3

Currently, I am working on a web application and wanted to let users send emails to others through a web form. So, they just should submit their email address and my web app would then send mails to others with their email in the FROM header.

Well, now I learned that this is not a good idea because those emails will most likely be rejected. However, I do not yet fully understand it.

Basically, there're two technologies that are widely used to prevent spam and spoofing: DKIM and SPF.

From what I have read so far, SPF checks the Envelope From header.

Now let's assume a user wants to send an email to others using my web application. So, the user wants to use bob@example.com as his sender address. Now, my web application will put this address to the FROM header and send the email using my own email server to the recipients. Because I'm using my own email server, the Envelope From header should be my own domain, i.e. mandy@thedomain.com.

As said before, SPF checks the Envelope From (MAIL_FROM) header, AFAIK. So the recipient's server will ask my DNS and check if the corresponding IP addresses are allowed to send mails as bob@example.com. That's possible, so the mail should not be rejected.

Summarizing, so far everything should work (if I understand it correctly). But now let's look into DKIM.

And here's what I do not understand. I know that using DKIM on my mail server will sign the email and the recipients will check using the public key that is pointed to in the DNS.

However, what do they look for? Do they look for the Envelope From header again only? Then it should work again, no? Because the email is signed using my private key and the recipients will also look for my public key in the DNS.

Or is DKIM looking for the FROM header? Then it would not work because I cannot sign the email with a private key found on the DNS for bob@example.com.

Unfortunately, I have not yet found exactly WHEN an email is rejected using DKIM. I hope someone can help me! Thanks a lot.

Aliquis
    Are you asking what spam filters look at, or are you asking what constitutes a DKIM pass? In the former case, your answer would need to be limited to specific spam filters (perhaps try to find what the vast majority uses, there is probably a top 3 that covers 80%) because otherwise anyone could answer the question for any hypothetical spam filter (way too broad). In the latter case, you should edit your question to actually ask that question. In its current form, I think the question is unclear and overly broad. – Luc Aug 31 '18 at 22:31
  • That said, you clearly researched the issue already! It's not a bad question, the phrasing just needs some narrowing down :) – Luc Aug 31 '18 at 22:37
  • Are you sure the emails are being rejected for DKIM reasons? Can you tell us which service providers are rejecting your emails? I could imagine that Gmail's spam filter is using a complex AI about which they don't publish the details. – Mike Ounsworth Aug 31 '18 at 22:38
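As an added illustration of the SPF part of the question (this is not the asker's code or any answerer's), the following minimal SPF evaluator runs against two constructed SPF records that stand in for DNS TXT lookups, so it needs no network. It evaluates the policy for the domain of the envelope sender (MAIL FROM, here mandy@thedomain.com) and, for contrast, shows what the result would be if the From: header domain (example.com) were evaluated instead. The IP addresses come from the RFC 5737 documentation ranges and are constructed; only the ip4/ip6/all mechanisms are modelled, so include:, a, mx and exists terms are reported as a permerror rather than resolved.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (no network access).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real servers.
FAKE_DNS_TXT = {
    "thedomain.com": "v=spf1 ip4:203.0.113.10 ip4:203.0.113.0/28 -all",
    "example.com": "v=spf1 ip4:198.51.100.5 ~all",
}


def lookup_spf(domain):
    """Return the SPF record for a domain from the constructed table, or None."""
    record = FAKE_DNS_TXT.get(domain.lower())
    if record and record.startswith("v=spf1"):
        return record
    return None


def evaluate_spf(domain, client_ip):
    """Evaluate a minimal SPF policy for (domain, client_ip).

    Supports the ip4:, ip6: and all mechanisms with the qualifiers + - ~ ?
    (pass, fail, softfail, neutral). Any other mechanism (include:, a, mx,
    exists:, redirect=) is not modelled here and yields 'permerror'.
    """
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return results[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
            if ip.version == net.version and ip in net:
                return results[qualifier]
            continue
        return "permerror"
    return "neutral"                         # no mechanism matched and no "all"


def domain_of(address):
    """Domain part of a plain user@domain address, lower-cased."""
    return address.rsplit("@", 1)[1].lower()


def spf_check(mail_from, client_ip):
    """SPF as receivers apply it: the policy of the MAIL FROM (envelope) domain."""
    return evaluate_spf(domain_of(mail_from), client_ip)


def compare_checks(mail_from, header_from, client_ip):
    """Contrast the domain SPF actually evaluates (MAIL FROM) with the From:
    header domain the recipient sees in their mail client."""
    return {
        "envelope_domain": domain_of(mail_from),
        "envelope_result": spf_check(mail_from, client_ip),
        "header_domain": domain_of(header_from),
        "header_domain_result": spf_check(header_from, client_ip),
    }


if __name__ == "__main__":
    # The app's server (constructed IP) sends with its own bounce address but
    # the user's address in From:, exactly the setup described in the question.
    print(compare_checks("mandy@thedomain.com", "bob@example.com", "203.0.113.10"))
```

The envelope check passes because thedomain.com lists the sending server; the same server evaluated against example.com's record gets a softfail. SPF itself never performs that second check, which is why SPF alone does not stop a From: header it does not cover, and why DMARC adds the alignment requirement between the From: domain and the SPF or DKIM domain.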

2 Answers

1

DKIM signs the From: header and optionally other headers. You can specify which headers in the DKIM header itself. The envelope From isn't signed. DKIM and SPF are both used as one means among many when evaluating if a message is spam/a joe job. Bear in mind that you are trying to do exactly what spammers do - send e-mail from an address that isn't yours so you are likely to get blocked by things designed to catch spammers.

William Hay
0

Do not forget about rejections by anti-spam filters.

You may try setting envelope-from and From: to your app email address and Reply-To: to your user's email address. It may be a better solution.

AnFi
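The following added example (written for this page, not code from either answerer) ties William Hay's point and AnFi's suggestion together. It parses the tag list of a DKIM-Signature header to show which headers the h= tag covers and which domain d= names, then reports whether the From: header domain aligns with the signing domain, which is what a DMARC-aware receiver checks. The DKIM-Signature value is constructed with placeholder bh= and b= values: the code only reads the tags and performs no cryptographic verification. The addresses bob@example.com and mandy@thedomain.com come from the question; app@thedomain.com and recipient@example.net are constructed, and the alignment test is a simplified form of DMARC relaxed alignment (same domain or a subdomain of d=).

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed DKIM-Signature header (RFC 6376 tag list). The bh= and b= values
# are placeholders because this example parses tags only; nothing is verified.
DKIM_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=thedomain.com; s=mail;"
    " h=from:to:subject:reply-to; bh=PLACEHOLDER_BODY_HASH; b=PLACEHOLDER_SIGNATURE"
)

ENVELOPE_FROM = "mandy@thedomain.com"   # the app's own bounce (MAIL FROM) address


def parse_dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs.
    Whitespace inside a value (folded headers) is removed, as RFC 6376 allows."""
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        name, _, val = item.partition("=")
        tags[name.strip()] = "".join(val.split())
    return tags


def domain_of(address):
    """Domain part of an RFC 5322 address, lower-cased; '' if there is none."""
    addr = parseaddr(address)[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def aligned(header_domain, signing_domain):
    """Simplified DMARC relaxed alignment: equal, or a subdomain of d=."""
    return header_domain == signing_domain or header_domain.endswith("." + signing_domain)


def analyze(msg, envelope_from):
    """Report what a DKIM/DMARC-aware receiver looks at for a signed message."""
    tags = parse_dkim_tags(msg["DKIM-Signature"])
    signed_headers = [h.lower() for h in tags.get("h", "").split(":") if h]
    from_domain = domain_of(msg["From"])
    signing_domain = tags.get("d", "").lower()
    return {
        "from_signed": "from" in signed_headers,   # RFC 6376 requires From: in h=
        "envelope_from_signed": False,             # MAIL FROM is never part of the signature
        "envelope_domain": domain_of(envelope_from),
        "from_domain": from_domain,
        "signing_domain": signing_domain,
        "aligned": aligned(from_domain, signing_domain),
        "reply_to_domain": domain_of(msg["Reply-To"]) if msg["Reply-To"] else "",
    }


def build_message(from_addr, reply_to=None):
    """Construct the message the web app would hand to its own mail server."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "recipient@example.net"
    msg["Subject"] = "Sent via the web app"
    if reply_to:
        msg["Reply-To"] = reply_to
    msg["DKIM-Signature"] = DKIM_HEADER
    msg.set_content("Hello from the web form.")
    return msg


def user_in_from():
    """The original plan: the user's address in From:, signed under the app's domain."""
    return analyze(build_message("bob@example.com"), ENVELOPE_FROM)


def app_in_from_reply_to_user():
    """AnFi's suggestion: app address in From:, the user's address in Reply-To:."""
    return analyze(build_message("app@thedomain.com", reply_to="bob@example.com"), ENVELOPE_FROM)


if __name__ == "__main__":
    print("user in From:     ", user_in_from())
    print("app in From:      ", app_in_from_reply_to_user())
```

In the first variant the From: header is signed (it must be), but it names example.com while the signature's d= names thedomain.com, so the signature says nothing about example.com and a DMARC check on example.com finds no aligned DKIM or SPF result. In the second variant From: and d= agree, the envelope domain agrees too, and the user's address survives in Reply-To:, which DMARC does not evaluate.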