The point of all these emails is so that you, as a non-owner of gmail.com, can't send an
email with a "From" address of gmail.com without authorization. That also means
that you, as the owner of thetoolwiz.com, and me, as the owner of petris.net, can
restrict who can send email using our domains.
For instance, I have DNS entries authorizing FastMail among a few others to
send email on my behalf, thus emails from those places are recognized as valid.
If someone goes to your website and enters my email address on your form, it
will likely be rejected by the receiving mail server as I have my DMARC
settings set such that any DKIM or SPF mismatch should be rejected, because
your website shouldn't be sending emails on my behalf without authorization.
If you’re collecting a message on YOUR SITE and simply stuffing the visitor’s
email addy into the FROM header field and sending it out, how is that ever
going to work if you cannot validate that visitor’s domain name?
This is going to break millions of websites that send out simple email messages
that way!
Am I missing something?
Yes, you are.
I assume here you're referring to some kind of guest/support form on a website, and
you're using the user's email address as the "From" field in the email you're
sending. This may have been okay in the 90's, but hasn't been kosher for many many years
now. You likely have missed many emails as they've likely been rejected without you even
knowing.
What you should do instead is the following:
1. The "From" address should be from a domain that you control, perhaps the
domain the form is listed on.
2. The email, when sent, should be properly signed and the server it's being
sent from should have a valid SPF entry.
   1. If you can't configure this for some reason, consider using a
   third-party email service such as SendGrid, Mailgun, etc.
3. If you want to be able to hit "reply" and have it go straight to the user, put their
email address in the "Reply-To" field in the email. This will instruct email clients to
send the email to that address when replying.
Note that this has affected mailing lists such as this one for years; mailing lists used
to keep the "From" header while adding a footer to the email and sending that
out to everyone in the list. While this was a problem when SPF was introduced, it was
more or less ignored. Once DKIM rolled around, there was a problem; because the mailing
list was modifying the email, the signature was no longer valid. The solution was to
either:
1. Don't modify the email with the mailing list footer and just forward it
verbatim. The subject couldn't change either as was also popular at the time.
2. Modify the email, but send it from the mailing list address with the
original sender's address in the Reply-To field.
#2 is what most mailing list software ended up going with, but only after the
next part. This also introduced a problem where incoming emails that were
invalid suddenly became valid with the mailing list's signature, therefore it
also became necessary to validate incoming emails with stricter validation as
well.
Then DMARC came along allowing you to specify what to do with invalid emails. I
believe Yahoo was the first large email provider to set their settings to have
others outright reject emails that weren't signed properly, vs. previously
going into the Spam folder, causing all kinds of havoc with mailing list
software causing ones that hadn't already switched to #2 above to switch to it.
I’d think that the visitor’s email should be put into the REPLY-TO field and
YOUR OWN email should go into the FROM field.
Or is there some other way to make this work?
Looks like you figured it out before I even wrote this. And no, there's no
other way.
On Wed, Jan 31, 2024, at 4:31 AM, David Schwartz via PLUG-discuss wrote:
Apparently, Google and Microsoft (?) are implementing a change that’s going to
batten down the hatches on delivering email from non-verified sources.
That requires you to get two or three fields from your SMTP host — SPF, DKIM,
and DMARC — and put them into the DNS Zone records for each domain you want
recognized as a FROM address.
That’s fine if you have a form on your website that you want users to be able
to send to you, since you can use one of your own domains as the FROM email
addy, right?
But here’s the rub: the user is asked to provide these fields:
* Name
* EMail
* message
So what if a site visitor enters a gmail addy like: tomsmith1...@gmail.com into
the EMail field?
A lot of people are stuffing that EMail right into the FROM field in the
outgoing message so when it arrives, the admin can simply click Reply and it
goes back to the user who provided it.
But if you don’t own gmail.com, there’s no frigging way for you to generate
those three fields and THEN add them to the Zone records for gmail.com ...
right?
If your SMTP host (relay) will only forward emails with a validated domain name
in the FROM field that you told them about, then there’s no way in hell
anything from anybody with, say, a gmail.com addy is going to get their email
forwarded to you via your own SMTP host.
I’m using MailJet as my SMTP Host, and when this site I’m using tries sending
me emails where they’re putting the visitor’s email address into the FROM field
of the outgoing messages, I’m getting messages like this:
=============================
We are contacting you as you (or one of your team members)
tried to send an email with sender address: tomsmith1...@gmail.com.
But this sender address has not been validated yet on your account: <my_acct_ID>
=============================
It’s complaining about gmail.com not being validated — that is, it cannot find
the correct SPF, DKIM, and/or DMARC fields in that domain’s DNS Zone records.
If you’re collecting a message on YOUR SITE and simply stuffing the visitor’s
email addy into the FROM header field and sending it out, how is that ever
going to work if you cannot validate that visitor’s domain name?
This is going to break millions of websites that send out simple email messages
that way!
Am I missing something?
I’d think that the visitor’s email should be put into the REPLY-TO field and
YOUR OWN email should go into the FROM field.
Or is there some other way to make this work?
-David Schwartz
---------------------------------------------------
PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss
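
The From / Reply-To arrangement recommended in the reply above, as an added example that is not code from the thread. It assumes a Python form handler; example.org, forms@example.org, admin@example.org and the function names are hypothetical, and the visitor address is constructed. The form's Email field is checked before it goes anywhere near a header, since a line break in it could otherwise smuggle in extra headers.

```python
from email.headerregistry import Address
from email.message import EmailMessage

# Assumptions: example.org is the domain the form lives on, and its DNS
# already authorises the sending relay (SPF/DKIM) as the thread describes.
SITE_FROM = Address("Website contact form", "forms", "example.org")
SITE_INBOX = Address("Site admin", "admin", "example.org")


def clean_address(raw):
    """Return the visitor's bare address or raise ValueError."""
    addr = raw.strip()
    # Whitespace (including CR/LF) or list/route syntax means the field is
    # not a single plain address; refuse it rather than try to repair it.
    if any(c.isspace() or c in '<>,;:"()' for c in addr):
        raise ValueError("unexpected characters in email field")
    local, at, domain = addr.partition("@")
    if not (local and at and "." in domain and "@" not in domain):
        raise ValueError("not a usable email address")
    return addr


def build_contact_message(name, email, text):
    """Build the outgoing mail: our domain in From, the visitor in Reply-To."""
    visitor = clean_address(email)
    display = " ".join(name.split())[:80]  # collapse newlines and runs of spaces
    msg = EmailMessage()
    msg["From"] = SITE_FROM        # a domain we control, so SPF/DKIM/DMARC can pass
    msg["To"] = SITE_INBOX
    msg["Reply-To"] = Address(display_name=display, addr_spec=visitor)
    msg["Subject"] = "Contact form message from " + (display or visitor)
    msg.set_content(f"Name: {display}\nEmail: {visitor}\n\n{text}\n")
    return msg


if __name__ == "__main__":
    # Constructed sample input.
    print(build_contact_message("Tom Smith", "visitor@example.com", "Hello!"))
```

Hitting "reply" on the delivered message addresses the visitor, while the relay and the receiving server only ever evaluate example.org.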