We have a web application that is sort of like a CRM app. People can log in and manage their business with other folks. As part of that management, our application may send emails to the people being managed. The wrinkle here is that our customers like the "from" address of those emails to be their own. That way the recipient gets email from someone they know, not from a "do not reply" address at our own domain.

With many mail servers this isn't an issue, however there are a few that are bouncing those emails. Out of curiosity I had a test email sent to me and checked the headers. Here's what google apps added:

Received-SPF: softfail (google.com: best guess record for domain of transitioning client@clientdomain.com does not designate as permitted sender) client-ip=;
Authentication-Results: mx.google.com; spf=softfail (google.com: best guess record for domain of transitioning client@clientdomain.com does not designate as permitted sender) smtp.mail=client@clientdomain.com

(I replaced the real "from" address with client@clientdomain.com)

So, while the email was delivered to me, I can certainly see why other servers might reject it. Our app isn't ever going to resolve to clientdomain.com.

What are my options here?

1) I could suggest that all "from" addresses be set to the friendly name of the client but user our own "no reply" email address. Then I could get spf and all that wired up.

2) I could suggest that the client configures spf / reverse dns to match my server's IP (this seems like a horrible option...)

What else. What are the best practices for this sort of thing?

  • 3,434
  • 6
  • 41
  • 45

6 Answers6


The SPF/Domain keys all work on Envelope From addresses and not the From address in the email seen by recipient.

Therefore, you can simply use Envelope From as a valid email ID in your domain and leave the From as your client email ID.

That way SPF/Domain Keys will still pass.

As far as other best practices go check out this Email Server test.

  • The Email Server test link has been helpful so far. Do you have any suggested resources to learn more about "Envelope From" addresses? Is that a header value? – Chris_K Jan 08 '10 at 18:24
  • 1
    I don't think this is completely correct. Apparently "Unlike Sender Policy Framework (SPF) which authenticates a message at the **envelope level** using the Return-Path header, DKIM validates a message using the **From header**." ([Source here](http://greatmail.com/blog/email-hosting/sender-authentication-with-dkim-and-spf/)) – Simon East Aug 27 '14 at 05:32

One thing you could do, is set the sender's "name" as your client's name, and then set a Reply-To header to go to their e-mail address.

That way it looks like they are receiving an email from "Bob Johnson" they know, and when they click Reply, it will be addressed to bjohnson@clientcompany.com

Though I know companies like Paypal can have emails come from your actual e-mail address, I'm not sure if this is trickery with the headers, or that all e-mail providers "trust" paypal's email servers.

Brett Allen
  • 368
  • 3
  • 6
  • 20
  • That may be my temporary work-around until I get the rest of this sorted out. Thanks. – Chris_K Jan 08 '10 at 18:28
  • The more I experiment with things, the more I like this approach. I'll go with "Client Name" with the reply-to header. That seems to solve my main issues. – Chris_K Jan 11 '10 at 17:09

See http://www.openspf.org/Best_Practices/Webgenerated

egreetings.com does it this way:
Choose a general address in your domain (service@egreetings.com).
Change the "MAIL FROM" to that address.
Add a "Sender" header to show to recipient who sent the message. "Sender" is a standard field; see RFC 5322.

evite.com does it this way:
Choose a general address in your domain (info@evite.com).
Change the "MAIL FROM" to that address.
Change the "From" header to that address.
Add a "Reply-To" header that contains your user's e-mail address.

  • 121
  • 1

SPF and DomainKeys are intended to prevent just what you are doing -- sending mail using a from address you do not own.

I don't believe there is much you can do to get around it, as it is intended to not be gotten around.

You could give each user a local email address that just forwards to the appropriate gmail or other account, so replies work, and use that as the from address. It's more work on your part.

Also, you might be able to use a "resent from" header.

Michael Graff
  • 6,588
  • 1
  • 23
  • 36

As I understand it at least for SPF they need to add your mail server to the list of permitted servers.

Thats the whole point in that the owner of foo.com is saying you are an authorised email server for foo.com

You don't need to have a reverse DNS to their mail server but your mail server should HELO correctly and that reverse DNS should be correct. So it is acceptable to HELO as bar.com, have a reverse of bar.com and send mail for foo.com, so long as the SPF of foo.com permits bar.com as a relay.

  • 1,709
  • 3
  • 23
  • 37
  • my IIS SMTP server is HELO'ing as his "internal" name, not the external domain name. That appears to be causing some of the issue. – Chris_K Jan 08 '10 at 18:25
  • most sane anti-spam uses multiple checks and balances with certain factors attributed weights, if you fix enough anomalies you might be able to slip in but if the sending domain has an SPF record, you definitely want get your IP listed in it. – Antitribu Jan 08 '10 at 19:34

See http://blogs.crsw.com/mark/archive/2006/07/06/2032.aspx.

The content of "MAIL FROM" is Envelope From and this is used for SPF Checking. What the recipient sees is what is given AFTER DATA command.

They do not need to be the same.