Change mailed-by header in PHP mail - php

I've configured several headers in the mail() function, sender name and other fields appear as set. But, in the gmail mailed-by field, I see the hostname of my server, even though I've set the Mailed-By header to be different... Is there a way to change this, or am I specifying the wrong header to effect the change?
Current Headers:
From: no-reply@example.com
Mailed-By: Example.com
X-Mailer: Example/1.0

If you post the headers you are sending it will be easier to diagnose the issue. But the header should be "X-Mailer" to set the application mailed-by field, as far as I know. If that does not work, post your current headers and we can help you further / better.
EDIT:
Doing some further research, it seems the 5th parameter with the "-f" flag would be the way to do it:
mail($to, $subject, $body, $headers, '-fnoreply@yourmailer.com');
Is a possibility. That is generally an email address, so you would have to see what values it accepts etc. I found this information from the Joyent Discussion Board.
But reading that it may not be what you want.
-fname  Sets the name of the "from" person (i.e., the sender of the mail). -f can only be used by "trusted" users (normally root, daemon, and network) or if the person you are trying to become is the same as the person you are.
From the sendmail Man page. I will see if I cannot strum anything else up.

It sounds like that mailed-by header was added by your mail transfer agent, or gmail, after it left PHP. Sounds like it may be a security measure so abuse reports can be tracked down.

I don't know if this has been solved as it's old but I had the same issue on a contact page from my website. We wanted club members to be able to use a form to contact the officers. But I wanted it to look like it came from the e-mail address the user entered so the officer could respond directly. I found this code and modified it for my site.
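// $email comes from the form: validate it first, because a CR/LF in it would add extra headers
$headers = "From: <$email>\r\n";
$headers .= "X-Sender: <$from>\r\n";
$headers .= "X-Mailer: PHP\r\n";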
$email is the address the user entered. I can't say I understand it all but it solved my issue.

You cannot set the Mailed-by option on your own.
You have to publish your SPF record and should have a DKIM signature for this.
For extra information, see this link:
https://support.google.com/mail/answer/180707?hl=en

Related

Why is it allowed to use any email adress in "From: " header in PHP.Mail() function?

I apologize if my questions sound naive, but I have no one to ask. I am new to PHP and right now I am playing with the PHP.mail() function.
I am using XAMPP, PHP, SMTP server in our work just to see the functionality.
In C:\xampp\sendmail\sendmail.ini I set
smtp_server=mail.heaven.com
auth_username=fairy
auth_password=nice
I created sendmail.php to send test mail to myself:
<?php
$to = 'fairy@heaven.com';
$subject = 'greetings';
$message = 'if you read this, everything is fine';
$headers = 'From: devil@hell.com';
mail($to, $subject, $message, $headers);
?>
I ran that and received email from devil@hell.com, so actually from me. I could not find out real sender from this message and my attempt to reply failed... because devil@hell.com did not exist, of course.
And now comes, what confuses me. As far as I know, the first step is to provide the real login and the pass (auth_username, auth_password) to the SMTP server. The server knows I exist, it lets me in, so I can send email from my REAL account.
I thought that the SMTP server automatically takes all necessary info from my account and wraps it into the email message, so the other people could reply, but obviously not.
I do not understand why I can add misleading information so easily. It seems to me I can use my account to generate fake emails to molest my colleagues daily. I was not able to find out who actually was the real sender.
Is this information stored anywhere? Is it possible for a client to see, who sent email or is it totally dependent on the From: header in PHP.mail() function?
Thanx for clarification
It is the way SMTP protocol is made.
You're telling the recipient who you're supposed to be, and how it can answer you. There is no central repository of who controls an email domain, or an email user.
It can check by itself, by implementing a security mechanism, such as what Gmail is doing using DKIM. You can't impersonate a Gmail email.
See https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail for more information.
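What a recipient can see about the real sender, as an added example that is not part of the original answers: the receiving server records the envelope sender in Return-Path and its SPF/DKIM verdicts in Authentication-Results, whatever From: says, which is also why a custom Mailed-By header has no effect. The message, host names and helper names (parse_headers, domain_of, sender_report) are constructed for illustration.

```php
<?php
// Constructed message: the script set From:, the receiving server added the first two headers.
$raw = <<<'EML'
Return-Path: <www-data@web17.hosting.example>
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=www-data@web17.hosting.example;
 dkim=none
From: Example <no-reply@example.com>
Subject: greetings

if you read this, everything is fine
EML;

/** Split the header block into [lowercase name => [values]], unfolding continuation lines. */
function parse_headers(string $raw): array
{
    $block = preg_split('/\R\R/', $raw, 2)[0];
    $block = preg_replace('/\R[ \t]+/', ' ', $block);
    $out = [];
    foreach (preg_split('/\R/', $block) as $line) {
        if (strpos($line, ':') === false) { continue; }
        [$name, $value] = explode(':', $line, 2);
        $out[strtolower(trim($name))][] = trim($value);
    }
    return $out;
}

/** Domain part of the first address found in a header value, or null. */
function domain_of(string $value): ?string
{
    return preg_match('/@([A-Za-z0-9.-]+)/', $value, $m) ? strtolower($m[1]) : null;
}

/** Compare what the script claimed (From) with what the receiver recorded. */
function sender_report(string $raw): array
{
    $h = parse_headers($raw);
    $ar = $h['authentication-results'][0] ?? '';   // topmost copy only
    preg_match('/\bspf=(\w+)/i', $ar, $spf);
    preg_match('/\bdkim=(\w+)/i', $ar, $dkim);
    $from = domain_of($h['from'][0] ?? '');
    $envelope = domain_of($h['return-path'][0] ?? '');
    return ['from_domain' => $from, 'envelope_domain' => $envelope,
            'spf' => strtolower($spf[1] ?? 'none'), 'dkim' => strtolower($dkim[1] ?? 'none'),
            'same_domain' => $from !== null && $from === $envelope];
}

print_r(sender_report($raw));
```

Rely on Authentication-Results only when your own receiving server added it; a copy further down the header block may have been supplied by the sender.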

how to prevent phpmailer sending email with different "from" address?

I am asking this question just because I am curious and probably it is a really dumb and very well known thing but I couldn't find an answer online:
Today I was helping a friend with his website. He asked me to prepare an HTML e-mail template that he can send via his website (e.g. www.myfriendswebsite.com) with PHPMailer. I prepared it and tested it in my domain/server by putting his e-mail address (e.g. info@myfriend.com) in the "from" part. I sent an e-mail to my personal e-mail address (e.g. myname@hotmail.com) via my website (e.g. www.mywebsite.com) and when I received the e-mail I realized I don't even see my domain's name or e-mail address (e.g. info@mydomain.com); instead I see my friend's e-mail address (info@myfriend.com). When I hit "reply" it replies to my friend's address; it looks like it has been sent from my friend's website directly. Of course, if I pull up the raw source I see the details of where I received the e-mail, but what prevents someone else using my e-mail address and spamming people? I am pretty sure this is another way of spamming and hacking people's accounts, but is there a way to prevent that? It scared me a little and I didn't know where else to turn but Stack Overflow :)
For one, you should not send emails whereby the From: is populated by user supplied data; use the Reply-To: header for such purposes.
The reason you shouldn't do that is because inbox services, such as Google Mail, Yahoo, etc. use the Sender Policy Framework (SPF) to determine whether the mail server that sent the message is authorized to send on a domain's behalf; you would risk messages sent from your server to get recognized as spam and not delivered.
So, to answer your question, even though it's possible to masquerade anyone's email address, it's getting increasingly more difficult to get those messages delivered due to improving spam filters and black lists, and doing so can even get your mail server blacklisted.
what prevents someone else using my e-mail address and spam people?
Nothing. Imagine a postcard, what prevents someone else using your address and send postcards out into the world? Nothing.
The same is for email, the postcard of the internet.
Editing your headers like this will/should fix the problem.
$headers = 'From: info@myfriend.com' . "\r\n";
$headers .= 'Reply-To: info@myfriend.com' . "\r\n";
$headers .= 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
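How the SPF check mentioned above decides whether a server may send for a domain, as an added example that is not part of the original answers. It assumes a constructed SPF record and constructed IP addresses, the function names are hypothetical, and the record is the one published for the envelope-sender domain rather than for whatever the From: header shows.

```php
<?php
// Covers only ip4: mechanisms and the closing "all"; a, mx, include, redirect,
// ip6 and macros from the full SPF specification are reported as 'unsupported'.

/** True when $ip lies inside $cidr ("a.b.c.d" or "a.b.c.d/nn"). */
function ip4_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipL = ip2long($ip);
    $netL = ip2long($net);
    if ($ipL === false || $netL === false || !ctype_digit($bits) || (int) $bits > 32) {
        return false;
    }
    $mask = (int) $bits === 0 ? 0 : (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipL & $mask) === ($netL & $mask);
}

/** Evaluate an SPF record for a connecting IPv4 address. */
function spf_eval(string $record, string $ip): string
{
    $terms = preg_split('/\s+/', trim($record));
    if (strtolower(array_shift($terms)) !== 'v=spf1') {
        return 'none';
    }
    $results = ['+' => 'pass', '-' => 'fail', '~' => 'softfail', '?' => 'neutral'];
    foreach ($terms as $term) {
        $q = '+';                                  // default qualifier
        if (isset($results[$term[0]])) {
            $q = $term[0];
            $term = substr($term, 1);
        }
        if (strtolower($term) === 'all') {
            return $results[$q];
        }
        if (stripos($term, 'ip4:') !== 0) {
            return 'unsupported';
        }
        if (ip4_in_cidr($ip, substr($term, 4))) {
            return $results[$q];
        }
    }
    return 'neutral';                              // nothing matched and no "all"
}

// Constructed record for the envelope-sender domain, and two constructed client IPs.
$record = 'v=spf1 ip4:198.51.100.0/24 -all';
foreach (['198.51.100.25', '203.0.113.9'] as $ip) {
    echo $ip, ' => ', spf_eval($record, $ip), "\n";
}
```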

correct email FROM header usage

I want to let users share information on my site by sending an email to a friend. Before I go too far I want to make sure I won't get blacklisted for doing something incorrectly.
If my domain is example.com can I set the mail FROM header to the email address supplied by the user?
For example, I want to share a page at example.com with my friend Bob. Bob's email address is bob@domain.com and my email address is me@anotherdomain.com. When example.com sends an email to Bob (bob@domain.com) it will set FROM to my email (me@anotherdomain.com).
Is this an issue since the email is being sent from example.com but the FROM header contains a domain other than itself?
The following would be sending from example.com
$to = 'bob@domain.com';
$subject = 'Some subject';
$msg = 'Some message';
$headers = 'From: me@anotherdomain.com <me@anotherdomain.com>' . "\r\n";
mail( $to, $subject, $msg, $headers );
Or do I need to do something like the following?
$headers = 'From: me@anotherdomain.com <share@example.com>' . "\r\n";
Any and all help will be greatly appreciated.
There are multiple email headers that give some indication of who "sent" an email and who to reply to. A fairly good, casual writeup of the concept can be found on the page discussing how FormMail handles things.
In general, the Sender is the actual originator of the email message. The From Address, in contrast, is simply a header line in the email that may or may not be taken to mean anything. The From Address can often be left out completely. Spammers can easily spoof the From Address. ISPs try to ensure that spammers cannot spoof the Sender.
It sounds like what you might want is:
Sender : your site/program
From : either your site or the user
Reply-To : the user
What you write in the from header isn't that relevant. What is important is that you use an envelope sender address from your domain. This is checked against SPF, for example. If you want the recipient to be able to reply to me@anotherdomain.com you need to add a reply-to header as well.
No, it really DOESN'T matter which From: header email has been set.
Why didn't you try it?
Many, if not most, email servers are not registered for a specific domain, the bigger issue is if your server correctly identifies itself (having a reverse lookup entry can help) and make sure it's not blacklisted. You can use a service like: http://www.dnsbl.info/ to check.
Most hosts with dynamic IPs are considered suspect, but even a dedicated VPS can be listed, so it's worth checking. You should also correctly format the headers as outlined in some of the other responses. If this is for a critical application (e.g., you are charging people and they expect to get mail), you should consider a 3rd-party SMTP which should take care of making sure you don't get blacklisted.

PHP email form, how to bypass host limitation? (Can ONLY send/receive IF hosting sender/receiver)

My webhost ONLY allows sending/receiving emails IF either the sender or receiver is hosted with them. (freehostia.com)
This is a huge disadvantage to me (and I'm assuming everyone else), because of the way my website works.
(My website: I have a classifieds website where CustomerA posts an ad with her email and CustomerB replies via the email form with his email. Neither email is hosted with my host.)
I asked if I could use an external SMTP server (such as Gmail) to bypass the limitations, and they said "Even if you set an external MX record for your domain you will not be able to send e-mails via your mail forum, if you do not use a mailbox from your hosting account with us as a sender or recipient."
Theoretical Workaround:
Auto-enter and hide my hosted email into the "email" section of the form
Have a new section for customer to input their email
When a message is sent, embed customers message and email into a default message. It will look like this:
To: customerA@example.com
From: DONOTREPLY@example.com
Subject: You have received a message!
Body: Blahblahblah (customers message) blahblah. To reply, email: customerB@example.com
Sorry about all the confusion. Would this work? Should I give up? I really like my host, but should I switch? Or is there a better workaround?
While you don't need to send through a different server, you can just send to whom you need and set the reply to any address you want.
The mail function allows you to set your own headers as a final parameter.
$headers = "Reply-To: someone@some_other_domain.com\r\n"; // double quotes so \r\n is a real line break
mail($to, $subject, $body, $headers);
You can set the reply-to address.
That way even though the email is sent from your address, when the recipient hits reply it creates an email to the address given in the reply-to.
I'm not sure what you are using to send mail but there are some examples in the PHP documentation mail function - http://php.net/manual/en/function.mail.php

Signup with email authentication, only 30% are activated?

I am using php and mysql. And my site is in flash (full flash site)
I have a website which let users to sign up. The signup process including sending "activation email", click link to activate account.
The first two weeks were fine. Out of around 2000 users, 1800 users were activated. After that, the number of activated users dropped drastically, to about 30%. Example: 1000 users sign up, only 300 are activated.
At first, I found the problem was that the email could not reach Ymail, MSN and Gmail users. (Most of my subscribers are Ymail (Yahoo), Hotmail/MSN (Live) and Gmail (Gmail) users.) I tried signing up using Ymail and Hotmail, but I didn't get any activation email. I contacted Yahoo and MSN, and eventually my email can go through now.
However, my signup statistics still show that the activated users are only about 30%, which confuses me a lot. I contacted my hosting company and asked them to whitelist my IP, and they did it.
I need your advice/help on following questions:
How to check where the problem lies? Is the email not delivered? Did the user receive the email but not click the activation link?
I am using the PHP mail function, and these are my headers:
$headers = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=UTF-8' . "\r\n";
$headers .= 'From: Admin <\admin@domain.com>' . "\r\n";
$headers .= 'Return-Receipt-To: Bounce <\bounce@domain.com>' . "\r\n";
$headers .= 'Reply-To: Admin <\admin@domain.com>' . "\r\n";
$return_path = "\bounce@domain.com\";
(I hid my domain name, and I added backslashes within the emails, because if not, the email won't show here, weird)
Is there anything wrong with the headers?
What can I do to improve my registration/signup activation process?
You should pass your return path as "-f" parameter for mail() function:
mail(
    $this->recipient,
    $subj,
    $this->body,
    $this->compose_headers(),
    '-f ' . Options::obj()->mail->return_path
);
Also, for the best results, if the sending server has a public domain name example.com, the return path should be something@example.com.
Anyway, you should definitely check the logs (/var/log/mail*) to know exactly what's going on.
Try using Gmail as your SMTP server instead of a mail server like sendmail from a domain. Using Gmail SMTP would kinda ensure that your mails are sent on best effort surety. Also Gmail would not be treated as spam unless the email id is marked as spam (so try using one which is safe). To improve signup->activation throughput your best bet is to ensure that the email is reaching the user's inbox.
For safety net you can have a feature in which you allow user to resend the activation link if the first one failed for some reason.
If you are uncomfortable using Gmail as SMTP, you can sign up your domain with Google Apps (but that might require changes in business needs) and you can have an admin@domain.com kind of email and still use efficient Gmail SMTP servers.
There are many libraries out there like PHPMailer which allow you to use external SMTP servers. Note all data through Gmail servers goes via SSL or TLS.
Do you have access to the log files of the email server sending out the registration emails? Any bounced emails normally go back to the sending server. By monitoring the log files you can check and see what number of emails (if any) are still getting bounced back.
What kind of access do users have to your web site without an activated email address? Are any features disabled? Are there any incentives to activate or use a real email address?
Your example doesn't show a Date header which is a required field. In my experience some mail handlers reject emails that don't have one (and some just add one with the current date.) If your actual code doesn't have one then try adding one and seeing if it makes a difference.
Search for RFC2822 for information on what is required.
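The advice repeated across these threads (keep From: on your own domain, put the visitor's address in Reply-To:, set the envelope sender with -f, include a Date header) combined into one sketch, as an added example that is not part of the original answers. The addresses, constants and function names are placeholders chosen for illustration, and the script prints the arguments instead of sending.

```php
<?php
// Assumed site-owned addresses (placeholders): the visible sender and the bounce mailbox.
const SITE_FROM   = 'Example Site <no-reply@example.com>';
const BOUNCE_ADDR = 'bounce@example.com';

/** Return a syntactically valid address, or null. CR/LF is refused so no header can be injected. */
function clean_address(string $input): ?string
{
    if (preg_match('/[\r\n]/', $input)) {
        return null;
    }
    $addr = filter_var(trim($input), FILTER_VALIDATE_EMAIL);
    return $addr === false ? null : $addr;
}

/** Build the five arguments for mail(), or null when an address is unusable. */
function build_mail_args(string $to, string $visitorEmail, string $subject, string $body): ?array
{
    $to = clean_address($to);
    $replyTo = clean_address($visitorEmail);
    if ($to === null || $replyTo === null) {
        return null;
    }
    $subject = trim(preg_replace('/[\r\n]+/', ' ', $subject));   // Subject is a header too
    $headers = implode("\r\n", [
        'From: ' . SITE_FROM,                 // always the site's own domain
        'Reply-To: ' . $replyTo,              // the visitor, so "reply" reaches them
        'Date: ' . date(DATE_RFC2822),
        'MIME-Version: 1.0',
        'Content-Type: text/plain; charset=UTF-8',
    ]);
    // -f sets the envelope sender (Return-Path); it is a constant, never form input.
    return [$to, $subject, $body, $headers, '-f' . BOUNCE_ADDR];
}

// Constructed inputs: a normal visitor address, and one carrying an injected Bcc line.
$inputs = ['visitor@example.org', "visitor@example.org\r\nBcc: someone@example.net"];
foreach ($inputs as $visitor) {
    $args = build_mail_args('officer@example.com', $visitor, 'Question about dues', 'Hello');
    if ($args === null) {
        echo "rejected\n";
        continue;
    }
    echo $args[3], "\n", $args[4], "\n";
    // mail(...$args);   // send only on a host with a configured MTA
}
```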
