Skip to navigation

malevolent design weblog

This blog is now defunct, but you can find more stuff over at my personal site

Stop Spoofing Emails (Or Do It Carefully)

For things like contact forms and email-a-friend features, developers have usually ‘spoofed’/‘forged’ the outgoing email address to make it seem as though it’s coming from the person initiating the message. It conveniently makes that person’s identity clear to the recipient, and lets them reply normally.

But this flexibility in SMTP (anyone can send an email pretending to be anyone else) is great for spammers and phishers, so there’s been a gradual rise in the use of authentication schemes to verify senders. This means a spoofed email will often get blocked or flagged. Hosting firms and ISPs are also clamping down - DreamHost just announced that they’ll only be permitting email to be sent from addresses they host (they’ve temporarily rolled back this ridiculously-abrupt change), affecting both users and sites.

So I think it’s safe to say that nowadays sites should try to avoid spoofing emails, using a From address the site owns (preferably with commonly-used authentication schemes configured).

If you need to spoof, add a Sender header containing a site-controlled address. Gmail does this when sending as another email address, and it’s also used by mass-emailing providers such as MailChimp to add authentication (while avoiding clashes with any email authentication set up by customers). There are side-effects, such as messages being displayed with “via” or “on behalf of”, and it’s not always suitable (e.g. I don’t think it’ll get around the DreamHost restrictions), but it’s a big improvement over straight spoofing.


Comments are now closed for this entry.