmWgwaahw Return-Path: <postmaster@fonant.com> Received: from clive.fonant.com (clive.fonant.com [84.234.17.182]) by nick.fonant.com (8.13.8/8.13.8) with ESMTP id l8LCEWs4002986 for; Fri, 21 Sep 2007 13:14:35 +0100 X-Fonant-MailScanner-Watermark: 1190981648.83644@cMQJnvuyjZvlwSJ/uobmrg Received: from clive.fonant.com (localhost.localdomain [127.0.0.1]) by clive.fonant.com (8.14.1/8.13.8) with ESMTP id l8LCE7Ku009647; Fri, 21 Sep 2007 13:14:07 +0100 Received: (from apache@localhost) by clive.fonant.com (8.14.1/8.14.1/Submit) id l8LCE7Sk009646; Fri, 21 Sep 2007 13:14:07 +0100 Date: Fri, 21 Sep 2007 13:14:07 +0100 From: postmaster@fonant.com Message-Id: <200709211214.l8LCE7Sk009646@clive.fonant.com> X-Authentication-Warning: clive.fonant.com: apache set sender to postmaster@fonant.com using -f To: fonant@hotmail.co.uk Subject: Website contact Sender: Website <postmaster@fonant.com> Reply-To: Anthony Cartmell <ajcartmell@example.com> Content-Type: text/plain; charset=utf-8 X-Mailer: PHP/5.2.4 X-Fonant-MailScanner-Information: Please contact Fonant for more information X-Fonant-MailScanner: Found to be clean X-Fonant-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=-5.002, required 4, autolearn=not spam, BAYES_00 -5.00, SPF_HELO_PASS -0.00, SPF_PASS -0.00) X-Fonant-MailScanner-From: postmaster@fonant.com X-Spam-Status: No This message has the Sender: set to postmaster@fonant.com Anthony
Sadly the copy of this message sent to the Hotmail account completely failed to appear, so messing up the From: address to keep Microsoft's SenderID happy made things worse!!...
