What is the proper way to set SMTP headers for emails sent as someone else?

2

1

Some applications require that system-generated emails be sent as someone else, or said more accurately, they call for the appearance of being sent from someone else.

What is the proper/acceptable way to construct the email headers to achieve this?

To serve as fodder for the question I have included below headers for two emails I received:

  1. An email sent via Gmail, sent using an alternate From address that was configured in addition to the main Gmail email address.
  2. A bogus email with forged headers, surreptitiously sent as someone other than the actual person.

Email 1:

In this example, RealGmailAccount@gmail.com is the email address of the actual sender and AlternateEmail@example.com is the alternate email address configured in Gmail and used to send the email below.

Return-Path: <RealGmailAccount@gmail.com>
X-Orig-To: me@example.com
Received: from [209.85.216.45] ([209.85.216.45:57830] helo=mail-qa0-f45.google.com)     by smtp13.gate.ord1c.rsapps.net (envelope-from <RealGmailAccount@gmail.com>)
Received: by mail-qa0-f45.google.com with SMTP id cm18so1356657qab.18 for <me@example.com>; Wed, 23 Apr 2014 13:32:45 -0700 (PDT)
Sender: <RealGmailAccount@gmail.com>
Subject: Test Message
From: Real User's Name <AlternateEmail@example.com>

Depending on the receiving user's email client the email may be displayed with something like: RealGmailAccount@gmail.com; on behalf of; Real User's Name <AlternateEmail@example.com>

Email 2:

In this example, RealUsersEmailAddress@example.com is the email address of the person this fake email is being sent as.

Return-Path: <RealUsersEmailAddress@example.com>
X-Orig-To: me@example.com
Received: from [190.114.206.6] ([190.114.206.6:49144] helo=mail) by smtp55.gate.dfw1a.rsapps.net (envelope-from <RealUsersEmailAddress@example.com>) 
Subject: Test message 2
From: Real User's Name <RealUsersEmailAddress@example.com>

Emails like this show up normally in email clients.

Is the Gmail example the proper way to do the headers?

Howiecamp

Posted 2014-04-29T16:03:55.473

Reputation: 1 438

@Barmar - If you put your initial comment as an answer I will mark it as accepted. – Howiecamp – 2015-01-25T22:49:56.400

Gmail is correct, see section 3.6.2 of RFC 5322. But the second one is OK if the server can't determine the sender's actual email address. – Barmar – 2014-04-29T16:29:35.147

@Barmar - Can you please elaborate on the "...if the server can't determine the sender's actual email address." part? – Howiecamp – 2014-04-29T19:29:31.030

If the SMTP server doesn't require user authentication, it doesn't know the client's actual address. – Barmar – 2014-04-29T19:35:10.763

Will the adoption of DMARC http://www.dmarc.org/ make these types of emails difficult to deliver? – Howiecamp – 2014-05-16T19:06:22.770

DMARC is based on SPF, and it checks the Return-Path address, not the other addresses. – Barmar – 2014-05-16T19:19:16.337

Answers

3

Section 3.6.2 of RFC 5322 explains how the originator headers should be filled in. When the sender wants to impersonate someone else (e.g. an assistant sending mail on behalf of their boss), the address they're impersonating goes in the From header, while their real address goes in the Sender header. This assumes that the Mail Submission Agent can determine the sender's real address, e.g. it requires user authentication.

Barmar

Posted 2014-04-29T16:03:55.473

Reputation: 1 913
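The From/Sender layout described in the answer above, as an added example that is not part of the original question or answer. It composes a message the RFC 5322 section 3.6.2 way and then summarizes the originator headers of the two emails from the question. The function names and the `submitter` parameter (assumed to be the address the submission server authenticated) are illustrative.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

def build_on_behalf_of(submitter, author_name, author_addr, to_addr, subject, body):
    """Compose per RFC 5322 section 3.6.2: From is the author, Sender is the
    account that actually submitted. `submitter` is assumed to be the address
    the submission server authenticated."""
    msg = EmailMessage()
    msg["From"] = formataddr((author_name, author_addr))
    if submitter.lower() != author_addr.lower():
        msg["Sender"] = submitter  # omitted when author and transmitter are the same
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(body)
    return msg

def originator_summary(raw_headers):
    """Report how the From, Sender and Return-Path headers relate to each other."""
    msg = message_from_string(raw_headers)
    addr = lambda name: parseaddr(msg.get(name, ""))[1].lower()
    author, sender, bounce = addr("From"), addr("Sender"), addr("Return-Path")
    return {
        "from": author,
        "sender": sender or None,
        # A Sender that differs from From discloses who really transmitted.
        "kind": "on-behalf-of" if sender and sender != author else "single-originator",
        # Headers alone cannot prove this claim; a forged message can be self-consistent.
        "return_path_matches_from": bounce == author,
    }

# Headers taken from the two emails in the question (Received lines left out).
EMAIL_1 = """Return-Path: <RealGmailAccount@gmail.com>
Sender: <RealGmailAccount@gmail.com>
Subject: Test Message
From: Real User's Name <AlternateEmail@example.com>

"""
EMAIL_2 = """Return-Path: <RealUsersEmailAddress@example.com>
Subject: Test message 2
From: Real User's Name <RealUsersEmailAddress@example.com>

"""

if __name__ == "__main__":
    for raw in (EMAIL_1, EMAIL_2):
        print(originator_summary(raw))
```

Email 2 comes out as `single-originator` with a matching Return-Path, so the headers by themselves do not distinguish it from a message the named person really sent.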