Can I send mail “from” a domain name I don't host with you?
Customers occasionally try to send outgoing email through our servers using a “from” email address that isn’t hosted with us — for example, we’ve been asked if it will work to send email from a “@gmail.com” address through our servers. Unfortunately, you can’t do that.
This issue sometimes arises unintentionally, when customers add forms or scripts to their website that try to send an email message as if it were “from” the email address of the person filling out the form.
While that sort of thing was commonly allowed before spam became a problem, it’s not reliable on today’s Internet.
On this page:
E-mail security
E-mail forgery is a big problem, so mail companies try to detect when it happens.
If you send mail claiming to be from (say) “address@gmail.com”, well-run mail servers will try to verify that Gmail actually sent the message in question. If Gmail doesn’t “authenticate” the message, it will appear to be a forgery.
So you can’t send mail claiming to be from other domain names we don’t handle mail for.
How do these checks work?
The checks are based on SPF and DKIM, which allow receiving servers to check whether a message is sent from an authorized server and/or whether it has a “digital signature” to indicate that it’s not a forgery.
A system called DMARC allows receiving mail servers to decide what to do if SPF and DKIM details don’t match. If you receive a “bounce” mentioning “DMARC”, or saying that a message was “not accepted for policy reasons”, it often means that a script on your site is sending messages claiming to be “From” an address you don’t really own.
What’s the solution for forms and scripts?
This problem is particularly common with website contact form scripts. These sometimes try to send messages claiming to be “From” the address of the person filling out the form or another unrelated address, which is always wrong.
For example, if your site has a “Contact Us” form, and a visitor fills it out using their own “example@aol.com” AOL address, your script should not send a message to your Gmail address like this:
From: Visitor <example@aol.com> To: example.com Webmaster <address@gmail.com> Subject: Feedback form
This won't work. Gmail will notice that your site is sending messages from an aol.com address, but AOL will not say they authorized it, and it will be rejected as a “forgery”. (While it may be the case that your visitor really owns the address “example@aol.com”, you don’t know if that’s actually true, and you can’t just take someone’s word for it on today’s Internet. AOL and Gmail have no idea where your script got the address from, or why example.com is trying to send mail that claims it’s from AOL.)
Instead, make your script send email only from addresses ending with your own domain name, as in this example:
From: feedback@example.com Reply-To: Visitor <example@aol.com> To: example.com Webmaster <address@gmail.com> Subject: Feedback form from Visitor (example@aol.com)
Gmail will accept this because you’re explicitly sending it from an address @example.com, even if it mentions “example@aol.com” in the “Reply-To” and “Subject” fields.
(Most people asking us about this turn out to be using a WordPress plugin called “Contact Form 7” that seems to send the wrong way by default; we have a page explaining how to modify Contact Form 7 to work with DMARC. And we have another page explaining how to fix this for the Gravity Forms plugin.)
Copyright © 2000-2024 Tiger Technologies LLC