Is there anyway I can implement user authentication, such as Sender-ID in php mail function? I like to have email send out from my mail server (from me to clients) as well as email send by users through my online form (to me) to be authenticated.
Hi zippee,
I just did some reading on Sender-ID so Im by far no expert, but heres what I've gathered so far.
Sender-ID is implemented through Sender Policy Framework (SPF). See:
http://new.openspf.org/Introduction. Its implemented on the Mail Transfer Agent (MTA) level. Where an MTA can check the SPF (DNS etries) for a domain to validate the senders domain in an email. If the domain is one of the allowed domains in the sending domains SPF then its authenticated.
This basically means your php script is out of reach of Sender-ID, since its implemented on the DNS level.
The only way PHP would play in is if you wrote your own email client, and wanted your client to authenticate sender domains by checking the SPF of the sender IP through the sender IPs DNS.
I believe the implementation of SPF would cause a few problems for some PHP (and other) scripts out there that send email on behalf of a user. (since the email is being sent by a domain not allowed by the SPF records).
The worst part is that your own mailserver could regect emails you generate for your clients if your MTA supports SPF, since you are not allowed to send the email for your client as far as the SPF entries on the clients DNS state.
Anyways.. to your question:
sending out your emails to your client, can only be authenticated with Sender-ID if your client's MTA implements SPF.
The only thing you can do is set the appropriate DNS entries for your SPF settings and hope your client's MTA supports SPF.
The emails sent from your client to you through your online form, what you could do is use an email address on your domain as the sender. Like:
online-form@mydomain.com
So if you have the correct SPF settings set up for your domain, your MTA should authenticate the email for you as originating from your domain.
The other thing you could do not relating to SPF is to tag each email sent from your domain with a unique ID and the users email and save that in a database or txt file. Then when retrieving your emails you could check to see if the email has the unique ID. This ID could be in the body of the email (say a confirmation link) or a custom mail header.. etc.
Kind of like when you confirm an email registering on your site by generating a unique id for the users email registered on your website.
Unsolved 
