I am using phpmailer to send email. I need to know how to hide or mask sender email address
You can specify any sender email address anyway, since SMTP by itself does not place any requirements on sender email addresses.
If the actual SMTP server you use places restrictions on email addresses (e.g. corporate servers which do not allow sender emails outside of the company domain) there's no way around that, unless of course you can influence the mail server configuration.
Update:
You say in a comment that you want to use gmail to send email where the sender's address is not a gmail address. There is no way to do that.
This is a rare situation you have here... if you do not have a mail server you can still tell PHPMailer to send from a different address just set the From attribute of the PHPMailer object to the address you want. But Wait! if your server doesn't exists, the client can't verify the account and then your mail will more likely be deleted (moved to spam in the more benevolent scenario). If you are trying to mimic third party mail, I'll help you no futher.
Note: Your mail server may be valid but clients are still unable to verify it, and thus you are getting mails delivered to spam or deleted. Check "Must Read" to below to have some inside on how to solve this.
On the other hand, if you already have a mail server, then tell PHPMailer you want to use it, set the Host and Port attributes to your domain name and port respectively. The same if you want to use an account form a different server, remember to set the attributes Username and Password correctly, you may also need to set SMTPAuth = true; and SMTPSecure = 'ssl'; depending on the server. [Note: Username and From may differ]
Now, if you want to use an account from Gmail, you could easily set an alias in Gmail to send as another account [Go to Settings-> Accounts And Import -> Send mail as -> (click) Send Mail From Another Address], that can be the case if you have a mail server but you cannot afford to have it online, you will need to start your server so you can receive the confirmation code Gmail generates to verify your account. Check recommended read for PHP side configuration details.
Lastly if for some rare circunstancies you can't tell PHPMailer to use your mail server, but you do in fact have one, and that one is able to recieve the mail... you can use AddReplyTo('me#example.com', 'My Name'); Most clients will understand that any reply to the message must be (unless explicitly defined by the user) directed to "me#example.com" in this case.
Disclaimer: I take no responsibility of any harm result of the use of the method I mention here, such as (but not limited to) your mail account getting banned.
Must read:
Coding Horror on sending mail via code
Recommended read: PHPMailer Tutorial (old version)
No need (neither a good way) to hide or mask whatsoever.
I assume you already know how to use the class you are talking about.
You probably have some variable for sending email, like
var $From = "someguy#whatever.com";
you can type whatever you want into that email address. Gmail dont care what email things is sent from.
And no, this dosent sound very legit.
One more thing: Gmail requires a gmail account to relay mails. Its no problem, it wont be visible.
You want to "show the company email address as sender" but you "didn't (sic) have any email server"?
Can anyone actually send you email at your company email address? If so, use that server which is hosting your email to send out from.
If you don't really have a company email address, then I suggest you get a gmail address like companyname#gmail.com and just send from that. Otherwise the email will appear as spam to a great many of your recipients.
Now, if the people you are about to send an email to actually signed up to be on your mailing list then you can use a third party application like Constant Contact to do your broadcasts from.
If they haven't, then I suggest you not send an email at all.
in mail headers you can have both a Sender: and a From: header which in most mail clients is displayed as either just the From or in some cases Sender on behalf of From, using this way is a nice and clean way to be able to send From a different mail address then the actual Sender mail server
This is highly illegal.
var $From = "someguy#whatever.com";
Is the only option your have for trying to hide email address. But no matter what your email will be inscribed with IP. Someone who knows what they are doing will still be able to trace the email back to the source.
Related
I have a website with a webform which users can use to contact a company. The webform internally creates an email in PHP using PHPMailer and is sending this email via SMTP to the company.
The company has a customer-management-system which identifies the user by looking at the sender of the email. Which means I couldn't send the email from the form from "form#example.com" to "customer-relations#example.com", but need to send it from "customeremail#customerdomain.com" to "customer-relations#example.com".
This worked for some years now, but since some time, we get the error-message:
"envelope sender not allowed customeremail#customerdomain.com"
for example from emails from #gmail.com. Other domains still work.
