Sender Domain Policy and Spoofing

From DreamHost
Jump to: navigation, search

What is email spoofing?

When emails are sent, the program or script can say the sender is "from" any address they want. For example, you can send emails from your website that are "from" King_of_Mars@SolarSystem.Milky.Way.

Useful Spoofing

Without spoofing, any email sent from your website would be sent "from" While that's accurate, it is not very nice to look at, and can be confusing to site users or customers who expect to see the email coming from the same domain name as your website. The sender domain policy restricts what domains can be spoofed on DreamHost's servers, so please review that before spoofing an address.

Bad Spoofing

Spammers often use email spoofing to hide from where their spam emails are sent. If you receive "undeliverable" bounced emails that you never actually sent, a spammer could be spoofing your domain. If you have a catch-all address, you may want to remove it so you receive less of those emails.

DKIM and SPF are are two steps you can take to make the spoofed emails more easily recognizable as suspicious, and hopefully discourage the spammers from spoofing your domain:

  • DKIM is a method of email authentication that is enabled automatically for all DreamHost mail accounts.
  • SPF is a custom DNS record that says "this is a list of all the servers I send mail from. If you received an email from 'me' and it came from a different place, it's probably fake". Some mail servers even reject emails that fail SPF checks.

What is the sender domain policy?

Emails sent through DreamHost's servers (mail servers and shared web servers) should only use a from address that is hosted here at DreamHost. Emails that are sent with a from address hosted somewhere else (like Hotmail or Google) may be blocked.

When emails are blocked by this policy, the error message is:

5.7.1 Sender domain not allowed

Why did DreamHost make this policy? When was it put in place, and how exactly does it work?

The most accurate way to send emails is to send them from the servers where the domain's mail service is hosted. Emails from Hotmail should be sent from Hotmail's servers, emails from Gmail should be sent from Gmail's servers, and so on. DreamHost's mail policy is that emails sent through DreamHost's mail and shared web servers should only be 'from' domains that have their mail service hosted here at DreamHost.

This policy, to restrict the 'from' address on emails, was made in April 2012, and slowly rolled out over the following months.

It was not a decision made lightly. Sending emails through DreamHost's servers with a 'from' address that is not hosted here at DreamHost is a technique called spoofing, where the DreamHost server is sending mail but is pretending to be someone else. This technique has negatively affected the reputation of DreamHost's mail servers (endangering the ability to host mail at all), and led to this policy change.

The list of blocked domains is not "every single domain that does not use DreamHost mail service", but instead a dynamic list maintained by DreamHost's mail administrators. While you may occasionally be able to send an email out with a domain that is not hosted here, there is no guarantee it won't be blocked in the future. To ensure your emails will not be blocked, only use a from address on a domain that uses DreamHost-hosted mail service.

This policy does not apply to DreamHost's VPS and dedicated servers. Emails sent from a VPS or dedicated server using PHP's mail(), sendmail, or SMTP via localhost, are sent directly through the server's postfix mail system and go out to the recipient without passing through any other DreamHost server.

Where do blocked emails go? How do I find out if emails have been blocked from sending?

Blocked emails are returned to the sender as an 'undelivered' bounced email. Inside that bounced email is a notification that the mail server could not deliver the email, the error message the mail server provided as an explanation for that, and a copy of the original email that could not be sent. Those bounced emails may be delivered to your regular mailbox, or they may be stored in a Maildir folder on the web server.

Tech support can also check the server mail logs for any errors recorded there. When you contact support, give them as many details about the email you want them to research as you can, including the date and time it was sent, and the email addresses it was sent to and from.

For more information about why bounced emails may be stored on the web server, and how to control where blocked emails are sent, see the How do I set my spoofing? section below.

Examples of okay From email addresses

Emails sent from your mail account normally automatically set the 'from' to your email address:


Emails sent from your website may have the default 'from' information, and that's okay, it just looks weird:


Emails sent from your website can have a 'from' address that matches the website, as long as the domain uses regular DreamHost mail service:


Examples of blocked From email addresses

Emails should not be sent when they are hosted somewhere else, such as:


Example of a complete email

This is an example of an email sent by a website's contact form, such as when a site visitor fills out a submission form on your website. The 'From' header has the email address hosted here at DreamHost and it has the name of the site visitor; when Joe checks his email, he can easily see the name of the site visitor. The Site Visitor's information is included in the email body and also in the Reply-To header; when Joe clicks 'reply', the email is automatically addressed to be sent to the Site Visitor's email address.

From: Site Visitor <>
Reply-To: Site Visitor <>
To: Joe Website Owner <>
Subject: Contact Form Submission
Date: 15 January 2013 10:47pm

Site Visitor <> filled out the contact
form on your website at 10:47pm on 15 January 2013.

Their message was:
Hey dude, your website is super awesome!  Is there any chance you can
build me a website?  Give me a call at 111-555-9999.

How do I set my spoofing?

Generally, you just need to set the "from" or "sender" setting to match an email address hosted here at DreamHost. Many times it is an option in your CMS, plugin, or script so you can tell it to send emails in this way. However, not everything has these kinds of configuration options; for example, some contact form plugins always use the site visitor's information as the sender and don't allow you to change that. In that case, you may need to switch to a different plugin or modify the script. When selecting or configuring a plugin or script for your site, you may want to check that it spoofs all the necessary information so that bounced emails go to you instead of to the Maildir on the web server.

