Potential issues using member's "from" address and the "sender" header

Question

Hi all,

A major component of our application sends email to members on behalf of other members. Currently we set the "From" address to our system address and use a "Reply-to" header with the member's address. The issue is that replies from some email clients (and auto-replies/bounces) don't respect the "Reply-to" header so get sent to our system address, effectively sending them to a black hole. We're considering setting the "From" address to our member's address, and the "Sender" address to our system address. It appears this way would pass SPF and Sender-ID checks.

Are there any reasons not to switch to this method? Are there any other potential issues?

Thanks in advance,

-Paul

---

Here are way more details than you probably need:

When the application was first developed, we just changed the "from" address to be that of the sending member as that was the common practice at the time (this was many years ago). We later changed that to have the "from" address be the member's name and our address, i.e.,

From: "Mary Smith" <[email protected]>

With a "reply-to" header set to the member's address:

Reply-To: "Mary Smith" <[email protected]>

This helped with messages being mis-categorized as spam. As SPF became more popular, we added an additional header that would work in conjunction with our SPF records:

Sender: <[email protected]>

Things work OK, but it turns out that, in practice, some email clients and most MTA's don't respect the "Reply-To" header. Because of this, many members send messages to [email protected] instead of the desired member.

So, I started envisioning various schemes to add data about the sender to the email headers or encode it in the "from" email address so that we could process the response and redirect appropriately. For example,

From: "Mary Smith" <[email protected]>

where the string after "messages" is a hash representing Mary Smith's member in our system. Of course, that path could lead to a lot of pain as we need to develop MTA functionality for our system address. I was looking again at the SPF documentation and found this page interesting:

http://www.openspf.org/Best_Practices/Webgenerated

They show two examples, that of evite.com and that of egreetings.com. Basically, evite.com is doing it the way we're doing it. The egreetings.com example uses the member's from address with an added "Sender" header.

So the question is, are there any potential issues with using the egreetings method of the member's from address with a sender header? That would eliminate the replies that bad clients send to the system address. I don't believe that it solves the bounce/vacation/whitelist issue since those often send to the MAIL FROM even if Return Path is specified.

Answer 1

So I decided to answer my own question since no one else responded. Perhaps others will find this entry when searching.

What we're finally doing is this:

Set the From header to the user's actual email address.

From: "Mary Smith" <[email protected]>

Use a Sender header with the system wide email address.

Sender: <[email protected]>

Finally, the actual sender that shows up in the server supplied MAIL FROM/Return Path header is set with a unique identifier, i.e.,

Return Path: "Mary Smith" <[email protected]>

That allows a program running at [email protected] to intercept those auto replies and forward them onto the person they were originally intended to reach. Most real email clients will reply to the From: header. I haven't seen problems from blackberry users nor others responding to the system account.

After a month or so in production, we've had fewer issues with this than the previous method we were using.

The Sender header adds a small note in Microsoft Outlook clients about "On Behalf Of" but that's appropriate for our usage. There haven't been any issues with SPF in common clients/mta with this setup (Gmail, Yahoo, SpamAssassin, etc.)