Sender Domain Policy and Spoofing
- 1 Overview
- 2 What is useful spoofing?
- 3 What is Bad spoofing?
- 4 Sender domain policy: FAQs and examples
- 4.1 What is the sender domain policy?
- 4.2 When was this policy put into place?
- 4.3 Why did DreamHost create this policy?
- 4.4 How does this policy work?
- 4.5 What domains am I not allowed to send from?
- 4.6 Where do blocked emails go? How do I find out if emails have been blocked from sending?
- 4.7 Example of acceptable FROM addresses
- 4.8 Examples of blocked FROM email addresses
- 4.9 Example of a complete email
- 5 PHP code
- 6 What if my domain doesn't use DreamHost-hosted mail service? (SMTP)
- 7 See also
When emails are sent, the email program or script can say the sender is "from" any address it wants. Email spoofing occurs when email is sent with a forged FROM address. For example, you can send emails from your website example.com that are "from" FakeFromAddress@example.com. So, it’s always possible to change the FROM address when sending email.
This article details good and bad spoofing and explains DreamHost’s sender domain policy which protects legitimate email.
What is useful spoofing?
Without spoofing, any email sent from your website would be sent "from" firstname.lastname@example.org. While that's accurate, it's not very nice to look at, and can be confusing to site users or customers who expect to see the email coming from the same domain name as your website. So in a sense, the email is spoofed to clearly show it’s originating from your website.
Detailed example of useful spoofing
Generally speaking, you must simply set the FROM or "sender" setting to match an email address hosted at DreamHost. Many times it is an option in your CMS, plugin, or script so you can tell it to send emails in this way. For example, a popular plugin with this option used with WordPress is Contact Form 7.
However, not all programs have these kinds of configuration options. For example, some contact form plugins always use the site visitor's information as the sender and don't allow you to change it. In this situation, you may need to switch to a different plugin or modify the script. When selecting or configuring a plugin or script for your site, you may want to check that it spoofs all the necessary information so that bounced emails go to you instead of to the Maildir/new directory on the web server.
Email messages are similar to old-fashioned paper letters in that both have two sets of addressing information. An email's To and From headers are similar to a paper letter's salutation and signature. A paper letter's envelope has sender and recipient information used for delivery, and an email's envelope also has a sender and recipient.
An email's To and From headers are shown in an email program. View the Viewing Full Headers article for more details. Separately, the envelope's Sender and Recipient are what mail servers use for instructions on where to send the email and where any errors or bounces are sent. The plugin or script you use automatically sets where the email is sent. It takes the To header from the email message and uses this as the recipient on the envelope. An email can be sent with just that information, and the server will automatically fill in the From header and the envelope Sender. This is where the default email@example.com sender comes from, as it is automatically set by the webserver based on the username that hosts the site or script that sent the email. If you want a nicer custom From header and/or Sender like firstname.lastname@example.org, the script or program you use must set that.
The From header and envelope Sender do not automatically match each other, as the To header and envelope Recipient do. Often, only the From header is spoofed or set to a custom address, and the envelope sender is left unchanged and still set to the default email@example.com. This is why many bounced emails are delivered to the Maildir/new directory on the web server, and not to your mail account where you normally check email. If the envelope sender is not spoofed, bounced emails will go to back to the server user who hosts the site that sent the email. Those emails are stored in that user's Maildir/new folder on the web server. Each file is one email, and despite the rather odd names they are simple text files that can be viewed with any text editor.
The flowchart to the left illustrates the path an email from your website (such as a contact form submission, or an eCommerce purchase confirmation) can travel.
If the email can be delivered successfully, it is delivered normally and you'll be able to see it with your regular email. If the email cannot be delivered and the envelope sender is spoofed correctly, the bounced email is delivered to that email address that was spoofed as the From header. In this case you'll see the bounced email in that email address's regular inbox. If the email cannot be delivered and is not spoofed correctly, the bounced email is delivered back to the web server and stored in that Maildir/new folder.
To find out if a script or plugin your website uses spoofs both the From header and the envelope sender, you can ask the developer or person who made the script or plugin. If you see bounced emails being delivered to the Maildir/new directory on the web server, this is a big hint that the envelope sender is probably not being spoofed in your mail form.
So what can you do about it? As mentioned above, if you are receiving bounced emails to the Maildir/new directory instead of your email inbox, then the envelope sender is probably not being spoofed or set to your custom address to match the From header. You can ask the developer of the plugin or script you currently use to update it so that it spoofs both (header and envelope). You can also switch to a different plugin or script that spoofs both (header and envelope). If you're not sure which ones do this, you can test some out or ask their developers to let you know if this is something their plugin or script does. If you wrote your own code, you can make this change yourself. You can see an example below of how to do this in PHP.
How to spoof in your CMS or website application
First, make sure the administrator email address is hosted at DreamHost. You can verify this by doing an MX record lookup on the following site:
Once you've confirmed your email is hosted with DreamHost, you can proceed with spoofing your FROM address in a useful manner.
