How to properly send e-mails in the name of others? I did some experiments over the last few months and here are my results.
Consider a service that sends out e-mails in the name of its users. For example, a recommendation form on a website: a user enters a friend’s e-mail address, adds a short text, and the web server sends the friend a mail with a link to the current page. You probably want the recipient to see that the mail comes from the user, and you want replies to go to the user who filled out the form.
When developing such an e-mail service you may stumble over the following three e-mail headers: From:, Reply-To: and Sender:.
In fact, it’s not that tricky, and from my experience there is only one way to achieve this:
- Set the From: header to your own address.
- Set the Reply-To: header to the users address.
- Ignore (or do what you want with) the Sender: header.
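The three rules above, applied to the recommendation form as an added example (this is not the original post’s code). The service address, the domain example.net that the service is assumed to own, the user and friend addresses and the RecordingSMTP stand-in for smtplib.SMTP are all constructed for illustration. Besides setting the headers, it passes the envelope sender (MAIL FROM) explicitly instead of relying on whatever a library derives from From: or Sender:.

```python
"""Build and hand over a recommendation e-mail sent on behalf of a user.

Added example, not the original post's code. Domain, addresses and the
SMTP stand-in are constructed for illustration.
"""
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

# Assumption: the service owns example.net and its outbound IP is listed
# in example.net's SPF record.
OWN_DOMAINS = {"example.net"}


def domain_of(address):
    """Lower-cased domain part of a bare address or 'Name <addr>' string."""
    _, bare = parseaddr(address)
    return bare.rpartition("@")[2].lower()


def build_recommendation_mail(user_name, user_addr, friend_addr, text, url,
                              service_addr="recommend@example.net"):
    """From: stays on our own domain, Reply-To: points at the user."""
    if domain_of(service_addr) not in OWN_DOMAINS:
        raise ValueError("From: must use a domain we own: %s" % service_addr)
    msg = EmailMessage()
    msg["From"] = formataddr(("%s via Example" % user_name, service_addr))
    msg["Reply-To"] = formataddr((user_name, user_addr))
    msg["To"] = friend_addr
    msg["Subject"] = "%s recommends a page to you" % user_name
    msg.set_content("%s\n\n%s\n" % (text, url))
    return msg


def envelope_sender(msg):
    """Address for MAIL FROM. SPF is evaluated against this, never against
    the headers, so it has to be on our own domain as well."""
    return parseaddr(msg["From"])[1]


def send(msg, smtp):
    """Hand the message to an smtplib.SMTP-like object with an explicit
    envelope sender (smtplib would otherwise fall back to Sender: or From:)."""
    sender = envelope_sender(msg)
    if domain_of(sender) not in OWN_DOMAINS:
        raise ValueError("envelope sender off our domain: %s" % sender)
    recipients = [parseaddr(msg["To"])[1]]
    smtp.send_message(msg, from_addr=sender, to_addrs=recipients)
    return sender, recipients


class RecordingSMTP:
    """Stand-in for smtplib.SMTP so the example runs offline; it only
    records what the real client would have been asked to do."""

    def __init__(self):
        self.calls = []

    def send_message(self, msg, from_addr=None, to_addrs=None):
        self.calls.append((from_addr, to_addrs, msg["From"], msg["Reply-To"]))


if __name__ == "__main__":
    mail = build_recommendation_mail("Alice", "alice@example.com",
                                     "bob@example.org", "Have a look at this!",
                                     "https://www.example.net/page")
    client = RecordingSMTP()
    print(send(mail, client))
    print(mail)
```

With a real smtplib.SMTP connection in place of RecordingSMTP, the friend sees "Alice via Example <recommend@example.net>" as the sender, replies go to alice@example.com, and the receiving server checks SPF for example.net, which is the only domain whose record you control.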
Things to consider
The most important thing when sending e-mails is to avoid having your messages classified as spam. In addition, do everything you can to keep your IP address off blacklists. If your service sends mails regularly and they all look very similar, both can happen quickly, and getting an IP address removed from every blacklist is not something you want to do.
With this in mind, the most important part of your e-mail is the From: header. It must contain an address on a domain you own, or at least one whose owner allows your IP to send mail for it. So an address on a domain you do not control, such as firstname.lastname@example.org, is not a candidate.
The mechanism behind this is SPF, the Sender Policy Framework. It lets domain owners publish, in a DNS TXT record, which IP addresses are allowed to send e-mail for their domain. Many domain owners publish SPF records to keep foreign servers from sending mail in their name, and some e-mail providers are very strict when an SPF record exists for a domain (with good reason).
So if someone fills out the recommendation form from the example above, enters email@example.com as their address and you put that address into the From: header, the mail is very likely to be caught as spam, because there are SPF records for gmail.com and it is very unlikely that your server’s IP is part of that list.
The conclusion: make sure your IP is allowed to send mail for the domain you use in the From: header, and use that same domain as the envelope sender.
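What a receiving server does with those records, as an added example that is not part of the original post: a small SPF evaluator (a subset of RFC 7208) that looks records up in an inline dictionary instead of DNS so it runs offline. The records, the domain example.net the service is assumed to own and the sending IP 203.0.113.10 are constructed for illustration. It supports ip4, ip6, include and all with the +, -, ~ and ? qualifiers; a, mx, exists and redirect are deliberately left out.

```python
"""Minimal SPF evaluator over constructed records (RFC 7208 subset).

Added example, not the post's own code. Records come from an inline
dictionary standing in for DNS TXT lookups.
"""
import ipaddress

# Constructed records (assumption: the service sends from 203.0.113.10 and
# owns example.net; example.com is a user's domain with its own policy).
RECORDS = {
    "example.net": "v=spf1 ip4:203.0.113.10 -all",
    "example.com": "v=spf1 include:_spf.example.com -all",
    "_spf.example.com": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, records=RECORDS, depth=0):
    """Result of evaluating domain's SPF record for a connection from ip:
    pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:                       # RFC 7208 caps include recursion
        return "permerror"
    record = records.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"                    # no policy published
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                  # mechanisms default to 'pass'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # a v4 address is never inside a v6 network and vice versa
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"       # malformed network in the record
        elif name == "include":
            matched = check_spf(ip, arg, records, depth + 1) == "pass"
        else:
            return "permerror"           # mechanism not supported here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # nothing matched and no 'all' term


def spf_for_envelope_sender(mail_from, ip, records=RECORDS):
    """What a receiver concludes for MAIL FROM:<mail_from> sent from ip."""
    domain = mail_from.rpartition("@")[2]
    return check_spf(ip, domain, records)


if __name__ == "__main__":
    # our own domain from our own IP vs. a user's domain from our IP
    print(spf_for_envelope_sender("recommend@example.net", "203.0.113.10"))
    print(spf_for_envelope_sender("user@example.com", "203.0.113.10"))
```

The two calls at the bottom are the two choices from the form example: an envelope sender on your own domain passes, while the user's address fails because that domain's record (here via include) lists other networks and ends in -all. A receiver that enforces SPF will reject or spam-flag the second case.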
What about the Sender: header?
RFC 2822 describes it like this: “For example, if a secretary were to send a message for another person, the mailbox of the secretary would appear in the “Sender:” field and the mailbox of the actual author would appear in the “From:” field.”
To map this back to our example: if a person fills out the recommendation form, our service plays the secretary, so couldn’t we put our own address into Sender: and still pass the user’s address in the From: header? Wrong! The problem is SPF, which does not look at the message headers at all; it is evaluated against the HELO and MAIL FROM commands of the SMTP dialogue (RFC 2821). Unless you set the envelope sender explicitly, most mail libraries derive MAIL FROM from the From: header, and which header a library falls back to varies (Python’s smtplib, for instance, prefers Sender: over From:), so never rely on that fallback. A From: address on a domain you do not control therefore tends to end up as a MAIL FROM you are not authorized for, and the mail fails SPF. Receivers that also check DMARC go one step further and require the From: header domain to align with the domain that passed SPF or DKIM, so a foreign From: fails there even when your MAIL FROM is on your own domain. The safe combination remains: From: and the envelope sender on your own domain, the user in Reply-To:.