My wife and I expected to find each other’s e-cards in our inboxes this morning, it being Valentine’s Day. (Yes, I know they’re not very romantic but they are inexpensive and environmentally sound. Besides, we’ve been married for quite some time!) However, we found personalised Non-Delivery Reports instead. It is a problem that I have come across with quite a few websites attempting to send e-mail on behalf of a customer. The sites fail to take account of something called Sender Policy Framework (SPF). SPF extends a domain's DNS information with a list of the computers that are allowed to send e-mail for that domain (see Wikipedia and the SPF web site). So, for our fairly small domain, we list our two servers plus the system that hosts our website. If you receive an e-mail from us and have some form of SPF checking, your e-mail server can look up our domain to check that the computer that sent the message is actually allowed to do so. And therein lies the rub.
The Hallmark.com website, amongst others, pretends that the customer is the sender of the message. However, a check of the SPF data for that customer will alert the receiving e-mail server that Hallmark is not actually a valid source of e-mail for that address. I raised this problem with Hallmark last year and they appeared very eager to fix it, but regrettably have not managed it as yet. So, instead of confirmations that our e-cards had been read, we each received a report that Hallmark.com is not a valid source of e-mail for our domain.
SPF is quite a useful tool for reducing spam, but only if it works. Unfortunately, it will not work if organisations sending e-mail on behalf of others completely ignore it. Certainly, Hallmark and other e-card vendors need to be sensitive to this since non-delivery can be a serious embarrassment. (I am hoping to still be married by the time you read this!) But news, social networking and similar sites need to deal with SPF intelligently.