Some WordPress contact forms created by plugins or themes have settings that let you completely control how emails are sent. Contact Form 7 is an example. You can use the plugin settings in the WordPress admin panel to send emails out with the name of the site visitor and an email address of a site admin, webmaster, or anyone associated with running the site:
- From: [your-name] <firstname.lastname@example.org>
You can also configure the Reply-To header so that replies to these emails will go directly to the site visitor:
- Reply-To: [your-name] <[your-email]>
There is a separate Configure SMTP plugin you can use to set the From information on all emails sent from WordPress, regardless of the plugin or theme that sends the email.
Additional WordPress information can be reviewed at WordPress troubleshooting contact forms. Please note however that not all plugins and themes allow you to control this.
The Contact Reply-To module changes Drupal's contact form to send from the website's email address. It also sets a reply-to header to the actual user, avoiding the restrictions discussed here.
Joomla has a "Custom Reply" that sends emails with the site visitor's from address. You can turn that off in the Joomla dashboard configuration. Go to 'Components -> Contacts -> Options'. On the Form tab, make sure the "Custom Reply" is set to NO.
|Note:||If this is not done, Joomla may not even generate the email, and might result in the form being non-functional.|
For Joomla versions 3.1 or higher, you can access the SMTP authentication settings in the Joomla dashboard at 'Site -> Global Configuration -> Server tab -> Mail Settings'. Enter your email settings in a similar format as the WordPress plugin example above.
WooCommerce includes the option to change the sender ‘from’ name and email address in the 'Settings -> Emails' tab. This should be set to a DreamHost-hosted mail account.
What is Bad spoofing?
Spammers often use email spoofing to hide from where their spam emails are sent. They do this so they can send out hundreds of emails that appear to be originating from your website. If you receive "undeliverable" bounced emails that you never actually sent, a spammer could be spoofing your domain.
Protecting against bad spoofing
DKIM and SPF records are are two methods that can make spoofed emails more easily recognizable as suspicious, and hopefully discourage the spammers from spoofing your domain:
- DKIM is a method of email authentication that is enabled automatically for all DreamHost mail accounts.
- SPF is a custom DNS record that says "this is a list of all the servers I send mail from. If you received an email from 'me' and it came from a different place, it's probably fake." Some mail servers even reject emails that fail SPF checks.
Sender domain policy: FAQs and examples
What is the sender domain policy?
DreamHost’s sender domain policy exists to ensure email that is sent from your website is legitimate. This policy requires two things:
- You must use a FROM address that’s on the same website you’re sending email from
- The email must be hosted at DreamHost.
For example, if your website is example.com and you have a PHP mail form sending email, the FROM address in that email must be something like email@example.com.
Emails that are sent using a FROM address from somewhere else (such as Yahoo or Google) will be blocked and never sent. If this happens, you can see the mail failure in your FTP account, and emails will be in your user’s directory in the Maildir/new folder. Open the file in that directory to view why it failed to send. When emails are blocked by this policy, you’ll see the following error message:
5.7.1 Sender domain not allowed
|Note:||Emails sent through DreamHost's shared web servers must use a FROM address that is fully hosted at DreamHost. Forward only aliases will not work.|
When was this policy put into place?
The policy which restricts the 'from' address on emails was created in April of 2012. It was then slowly rolled out over the following months.
You can review the following page for more information about the policy:
Why did DreamHost create this policy?
Over time, spoofed emails sent from DreamHost’s servers began to negatively affect the reputation of DreamHost's mail servers. This in turn threatened the ability to host mail at all with DreamHost. To protect the reputation of DreamHost’s mail servers and provide a stable and reliable service to customers, this policy was created.
How does this policy work?
The most accurate way to send email is to send them from the server where the domain's mail service is hosted. For example, email from Hotmail should be sent from Hotmail's servers and email from Google should be sent from Gmail's servers. DreamHost's mail policy states that emails sent through DreamHost's mail and shared web servers should only be 'from' domains that have their mail service hosted at DreamHost. So, when you send email from a DreamHost shared web server, you must do the following:
- The FROM address must be an email on your domain
- Your email must be hosted at DreamHost
|Note:||This policy does not apply to DreamHost's VPS and Dedicated servers. Emails sent from a VPS or Dedicated server using PHP's mail(), Sendmail, or SMTP via localhost, are sent directly through the server's postfix mail system and go out to the recipient without passing through any other DreamHost server.|
What domains am I not allowed to send from?
The list of blocked domains does not include every single domain that does not use DreamHost mail service. Instead, it’s a dynamic list maintained by DreamHost's mail administrators. While you may occasionally be able to send an email using a FROM address with a domain that is not hosted at DreamHost, there is no guarantee it won't be blocked in the future. To ensure your emails will not be blocked, only use a FROM address on a domain that uses DreamHost-hosted mail service. The other option is to use SMTP authentication in any website form. When you use SMTP authentication, you can then use any FROM address you like. View the Sending SMTP mail article for an example.
