Rapidweaver Contact Form Forging the FROM address?

No, that’s not it. Gmail looks for an SPF record on the server, and if there is none, or the IP address the form came from isn’t in that record, then the mail is treated as untrusted.

Regards SPF: this was one of the first replies: “The SPF DNS record for the account was not turned on. I’ve turned this on for you”… so???
But, no worries, I have just purchased your Mailto stack… I can’t put any more emotional effort into this (I do this for fun!! It is not a job - just helping out friends!!)
Thanks for all your input…
W

It certainly looked like that, as we were spoofing the from header. But now that’s been addressed, rule this out.

Well, if that’s now present and correct, rule that out also.
But the error message you described is the exact error message Gmail presents when there is a lack of a trusted SPF record.

So, who knows what is going on???

There were a few issues at the time:

  1. Lack of SPF record (this has been enabled)
  2. The FROM address set in the email was set to the email address that the user/visitor entered into the form

The issue with #2 was that the form would never pass the SPF validation as the server would never be listed as authorized to send on behalf of the Visitor’s email. In this case, ntlworld.com.

So what if the new “Compatibility Mode” option is unchecked?
Now unchecking the new option will use the form filler’s email address as the from header in the email, so it will not be seen as spam by some email hosts because of a cheated from address. With the obvious caveat that if you have one of the hosts that blocks emails being sent from an address other than one tied to the domain then it won’t work either.

This is not a PHP issue with the server. The email headers indicate that the FROM field is being set. It is, however, being set to an email address that is not associated with the server and, frankly, will never be. For instance, if a user filled in the form saying that their email was @gmail.com, then the FROM field would be set to @gmail.com, which will certainly fail SPF.

I would recommend any of the following:

  1. Don’t set the FROM field and let the system do it. This will end up being accountName@server.name.com.
  2. Allow the owner of the Stack to set the FROM field and allow them to specify an email address associated with the server
  3. Allow SMTP authentication and send from a local email address

In any case, the REPLY-TO is always set to the Visitor’s email address.

I hope that helps. If you have questions, let me know.

-Greg

It wasn’t. Until today’s added option setting, it has always been set to the owner’s email address (which we have always recommended be set to an email address associated with the server).

With today’s added optional setting the from header is filled with the form filler’s email address, which works fine in almost all email clients (clearly not Gmail anymore since they implemented the SPF check among other security measures), and presents much better in the received email, actually showing the from address being the person that submitted the form.

:man_shrugging: Maybe the code I sent was from a different Addon. It was set in the code I saw from a POST value

Maybe. But looking into the new security Gmail implemented lately, there’s a swathe of different measures they implemented, and much confusion about them. There may well / probably will be other things at play that are causing mail to be marked as spam at Gmail. I’ve definitely seen a marked rise in reports of it here.

Yes, I’m getting a lot of users emailing me, and the failure in the headers is the SPF failure.

I’m no authority on the finer details of this, but my gut says:

Unless the email envelope is specifically set to the owner’s email address with the 5th parameter of the mail function, then it is seen as a conflicting address and fails the SPF. But it seems impossible to set this parameter in an Addon used on shared servers, and Windows servers.
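
An added example (not the stack's code and not part of any post above) of the arrangement discussed in this thread: the From header and the envelope sender (the `-f` value in the 5th parameter of `mail()`) both use an owner address on the sending domain, while the visitor's address is validated and placed only in Reply-To. The addresses `forms@example.com` and `owner@example.com`, the function names and the sample submissions are assumptions, and as the last post notes, some hosts do not allow `-f` to be set.

```php
<?php
// Added example. Addresses and function names are assumptions, not from the stack.
const OWNER_FROM = 'forms@example.com'; // mailbox on the domain covered by the server's SPF record
const OWNER_TO   = 'owner@example.com'; // where form submissions are delivered

// Return a syntactically valid address, or null. CR/LF is rejected outright
// so a form value can never start a new header line.
function clean_address(string $raw): ?string
{
    $raw = trim($raw);
    if (preg_match('/[\r\n]/', $raw)) {
        return null;
    }
    $valid = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Build the arguments for mail(); returns null when the visitor address is unusable.
function build_form_mail(string $visitorEmail, string $visitorName, string $message): ?array
{
    $replyTo = clean_address($visitorEmail);
    if ($replyTo === null) {
        return null;
    }
    // Strip control characters and header-significant punctuation from the display name.
    $name = trim(preg_replace('/[\x00-\x1F\x7F"<>]+/', ' ', $visitorName));
    return [
        'to'      => OWNER_TO,
        'subject' => 'Contact form: ' . $name,
        'message' => $message,
        'headers' => [
            'From'     => OWNER_FROM, // header From stays on our own domain
            'Reply-To' => $replyTo,   // the visitor's address goes here only
        ],
        'params'  => '-f' . OWNER_FROM, // envelope sender (Return-Path), 5th parameter of mail()
    ];
}

// Constructed sample submissions: one normal, one with an embedded line break.
$samples = [
    ['visitor@example.net', 'Pat Visitor', 'Hello'],
    ["visitor@example.net\r\nX-Test: 1", 'Pat Visitor', 'Hello'],
];
foreach ($samples as [$email, $name, $msg]) {
    $m = build_form_mail($email, $name, $msg);
    if ($m === null) {
        echo "rejected: invalid visitor address\n";
        continue;
    }
    echo "From: {$m['headers']['From']} | Reply-To: {$m['headers']['Reply-To']} | {$m['params']}\n";
    // To send: mail($m['to'], $m['subject'], $m['message'], $m['headers'], $m['params']);
}
```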