Can I send mail “from” a domain name I don't host with you?
Customers occasionally ask if it’s okay to send outgoing email through our servers using a “from” email address that isn’t hosted with us.
For example, we’ve been asked if it’s okay to send email from a “@gmail.com”address through our servers. It’s not.
Another common issue is that when a visitor fills out form on a website, people sometimes use scripts that try to send an email message as if it were “from” the email address of the person filling out the form.
Unfortunately, you can’t do that. While that sort of thing was commonly allowed before spam became a problem, it’s neither secure nor reliable on today’s Internet.
On this page:
E-mail forgery is a big problem, so mail companies try to detect when it happens.
If you send mail claiming to be from (say) “email@example.com”, well-run mail servers will check with Gmail to verify that Gmail actually sent or authorized the message in question. But if Gmail says they know nothing about the message, it will look like a forgery.
So you can’t send mail claiming to be from other domain names we don’t handle mail for.
How do these checks work?
The checks are based on SPF and DKIM, which allow receiving servers to check whether a message is sent from an authorized server and/or whether it has a “digital signature” to indicate that it’s not a forgery.
A system called DMARC allows receiving mail servers to easily check the SPF and DKIM details. If you receive a “bounce” mentioning “DMARC”, or saying that a message was “not accepted for policy reasons”, it often means that a script on your site is sending messages claiming to be “From” an address you don’t really own.
What’s the solution for forms and scripts?
This problem is particularly common with website contact form scripts. These sometimes try to send messages claiming to be “From” the address of the person filling out the form or another unrelated address, which is always wrong.
For example, if your site has a “Contact Us” form, and a visitor fills it out using their own “firstname.lastname@example.org” AOL address, your script should not send a message to your Gmail address like this:
From: Visitor <email@example.com> To: example.com Webmaster <firstname.lastname@example.org> Subject: Feedback form
This won't work. Gmail will notice that your site is sending messages from an aol.com address, but AOL will not say they authorized it, and it will be rejected as a “forgery”. (While it may be the case that your visitor really owns the address “email@example.com”, you don’t know if that’s actually true, and you can’t just take someone’s word for it on today’s Internet. AOL and Gmail have no idea where you got the address from or why example.com is trying to send mail that claims it’s from AOL.)
Instead, make your script send email only from addresses ending with your own domain name, as in this example:
From: firstname.lastname@example.org Reply-To: Visitor <email@example.com> To: example.com Webmaster <firstname.lastname@example.org> Subject: Feedback form from Visitor (email@example.com)
Gmail will accept this because you’re explicitly sending it from an address @example.com, even if it mentions “firstname.lastname@example.org” in the “Reply-To” and “Subject” fields.
(Most people asking us about this turn out to be using a WordPress plugin called “Contact Form 7” that seems to send the wrong way by default; we have a page explaining how to modify Contact Form 7 to work with DMARC. And we have another page explaining how to fix this for the Gravity Forms plugin.)
Copyright © 2000-2023 Tiger Technologies LLC