Where do blocked emails go? How do I find out if emails have been blocked from sending?
Blocked emails are returned to the sender as an 'undelivered' bounced email. Inside that bounced email are three things:
- A notification that the mail server could not deliver the email.
- The error message the mail server provided as an explanation for it not being delivered.
- A copy of the original email that could not be sent.
Those bounced emails may be delivered to your regular mailbox, or they may be stored in the Maildir/new folder on the web server. DreamHost support can also check the server mail logs for any errors that may have been recorded. When you contact support, provide as many details as possible about the email you want them to research.
The following list includes the minimum amount of details you should provide:
- Date and time it was sent (including timezone)
- Email addresses it was sent TO
- Email address it was sent FROM
- The website URL for the web form that may not be working properly
|Note:||If you find that your website form isn’t delivering email as it should, look in your user’s directory on your webserver. Log in via FTP, and then navigate to the Maildir/new folder. This folder will list any emails that failed to send properly.|
The Maildir folder
As stated above, blocked emails will be filtered into your Maildir/new directory. A Maildir is a directory (often named Maildir) with three subdirectories named tmp, new, and cur. Maildir is a widely-used format for storing email that does not require application-level file locking to maintain message integrity as messages are added, moved and deleted. Each message is kept in a separate file with a unique name.
Example of acceptable FROM addresses
|How the email is sent||FROM address used||Explanation of address|
Examples of blocked FROM email addresses
Emails should not be sent with a FROM address hosted somewhere else. For example:
If you need to use any address not hosted with DreamHost as your FROM address, you must use SMTP authentication.
Example of a complete email
This is an example of an email sent by a website's contact form, such as when a site visitor fills out a submission form on your website. This example uses the domain example.com which is hosted at DreamHost:
From: Site Visitor <firstname.lastname@example.org> Reply-To: Site Visitor <SiteVisitor@gmail.com> To: Joe Website Owner <email@example.com> Subject: Contact Form Submission Date: 15 January 2015 10:47pm Site Visitor <SiteVisitor@gmail.com> filled out the contact form on your website at 10:47pm on 15 January 2015. Their message was: Hello. I’m interested in your services. Please call me at 555-555-5555.
- The 'From' header displays the email address hosted at DreamHost.
- The ‘From’ header displays the name of the site visitor. This is useful because when Joe checks his email, he can easily see the name of the site visitor.
- The Site Visitor's information is included in the email body.
- The Site Visitor’s information is also in the Reply-To header. This is useful because when Joe clicks 'reply', the email is automatically addressed to be sent to the Site Visitor's email address.
This basic code sends contact form emails using your email address as the sender. The $visitor_name, $visitor_email, and $message are set by the contact form:
//set the recipient email address, where to send emails to $to_email = firstname.lastname@example.org; //set the sender email address $your_email = email@example.com; //use your email address as the sender $header = "From: " . $your_email . "\r\n"; //put the site visitor's address in the Reply-To header $header .= "Reply-To: " . $visitor_email . "\r\n"; //set the email Subject using the site visitor's name $subject = "Contact Form Submission from " . $visitor_name; //set the email body with all the site visitor's information $emailMessage = "Name: " . $visitor_name . "\r\n"; $emailMessage .= "Email: " . $visitor_email . "\r\n"; $emailMessage .= "Message: " $message . "\r\n"; //send the email mail($to_email, $subject, $emailMessage, $header);
|Note:||This code only spoofed the FROM header (the one seen in a mail client program). Any bounces or error messages from the mail server are sent to the envelope sender, which was left unspoofed and will still be the default firstname.lastname@example.org address.|
To spoof the envelope sender and have bounced emails go to that email address instead of the Maildir/new directory on the webserver, use the mail function's -f additional parameter as in the following:
mail($to_email, $subject, $emailMessage, $header, "-f$your_email");
Further PHP mail script examples can be found here:
What if my domain doesn't use DreamHost-hosted mail service? (SMTP)
If your domain does not use regular DreamHost-hosted mail service, then your domain may have mail service from another provider like Google Apps. For these domains, your website must use SMTP to connect directly to your domain's mail server. In this way, your website logs in to your mail account at that host and sends email through their server instead of through DreamHost's mail servers.
- WordPress has SMTP support via a plugin. There are many SMTP plugins to choose from, Configure SMTP is one
- Joomla has built-in SMTP support (version 3.1)
- phpBB has built-in SMTP support
- ZenCart has built-in SMTP support
If your website was built by you or someone else by hand and is written in PHP, you can add SMTP support using PHPMailer. Just use the SMTP host/server your email provider gives you, and your username and password in their system. Another option is to use the PEAR Mail package to send via SMTP. View the Sending SMTP mail article for an example.