I understand that it is not good practice to "fake" the sender of the email to make the identification of the customer-management-system work. The developer of the customer-management-systems are not able to offer a solution yet (no comment on that...), so perhaps there are any ideas here which we could try to make this work?
I want to use PHPMailer configure the contact page for my website. The prroblem I am facing is that for the script to work, the from address has to be set in the local server e.g. if my domain is example.com, the from address has to be name#example.com. When I set it this way, the script works perfectly.
the issue I'm having is that being a contact page, the from address has to be the senders email address this there for means that if a customer contacts me with the email address like name#email.com, the script will throw an error similar to the one below:
SMTP ERROR: DATA END command failed:
550-Your FROM address ( name#email.com , Dev Customer 550-)
must match your authenticated email user ( name#example.com ).
Does anyone have any idea on a way to work around this? Or are there any alternatives? I will appreciate any form of assistance offered. Thank you in advance.
As per Tigger's suggestion, you should never send using the submitter's address as a From address. It's forgery, and will make your messages fail SPF checks, causing you no end of delivery problems either with messages bouncing or consigned to spam folders. It's been actively advocated against for at least a decade anyway, and it's also one of the practices that would cause you to be vulnerable to the security hole in PHPMailer fixed back in December.
Since you've tagged this with PHPMailer, I'll show how to use that to do what you ask:
$mail->setFrom('me#example.com', 'Contact form');
$mail->addReplyTo($_POST['email'], $_POST['name']);
This is exactly what the example contact form script provided with PHPMailer does. It's also worth checking submitted values - addReplyTo will validate the address automatically, so you should check the return value to be sure.
There may be some email clients that do not handle reply-to addresses correctly, but you should not expose yourself to being blacklisted because of the ineptitude of a small number of clients.
I have a web app which needs to send emails to clients 'From' staff email addresses. What's the best way to prevent my messages from being flagged as spam?
For instance, if I own charles#gmail.com, I'd like to be able to send mail "From" that address with PHP in my App, without getting the "This message may not have been sent by...." message.
Right now I'm just using the mail() function within PHP, with Headers for the From, Return Path, and X-Mailer variables.
I'm generally pretty confused by everything I've read so far about SPF and DKIM, so I appreciate any advice. Thanks.
This is a very lengthy subject with lots of things to consider.
The most important rule is to not use HTML and to send only correct mails that people want, and that the recipients do not flag as spam theirselves.
For instance, if I own
charles#gmail.com, I'd like to be able
to send mail "From" that address with
PHP in my App, without getting the
"This message may not have been sent
by...." message.
If you own a gmail address you could just sent the messages via gmail's SMTP service, but keep in mind that gmail has a 500 email sent limit. Below is a topic describing how to use gmail's SMTP server with the popular PHPMailer.
Right now I'm just using the mail()
function within PHP, with Headers for
the From, Return Path, and X-Mailer
variables.
Outsourcing this is probably the way to go using for example:
http://sendgrid.com/
We also offer a Free Plan with 200
Email Credits per day.
To read pricing visit http://sendgrid.com/pricing.html
http://elasticemail.com/
No monthly committments, no minimums,
no limits. Just pay for what you use
at $0.001 / email or less.
http://aws.amazon.com/ses/
Email messages are charged at $0.10
per thousand.
http://aws.amazon.com/ses/pricing/
http://www.cloudsmtp.com/
http://postmarkapp.com/
Just to name a few which are very cheap to use without any hassle/setup.
If instead of using the mail() function, you use an SMTP mailer such as the PEAR mailer package then you can send the mail using google's own SMTP servers. This will require you to provide the correct credentials to the google account you wish to send from. This should avoid the issue you are having.
One of the first things you need to ensure is that the email "From:..." really is from your server e.g your_mailings#yourcompany.com and it must exist and be a valid email on the server where the script works. You should try setting the sendmail user at the top of your script (assumes Linux server):
ini_set('sendmail_from', 'your_email#your_server.com');
Then you add a "Reply-To:" header and use your staff addresses perhaps and recipients will at least seem to have got an email that can be replied to. Without that you probably won't even get as far as being spam, you will get blocked on the way there.
