Feedback forms on the web and stupid web programming

I filled out a feedback form on the web only to realise what a terrible job the web programmers had done. After I clicked on the submit button, the webserver was kind enough to send a copy of my complaint to my email address.

The sad thing is that the email address I’d entered in the feedback form was used both as the sender’s address and as the recipient’s address. With strict SPF records enforced for my DNS domain, my MTA refused to deliver the emailed copy to me. However, I did in a way receive the emailed copy, but only because I run my own SMTP service and thus receive any diagnostically generated messages.

The moral of this story is simply to use an email address based on your own valid DNS domain as the sender’s address, e.g. noreply@example.net. Never ever impersonate the complainer. How hard can this be?
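The failure and the fix described above, as an added Python example that is not code from the original post or from the site in question. The IP addresses, the domain `visitor.example`, the SPF records and the function names are constructed for illustration, and the SPF evaluator is a toy that understands only `ip4:` and `all`.

```python
import ipaddress
from email.message import EmailMessage
from email.utils import parseaddr

SITE_SENDER = "noreply@example.net"  # the sender address suggested in the post
WEB_SERVER_IP = "192.0.2.10"         # constructed: IP the form server sends from

# Constructed SPF records, keyed by domain.
SPF_RECORDS = {
    "example.net": "v=spf1 ip4:192.0.2.0/24 -all",       # the site's own domain
    "visitor.example": "v=spf1 ip4:198.51.100.25 -all",  # the visitor's strict domain
}

def spf_result(mail_from, client_ip):
    """Toy SPF check of the envelope sender's domain against the sending IP."""
    domain = mail_from.rsplit("@", 1)[1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term.lstrip("+-~?") == "all":
            return {"-": "fail", "~": "softfail", "?": "neutral"}.get(term[0], "pass")
    return "neutral"

def build_copy(visitor_addr, complaint):
    """Return (envelope_sender, message) for the copy mailed back to the visitor."""
    _, addr = parseaddr(visitor_addr)
    # Reject CR/LF so the form field cannot inject extra headers.
    if "@" not in addr or any(c in visitor_addr for c in "\r\n"):
        raise ValueError("invalid visitor address")
    msg = EmailMessage()
    msg["From"] = SITE_SENDER  # the site's own domain, never the visitor's address
    msg["To"] = addr
    msg["Subject"] = "Copy of your feedback"
    msg.set_content(complaint)
    return SITE_SENDER, msg

if __name__ == "__main__":
    # What the form did: the visitor's address as sender, sent from the web server.
    print("spoofed sender:", spf_result("alice@visitor.example", WEB_SERVER_IP))
    sender, msg = build_copy("alice@visitor.example", "The form is broken.")
    print("own-domain sender:", spf_result(sender, WEB_SERVER_IP))
```

The returned envelope sender is what would be passed as `from_addr` to `smtplib.SMTP.send_message`, so the SPF check at the visitor's MTA is made against the site's own domain.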