
I have written a website that uses the PHP Pear Mail function to send a few email messages. Mainly to people who have lost their password and to me when somebody submits the "contact us" form.

My question is this: since I am sending the email from my own server's IP address to myself, do I use the client's email address in the From or Reply-To headers?

It would make sense to place it in the Reply-To header, because that is most definitely what I want to do.

However, many email clients seem to work best with the client's name and email info located in the "From:" headers.

Is it safe to "falsify" the From: headers in an email? Or am I even falsifying the sender?

I mean... technically... the client is sending the message, it's just originating from my server.

Sincerely, -somebody_who_knows_nothing_about_email_deployment_and_is_worried_about_having_his_IP_blacklisted

darkAsPitch
  • Where are these messages going? Who are the intended recipients of the initial message that goes out? – Mike B Jun 15 '12 at 00:13
  • I am the intended recipient. The messages are going to my main email inbox. I will then reply to customers from there. – darkAsPitch Jun 15 '12 at 13:37

2 Answers

In this case, you should be able to use either From or Reply-to. It may be best to put the client's address in Reply-to and use a no-reply address for your domain in the From header. If your web-server is not trusted by your email server, this may be required.

If you were allowing the client to send a message, as some sites do, put the client's address in Reply-to and use a no-reply address for your domain in the From header.

It is possible to use an address different from that in the From header as the envelope sender. This should be listed in a Sender header. However, I don't recommend it for this case. It is more applicable to personal business mail where someone is sending on behalf of someone else (and where the sender and from addresses are in the same domain).

There are cases which can cause problems if you put the client's email address in the From address.

  • The client's domain may have an SPF record which does not allow you to send email for their domain;
  • The client's domain may specify that all email from that domain is DKIM signed (currently not very likely to cause problems); and
  • If the email is sent to the client, the client's domain may not accept mail sent with an address in its domain(s) from untrusted (Internet) servers.

On my server the first and last cases apply. I am working on DKIM, but many DKIM signers don't publish their policy. All three rules are very effective against spam. Unfortunately, automated systems (including web servers) are often configured poorly and their email gets blocked or assigned to the spam folder.

BillThor
  • Ok well as for your concerns... I sent an email to myself as being from asdgagsdwteyrsgsagsa@gmail.com and it made it to my inbox with no problems. That email doesn't even exist, and I did not spoof any SPF or DKIM records... so how did that email make it through? – darkAsPitch Jun 15 '12 at 13:37
  • Reply-to addresses are usually not checked. Normal checks are on the envelope addresses. If you use a Reply-to address, it is your responsibility to ensure it is good. – BillThor Jun 17 '12 at 18:04
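The header layout the answer above recommends (your own no-reply address in From, the client only in Reply-To, and an envelope sender on your own domain), written out for the PHP PEAR Mail setup the question describes. This is an added example, not code from the question, the answers or the PEAR project. It assumes PEAR Mail is installed with a local MTA on 127.0.0.1:25, that `example.com` is the site's domain and `owner@example.com` its inbox, and the helper names (`safe_address`, `quote_name`, `contact_form_headers`, `send_contact_form`) are hypothetical. It also covers a point the answer does not spell out: a form field that ends up in a header must be validated, because a CR/LF in the client's name or address lets the client append headers of their own.

```php
<?php
// Added example, not from the original question or answers.
// Assumes PEAR Mail is installed (Mail.php on the include path), an MTA
// listening on 127.0.0.1:25, and that example.com is the site's own domain.
require_once 'Mail.php';

// Hypothetical site settings.
define('SITE_DOMAIN', 'example.com');
define('SITE_INBOX',  'owner@example.com');   // where contact-form mail lands

/**
 * Reduce an untrusted, form-supplied address to one valid mailbox, or return
 * null. Anything containing CR, LF or NUL would let the client inject extra
 * headers (or extra recipients) into the message, so it is rejected outright
 * rather than "cleaned".
 */
function safe_address($raw)
{
    $raw = trim((string) $raw);
    if ($raw === '' || preg_match('/[\r\n\x00]/', $raw)) {
        return null;
    }
    return filter_var($raw, FILTER_VALIDATE_EMAIL) === false ? null : $raw;
}

/** Display name as an RFC 5322 quoted-string, with control characters removed. */
function quote_name($raw)
{
    $name = preg_replace('/[\x00-\x1f\x7f]/', '', (string) $raw);
    return '"' . addcslashes(trim($name), "\\\"") . '"';
}

/**
 * Header set for the contact-us case: From stays on our own domain (so SPF,
 * DKIM and DMARC checks run against us, not the client's domain), the
 * client's address appears only in Reply-To, and the bounce address is ours.
 */
function contact_form_headers($clientName, $clientEmail, $subject)
{
    $client = safe_address($clientEmail);
    if ($client === null) {
        throw new InvalidArgumentException('invalid client address');
    }
    // A subject is a single header line; fold any line breaks away.
    $subject = preg_replace('/[\r\n]+/', ' ', (string) $subject);

    return array(
        'From'         => quote_name('Website contact form') . ' <no-reply@' . SITE_DOMAIN . '>',
        'To'           => SITE_INBOX,
        'Reply-To'     => quote_name($clientName) . ' <' . $client . '>',
        // Mail_smtp uses Return-Path, when present, as the SMTP MAIL FROM
        // (envelope sender) instead of the From header.
        'Return-Path'  => 'bounces@' . SITE_DOMAIN,
        'Subject'      => $subject,
        'Date'         => date('r'),
        'MIME-Version' => '1.0',
        'Content-Type' => 'text/plain; charset=UTF-8',
    );
}

/** Send the form contents to the site inbox; returns true on success. */
function send_contact_form($clientName, $clientEmail, $subject, $message)
{
    $headers = contact_form_headers($clientName, $clientEmail, $subject);
    $mailer  = Mail::factory('smtp', array(
        'host' => '127.0.0.1',
        'port' => 25,
        'auth' => false,
    ));
    $result = $mailer->send($headers['To'], $headers, $message);
    if (PEAR::isError($result)) {
        error_log('contact form mail failed: ' . $result->getMessage());
        return false;
    }
    return true;
}

// Constructed sample input, as a hostile form submission might supply it:
// the name field tries to smuggle a Bcc header; the address itself is valid.
print_r(contact_form_headers(
    "Alice\r\nBcc: spamtarget@example.net",
    'alice@example.org',
    'Question about my order'
));
```

With the sample input, the line break in the name is stripped and the remainder is kept inside one quoted-string, so the Reply-To header carries a strange display name but no second header is created. Replying from the inbox goes to the client's address via Reply-To, while every check a receiving server makes (envelope sender, From domain, any SPF or DMARC policy) is evaluated against `example.com`, which the site controls. If the site uses the `mail` backend instead of `smtp`, Return-Path is not used for the envelope and the MTA's own configuration decides the bounce address.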

It's perfectly safe to just use the From header. It wouldn't be considered falsification.

bahamat
  • How do spam filters deal with this, especially with regards to reverse lookups? – Hyppy Jun 14 '12 at 23:49
  • It really depends on the filter. The only way to know for sure is to send messages through exactly as you expect that they will appear and see how they score it. If it scores too high try adjusting it. – bahamat Jun 15 '12 at 00:08
  • the question is more regarding a server other than, say, hotmail.com sending mail and claiming that it's coming from hotmail.com. – Hyppy Jun 15 '12 at 00:36
  • @Hyppy: I am only sending it to myself, so obviously I will not mark my own messages as spam. – darkAsPitch Jun 15 '12 at 13:34
  • This answer is not correct anymore. Major companies are switching to a DMARC "reject" policy, which means email sent on behalf of their users (not originating at their servers) is rejected by email providers that follow DMARC rules. For example, Yahoo did this in April 2014. Here's a quick example of companies that rely on DMARC rules: Amazon, AOL, Apple, Comcast, Facebook, Fidelity, Google, Groupon, JPMorgan Chase, Microsoft, PayPal, Twitter, Yahoo... – Wick Feb 18 '15 at 15:37