I want to let users share information on my site by sending an email to a friend. Before I go too far I want to make sure I won't get blacklisted for doing something incorrectly.
If my domain is example.com can I set the mail FROM header to the email address supplied by the user?
For example, I want to share a page at example.com with my friend Bob. Bob's email address is bob@domain.com and my email address is me@anotherdomain.com. When example.com sends an email to Bob (bob@domain.com) it will set FROM to my email (me@anotherdomain.com).
Is this an issue since the email is being sent from example.com but the FROM header contains a domain other than itself?
The following would be sending from example.com
$to = 'bob@domain.com';
$subject = 'Some subject';
$msg = 'Some message';
// Header lines end with CRLF ("\r\n")
$headers = 'From: me@anotherdomain.com <me@anotherdomain.com>' . "\r\n";
mail( $to, $subject, $msg, $headers );
Or do I need to do something like the following?
$headers = 'From: me@anotherdomain.com <share@example.com>' . "\r\n";
Any and all help will be greatly appreciated.
There are multiple email headers that give some indication of who "sent" an email and who to reply to. A fairly good, casual writeup of the concept can be found on the page discussing how FormMail handles things.
In general, the Sender is the actual originator of the email message. The From Address, in contrast, is simply a header line in the email that may or may not be taken to mean anything. The From Address can often be left out completely. Spammers can easily spoof the From Address. ISPs try to ensure that spammers cannot spoof the Sender.
It sounds like what you might want is:
Sender : your site/program
From : either your site or the user
Reply-To : the user
What you write in the from header isn't that relevant. Important is that you use an envelope sender address from your domain. This is checked against SPF for example. If you want the recipient to be able to reply to me@anotherdomain.com you need to add a reply-to header as well.
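The arrangement suggested in the answers above, as an added example (not code from the original posts): the site's own address is used for From and for the envelope sender, the user's address appears only in Reply-To, and user-supplied values containing a line break are refused so they cannot add header lines. `share@example.com`, `SITE_SENDER` and `build_share_mail()` are assumed names, and the inputs are constructed.

```php
<?php
// Added example. SITE_SENDER and build_share_mail() are assumed names;
// the mailbox behind SITE_SENDER is assumed to exist on the sending domain.
const SITE_SENDER = 'share@example.com';

/**
 * Build the arguments for mail(): the site is the sender, the user only
 * appears in Reply-To. Returns null if any user-supplied value is unsafe.
 */
function build_share_mail(string $userName, string $userEmail, string $friendEmail,
                          string $subject, string $body): ?array
{
    // Each address must be one syntactically valid address (this also
    // rejects embedded CR/LF and comma-separated lists).
    foreach ([$userEmail, $friendEmail] as $addr) {
        if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
            return null;
        }
    }
    // A line break in a header value would let the submitter add header
    // lines, so refuse it instead of trying to clean it.
    foreach ([$userName, $subject] as $value) {
        if (preg_match('/[\r\n]/', $value)) {
            return null;
        }
    }
    // Quoted display name (ASCII names assumed; others need RFC 2047 encoding).
    $display = '"' . str_replace(['\\', '"'], ['\\\\', '\\"'], $userName) . '"';

    $headers = implode("\r\n", [
        'From: ' . $display . ' <' . SITE_SENDER . '>',
        'Reply-To: ' . $display . ' <' . $userEmail . '>',
    ]);
    // Envelope sender: a constant on our own domain, never user input.
    return [$friendEmail, $subject, $body, $headers, '-f' . SITE_SENDER];
}

// Constructed inputs: a normal submission and one with a line break in the name.
$ok  = build_share_mail('Me', 'me@anotherdomain.com', 'bob@domain.com',
                        'A page you might like', 'https://example.com/page');
$bad = build_share_mail("Me\r\nX-Injected: 1", 'me@anotherdomain.com',
                        'bob@domain.com', 'A page you might like', 'hello');

echo $ok[3], "\n";
echo 'envelope: ', $ok[4], "\n";
var_dump($bad);   // the second submission is refused
// To send: if ($ok !== null) { mail(...$ok); }
```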
No, it really DOESN'T matter which From: header email has been set
Why didn't you try it?
Many, if not most, email servers are not registered for a specific domain, the bigger issue is if your server correctly identifies itself (having a reverse lookup entry can help) and make sure it's not blacklisted. You can use a service like: http://www.dnsbl.info/ to check.
Most hosts with dynamic IPs are considered suspect, but even a dedicated VPS can be listed, so it's worth checking. You should also correctly format the headers as outlined in some of the other responses. If this is for a critical application (e.g., you are charging people and they expect to get mail), you should consider a 3rd-party SMTP which should take care of making sure you don't get blacklisted.
Recently AOL has started rejecting emails sent from my production server.
Customers make product enquiries through my site and can "cc" themselves if they wish. I check for spam (e.g. don't send if request contains banned phrases, urls, etc). However, recently, if the enquirer is an AOL customer, the message bounces:
<*removed!*@aol.com>: host mailin-04.mx.aol.com[64.12.88.132] said: 521 5.2.1 :
AOL will not accept delivery of this message. (in reply to end of DATA
command)
Email protocol is not my area of expertise! I just use the standard PHP mail() function and this has worked ok for years.
I have looked through the AOL Postmaster support pages and contacted AOL (which, obviously, was my first port of call - but they have yet to respond), plus I don't really understand the problem (which is 50% of finding the solution!).
http://postmaster-blog.aol.com/2014/04/22/aol-mail-updates-dmarc-policy-to-reject/
...it seems as though AOL are saying "we don't like the way that you send emails, sorry to inconvenience you..."
If anyone has any experience or specific insight into how to get AOL to accept emails then I would love to hear from you. I'm guessing that it could be something to do with how my emails are formed: this hasn't changed in years and (previously) I've had no reason to look at the code:
Here is an edited version of how I send emails...
$recipient = "\"$supplier[supplierName]\" <$supplier[supplierEmail]>";
$subject = "$supplier[supplierName] enquiry";
$headers = "MIME-Version: 1.0".PHP_EOL;
$headers .= "Content-type: text/html; charset=utf-8".PHP_EOL;
$headers .= "Reply-To: \"$cleanArrayEmail[realname]\" <$cleanArrayEmail[email]>".PHP_EOL;
// ADMIN_EMAIL is a constant, so it has to be concatenated; it is not expanded inside a string
$headers .= "From: \"Admin\" <".ADMIN_EMAIL.">".PHP_EOL;
if (!empty($_POST['cc'])) {$headers .= "cc: \"$cleanArrayEmail[realname]\" <$cleanArrayEmail[email]>".PHP_EOL;}
// '-f' sets the envelope sender (Return-Path) to the admin address
mail ($recipient, $subject, $msg, $headers, '-f'. ADMIN_EMAIL );
Many thanks
Steve
To the best of my knowledge, AOL indeed rejects mails which either claim to be from AOL (FROM header, DMARC), or which are not from AOL but use an AOL address as the Reply-To header. However, I cannot say whether this is due to DMARC or not. I can hence confirm what Steve is saying; I noticed the same behavior in my application.
As soon as the Reply-To header is removed or changed to a non-AOL address, the mail is delivered correctly. It is however interesting to note that only the AOL customer who is put in the Reply-To field does not receive the mail. If there are other AOL-mails in the TO header, those are delivered and not blocked.
I mentioned that I am not sure whether they reject it due to DMARC or not. An interesting hint can be found at the AOL postmaster blog introducing DMARC. Here it is explicitly recommended to use the Reply-To line and put the actual address in there. Further, mails rejected due to a failed DMARC check are normally rejected using an error code noting the failed DMARC check.
Ditto what waza-ari said (AOL will not deliver email that is sent from a non-AOL server with a Reply-to containing an AOL address) - and this also applies to addresses containing a Compuserve address. I have heard it also applies to Hotmail & Yahoo addresses, but have not personally experienced that.
I have system code that emails 2 people if one of them accesses the other's research data (it's a collaborative research system, so users want to know if another person shares their interests). I prefer to have the Reply-to contain only their two addresses, as I don't need to be part of the subsequent conversation. However, I can't put an AOL/Compuserve address in the Reply-to field, as it will be rejected.
My solution is for the code to parse the user addresses and if either is in one of those domains, it substitutes our site's "info@" address as the Reply-to address, and the body of the email shows both users' addresses and tells them to email each other. This might not scale well to a larger customer base of users who ignore instructions and just hit Reply. It works well for me, but I probably generate less than 100 of these emails per month, and in a year of using this code, I've never had someone accidentally reply to me. I use the same "parse and substitute" code in our contact form where a user's email address would normally be inserted as the Reply-to.
AOL recently implemented DMARC Rejection, as did Yahoo before them. What this means is that if your PHP code attempts to send an email that claims to be FROM a Yahoo.com or AOL.com address, it will not be accepted by the recipient's mail server, be it AOL, Yahoo, Gmail, or anyone else that supports DMARC.
Look at your email FROM address: is it AOL or Yahoo? If so then DMARC may be your problem; if not, then it's probably something else. DMARC policies are set in DNS records for every domain; you can use this tool to check the DMARC policy for your FROM domain.
https://dmarcian.com/dmarc-inspector/aol.com
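A check along the lines this answer describes, as an added example (not code from the original posts): it parses a DMARC TXT record and decides whether an address from that domain can be used in From or has to go in Reply-To instead. The function names, domains and sample records are constructed; `lookup_dmarc()` shows where a live record would come from and is not called here.

```php
<?php
// Added example. Function names and the sample records are constructed.

/** Parse a DMARC TXT record into [tag => value]; null if it is not usable. */
function parse_dmarc(string $txt): ?array
{
    $tags = [];
    foreach (explode(';', $txt) as $part) {
        $part = trim($part);
        if ($part === '') {
            continue;                          // a trailing ";" is allowed
        }
        $kv = explode('=', $part, 2);
        if (count($kv) !== 2) {
            return null;                       // not a tag=value pair
        }
        $tags[strtolower(trim($kv[0]))] = trim($kv[1]);
    }
    // The version tag must come first and be exactly DMARC1.
    if (array_key_first($tags) !== 'v' || $tags['v'] !== 'DMARC1') {
        return null;
    }
    // Simplification: a record without a p tag is treated as unusable.
    if (!isset($tags['p'])) {
        return null;
    }
    $tags['p'] = strtolower($tags['p']);
    return $tags;
}

/** Live lookup (not called below): TXT record at _dmarc.<domain>, or null. */
function lookup_dmarc(string $domain): ?string
{
    foreach (@dns_get_record('_dmarc.' . $domain, DNS_TXT) ?: [] as $rr) {
        if (stripos($rr['txt'] ?? '', 'v=DMARC1') === 0) {
            return $rr['txt'];
        }
    }
    return null;
}

/** Decide where an address from this domain may appear in mail we send. */
function placement_for(?string $dmarcTxt): string
{
    $rec = $dmarcTxt === null ? null : parse_dmarc($dmarcTxt);
    if ($rec === null) {
        return 'no DMARC policy found';
    }
    return in_array($rec['p'], ['reject', 'quarantine'], true)
        ? 'Reply-To only: From with this domain, sent by us, fails DMARC'
        : 'policy is p=none: receivers are asked only to report';
}

$samples = [
    'strict.example'      => 'v=DMARC1; p=reject; rua=mailto:reports@strict.example;',
    'watching.example'    => 'v=DMARC1; p=none',
    'spfonly.example'     => 'v=spf1 -all',
    'unpublished.example' => null,
];
foreach ($samples as $domain => $txt) {
    printf("%-20s %s\n", $domain, placement_for($txt));
}
```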
My webhost ONLY allows sending/receiving emails IF either the sender or receiver is hosted with them. (freehostia.com)
This is a huge disadvantage to me (and I'm assuming everyone else), because of the way my website works.
(My website: I have a classifieds website where CustomerA posts an ad with her email and CustomerB replies via the email form with his email. Neither email is hosted with my host.)
I asked if I could use an external SMTP server (such as Gmail) to bypass the limitations, and they said "Even if you set an external MX record for your domain you will not be able to send e-mails via your mail forum, if you do not use a mailbox from your hosting account with us as a sender or recipient."
Theoretical Workaround:
Auto-enter and hide my hosted email into the "email" section of the form
Have a new section for customer to input their email
When a message is sent, embed customer's message and email into a default message. It will look like this:
To: customerA@example.com
From: DONOTREPLY@example.com
Subject: You have received a message!
Body: Blahblahblah (customer's message) blahblah. To reply, email: customerB@example.com
Sorry about all the confusion. Would this work? Should I give up? I really like my host, but should I switch? Or is there a better workaround?
While you don't need to send through a different server, you can just send to whom you need and set the reply to any address you want.
The mail function allows you to set your own headers as a final parameter.
$headers = "Reply-To: someone@some_other_domain.com\r\n";
mail($to, $subject, $body, $headers);
You can set the reply-to address.
That way even though the email is sent from your address, when the recipient hits reply it creates an email to the address given in the reply-to.
I'm not sure what you are using to send mail but there are some examples in the PHP documentation mail function - http://php.net/manual/en/function.mail.php
I'm using PHP's mail() function to send some emails. But all my mails land automatically in the trash box. Is there a way of preventing this? If so, where should I read to learn more about it?
Would you recommend me using PHPMailer?
Best of regards,
Alexander
TL;DR: There's no magic bullet. Just because you can learn how to form an email in PHP, does not guarantee it is routed to someone's mailbox, or even accepted. Success is based on reputation, not any single fix.
I am (edit: was) a mail server engineer, have written SpamAssassin rules, and have deep-dived issues for customers sending or receiving email.
The recipient's mail server scans your email, looking for attributes and "historical problems" (lack of mail agent, coming from your webserver IP, etc). These get "points". The total number of points is compared, and the recipient's server may do one or more of the following:
refused during SMTP,
routed to Spam folder,
routed to Inbox, but tagged "SPAM"
blackholed (accepted, then mysteriously lost).
"Points" (score) only means something to a particular anti-spam solution. There is no public test. Fix ALL the problems you can, and success goes up.
The #1 issue is: do not send email directly to the recipient's SMTP server. This network space sends 99.9% spam. It costs money to scan email, so a good email admin will block or refuse such connections.
The "fix" for your source IP is: Use an SMTP Gateway. The gateway can be your ISP mailserver, or a commercial service. Check first with their terms of service. They may prohibit sending emails using an authenticated web form, since these are so frequently abused ("someone hacked me" is not an excuse).
If you have email hosting, do the following: create a mailbox called for example 'website-notification@websitedomain.com'. Call it what you like. Now you want your PHP script to send the email -through- that address, using Authenticated SMTP. I'll leave the process of learning how to use Authenticated SMTP from PHP as a learning exercise for you (there are many tutorials online).
Once you send emails through your valid SMTP server, the mail is seen as "originating" from your SMTP gateway. It's not seen as coming from your script. But this isn't the end of the story.
As someone else noted, be sure you are not missing display headers such as To: From: Subject: and Date:. Strictly speaking these headers are NOT "required" in email handshaking, but in practical terms no reputable email software omits them. Also, Date must be in the standard date format, or some spam filters will flag it.
This topic is not to be confused with "envelope headers" (the hidden stuff in the SMTP handshaking), which can also impact your score. Using an SMTP Gateway usually takes care of this (since the recipient's mailserver will handshake with your gateway host).
Your FROM address must be VALID. Do not use a fake domain. Do not use your domain name with a fake mailbox name. Some anti-spam software will do a "Sender Verify" to test if the From address is bogus or fake (oversimplified: they'll try sending a reply and see if you would accept it or not).
The #1 mistake is setting your from address as "noreply@yourdomain.com", and not creating that mailbox. When that happens, everyone's "Sender Verify" on your email fails, and you look like a spammer covering their tracks.
If your domain DNS has an SPF record, be 100% sure it lists every IP that might send email for your domain. This is a technical topic. Having a valid, correct SPF record helps your deliverability a little bit. But if you misunderstand and create a bad (incorrect) SPF record, you will be worse off. Take your time to understand before using this.
If you have a business with a real address or PO box, don't use "Domain Registration Privacy" or "Domain Proxy" services if you can avoid it. When this was written (2011), it used to be very true that anonymizing services could get your mail blocked, or "tagged spam". This is less true today, but it's still worth considering.
Know the IP address of your mailserver, and regularly check that it is not "blacklisted" at SpamCop, SpamHaus, or the Barracuda spam blacklists. Google for more. There are monitoring services, and scripts which can alert you. But if you get on these lists, it means there is something else happening you were not monitoring for...
As said, no simple answer. :)
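For the point above that an SPF record has to list every IP that sends for the domain, this added example (not part of the original answer) checks a sending IPv4 address against the `ip4:` mechanisms of a record and reports the mechanisms it cannot evaluate without DNS. The record, the host name and the addresses are constructed, using documentation ranges; 64-bit PHP is assumed.

```php
<?php
// Added example; the record and addresses are constructed (documentation ranges).

/** True if $ip lies inside $cidr ("192.0.2.0/24", or a bare address meaning /32). */
function ip4_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipL  = ip2long($ip);
    $netL = ip2long($net);
    if ($ipL === false || $netL === false || !ctype_digit($bits) || (int) $bits > 32) {
        return false;
    }
    // Assumes 64-bit PHP, where ip2long() returns a non-negative integer.
    $mask = (int) $bits === 0 ? 0 : (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipL & $mask) === ($netL & $mask);
}

/**
 * Evaluate only what can be decided without DNS: ip4 and all.
 * Returns the SPF result, or 'unknown' when a term that needs a lookup
 * (include, a, mx, exists, ptr, redirect=) comes before the deciding term.
 */
function spf_check_ip4(string $record, string $ip): array
{
    $results = ['+' => 'pass', '-' => 'fail', '~' => 'softfail', '?' => 'neutral'];
    $terms = preg_split('/\s+/', trim($record));
    if (strtolower((string) array_shift($terms)) !== 'v=spf1') {
        return ['result' => 'none', 'unresolved' => []];
    }
    $unresolved = [];
    foreach ($terms as $term) {
        $qual = '+';
        if (strpos('+-~?', $term[0]) !== false) {
            $qual = $term[0];
            $term = substr($term, 1);
        }
        $lower = strtolower($term);
        if (strpos($lower, 'ip6:') === 0 || strpos($lower, 'exp=') === 0) {
            continue;                  // cannot decide the result for an IPv4 sender
        }
        $matched = $lower === 'all'
            || (strpos($lower, 'ip4:') === 0 && ip4_in_cidr($ip, substr($term, 4)));
        if ($matched) {
            return ['result' => $unresolved ? 'unknown' : $results[$qual],
                    'unresolved' => $unresolved];
        }
        if (strpos($lower, 'ip4:') !== 0) {
            $unresolved[] = $term;     // needs a DNS lookup to evaluate
        }
    }
    return ['result' => $unresolved ? 'unknown' : 'neutral', 'unresolved' => $unresolved];
}

$record = 'v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all';
foreach (['192.0.2.25', '198.51.100.7'] as $ip) {
    $r = spf_check_ip4($record, $ip);
    printf("%-13s %-8s unresolved: %s\n", $ip, $r['result'],
           implode(' ', $r['unresolved']) ?: '-');
}
```

An `unknown` result means the listed mechanisms still have to be resolved and checked before the record can be trusted to cover that address.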
I suppose you mean trash box at the receiver's end. So basically the receiving email server is regarding it as spam. This can happen if:
1) The IP you are sending from is already blacklisted for spamming (happens often in shared hosting)
2) The IP and domain are relatively new and unknown.
(Note that many times, newsletters from well established sites also end up in spam).
If it's your dedicated IP, then setting RDNS for the IP to match the domain name will very likely solve the issue. Another usual practice is to alert the receiver (if she is subscribing on your website) to check their trash/spam folder and whitelist your email address in their mail account.
regards,
JP
JP's answer is partly correct, but it also could be your headers in the email. I know from experience this sends stuff to the spam folder. Try the following:
Set the emails to your domain, something like no-reply or a valid reply.
$to = 'nobody@example.com';
$subject = 'the subject';
$message = 'hello';
$headers = 'From: webmaster@example.com' . "\r\n" .
'Reply-To: webmaster@example.com' . "\r\n" .
'X-Mailer: PHP/' . phpversion();
mail($to, $subject, $message, $headers);
This probably has something to do with your mail client and spam settings configuration. Try opening account on gmail.com and sending email there, if it's OK you know it is your mail server/client problem. If it's not, post your PHP code and full email headers of the email you've got.
This happens because many a time headers are missing / if it's a well known email server, the domain key signature is not present, or something like that. If you already have a separate email server, you should check out if you can use the PHP Pear Mail package to send email using your email server, rather than directly via mail function. That's what I find convenient, as it's much more flexible.
I've been getting very annoyed at this as no matter what it seems spam filters are still calling my website's auto responder as spam. I've set all my headers correctly and this is what I have so far!
$headers = "From: Name<name@website.com>\r\n"
."Return-Path: Name<name@website.com>\r\n"
."Reply-To: Name<name@website.com>\r\n"
."Message-ID: <". time() .rand(1,1000). "@".$_SERVER['SERVER_NAME'].">\r\n"
."X-Mailer: PHP v".phpversion()."\r\n"
."MIME-Version: 1.0\r\n"
."Content-Type: text/plain; charset=iso-8859-1\r\n";
@mail($_POST['email'], "Subject", "Message", $headers);
Please help me on this one! :)
This is being sent from my shared hosting provider's servers.
Would it help if I added the 5th parameter as below?
"-f email@website.com"
Have you read this?
So You'd Like to Send Some Email (Through Code)
In a nutshell:
Make sure the computer sending the email has a Reverse PTR record
Configure DomainKeys Identified Mail in your DNS and code
Set up a SenderID record in your DNS
There are a huge amount of things that contribute to deliverability issues. To scratch the surface:
Subject line?
Message Body?
Are your PTR records correct?
Do you have SPF / Sender ID / DKIM / Domain keys setup and configured?
Are your sending IPs blacklisted? (senderbase.org is a good way to check reputation. mxtoolbox.com is nice for checking common blacklist status.)
Most spam software will append headers to the messages marked as spam. You can check those out for additional information / the reason why they are being marked spam.
Is this on a home IP address? I've found that many spam filters will automatically block E-Mails coming from what looks like a home IP address.
Reverse lookup on your mx records are crucial too. The email address that it's coming from (in your example: "website.com") better be sent from the server where the mx record for website.com points to.
So if I sent an email from the address example.com, but it was sent from a server hosted at website.com, then the reverse lookup on the MX record fails because it sees that the IP address for the email address doesn't match where it was sent from.
You can also use a service like http://www.mxtoolbox.com/blacklists.aspx to check if your domain has been blacklisted.
There are also services that will analyze your email for getting labeled as spam or junk. Just search Google for email spam checker.
You mentioned in a comment that you're using shared hosting: that right there is a huge strike against you when it comes to spam filters. Most recipients now perform a reverse DNS lookup to confirm the IP address and the host name of the sender match up; which will not happen on shared hosting.
More info:
Anti-spam techniques: PTR/Reverse DNS checks
I've configured several headers in the mail() function, sender name and other fields appear as set. But, in the gmail mailed-by field, I see the hostname of my server, even though I've set the Mailed-By header to be different... Is there a way to change this, or am I specifying the wrong header to effect the change?
Current Headers:
From: no-reply@example.com
Mailed-By: Example.com
X-Mailer: Example/1.0
If you post the headers you are sending it will be easier to diagnose the issue. But the header should be "X-Mailer" to set the application mailed-by field, as far as I know. If that does not work, post your current headers and we can help you further / better.
EDIT:
Doing some further research, it seems the 5th parameter with the "-f" flag would be the way to do it:
mail($to, $message, $body, $headers, '-fnoreply@yourmailer.com');
Is a possibility. That is generally an email address, so you would have to see what values it accepts etc. I found this information from the Joyent Discussion Board.
But reading that it may not be what you want.
-fname Sets the name of the "from" person (i.e., the sender of the mail). -f can only be used by "trusted" users (normally
root, daemon, and network) or if the person you are trying to
become is the same as the person you are.
From the sendmail Man page. I will see if I cannot strum anything else up.
It sounds like that mailed-by header was added by your mail transfer agent, or gmail, after it left PHP. Sounds like it may be a security measure so abuse reports can be tracked down.
I don't know if this has been solved as it's old but I had the same issue on a contact page from my website. We wanted club members to be able to use a form to contact the officers. But I wanted it to look like it came from the e-mail address the user entered so the officer could respond directly. I found this code and modified it for my site.
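// $email comes from the form: validate it and reject line breaks before it goes into a header
$headers = "From: <$email>\r\n";
$headers .= "X-Sender: <$from>\r\n";
$headers .= "X-Mailer: PHP\r\n";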
$email is the address the user entered. I can't say I understand it all but it solved my issue.
You cannot set the Mailed-by option on your own.
You have to publish your SPF record and should have a DKIM signature for this.
For extra Information click on this link.
https://support.google.com/mail/answer/180707?hl=en