-2

Currently, I am working on a web application and wanted to create a web form to let users write emails through it. So, they would have to set their email address and the message and after clicking "Submit" my web application would send the email to recipients using their email address in the FROM header. The sending process is, of course, done using my own SMTP service because I do not have access to the email servers from my website visitors.

Now, I heard that this is probably a bad idea because those emails will most likely be rejected by the servers of the recipients. However, I do not yet fully understand why that is and how this process works. I've learned that the two most used anti-spam and -spoofing technologies used today for email is DKIM and SPF.

So, I'd like to understand why exactly the emails will be rejected and how DKIM/SPF will help here.

So, let's start with SPF:

As far as I understand, the server of the recipient will check the IP addresses that are allowed to send mails using the domain in the MAIL_FROM header and the DNS system. Now, with my example above, when I send emails in the web application with the FROM header set to e.g. bob@example.com (that's the address my website visitor set) this should (?) not affect the MAIL_FROM header. Because the email will be sent through my email service, the MAIL_FROM header will contain my domain and as far as I understand, it should be possible to send the mail and passing SPF.

The other anti-spam technology is DKIM:

It will sign the email and the recipient server will look in the DNS to find the right public key to verify the signature. Here, I am not sure how that's done exactly. I know that the FROM header will be part of the signature, but how does the recipient server check DKIM? Is it looking again at the DNS from the MAIL_FROM header? If yes, I could also pass DKIM with my example above, is that right? Or do have the domain in MAIL_FROM and FROM be identical? I'm kind of lost.

So after all I understand now, both DKIM and SPF should not be a problem for my web application. Why, though, is it sill said to be a bad idea and emails will most likely be rejected? Or did not I understand DKIM properly?

My overall question: How exactly will the recipient server determine if the email is rejected?

Aliquis
  • 97
  • 1
  • 2
    In fact no one is obliged to receive incoming messages from you. Your message can be legally rejected/blackholed without any reason at all. Receiving side can implement any rejecting policy they want. There is no solutions or technics that guarantee acceptance of the message. – Kondybas Sep 01 '18 at 08:18

1 Answers1

1

There's no way you can be sure. You can only guess unless the MX admin tells you what's wrong.

Message rejection can be based on any information found inside the message, from the transmission or from anywhere on the Internet, including:

  • MTA IP address/subnet
  • MTA rDNS and FCrDNS
  • MTA FQDN from rDNS or HELO
  • DNSBL listing of the MTA
  • other information on the MTA FQDN or sender domain available on the Internet
  • history of previous connections and failures
  • MAIL FROM address or domain
  • header FROM address or domain
  • authorization methods like SPF, DKIM, DMARC
  • key words or sequences in the mail subject or body
  • heuristic scoring of the mail body and headers

Setting up an active MX/MTA should not be done light-hearted. Due to substantial and continuous spamming there are many practices that you need to obey or you'll earn rejections or end up on the spam heap. The easiest way is to use your ISP's server as smarthost - you'll need to check their policies first.

Additionally, you can't use "alien" sender domains from your system unless you've been authorized to do so. Forging sender addresses puts you in the malicious spammer corner right away. Also, you cannot simply trust anything your users submit on registration or at any other time. If you don't verify the email address your service will be getting abused after only a few hours.

Zac67
  • 8,639
  • 2
  • 10
  • 28