How to properly send e-mails in the name of others? I did some experiments in the last months and here are my results.

Let’s think about a service, that sends out e-mails in the name of its users. For example, a recommendation-form on a website, where users can enter the e-mail address of a friend, add some short text and the web server sends out the mail with a link to the current page. You may want, that the recipient sees, this mail has been sent by the user and that replies to this e-mail are sent to the user who filled the form.

When developing such an e-mail service you may stumble over the following three e-mail headers:

Solution

In fact, it’s not that tricky and from my experience there is only one way to achieve this:

  • Set the From: header to your own address.
  • Set the Reply-To: header to the users address.
  • Ignore (or do what you want with) the Sender: header.

Things to consider

The most important topic when sending e-mails is to avoid that your messages are interpretet as spam. Additionally you should do everything to avoid that your IP address gets blacklisted. Especially if your service sends mails on a regular basis and all the mails look very similar, both things could happen really soon and trying to remove an IP address from all blacklists is nothing you wanna do.

With this, the most important part of your e-mail is the From: header. This must be an e-mail address with a domain you own or at least your IP is allowed to send mails from. So, john.doe@gmail.com is not a candidate.

The magic term behind this is SPF, the Sender Policy Framework. With this, domain owners can specify, which IP addresses are allowed to send out e-mails using their domain. Many domain owners are using SPF-records to avoid that e-mails are sent from foreign servers and some e-mail providers are very picky when SPF records exist for a domain (with good reason).

So, if someone fills out the recommendation form (from the example above), provides john.doe@gmail.com as his address and you use this address for the From: header, this e-mail is very likely to be cought as spam, because there are SPF records for gmail.com and it’s very unlikely that your servers IP is part of the list.

So, the conclusion is: make sure your IP is allowed to send mails from the domain you use as From: header.

What about the Sender: header?

When reading RFC 2822 and RFC 4021 one might think the Sender: header is perfect for sending e-mails in the name of others. RFC2822 says:

For example, if a secretary were to send a message for another person, the mailbox of the secretary would appear in the “Sender:” field and the mailbox of the actual author would appear in the “From:” field.

To map this back to our example: If a person fills out the recommendation form, our service could be seen as the secretary and we can still pass the e-mail address of the user with the From: header. Wrong! The problem with this is SPF, which does not take care of the e-mail headers, it just uses the HELO and MAIL FROM commands of the SMTP protocol (RFC 2821). Typically SMTP clients generate these values from the From: header of the e-mail simply ignoring the Sender: header.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code class="" title="" data-url=""> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <pre class="" title="" data-url=""> <span class="" title="" data-url="">