31

I've got an application that emails users once they have filled in a form. It uses a no-reply@customerdomain.com as a from address. The customer wants it to use the email from the form as the from address which could be anything. I have been told that this is a bad idea due to spoofing/blacklisting and spam.

I feel really vague about the exact reason why this is a bad idea, particularly as I've got to try to counsel the client out of this. Can someone explain to me why this is a bad idea?

Interestingly the client has used a gmail account as the from address as a demo which not only works fine but has enabled the application to start sending emails (it wouldn't do it before with an email which was no-reply@customerdomain.com). Erm - what is going on. I'm told one thing and the opposite works.

Sorry - I know this is basic but I couldn't find anything on a Google search. Largely I think because I'm having trouble even framing the question.

EDIT

Thank you everyone - great answers. Interestingly the server sending the email and the mail box that it is going to are both behind the same firewall so the client says they are unconcerned about spam. Oh well.

Crab Bucket
  • "Interestingly the server sending the email and the mail box that it is going to are both behind the same firewall so the client says they are unconcerned about spam." That's fine as long as the application is also behind the same firewall and not reachable by the rest of the internet. Hopefully this mail box inside the firewall is also not available from the internet -- it sounds like an open relay! – afrazier Jun 11 '13 at 17:35
  • I agree with the other replies. As a user (not a website administrator), I would be puzzled, concerned and irritated if I received an email from myself when I hadn't sent it. In the past, I have sent such emails to spam without reading them and will probably continue to do so. – Paddy Landau Jun 12 '13 at 15:09

7 Answers

49

Actually, you're allowed to set the From address to your customer's email, as long as you correctly set the Sender field to your own address. This is what Paypal used to do!

```
FROM:   customer@yourCustomer.com
TO:     recipient@recipient.com
SENDER: you@yourCompany.com
```

Most email clients will render this as "From you@yourCompany.com On Behalf Of customer@yourCustomer.com". There shouldn't be any issues with SPF or DKIM on the customer's domain.


You should also probably set the Reply-to header to your customer's address, so replies go to the customer's address rather than yours.

BlueRaja
  • 1
    +1 for mentioning Reply-to – Bobson Jun 11 '13 at 18:40
  • I think I have seen this outlined in a RFC - can you reference it? – Nils Jun 11 '13 at 21:10
  • 3
    @Nils: [RFC 2822](http://www.ietf.org/rfc/rfc2822.txt) §3.6.2 "Originator fields" *"The "From:" field specifies the author(s) of the message, that is, the mailbox(es) of the person(s) or system(s) responsible for the writing of the message. The "Sender:" field specifies the mailbox of the agent responsible for the actual transmission of the message."* – BlueRaja Jun 11 '13 at 21:15
  • 1
    *(cont.)* So, note that if the user did not actually write the message *(OP is unclear on this point)*, this will not technically be RFC-compliant, and only `Reply-To` should be used. But even in that case, Paypal and other large companies do it anyways, so it's highly unlikely to trigger any spam filters. Whether this is *"a breach of the user's trust"* depends on the actual message/application *(eg. I don't feel that Paypal is abusing my trust when it sends a "BlueRaja has sent you a payment!" message on my behalf)* – BlueRaja Jun 11 '13 at 21:24
  • 1
    @Nils: Whoops, apparently that should be [RFC 6854](http://tools.ietf.org/html/rfc6854), which is an update to [RFC 5322](http://tools.ietf.org/html/rfc5322), which is in turn the updated version of RFC 2822. The [relevant passage](http://tools.ietf.org/html/rfc6854#section-2.1) hasn't changed, though. – BlueRaja Jun 12 '13 at 21:03
  • 3
    PayPal no longer does this, precisely because it was such bad practice. Their current emails come from `member@paypal.com`, with the user's email address in the `Reply-To` header. – Michael Hampton Jun 26 '13 at 21:04
  • This seems contentious, as this answer has just 3 more upvotes than another with the opposite response, the accepted one. Are there any updates on what is good practice in the year 2016? – Brian Peterson May 19 '16 at 18:26
  • @BlueRaja. There are a lot of clarifications and links in the comments on this answer. Would it be possible to [edit] them into the text of the answer itself, to make it all a self-contained thing, easier to read? – TRiG Jun 17 '16 at 09:03
47

It is bad practice for several reasons:

  • You are NOT allowed to send a mail from a domain you do not own. As such, it could be conceived as an attempt at impersonation.
  • It's a common enough practice used by spammers and, as such, is frequently tagged by spam filters.
  • It is pretty common for well-maintained domains to use SPF or DKIM to protect their reputation and help other systems identify impersonation and spam. You obviously will not be able to add the DKIM mail header or add your SMTP server into the domain's SPF DNS record and so your mail will be (rightly) considered as forged and rejected.

The proper practice is to use your local domain as sender, possibly using a non-existing address as user name.

Stephane
  • 3
    Great answer. Shamelessly copied some of your text for the client email. Thank you – Crab Bucket Jun 11 '13 at 15:56
  • No problem. Feel free to copy as much as you like. This is public domain :) – Stephane Jun 11 '13 at 15:58
  • Great answer. Some Hosting service providers prevent sending emails from a hosted php site or app if the From address is not from an owned domain. – Yves Jun 11 '13 at 16:12
  • 3
    Wouldn't using a `Sender:` address get around these problems? That's what Gmail does when it's configured to send e-mail from another account. – TRiG Jun 11 '13 at 17:45
  • @TRiG is correct, this answer is incorrect; it's not "bad practice" to set the `From` address to the customer's address, it's actually very common. [See my answer](http://serverfault.com/a/515054/41533). – BlueRaja Jun 11 '13 at 18:22
  • 1
    It's not an attempt; it's impersonation, period. The customer revealed their e-mail address in good faith, and it was immediately used to perpetrate a forgery. – Kaz Jun 11 '13 at 18:34
  • 3
    Why is that not allowed? Do you have any reference to a RFC or international law? – Nils Jun 11 '13 at 21:09
  • 2
    @Kaz: I disagree. It's e-mailing the user, using the user's own address as the "From" address. There is no risk of misunderstanding, hence no "impersonation" or "forgery". – ruakh Jun 11 '13 at 22:28
  • @ruakh It is quite misleading. The user gets an e-mail out of the blue, apparently from himself or herself. That site has no right to be generating e-mails using your user@domain, period. Not to yourself, or anyone else. – Kaz Jun 11 '13 at 23:19
  • 3
    @Nils Here is one. RFC 1855 (Netiquette). "Forgeries and spoofing are not approved behavior." Although, that is in a section about mailing lists and news. – Kaz Jun 11 '13 at 23:20
  • 3
    @Kaz see RFC 2822 from BlueRaja - that is the correct reference. It is allowed, if you set the SENDER to the real originating domain. – Nils Jun 12 '13 at 11:09
12

TL;DR:

It's a bad practice to use the email address from the form. Instead, use an email address that is specifically used for this mailing list only.

Long version:

First, there are actually two email addresses used. One is the envelope sender, the other one is the one shown on the From:-line in the email.

The envelope sender is the one used by email servers to issue non-delivery notices. If you're running a mailing list, that address will usually be to a script that can clear out non-working addresses from the mailing list.

The From: address is the one that will be used when the recipient of the mail clicks on Reply. In this case it should point to someone that can actually answer any question the recipient may reply with (or at least forward to someone who can).

If you use the recipient's own email address as the envelope sender, you may expect that some/many mail servers will reject the mail or tag it as likely being spam - because people don't often send mails to themselves from their own address via an outside server.

If you use the recipient's own email address as the From:-sender, the user will not be able to respond to the messages if they should need to. Putting a link somewhere in the body of the mail message isn't enough; people will still use the Reply-button in their email client and be upset when it doesn't work.

Jenny D
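The header layouts discussed in the answers above (own-domain `From:` with the form address in `Reply-To:`, the `From:`/`Sender:` variant, and the separate envelope sender), as an added example that is not code from any of the posters. The domain, mailbox names and function names are assumptions made for illustration; the form value is treated as untrusted input and validated before it goes anywhere near a header.

```python
import re
from email.message import EmailMessage

# Assumed names for illustration; none of these come from the thread.
OWN_DOMAIN = "customerdomain.example"
APP_FROM = f"forms@{OWN_DOMAIN}"        # real mailbox that accepts replies
BOUNCE_ADDR = f"bounces@{OWN_DOMAIN}"   # envelope sender (SMTP MAIL FROM)

# Deliberately conservative addr-spec pattern for untrusted form input.
_ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

def clean_address(raw):
    """Return a bare address, or None if the form value is unusable.

    fullmatch() rejects embedded CR/LF, so a value cannot smuggle headers.
    """
    value = raw.strip()
    return value if _ADDR.fullmatch(value) else None

def build_notification(form_email, recipient, body, on_behalf=False):
    """Build the message and return (msg, envelope_from)."""
    user = clean_address(form_email)
    if user is None:
        raise ValueError("unusable e-mail address in form input")
    msg = EmailMessage()
    if on_behalf:
        # Variant from the first answer: author in From, our agent in Sender.
        msg["From"] = user
        msg["Sender"] = APP_FROM
    else:
        msg["From"] = APP_FROM
    msg["Reply-To"] = user   # replies reach the person who filled in the form
    msg["To"] = recipient
    msg["Subject"] = "Form submission"
    msg.set_content(body)
    return msg, BOUNCE_ADDR

def from_domain_is_ours(msg):
    """True if the From: domain is one we can publish SPF/DKIM for."""
    return msg["From"].addresses[0].domain == OWN_DOMAIN

if __name__ == "__main__":
    msg, env = build_notification("alice@example.org", f"sales@{OWN_DOMAIN}", "Hello")
    print(msg)
    # To send: smtplib.SMTP(host).send_message(msg, from_addr=env)
```

Passing `from_addr` to `send_message` is what sets the envelope sender independently of the `From:` header, so bounces go to the bounce mailbox while replies follow `Reply-To:`.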
9

You've got some great answers talking about the technical issues here. In terms of selling this to your customer it may be helpful to rephrase the question slightly. The customer is probably asking you a variation of "will it work", to which the answer is "yes, you can send email like that".

A better question for them to be considering is "will it 'arrive', will our customers see it if it's sent that way". The answer, with most modern spam filters, is "no, probably not".

Rob Moir
4

There are two issues that I can think of, the largest issue is that you will be sending out email which could very possibly be undeliverable, and obviously the return address will also be so which will mean a lot of emails sitting and waiting to time out. The smaller issue might be that some of those emails end up in spam, as the servers are looking for email from certain domains to come from certain machines (per DKIM rules).

I would create the no-reply@customerdomain.com address, and decide what to do with the email later.

NickW
2

Spoofing the user's own address as the From: is a poor idea. It is a good way to ensure that the mail never reaches the user, since anti-spam filters may regard it as a forgery (which it de facto is!)

It's quite reasonable and common for the SMTP server for "thisdomain" to reject a "MAIL From: user@thisdomain" request which comes from a TCP connection which is outside of "thisdomain". (Allowing such a request from local hosts allows the user within the "thisdomain" network to mail each other.)

Actually, the noreply@customerdomain.com is a poor idea also:

Here is a configuration snippet from my SMTP server (Exim software), which configures it to bounce messages from noreply senders:

```
deny
  message = Sorry, we do not accept SMTP traffic from "noreply" senders. \
            We believe that it is less than polite to send messages from \
            nonexistent e-mail addresses \
            which cannot be replied to! E-mail is a "two-way street". \
            If you want us to accept \
            your mail, then please accept replies.
  senders = ^noreply@.*
```

E-mails should only be sent by real senders that can accept replies.

Why should I listen to anything you say if your ears are plugged against anything I say?

Some people will reply to these e-mails anyway and they should be routed to the appropriate customer support account.

Kaz
  • Thanks for the answer. Very interesting about the no reply. If the noreply email did actually exist though and it just went into a mailbox that was periodically emptied would that be better? The noreply mail makes sense to me as a user since when I see them I know that no one is listening. But then when an email doesn't want a reply then it is direct marketing at best and spam at worst. I think I've talked myself out of the no reply there – Crab Bucket Jun 12 '13 at 08:07
  • Old thread but... I can't stop myself from thinking: Blocking email from senders named "noreply" seems pointless at best. Anyone who wants to send abusive email will just use another non-existing sender email. If the email in question really IS "read only", what could be wrong with making that as obvious as possible? "Here is the weather forecast you ordered: It will be sunny tomorrow. Do not reply to this email, we send six million of them every day and there is no way we could process the various types of replies that they inevitably generate." – Culme Feb 11 '16 at 13:33
-1

The client may be unconcerned about spam, but the overriding issue here is that it is ethically wrong to use the customer's domain, as cited by all the other answers here.

  • This isn't really an ethical issue of any sort. You're the only one to mention ethics rather than realistic issues. – ceejayoz Jun 12 '13 at 18:43