Can I send mail “from” a domain name I don't host with you?
Customers occasionally ask if it’s okay to send outgoing email through our servers using a “from” email address that isn’t hosted with us.
For example, we’ve been asked if it’s okay to send email from a “harvard.edu” address through our servers, because Harvard University doesn’t provide their alumni with an outgoing email server.
Another common issue is that when a visitor fills out a form on a website, people sometimes use scripts that try to send an email message as if it were “from” the email address of the person filling out the form.
Unfortunately, you can’t do that. While that sort of thing was commonly allowed before spam became a problem, it’s neither secure nor reliable on today’s Internet.
On this page:
- E-mail security
- Can you bypass the checks?
- What is DMARC?
- What’s the solution for forms and scripts?
E-mail security
E-mail forgery is a big problem. When you get a spam message falsely claiming to be from Citibank, Harvard, or another institution, that happened because whoever sent it, whether a spammer’s own server or another email company that incorrectly allowed one of its users to do so, was able to put citibank.com, harvard.edu, and so on in the “From” line without being entitled to.
If every mail company prevented its users from sending mail from unrelated domain names, and every receiving server checked for it, email forgery would largely stop. Most mail companies do that, but some don’t, particularly if they’ve been “hacked” or one of their customers’ accounts or scripts has been compromised.
If you send mail claiming to be from an @harvard.edu address, well-run mail servers (both on the sending end and the receiving end) make sure that you’re authorized to do that (and not forging a stranger’s harvard.edu address). Only Harvard can say whether that’s legitimate and approve it, which they do by publishing records in DNS: a list saying what servers are allowed to send mail for harvard.edu (SPF), and the public key that a legitimate “digital signature” on harvard.edu mail must match (DKIM). Of course, our servers aren’t on that list, and we don’t have Harvard’s signing key, so we can’t sign that mail with their digital signature. It will look like a forgery.
So you can’t send mail claiming to be from other domain names we don’t handle mail for.
Can you bypass the checks?
People occasionally ask if we can modify our email servers to not perform the required check, thinking that will allow the messages to be sent. But that wouldn’t work, because most receiving mail servers do the same type of check — and if it fails, they reject the mail, filter it into the user’s “spam folder”, or even just delete it.
The checks are based on SPF and DKIM. SPF is a DNS record in which a domain lists the servers allowed to send mail for it, so a receiving server can check whether the message arrived from an authorized server. DKIM is a “digital signature” added to the message by the sending server and checked against a public key the domain publishes in DNS, which indicates the message is not a forgery and was not altered in transit.
If you sent mail claiming to be “from” harvard.edu through our servers, it’s unlikely to be accepted by a receiving server, because our servers aren’t on the SPF list and we can’t sign that mail with DKIM. It will be rejected, filtered, or even just deleted.
What is DMARC?
A system called DMARC builds on SPF and DKIM. The owner of a domain publishes a DMARC record in DNS telling receiving servers what to do (nothing, put it in the spam folder, or reject it) with a message whose “From” address uses that domain but which has neither a passing SPF check for a sending address in that domain nor a valid DKIM signature from that domain. If you receive a “bounce” mentioning “DMARC”, or saying that a message was “not accepted for policy reasons”, it often means that a script on your site is sending messages claiming to be “From” an address you don’t really own.
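To make the SPF and DMARC checks above concrete, here is a small Python model of what a receiving server does with a message. It is an added example, not code from this page and not how our servers (or anyone’s) are implemented. The DNS records, IP addresses and “our server” address in it are constructed placeholders, not the real records for harvard.edu, aol.com or example.com; DKIM verification is reduced to a flag saying whether a valid signature from a given domain was present, because real signature checking needs the key and the message body. It goes a little beyond the page by also showing the DMARC “alignment” rule: SPF or DKIM passing for some domain is not enough, the domain that passed has to match the visible “From” domain.

```python
import ipaddress

# Constructed DNS TXT table (placeholders, not the real records for these domains).
# 203.0.113.0/24 stands in for "our" hosting company's outgoing servers.
DNS_TXT = {
    "harvard.edu":        ["v=spf1 include:_spf.harvard.edu -all"],
    "_spf.harvard.edu":   ["v=spf1 ip4:128.103.0.0/16 -all"],
    "_dmarc.harvard.edu": ["v=DMARC1; p=reject; aspf=r; adkim=r"],
    "aol.com":            ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_dmarc.aol.com":     ["v=DMARC1; p=reject"],
    "example.com":        ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=none"],
}
OUR_SERVER_IP = "203.0.113.10"   # hypothetical outgoing server at the hosting company

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(sending_ip, mail_from_domain, depth=0):
    """Evaluate the domain's SPF record for sending_ip (ip4/ip6/include/all only).
    Returns one of 'pass', 'fail', 'softfail', 'neutral', 'none'."""
    records = [r for r in DNS_TXT.get(mail_from_domain, []) if r.startswith("v=spf1")]
    if not records or depth > 10:   # crude stand-in for RFC 7208's 10-lookup limit
        return "none"
    addr = ipaddress.ip_address(sending_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(sending_ip, term[len("include:"):], depth + 1) == "pass"
        else:
            continue                # a/mx/ptr/exists mechanisms are not modelled here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"


def organizational_domain(domain):
    """Simplified to the last two labels; real DMARC uses the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_record(header_from_domain):
    """Parse the _dmarc TXT record into a tag dict, or None if there is none."""
    for rec in DNS_TXT.get("_dmarc." + header_from_domain, []):
        if rec.startswith("v=DMARC1"):
            return dict(kv.strip().split("=", 1) for kv in rec.split(";") if "=" in kv)
    return None


def dmarc_evaluate(sending_ip, mail_from_domain, header_from_domain,
                   dkim_signing_domain=None, dkim_signature_valid=False):
    """Return (disposition, reason): 'accept', 'quarantine' (spam folder) or 'reject'.
    DMARC passes only if SPF passed for an envelope domain aligned with the visible
    From: domain, or a valid DKIM signature's d= domain is aligned (relaxed alignment)."""
    spf_result = spf_check(sending_ip, mail_from_domain)
    spf_aligned = (spf_result == "pass" and
                   organizational_domain(mail_from_domain) == organizational_domain(header_from_domain))
    dkim_aligned = (dkim_signature_valid and dkim_signing_domain is not None and
                    organizational_domain(dkim_signing_domain) == organizational_domain(header_from_domain))
    policy = dmarc_record(header_from_domain)
    if policy is None:
        return "accept", f"no DMARC record for {header_from_domain}; spf={spf_result}"
    if spf_aligned or dkim_aligned:
        return "accept", "DMARC pass"
    p = policy.get("p", "none")
    disposition = {"reject": "reject", "quarantine": "quarantine"}.get(p, "accept")
    return disposition, f"DMARC fail (spf={spf_result}, aligned DKIM={dkim_aligned}), p={p}"


if __name__ == "__main__":
    # Mail "from" harvard.edu through our server: SPF fails, no harvard.edu DKIM -> reject.
    print(dmarc_evaluate(OUR_SERVER_IP, "harvard.edu", "harvard.edu"))
    # The form script's mistake: envelope is our domain, visible From: is aol.com -> reject.
    print(dmarc_evaluate(OUR_SERVER_IP, "example.com", "aol.com"))
    # The fix: From: on our own domain, SPF passes and aligns -> accept.
    print(dmarc_evaluate(OUR_SERVER_IP, "example.com", "example.com"))
```

Note the second case: even a DKIM signature that we could produce for example.com would not help a message claiming to be from aol.com, because the signing domain is not aligned with the “From” domain. That is exactly why the hosting company cannot “fix” this on its end.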
What’s the solution for forms and scripts?
This problem is particularly common with website contact form scripts. These sometimes try to send messages claiming to be “From” the address of the person filling out the form, which is always wrong.
For example, if your site has a “Contact Us” form, and a visitor fills it out using their own “visitor@aol.com” AOL address, your script should not send a message to your Gmail address like this:
    From: Visitor <visitor@aol.com>
    To: example.com Webmaster <you@gmail.com>
    Subject: Feedback form
This won't work. Gmail will notice that your site is sending messages from an aol.com address, but they know you aren’t really aol.com (your server isn’t in aol.com’s SPF list, the message has no aol.com DKIM signature, and aol.com publishes a DMARC policy asking receivers to reject such mail), so they reject it as a “forgery”. (While it may be the case that your visitor really owns the address “visitor@aol.com”, you don’t know if that’s actually true, and you can’t just take someone’s word for it on today’s Internet. And Gmail has no idea at all where you got the address from or why example.com is trying to send mail that claims it’s from AOL.)
Instead, make your script send email only from addresses ending with your own domain name, and put the visitor’s address in the “Reply-To” header so that replying still reaches them, as in this example:
    From: Website Feedback <webmaster@example.com>
    Reply-To: Visitor <visitor@aol.com>
    To: example.com Webmaster <you@gmail.com>
    Subject: Feedback form from Visitor (visitor@aol.com)
Gmail will accept this because you’re explicitly sending it from an address @example.com, even though it mentions “visitor@aol.com” in the “Reply-To” and “Subject” fields.
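The wrong and the recommended versions of that form script, side by side in Python’s standard email library, as an added example (this is not code from this page, and not Contact Form 7’s or Gravity Forms’ code). The site domain, the sending and receiving addresses, and the visitor’s details are constructed placeholders. Besides moving the visitor to “Reply-To”, the safe version also refuses form input containing line breaks, since anything you copy from a form into a mail header is a header-injection opportunity.

```python
import re
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

SITE_DOMAIN = "example.com"                 # the only domain this server may send "From"
SENDER = f"webmaster@{SITE_DOMAIN}"         # hypothetical From: address on our own domain
RECIPIENT = "you@gmail.com"                 # hypothetical mailbox the form notifies (constructed)

_LINE_BREAK = re.compile(r"[\r\n]")


def broken_feedback_message(visitor_name, visitor_email, body):
    """The pattern the article warns against: the visitor's address in From:.
    A receiver applying aol.com's DMARC policy will reject or quarantine this,
    and the untrusted name/address go straight into mail headers."""
    msg = EmailMessage()
    msg["From"] = formataddr((visitor_name, visitor_email))
    msg["To"] = RECIPIENT
    msg["Subject"] = "Feedback form"
    msg.set_content(body)
    return msg


def validate_visitor_address(visitor_name, visitor_email):
    """Return the bare address if the form input is usable in a header, else raise.
    Rejects line breaks (header injection) and anything that is not a single
    plain address; parseaddr() returns ('', '') on garbage."""
    for field in (visitor_name, visitor_email):
        if _LINE_BREAK.search(field):
            raise ValueError("form fields may not contain line breaks")
    _, addr = parseaddr(visitor_email)
    if not addr or "@" not in addr or addr != visitor_email.strip():
        raise ValueError(f"not a single plain address: {visitor_email!r}")
    return addr


def visitor_input_is_safe(visitor_name, visitor_email):
    """True if validate_visitor_address() would accept the input."""
    try:
        validate_visitor_address(visitor_name, visitor_email)
        return True
    except ValueError:
        return False


def safe_feedback_message(visitor_name, visitor_email, body):
    """The recommended pattern: From: on our own domain, the visitor only in
    Reply-To and Subject, so replying in your mail client still reaches them."""
    addr = validate_visitor_address(visitor_name, visitor_email)
    msg = EmailMessage()
    msg["From"] = formataddr(("Website Feedback", SENDER))
    msg["Reply-To"] = formataddr((visitor_name, addr))
    msg["To"] = RECIPIENT
    msg["Subject"] = f"Feedback form from {visitor_name} ({addr})"
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    # Constructed form submission from a visitor with an aol.com address.
    good = safe_feedback_message("Visitor", "visitor@aol.com", "Hello from your contact form.")
    print(good.as_string())
    # A submission trying to smuggle an extra header through the address field.
    print(visitor_input_is_safe("Visitor", "visitor@aol.com\r\nBcc: someone@example.net"))
```

Hand the message to your usual SMTP sending code afterwards; the envelope sender (MAIL FROM) should likewise be an address on your own domain, since that is what the receiver’s SPF check is run against.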
(Most people asking us about this turn out to be using a WordPress plugin called “Contact Form 7” that seems to send the wrong way by default; we have a page explaining how to modify Contact Form 7 to work with DMARC. And we have another page explaining how to fix this for the Gravity Forms plugin.)
Copyright © 2000-2021 Tiger Technologies LLC