Email messages are similar to old-fashioned paper letters: both have a To and From on the letter, and separately a Sender and Recipient on the envelope. An email's To and From headers are part of the email's headers and are shown in an email program. Separately, the envelope's Sender and Recipient are what mail servers use for instructions on where to send the email and where any errors or bounces are sent. The plugin or script you use automatically sets where the email is sent. It takes the To header from the email message and uses this as the recipient on the envelope. An email can be sent with just that information, and the server will automatically fill in the From header and the envelope Sender. This is where the default Sender comes from, as it is automatically set by the webserver based on the username that hosts the site or script that sent the email. If you want a nicer custom From header and/or Sender like, the script or program you use must set that.

The From header and envelope Sender do not automatically match each other, as the To header and envelope Recipient do. Often, only the From header is spoofed or set to a custom address, and the envelope sender is left unchanged and still set to the default This is why many bounced emails are delivered to a Maildir on the web server, and not to your mail account where you normally check emails. If the envelope sender is not spoofed, bounced emails will go to back to the server user who hosts the site that sent the email. Those emails are stored in that user's Maildir folder on the web server. Each file is one email, and despite the rather odd names they are simple text files that can be viewed with any text editor.

The flowchart to the right illustrates the path an email from your website (such as a contact form submission, or an ecommerce purchase confirmation) can travel. If the email can be delivered successfully, it is delivered normally and you'll be able to see it with your regular emails. If the email cannot be delivered and the envelope sender is spoofed correctly, the bounced email is delivered to that email address that was spoofed as the From header, and you'll see the bounced email in that email address's regular inbox. If the email cannot be delivered and is not spoofed correctly, the bounced email is delivered back to the web server and stored in that Maildir folder.

To find out if a script or plugin your website uses spoofs both the From header and the envelope sender, you can ask the developer or person who made the script or plugin. If you see bounced emails being delivered to the Maildir on the web server, this is a big hint that the envelope sender is probably not being spoofed.

So what can you do about it? As mentioned above, if you are receiving bounced emails to the Maildir instead of your email inbox, then the envelope sender is probably not being spoofed or set to your custom address to match the From header. You can ask the developers of the plugin or script you currently use to update it so that it spoofs both (header and envelope). You can also switch to a different plugin or script that spoofs both (header and envelope); if you're not sure which ones do this, you can test some out or ask their developers to let you know if this is something their plugin or script does. If you wrote your own code, you can make this change yourself; below is an example of how to do this in PHP.


How to spoof in your CMS or website application

Make sure the administrator email address is hosted here at DreamHost.


Some WordPress contact forms, made by plugins or themes, have settings that let you completely control how emails are sent. Contact Form 7 is an example of a plugin like this. You can use the plugin settings in the WordPress admin panel to send emails out with the name of the site visitor and an email address of a site admin, webmaster, or anyone associated with running the site:

From: [your-name] <>

You can also setup the Reply-To header so that replies to these emails will go directly to the site visitor:

Reply-To: [your-name] <[your-email]>

Not all plugins and themes let you control this, however. There is a separate Configure SMTP plugin you can use to set the From information on all emails sent from WordPress, regardless of the plugin or theme that sends the email, and even if you don't want to use the SMTP settings in the plugin.

Additional WordPress information is located at WordPress Troubleshooting: Contact Forms.


The Contact Reply To module changes Drupal's contact form to send *from* the site mail address, with a reply-to to the actual user, avoiding the restrictions discussed here.


  • Joomla has a "Custom Reply" that sends emails with the site visitor's from address. You can turn that off in the configuration, in Components -> Contacts -> Options. On the Form tab, make sure the "Custom Reply" is set to NO. (NOTE: If this is not done Joomla may not even generate the email and may result in the form being non-functional)
  • WooCommerce has sender ‘from’ name and email address in the Settings -> Emails tab. This should be set to a DreamHost-hosted mail account.

PHP code

This basic code sends contact form emails using your email address as the sender. The $visitor_name, $visitor_email, and $message are set by the contact form.

//set the recipient email address, where to send emails to
$to_email =;
//set the sender email address
$your_email =;
//use your email address as the sender
$header = "From: " . $your_email . "\r\n";
//put the site visitor's address in the Reply-To header
$header .= "Reply-To: " . $visitor_email . "\r\n";
//set the email Subject using the site visitor's name
$subject = "Contact Form Submission from " . $visitor_name;
//set the email body with all the site visitor's information
$emailMessage = "Name: " . $visitor_name . "\r\n";
$emailMessage .= "Email: " . $visitor_email . "\r\n";
$emailMessage .= "Message: " $message . "\r\n";
//send the email
mail($to_email, $subject, $emailMessage, $header);

Note that this code only spoofed the From header, the one seen in a mail client program. Any bounces or error messages from the mail server will be sent to the envelope sender, which was left unspoofed and will still be the default

To spoof the envelope sender and have bounced emails go to that email address instead of the Maildir on the webserver, use the mail function's -f additional parameter, like this:

mail($to_email, $subject, $emailMessage, $header, "-f$your_email");

What if my domain doesn't use DreamHost-hosted mail service? (SMTP)

If your domain does not use regular DreamHost-hosted mail service, your domain may have mail service from another provider like Google Apps. For these domains, your website must use SMTP to connect directly to your domain's mail server. In this way, your website logs in to your mail account there and sends emails through there instead of through DreamHost's mail servers.

  • WordPress has SMTP support via a plugin. There are many SMTP plugins to choose from, Configure SMTP is one.
  • Joomla has built-in SMTP support
  • phpBB has built-in SMTP support
  • ZenCart has built-in SMTP support
  • MivaMerchant has built-in SMTP support but does not support SMTP authentication (username & password)

If your website was built by you or someone else by hand and is written in PHP, you can add SMTP support using PHPMailer. Just use the SMTP host/server your email provider gives you, and your username & password in their system.