Another reply to web designers
by Andrew Macpherson on Apr.24, 2009, under E-Mail hosting, SPF the Sender Policy Framework
Today I had a designer expressing the view that mail rejection was the recipient’s “fault” not their web form.
They were using the user-supplied e-mail address as the sender of the message generated by their web form.
The difference between Sender and From is that From is part of the message headers, and is used as the reply address in the absence of a Reply-To header, whereas Sender is the address given in the SMTP transaction as the Mail From part.
Mail From/Sender is often different from From, e.g. when a secretary sends on behalf of their boss, and SMTP e-mail reflects that distinction.
It is an issue these days because there is an anti-SPAM mechanism called SPF (Sender Policy Framework) [q.v. for details]. In summary, it allows the owners of a domain to say “Legitimate mail from our domain only comes from these places” (usually their mail server and web server), and to add “if it comes from elsewhere, discard it as SPAM”. The thing to notice here is that it is a tag that applies to the sender address (Mail From in SMTP), and may have nothing whatsoever to do with the recipient who is being protected from SPAM. The owners of a domain are not going to authorise any and all random websites to use their domain to send mail as their company, just so that it can reply to them.
Gmail and Hotmail, for instance, use the SPF mechanism to protect their customers from being accused of spamming, so the constituency your form will fail for is fairly large.
This is why any web form you create has to use a legitimate sending address for that server, even if you put the address of the form-filler into the From field where it will be displayed to the recipient. It also means you are taking responsibility for any abuse of forms on your server.
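The layout described above, as an added example that is not code from the original post: the form-filler's address goes in the From header, while the SMTP Mail From is an address belonging to the web server. The addresses, the host name and the function names are assumptions made for illustration.

```python
import re
import smtplib
from email.message import EmailMessage

# Assumed values: an address in the web server's own domain, which that
# domain's SPF record authorises this host to send for, and the site owner.
ENVELOPE_SENDER = "webform@www.example.org"
SITE_OWNER = "enquiries@example.org"

# Deliberately strict pattern: exactly one plain address, nothing else.
_ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def build_form_mail(visitor_addr, subject, text):
    """Return (envelope_sender, recipients, message) for one form submission."""
    # fullmatch rejects CR/LF, commas and spaces, so the field cannot be
    # used to add headers or extra recipients (form abuse).
    if not _ADDR.fullmatch(visitor_addr):
        raise ValueError("not a single plain e-mail address")
    if "\r" in subject or "\n" in subject:
        raise ValueError("line break in subject")
    msg = EmailMessage()
    msg["From"] = visitor_addr       # header: displayed, used for replies
    msg["Sender"] = ENVELOPE_SENDER  # header: who actually submitted it
    msg["To"] = SITE_OWNER
    msg["Subject"] = subject
    msg.set_content(text)
    return ENVELOPE_SENDER, [SITE_OWNER], msg


def send_form_mail(visitor_addr, subject, text, host="localhost"):
    """Hand the message to a local mail server (assumed to be on localhost)."""
    envelope_sender, recipients, msg = build_form_mail(visitor_addr, subject, text)
    with smtplib.SMTP(host) as smtp:
        # from_addr becomes SMTP Mail From, the address SPF is checked
        # against. Without it (and without a Sender header) smtplib falls
        # back to the From header, i.e. the visitor's address.
        smtp.send_message(msg, from_addr=envelope_sender, to_addrs=recipients)
```
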