31

I've got an application that emails users once they have filled in a form. It uses no-reply@customerdomain.com as the From address. The customer wants it to use the email from the form as the From address, which could be anything. I have been told that this is a bad idea due to spoofing/blacklisting and spam.

I feel really vague about the exact reason why this is a bad idea, particularly as I've got to try to counsel the client out of this. Can someone explain to me why this is a bad idea?

Interestingly, the client has used a Gmail account as the From address as a demo, which not only works fine but has enabled the application to start sending emails (it wouldn't do it before with an email which was no-reply@customerdomain.com). Erm, what is going on? I'm told one thing and the opposite works.

Sorry, I know this is basic, but I couldn't find anything on a Google search. Largely I think because I'm having trouble even framing the question.

EDIT

Thank you everyone, great answers. Interestingly, the server sending the email and the mailbox that it is going to are both behind the same firewall, so the client says they are unconcerned about spam. Oh well.

7 Answers

50

Actually, you're allowed to set the From address to your customer's email, as long as you correctly set the Sender field to your own address. This is what PayPal used to do!

FROM:   customer@yourCustomer.com
TO:     recipient@recipient.com
SENDER: you@yourCompany.com

Most email clients will render this as "From you@yourCompany.com On Behalf Of customer@yourCustomer.com". There shouldn't be any issues with SPF or DKIM on the customer's domain.


You should also probably set the Reply-To header to your customer's address, so replies go to the customer's address rather than yours.

BlueRaja
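The From/Sender/Reply-To combination described in this answer, as an added example (not code from the original answer). It uses Python's standard `email` package to build the message and adds a small check that the headers follow the pattern; the addresses and the `notifications@` mailbox are hypothetical.

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical domain and transmitting mailbox for this example.
OUR_DOMAIN = "yourCompany.com"
OUR_SENDER = f"notifications@{OUR_DOMAIN}"


def build_on_behalf_message(customer_addr, recipient, subject, body,
                            sender=OUR_SENDER):
    """Build a message whose From: is the customer while Sender: names the
    party actually transmitting it (us). Pass sender=None to see what the
    check below reports for a bare foreign From:."""
    msg = EmailMessage()
    msg["From"] = customer_addr          # displayed author
    if sender is not None:
        msg["Sender"] = sender           # transmitting agent (RFC 5322 3.6.2)
    msg["Reply-To"] = customer_addr      # replies go back to the customer
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def check_on_behalf_headers(msg):
    """Return a list of problems with the From/Sender/Reply-To headers.
    An empty list means the message follows the pattern from the answer."""
    problems = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, sender_addr = parseaddr(msg.get("Sender", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    sender_domain = sender_addr.rpartition("@")[2].lower()

    if from_domain != OUR_DOMAIN.lower():
        # Foreign author: we must declare ourselves as the transmitting agent.
        if not sender_addr:
            problems.append("foreign From without a Sender header")
        elif sender_domain != OUR_DOMAIN.lower():
            problems.append("Sender is not in our own domain")
    if reply_addr != from_addr:
        problems.append("Reply-To does not match From; replies would go to us")
    return problems


if __name__ == "__main__":
    m = build_on_behalf_message("customer@yourCustomer.com",
                                "recipient@recipient.com",
                                "Form submission", "Hello")
    print(m.as_string())
    print("problems:", check_on_behalf_headers(m))
```

Note that the Sender header only documents who transmitted the message; whether receiving systems accept it still depends on the envelope sender and the sending server's own SPF/DKIM setup, which the other answers cover.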
47

It is bad practice for several reasons:

  • You are NOT allowed to send a mail from a domain you do not own. As such, it could be conceived as an attempt at impersonation.
  • It's a common enough practice used by spammers and, as such, is frequently tagged by spam filters.
  • It is pretty common for well-maintained domains to use SPF or DKIM to protect their reputation and help other systems identify impersonation and spam. You obviously will not be able to add the DKIM mail header or add your SMTP server into the domain's SPF DNS record, and so your mail will be (rightly) considered as forged and rejected.

The proper practice is to use your local domain as sender, possibly using a non-existing address as user name.

Stephane
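To make the SPF point concrete, here is an added example (not from the original answer) of what a receiving server does with the sender domain's SPF record. It is a simplified evaluator of the `ip4`/`ip6`/`all` mechanisms from RFC 7208, which is more general than the single case in the answer; the domains, IP addresses and TXT records are constructed for the example, and the `a`, `mx` and `include` mechanisms, which need DNS, are not modelled.

```python
import ipaddress

# Constructed SPF TXT records for hypothetical domains (not real DNS data).
# 203.0.113.0/24 is the customer's own mail network; 198.51.100.10 is our
# application server. Neither record lists the other party's hosts.
SPF_RECORDS = {
    "yourcustomer.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "yourcompany.com": "v=spf1 ip4:198.51.100.10 ~all",
}

# Qualifier prefix -> SPF result (RFC 7208 section 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Stand-in for a DNS TXT lookup; returns the record or None."""
    return SPF_RECORDS.get(domain.lower())


def check_spf(mail_from, client_ip):
    """Evaluate the envelope sender's domain against the connecting IP.
    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'."""
    domain = mail_from.rpartition("@")[2]
    record = lookup_spf(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)

    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                continue  # malformed mechanism; skip it
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # a, mx, include, exists: require DNS, not modelled here.
    # No mechanism matched: RFC 7208 section 4.7 says the result is neutral.
    return "neutral"


if __name__ == "__main__":
    # Our server (198.51.100.10) sending MAIL FROM the customer's domain:
    print(check_spf("customer@yourCustomer.com", "198.51.100.10"))  # fail
    # The same server sending from our own domain:
    print(check_spf("you@yourCompany.com", "198.51.100.10"))        # pass
```

The first call is exactly the situation the answer warns about: the customer's record ends in `-all`, our server's address is not listed, so the receiver gets a hard fail and is entitled to reject the message. Sending from our own domain, whose record does list the server, passes.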
11

TL;DR:

It's a bad practice to use the email address from the form. Instead, use an email address that is specifically used for this mailing list only.

Long version:

First, there are actually two email addresses used. One is the envelope sender, the other one is the one shown on the From:-line in the email.

The envelope sender is the one used by email servers to issue non-delivery notices. If you're running a mailing list, that address will usually be to a script that can clear out non-working addresses from the mailing list.

The From: address is the one that will be used when the recipient of the mail clicks on Reply. In this case it should point to someone that can actually answer any question the recipient may reply with (or at least forward to someone who can).

If you use the recipient's own email address as the envelope sender, you may expect that some/many mail servers will reject the mail or tag it as likely being spam - because people don't often send mails to themselves from their own address via an outside server.

If you use the recipient's own email address as the From:-sender, the user will not be able to respond to the messages if they should need to. Putting a link somewhere in the body of the mail message isn't enough; people will still use the Reply-button in their email client and be upset when it doesn't work.

Jenny D
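An added example (not code from the original answer) of keeping the two addresses the answer distinguishes separate: the envelope sender, which receives bounces, and the From: header, which receives replies. It goes a step beyond the text by encoding the recipient into the envelope sender (the VERP technique), so that a bounce arriving at the bounce mailbox identifies which address failed without parsing the bounce body. The list domain and mailbox names are hypothetical.

```python
import re
from email.message import EmailMessage

# Hypothetical addresses for this example.
LIST_DOMAIN = "lists.yourcompany.example"
BOUNCE_LOCALPART = "bounces"
LIST_OWNER = "newsletter-owner@yourcompany.example"  # a mailbox a human reads


def verp_envelope_sender(recipient):
    """Encode the recipient into the envelope sender (VERP): a bounce sent
    to this address tells the bounce script which subscriber failed."""
    local, _, domain = recipient.partition("@")
    return f"{BOUNCE_LOCALPART}+{local}={domain}@{LIST_DOMAIN}"


def recipient_from_bounce(bounce_to):
    """Recover the failing subscriber from the address a bounce arrived at.
    Returns None if the address is not one of our VERP addresses."""
    pattern = rf"{BOUNCE_LOCALPART}\+(.+)=([^=@]+)@{re.escape(LIST_DOMAIN)}"
    m = re.fullmatch(pattern, bounce_to)
    if not m:
        return None
    return f"{m.group(1)}@{m.group(2)}"


def build_list_message(recipient, subject, body):
    """Return (envelope_sender, message). The envelope sender is the VERP
    bounce address; the From: header is a mailbox that can take replies."""
    msg = EmailMessage()
    msg["From"] = LIST_OWNER
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return verp_envelope_sender(recipient), msg


if __name__ == "__main__":
    envelope_from, msg = build_list_message("alice@example.org",
                                            "Newsletter", "Hello")
    print("MAIL FROM:", envelope_from)
    print(msg.as_string())
    # A bounce later arrives addressed to envelope_from:
    print("failed subscriber:", recipient_from_bounce(envelope_from))
```

When actually sending, pass the envelope sender separately from the headers, e.g. `smtplib.SMTP(...).send_message(msg, from_addr=envelope_from)`; the From: header inside `msg` is untouched, so the Reply button still reaches the owner mailbox while non-delivery notices go to the bounce address.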
9

You've got some great answers talking about the technical issues here. In terms of selling this to your customer it may be helpful to rephrase the question slightly. The customer is probably asking you a variation of "will it work", to which the answer is "yes, you can send email like that".

A better question for them to be considering is "will it arrive? Will our customers see it if it's sent that way?" The answer, with most modern spam filters, is "no, probably not".

Rob Moir
4

There are two issues that I can think of. The largest issue is that you will be sending out email which could very possibly be undeliverable, and obviously the return address will also be, which will mean a lot of emails sitting and waiting to time out. The smaller issue might be that some of those emails end up in spam, as the servers are looking for email from certain domains to come from certain machines (per DKIM rules).

I would create the no-reply@customerdomain.com address, and decide what to do with the email later.

NickW
1

Spoofing the user's own address as the From: is a poor idea. It is a good way to ensure that the mail never reaches the user, since anti-spam filters may regard it as a forgery (which it de facto is!).

It's quite reasonable and common for the SMTP server for "thisdomain" to reject a "MAIL FROM: user@thisdomain" request which comes from a TCP connection which is outside of "thisdomain". (Allowing such a request from local hosts allows the users within the "thisdomain" network to mail each other.)

Actually, noreply@customerdomain.com is a poor idea also:

Here is a configuration snippet from my SMTP server (Exim software), which configures it to bounce messages from noreply senders:

deny
  message = Sorry, we do not accept SMTP traffic from "noreply" senders. \
            We believe that it is less than polite to send messages from \
            nonexistent e-mail addresses \
            which cannot be replied to! E-mail is a "two-way street". \
            If you want us to accept \
            your mail, then please accept replies.
  senders = ^noreply@.*

E-mails should only be sent by real senders that can accept replies.

Why should I listen to anything you say if your ears are plugged against anything I say?

Some people will reply to these e-mails anyway and they should be routed to the appropriate customer support account.

Kaz
-1

The client may be unconcerned about spam, but the overriding issue here is that it is ethically wrong to use the customer's domain, as cited by all the other answers here.