This thread shows some of that and note the comments on PHPMailer - it is a good way to handle mailing and I have found it more successful than simple mail();
PHP mail form isn't working
Im using PHP's mail() function to send some emails. But all my mails land automaticly in the trash box. Is there a way of preventing this? If so, where should i read to learn more about it.
Would you recommend me using PHPmailer?
Best of regards,
Alexander
TL;DR: There's no magic bullet. Just because you can learn how to form an email in PHP, does not guarantee it is routed to someone's mailbox, or even accepted. Success is based on reputation, not any single fix.
I am (edit: was) a mail server engineer, have written SpamAssassin rules, and have deep-dived issues for customers sending or receiving email.
The recipient's mail server scans your email, looking for attributes and "historical problems" (lack of mail agent, coming from your webserver IP, etc). These get "points". The total number of points is compared, and the recipient's server may do one or more of the following:
List item
refused during SMTP,
routed to Spam folder,
routed to Inbox, but tagged "SPAM"
blackholed (accepted, then mysteriously lost).
"Points" (score) only means something to a particular anti-spam solution. There is no public test. Fix ALL the problems you can, and success goes up.
*The #1 issue is: do not send email directly to the recipient's SMTP server. This network space sends 99.9% spam. It costs money to scan email, so a good email admin will block or refuse such connections.
The "fix" for your source IP is: Use an SMTP Gateway. The gateway can be our ISP mailserver, or a commercial service. Check first with their terms of service. They may prohibit sending emails using an authenticated web form, since these are so frequently abused ("someone hacked me" is not an excuse).
If you have email hosting, do the following: create a mailbox called for example 'website-notification#websitedomain.com'. Call it what you like. Now you want your PHP script to send the email -through- that address, using Authenticated SMTP. I'll leave the process of learning how to use Authenticated SMTP from PHP as a learning exercise for you -- there are many tutorials online).
Once you send emails through your valid SMTP server, the mail is seen as "originating" from your SMTP gateway. It's not seen as coming from your script. But this isn't the end of the story
As someone else noted, Be sure you are not missing display headers such as To: From: Subject: and Date:. Strictly speaking these headers are NOT "required" in email handshaking, but in practical terms no reputable email software omits them. Also, Date must be in the standard date format, or some spam filters will flag it.
This topic is not to be confused with "envelope headers" (the hidden stuff in the SMTP handshaking), which also can also impact your score. Using an SMTP Gateway usually takes care of this (since the recipient's mailserver will handshake with your gateway host).
Your FROM address must be VALID. Do not use a fake domain. Do not use your domain name with a fake mailbox name. Some anti-spam software will do a "Sender Verify" to test if the From address is bogus or fake (oversimplified: they'll try sending a reply and see if you would accept it or not).
The #1 mistake is setting your from address as "noreply#yourdomain.com", and not creating that mailbox. When that happens, everyone's "Sender Verify" on your email fails, and you look like a spammer covering their tracks.
If your domain DNS has an SPF record, be 100% sure it lists every IP that might send email for your domain. This is a technical topic. Having a valid, correct SPF record helps your deliverability a little bit. But if you misunderstand and create a bad (incorrect) SPF record, you will be worse off. Take your time to understand before using this.
If you have a business with a real address or PO box, don't use "Domain Registration Privacy" or "Domain Proxy" services if you can avoid it. When this was written (2011) It used to be very true that anonymizing services could get your mail blocked, or "tagged spam". This is less true today, but it's still worth considering.
Know the IP address of your mailserver, and regularly check that it is not "blacklisted" at SpamCop, SpamHaus, or the Barracuda spam blacklists. Google for more. There are monitoring services, and scripts which can alert you. But if you get on these lists, it means there is something else happening you were not monitoring for...
