1

I want to let users share information on my site by sending an email to a friend. Before I go too far I want to make sure I won't get blacklisted for doing something incorrectly.

If my domain is example.com can I set the mail FROM header to the email address supplied by the user?

For example, I want to share a page at example.com with my friend Bob. Bob's email address is bob@domain.com and my email address is me@anotherdomain.com. When example.com sends an email to Bob (bob@domain.com) it will set FROM to my email (me@anotherdomain.com).

Is this an issue since the email is being sent from example.com but the FROM header contains a domain other than itself?

The following would be sending from example.com

$to = 'bob@domain.com';
$subject = 'Some subject';
$msg = 'Some message';
$headers = 'From: me@anotherdomain.com <me@anotherdomain.com>' . "\r\n";

mail( $to, $subject, $msg, $headers );

Or do I need to do something like the following?

$headers = 'From: me@anotherdomain.com <share@example.com>' . "\r\n";

Any and all help will be greatly appreciated.

hungerstar

4 Answers

1

What you write in the From header isn't that relevant. The important thing is that you use an envelope sender address from your domain. This is checked against SPF, for example. If you want the recipient to be able to reply to me@anotherdomain.com you need to add a Reply-To header as well.

Gryphius
  • Is this envelope sender address an additional header that is generated if to explicitly set? Or is it set by the mail application? – hungerstar Jun 18 '11 at 21:25
  • The envelope sender is specified within the SMTP protocol. If you use the PHP mail function it is done automatically and usually looks like 'nobody@yourserver.com' or 'www-data@yourserver.com', but can usually be overridden by using the 'additional_parameters' -f option in mail(): mail( $to, $subject, $msg, $headers,"-f info@yoursitename.com" ); – Gryphius Jun 18 '11 at 21:32
  • Thank you for a quick and clean explanation! – hungerstar Jun 18 '11 at 21:36
1

There are multiple email headers that give some indication of who "sent" an email and who to reply to. A fairly good, casual writeup of the concept can be found on the page discussing how FormMail handles things.

In general, the Sender is the actual originator of the email message. The From Address, in contrast, is simply a header line in the email that may or may not be taken to mean anything. The From Address can often be left out completely. Spammers can easily spoof the From Address. ISPs try to ensure that spammers cannot spoof the Sender.

It sounds like what you might want is:

  • Sender : your site/program
  • From : either your site or the user
  • Reply-To : the user
RHSeeger
0

No, it really DOESN'T matter which From: header the email has been set with.

Why didn't you try it?

genesis
  • I tried it. I just didn't want it to work for some period of time and then not have it work and not be able to send mail. I guess I'm asking if setting the FROM header in my PHP script is more 'cosmetic' vs it being some attempt at 'spoofing'. – hungerstar Jun 18 '11 at 21:17
  • There are also many fake mailers, using same method http://emkei.cz/ they use mail() function too, exactly as you do – genesis Jun 18 '11 at 21:19
0

Many, if not most, email servers are not registered for a specific domain. The bigger issue is if your server correctly identifies itself (having a reverse lookup entry can help), and make sure it's not blacklisted. You can use a service like http://www.dnsbl.info/ to check.

Most hosts with dynamic IPs are considered suspect, but even a dedicated VPS can be listed, so it's worth checking. You should also correctly format the headers as outlined in some of the other responses. If this is for a critical application (e.g., you are charging people and they expect to get mail), you should consider a 3rd-party SMTP which should take care of making sure you don't get blacklisted.

ldg
  • I was going to set additional headers. I was trying to keep it simple. – hungerstar Jun 18 '11 at 21:34
  • I would follow @RHSeeger's advice re the headers, but you also need to make sure ISPs can verify the sender info. You will find some are more tolerant than others, so unless you can send a test to all major providers, you won't know for sure, as many failures will not even bounce. – ldg Jun 18 '11 at 21:42
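
The header layout suggested in the answers above (site-owned From and envelope sender, the user's address only in Reply-To), as an added example that is not code from any of the posters. The mailboxes share@example.com and bounce@example.com and the helper names are assumptions; the validation is there because the user-supplied values end up inside header lines.

```php
<?php
// Added example, not code from the thread. share@example.com and
// bounce@example.com are assumed mailboxes at the sending domain.
const SITE_FROM     = 'share@example.com';   // visible From, owned by the site
const ENVELOPE_FROM = 'bounce@example.com';  // envelope sender, the address SPF is checked against

// Keep only printable ASCII without quote, backslash or angle brackets, so
// the value cannot end a quoted display name or start a new header line.
function clean_text(string $s): string
{
    return trim(preg_replace('/[^\x20-\x7E]|["\\\\<>]/', '', $s));
}

// Returns [to, subject, body, headers, params] ready to hand to mail().
// $url is assumed to be generated by the site, not typed by the user.
function build_share_mail(string $to, string $userEmail, string $userName, string $url): array
{
    $to      = filter_var($to, FILTER_VALIDATE_EMAIL);
    $replyTo = filter_var($userEmail, FILTER_VALIDATE_EMAIL);
    if ($to === false || $replyTo === false) {
        throw new InvalidArgumentException('Invalid e-mail address');
    }
    $name = clean_text($userName);
    if ($name === '') { $name = 'A friend'; }

    $headers = implode("\r\n", [
        sprintf('From: "%s via example.com" <%s>', $name, SITE_FROM),
        'Reply-To: ' . $replyTo,   // replies go to the user, not the site
    ]);
    $subject = $name . ' shared a page with you';
    $body    = 'Shared page: ' . $url . "\r\n";
    return [$to, $subject, $body, $headers, '-f ' . ENVELOPE_FROM];
}

// Constructed sample input.
$args = build_share_mail('bob@domain.com', 'me@anotherdomain.com', 'Me', 'https://example.com/page');
echo $args[3], "\n";
// mail(...$args);   // uncomment on a host with a working MTA

// An address carrying a line break fails validation and nothing is sent.
try {
    build_share_mail('bob@domain.com', "me@anotherdomain.com\r\nX-Extra: 1", 'Me', 'https://example.com/page');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```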