Please help me make some order with email headers.

What does each of the following mean: return-path, sender, from?

The question is being asked in the context of an email receiving app (let's say a posterous clone).

  • What can be easily faked?
  • What can be verified?
  • Under what circumstances can the three or two of them differ?
+1  A: 

Based on my experience -

  • From is the person that wrote the email. This can be set by the user's mail software.

  • Return-Path is the address where bounce messages (undeliverable notifications, etc.) should be delivered. It can be set by the sending or receiving mail server, or sometimes by the user's mail software. For a normal message, it is usually the same as the From address. Some messages (often system generated messages) may use a different Return-Path, and bounce messages typically leave it blank.

  • Sender is the person that sent the email, if different than the From ("Sent by X on behalf of Y"). Sometimes this is set by the user's mail software, and sometimes by their mail server. This, if present, should be different from the From address.

These headers can all be faked pretty easily, so verification is pretty much out.

However, if the sending domain has an SPF record, you can verify the Received headers against the list of approved mail servers for that domain. That will at least tell you whether or not the message really came from that domain, but that doesn't guarantee that the particular user sent it (it could be spoofed by another user on the same domain). Plus, not all domains publish SPF records, so it's not always an option.

Bill B
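The SPF check Bill B describes, as an added example that is not part of either answer: it pulls From, Sender and Return-Path from a constructed message, takes the connecting IP from the Received header that our own server wrote, and evaluates a constructed SPF record offline. A real deployment would fetch the record with a DNS TXT query and resolve include/a/mx mechanisms; both the message and the record here are made up for the example.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample message, not from the original post: the envelope sender
# (Return-Path) differs from From, and Sender marks "on behalf of" delivery.
RAW_MESSAGE = b"""Return-Path: <bounces@example.net>
Received: from mail.example.org (mail.example.org [192.0.2.25])
\tby inbound.example.com with ESMTP id k7x2; Mon, 1 Jan 2024 10:00:00 +0000
From: Alice <alice@example.org>
Sender: Assistant <assistant@example.org>
To: inbox@example.com
Subject: Quarterly report
"""
# Constructed SPF record, standing in for a DNS TXT lookup of the From domain.
SPF_RECORDS = {"example.org": "v=spf1 ip4:192.0.2.0/24 -all"}

def spf_check(record, client_ip):
    """Evaluate ip4/ip6/all mechanisms; include/a/mx need DNS -> 'needs_dns'."""
    ip = ipaddress.ip_address(client_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:            # skip the "v=spf1" version tag
        qualifier = term[0] if term[0] in results else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return results[qualifier]
        if mech.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return results[qualifier]
        else:
            return "needs_dns"
    return "neutral"                           # nothing matched and no "all"

def analyze(raw, spf_records):
    """Sender headers, connecting IP from the first Received header, SPF verdict."""
    msg = email.message_from_bytes(raw)
    addrs = {h: parseaddr(msg.get(h, ""))[1] or None
             for h in ("From", "Sender", "Return-Path")}
    # The topmost Received header was written by our own server, so its
    # bracketed address is the one IP in the message the sender cannot forge.
    m = re.search(r"\[([0-9a-fA-F.:]+)\]", msg.get("Received", ""))
    client_ip = m.group(1) if m else None
    domain = addrs["From"].rsplit("@", 1)[-1] if addrs["From"] else None
    record = spf_records.get(domain)
    verdict = spf_check(record, client_ip) if record and client_ip else "none"
    return {"addresses": addrs, "client_ip": client_ip, "spf": verdict,
            "return_path_differs": addrs["Return-Path"] != addrs["From"],
            "sender_differs": addrs["Sender"] not in (None, addrs["From"])}
```

An SPF "pass" only says the connecting server may send for the From domain; the differing Return-Path and Sender flags are exactly the cases the answer says are legitimate and cannot be verified from headers alone.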
A: 

I would add that in our experience, you cannot verify who is sending the message from the headers.

For this reason we implemented disposable addresses ([email protected]) at CloudMailin so that our users can give everyone an address to send to as a way to validate who is sending the message. Some other users include something in the subject line.

The Posterous FAQs suggest that they are doing something in addition to make sure that you are who you say you are. You could, for example, track the IP/DNS of the server that delivers email to your email server the first time and then ask a user to confirm if you suspect there is an issue. Although it's easy to spoof the headers, it's not too easy to receive their incoming mail.

Steve Smith