As said, no simple answer. :)
I suppose you mean thrash box at the receiver's end. So basically the receiving email server is regarding it as spam. This can happen if:
1) The IP you are sending from is already blacklisted for spamming (happens often in shared hosting)
2) The IP and domain are relatively new and unknown.
(Note that many times, newsletters from well established sites also end up in spam).
If its your dedicated IP, then setting RDNS for the IP, to match the domain name will very likely solve the issue. Another usual practice is to alert the receiver (if she is subscribing on your website) to check their thrash/spam folder and whitelist your email address in their mail account.
regards,
JP
JP's answer is partly correct but it also could be your header's in the email i know from experience this sends stuff to the spam folder try the following;
set the emails to your domain something like no-reply or a valid reply.
$to = 'nobody#example.com';
$subject = 'the subject';
$message = 'hello';
$headers = 'From: webmaster#example.com' . "\r\n" .
'Reply-To: webmaster#example.com' . "\r\n" .
'X-Mailer: PHP/' . phpversion();
mail($to, $subject, $message, $headers);
This probably has something to do with your mail client and spam settings configuration. Try opening account on gmail.com and sending email there, if it's OK you know it is your mail server/client problem. If it's not, post your PHP code and full email headers of the email you've got.
This happens because many a times, headers are missing / if its a well known email server domain key signature is not present, or something like that. If you already have a separate email server, you should check out if you can use the PHP Pear Mail package to send email using your email server, rather than directly via mail function. That's what I find convenient, as its much more flexible.
I have a website, example.com hosted at godaddy. I was just messing around with PHP's mail function and uploaded the following to my website at example.com:
mail( "someone#yahoo.com", "test", "test message", "From: someone#gmail.com" );
Why does this work? I mean, it shouldn't, right? The "From" address domain isn't "#example.com". Yet, when I check my email at someone#yahoo.com, I get the message from someone#gmail.com... How is it that I'm able to (potentially) send an email from anyone's email account without their password?
This is possible, as in, you can put into the E-Mail headers whatever you want, including a totally arbitrary sender address. You are right, though, security-conscious providers will usually configure their outgoing mail services in a way that allows only sender addresses residing on the server the mail gets sent from; but they don't have to.
Also, on the receiving end, messages where the sender address belongs to a domain that is not associated with the sending mail server very often end up in the Spam folder.
It's (as you already know) very bad practice to make use of this. As to whether the provider is at fault - it could be anything from a sign of trust (if you are the only user on the server, or one of select few clients) to carelessness. You may have reason to complain because if one of your web hosting neighbours misuses this to send spam, the server's IP address might get blacklisted, causing any E-Mail coming from it (legit or not) to get caught in spam filters.
it's because of email format specification.
have a look at the email's header specification, you might refer to the http://en.wikipedia.org/wiki/Email#Header_fields
that is the reason why one should never trust the "from" information once you receive an email.
This is why systems like Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) have been introduced.
SPF allows admins to define where email for a particular domain is supposed to originate. In your example, and assuming that SPF records were set up, the records would show that the Go Daddy host from which the mail was sent was not an authorised sender for the gmail.com domain. A (Yahoo) mail server that receives that mail and does SPF validation would probably reject the mail.
DKIM uses digital signatures to allow a sending mail server to show that an email came from the domain it says it came from. In your example, you wouldn't be able to sign your email and make it look like it really came from Gmail, because you don't have their key.
Both these systems require proper SPF/DKIM records to be set up, and also require that the mail server that handles the email for its recipient actually performs the validation.
So don't worry: this problem is being worked on :-)
Whether you should be able to do this is basically a matter of who you ask. The email RFC states that you should. Best practice for hosting and ISP says you shouldn't.
So seen from PHP point of view. Yes you should
Edit:
And btw you're not sending the mail from somebody's account your simply stating that you email is something differrent from what's actually true. Which is basically the same as introducing yourself to a stranger as, let's say "Bill Clinton". If the receiver is paying attention they'll know it's wrong. In the real world because you don't look like him and in the email world you can simply test if the sending server is allowed to rely from that specific domain.