Currently, I am working on a web application and wanted to create a web form to let users write emails through it. So, they would have to set their email address and the message and after clicking "Submit" my web application would send the email to recipients using their email address in the FROM header. The sending process is, of course, done using my own SMTP service because I do not have access to the email servers from my website visitors.
Now, I heard that this is probably a bad idea because those emails will most likely be rejected by the servers of the recipients. However, I do not yet fully understand why that is and how this process works. I've learned that the two most used anti-spam and anti-spoofing technologies used today for email are DKIM and SPF.
So, I'd like to understand why exactly the emails will be rejected and how DKIM/SPF will help here.
So, let's start with SPF:
As far as I understand, the server of the recipient will check the IP addresses that are allowed to send mails using the domain in the MAIL_FROM header and the DNS system. Now, with my example above, when I send emails in the web application with the FROM header set to e.g. bob@example.com (that's the address my website visitor set) this should (?) not affect the MAIL_FROM header. Because the email will be sent through my email service, the MAIL_FROM header will contain my domain and as far as I understand, it should be possible to send the mail and pass SPF.
The other anti-spam technology is DKIM:
It will sign the email and the recipient server will look in the DNS to find the right public key to verify the signature. Here, I am not sure how that's done exactly. I know that the FROM header will be part of the signature, but how does the recipient server check DKIM? Is it looking again at the DNS from the MAIL_FROM header? If yes, I could also pass DKIM with my example above, is that right? Or do the domains in MAIL_FROM and FROM have to be identical? I'm kind of lost.
So after all I understand now, both DKIM and SPF should not be a problem for my web application. Why, though, is it still said to be a bad idea and that emails will most likely be rejected? Or did I not understand DKIM properly?
My overall question: How exactly will the recipient server determine if the email is rejected?
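As an added illustration (not part of the question above, and not anyone's production code), the script below works through the scenario described: it parses a constructed DKIM-Signature header to show that the DKIM verifier fetches its key from the DNS name built from the signature's own d= and s= tags, not from MAIL_FROM, and then compares the three identifiers involved (MAIL_FROM domain, DKIM d= domain, visible FROM domain). That FROM-domain comparison is the alignment check DMARC adds on top of SPF and DKIM, which is what causes rejections even when SPF and DKIM themselves pass; "webapp.example" and the selector "mail2024" are constructed placeholders.

```python
import re

# Constructed sample, following the question's scenario: the visitor supplied
# bob@example.com as the From address, but the message leaves the site's own
# SMTP service, so MAIL FROM and the DKIM signing domain belong to the site.
SAMPLE_MAIL_FROM = "bounces@webapp.example"  # placeholder domain
SAMPLE_HEADERS = {
    "From": "Bob <bob@example.com>",
    "DKIM-Signature": ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=webapp.example; "
                       "s=mail2024; h=from:to:subject:date; bh=...; b=..."),
}

def address_domain(addr):
    """Return the lower-cased domain of 'Name <user@host>' or 'user@host'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", addr.strip())
    if not m:
        raise ValueError(f"no domain in address: {addr!r}")
    return m.group(1).lower()

def parse_dkim_tags(header):
    """Split a DKIM-Signature header into its tag=value pairs (RFC 6376 tag list)."""
    tags = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags

def dkim_dns_name(tags):
    """The TXT record a verifier fetches: <selector>._domainkey.<d= domain>.
    It is derived from the signature itself, not from MAIL FROM or From."""
    return f"{tags['s']}._domainkey.{tags['d'].lower()}"

def organizational_domain(domain):
    # Simplified to the last two labels; real verifiers use the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def alignment_report(mail_from, headers):
    """Compare what SPF authenticates (MAIL FROM domain) and what DKIM
    authenticates (d= domain) with the visible From domain. DMARC needs at
    least one of them to align with From; in the sample scenario neither does."""
    from_dom = address_domain(headers["From"])
    spf_dom = address_domain(mail_from)
    dkim_dom = parse_dkim_tags(headers["DKIM-Signature"])["d"].lower()
    spf_aligned = organizational_domain(spf_dom) == organizational_domain(from_dom)
    dkim_aligned = organizational_domain(dkim_dom) == organizational_domain(from_dom)
    return {"from": from_dom, "spf_domain": spf_dom, "dkim_domain": dkim_dom,
            "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc_pass": spf_aligned or dkim_aligned}
```

Running `alignment_report(SAMPLE_MAIL_FROM, SAMPLE_HEADERS)` shows SPF and DKIM can both succeed for the site's own domain while neither identifier matches example.com in the From header, which is the mismatch a receiver enforcing the From domain's DMARC policy acts on.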