I'm working on a web application. A user will create an email message that will be sent to another person.

I would like the e-mail that gets sent to appear to come from the name and e-mail address of the user on my system. And if they reply to the e-mail then it should go directly to the sender's email address.

However I am worried about the email message looking like spam to email filters along the way.

Is there a proper way to do this?

I noticed on a "contact" page on a WordPress blog that something very similar is done. The e-mail headers look like:

To: [email protected]
Subject: [Test Blog] =?UTF-8?B?aGVsbA==?=
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
From:=?UTF-8?B?aGVsbA==?=<[email protected]>
Message-Id: <[email protected]>
Date: Sat,  7 Feb 2009 23:47:37 +0000 (UTC)
Return-Path: [email protected]

What is interesting is that the display name in the "from" tag and the name that shows up in the subject line is encoded. I do not know if this helps with the spam filters or not, but thought it was at least worth mentioning.

Also, who would receive an undeliverable notification in this example? Would it go to [email protected] or would it go to [email protected]?

+1  A: 

Basically all you need to do is set the From header to the email address of the user sending the email. The value of From is what is displayed in a recipient's email client. Most spam detection systems in place today look only at the message content, not the email headers, so you currently wouldn't have that much of a problem based on what you set the From header to.

However, there are some systems which are gaining popularity which could prevent you from sending email with somebody else's email address, most notably SPF, the Sender Policy Framework. Basically, a mail server that implements SPF will check the domain of the From address of each email it receives and check with that domain directly to see if it authorizes the email. For example, if your server is mydomain.com, the email address of the user is [email protected], and the recipient is [email protected],

  1. mydomain.com contacts example.com via SMTP to try to send the email
  2. example.com looks up the SPF records for gmail.com
  3. example.com checks whether mydomain.com is on the list of domains allowed to send email with the domain gmail.com
  4. If it's not, the email is blocked

Also, I found a forum post suggesting that Return-Path is the intended destination for undeliverable notifications. Apparently that header is set based on the value of the SMTP MAIL FROM command.

David Zaslavsky
Generally SPF does *not* check the From header. "The vast majority of SPF implementations today use the return-path as the subject of authentication and do not get involved with the header 'From:'" See http://www.openspf.org/FAQ/Envelope_from_scope
bmb
A: 

Setting email fields is generally trivial, but the exact method of doing so depends on the language and framework you are using, which you don't mention. Usually it is a matter of creating a new email object, and just doing something along the lines of:

email.from = "From Name <[email protected]>";

You can set the specific from address to your user's, if you like; it is not at all uncommon, though I personally am not a fan. You could also set the from field to something like: "Sender Name (via Your Site Name) <[email protected]>".

Rob Drimmie
Rob, I think your second paragraph will do the trick. This will enable me to have a familiar name show up in the receiver's mailbox, while staying away from the SPF spam problems that David points out. I'll also use the Reply-To header and set that to the sender's e-mail address as Ali points out.
Richard West
A: 

Don't do this.

It really depends on how your mail relay is set up, but actually just don't do it. From header should contain the email address that sent the email, in your case [email protected]. If you want people to reply to a different address, you can always use the Reply-To header. Here are some notes.

Ali A
A: 

If I understand the standard (RFC 822) correctly, this is exactly what the Sender header is for (see §4.4.2. SENDER / RESENT-SENDER). Still, I'd go with a different approach and use your site's official contact address in the From header and put the user's address in the Reply-To header. Maybe add some boilerplate text that clearly states where the mail is coming from.

One further piece of advice besides the technical stuff: don't let anonymous users use this facility, you'd become a perfect platform for spamming. Also, out of kindness, you probably want to make sure that your (registered) users know that their email addresses are exposed to the recipients.

paprika
A: 

Be aware that doing this will make spam filters more suspicious of your email. Combined with suspicious-looking content, your email may get filtered.

Harry
A: 

Whoever is in the "From" header will receive the undeliverable notification.

For the filtering - it really depends more on the subject and body of your message than the From address. So with that said, a couple of ideas...

  1. Use HTML encoding rather than Plain Text with simple formatting (I know there's probably an argument going the other way but in my personal experience HTML gets through more often)
  2. Always include a footer with ("This e-mail was sent to you from ... blah blah") to identify it; if you don't want people to know it's coming from your system (i.e. really impersonated from the "From" user) then you need to find a more legit way to take care of the requirement.
  3. If at all possible, use a real address from your system as the "From" address with the address of the user as the "Reply-To".
routeNpingme
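The layout several answers above recommend (a site-owned address in From with the user's name in the display part, the user's address in Reply-To, an identifying footer), as an added example that is not part of any answer. The addresses `noreply@mydomain.com` and `bounces@mydomain.com`, the local relay, and the function names are assumptions; the envelope sender is passed separately because it is the SMTP MAIL FROM value, not a header.

```python
import smtplib
from email.headerregistry import Address
from email.message import EmailMessage
from email.utils import make_msgid

SITE_NAME = "Your Site Name"              # assumption: placeholder site name
SITE_ADDR = ("noreply", "mydomain.com")   # assumption: site-owned From mailbox
BOUNCE_ADDR = "bounces@mydomain.com"      # assumption: envelope sender for bounces


def build_relayed_message(user_name, user_email, to_email, subject, body):
    """Return (envelope_from, message) for mail sent on a user's behalf."""
    # User-supplied values become headers: refuse line breaks so a crafted
    # name or subject cannot smuggle in extra headers (e.g. a Bcc).
    for value in (user_name, user_email, to_email, subject):
        if "\r" in value or "\n" in value:
            raise ValueError("line break in header value (header injection)")
    msg = EmailMessage()
    # From stays on the site's own domain; only the display name is the user's.
    msg["From"] = Address(f"{user_name} (via {SITE_NAME})", *SITE_ADDR)
    # Replies go straight to the user.
    msg["Reply-To"] = Address(user_name, addr_spec=user_email)
    msg["To"] = Address(addr_spec=to_email)
    msg["Subject"] = subject
    msg["Message-ID"] = make_msgid(domain=SITE_ADDR[1])
    # Footer identifying the real origin, as suggested in the answers.
    msg.set_content(
        f"{body}\n\n-- \nSent by {user_name} <{user_email}> via {SITE_NAME}.\n"
    )
    # Non-ASCII names are RFC 2047-encoded when the message is serialized,
    # which is the =?UTF-8?B?...?= form seen in the question's headers.
    return BOUNCE_ADDR, msg


def send(envelope_from, msg, host="localhost"):  # assumption: local relay
    """Hand the message to an SMTP relay with an explicit envelope sender."""
    with smtplib.SMTP(host) as smtp:
        # from_addr becomes MAIL FROM; the receiver records it as Return-Path.
        smtp.send_message(msg, from_addr=envelope_from)
```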