Sender Domain Policy and Spoofing

= What is email spoofing? =

When an email is sent, the sending program or script can claim the message is "from" any address it wants. For example, you can send emails from your website example.com that are "from" King_of_Mars@SolarSystem.Milky.Way.

== Useful Spoofing ==
Without spoofing, any email sent from your website would be sent "from" my_server_username@my_web_server_name.dreamhost.com. While that's accurate, it is not very nice to look at, and can be confusing to site users or customers who expect to see the email coming from the same domain name as your website. The sender domain policy restricts what domains can be spoofed on DreamHost's servers, so please review that before spoofing an address.

== Bad Spoofing ==
Spammers often use email spoofing to hide where their spam emails are sent from. If you receive "undeliverable" bounced emails that you never actually sent, a spammer could be spoofing your domain. If you have a catch-all address, you may want to remove it so you receive fewer of those emails.

DKIM and SPF are two steps you can take to make the spoofed emails more easily recognizable as suspicious, and hopefully discourage the spammers from spoofing your domain:
 * DKIM is a method of email authentication that is enabled automatically for all DreamHost mail accounts.
 * SPF is a custom DNS record that says "this is a list of all the servers I send mail from. If you received an email from 'me' and it came from a different place, it's probably fake". Some mail servers even reject emails that fail SPF checks.

= What is the sender domain policy? =

Emails sent through DreamHost's servers (mail servers and shared web servers) should only use a from address that is hosted here at DreamHost. Emails that are sent with a from address hosted somewhere else (like Hotmail or Google) may be blocked.

When emails are blocked by this policy, the error message is: 5.7.1 Sender domain not allowed

== Why did DreamHost make this policy? When was it put in place, and how exactly does it work? ==
The most accurate way to send emails is to send them from the servers where the domain's mail service is hosted. Emails from Hotmail should be sent from Hotmail's servers, emails from Gmail should be sent from Gmail's servers, and so on. DreamHost's mail policy is that emails sent through DreamHost's mail and shared web servers should only be 'from' domains that have their mail service hosted here at DreamHost.

This policy, to restrict the 'from' address on emails, was made in April 2012, and slowly rolled out over the following months. http://www.dreamhoststatus.com/2012/04/04/improvements-to-outgoing-spam-prevention-policy/

It was not a decision made lightly. Sending emails through DreamHost's servers with a 'from' address that is not hosted here at DreamHost is a technique called spoofing, where the DreamHost server is sending mail but is pretending to be someone else. This technique has negatively affected the reputation of DreamHost's mail servers (endangering the ability to host mail at all), and led to this policy change.

The list of blocked domains is not "every single domain that does not use DreamHost mail service", but instead a dynamic list maintained by DreamHost's mail administrators. While you may occasionally be able to send an email out with a domain that is not hosted here, there is no guarantee it won't be blocked in the future. To ensure your emails will not be blocked, only use a from address on a domain that uses DreamHost-hosted mail service.

This policy does not apply to DreamHost's VPS and dedicated servers. Emails sent from a VPS or dedicated server using PHP's mail, sendmail, or SMTP via localhost, are sent directly through the server's postfix mail system and go out to the recipient without passing through any other DreamHost server.

== Where do blocked emails go? How do I find out if emails have been blocked from sending? ==
Blocked emails are returned to the sender as an 'undelivered' bounced email. Inside that bounced email is a notification that the mail server could not deliver the email, the error message the mail server provided as an explanation for that, and a copy of the original email that could not be sent. Those bounced emails may be delivered to your regular mailbox, or they may be stored in a Maildir folder on the web server.

Tech support can also check the server mail logs for any errors recorded there. When you contact support, give them as many details about the email you want them to research as you can, including the date and time it was sent, and the email addresses it was sent to and from.

For more information about why bounced emails may be stored on the web server, and how to control where blocked emails are sent, see the "How do I set my spoofing?" section below.

== Examples of okay From email addresses ==
Emails sent from your mail account normally automatically set the 'from' to your email address:
 * Bob.Customer@MyDreamHostSite.com

Emails sent from your website may have the default 'from' information, and that's okay, it just looks weird:
 * bobFTP@shared-web-server.dreamhost.com

Emails sent from your website can have a 'from' address that matches the website, as long as the domain uses regular DreamHost mail service:
 * admin@MyDreamHostSite.com

== Examples of blocked From email addresses ==
Emails should not be sent with a 'from' address that is hosted somewhere else, such as:
 * bob@hotmail.com
 * bob@comcast.net
 * bob@some-other-hosting-company.com

== Example of a complete email ==
This is an example of an email sent by a website's contact form, such as when a site visitor fills out a submission form on your website. The 'From' header has the email address hosted here at DreamHost and it has the name of the site visitor; when Joe checks his email, he can easily see the name of the site visitor. The Site Visitor's information is included in the email body and also in the Reply-To header; when Joe clicks 'reply', the email is automatically addressed to be sent to the Site Visitor's email address.

 From: Site Visitor
 Reply-To: Site Visitor
 To: Joe Website Owner
 Subject: Contact Form Submission
 Date: 15 January 2013 10:47pm

 Site Visitor filled out the contact form on your website at 10:47pm on 15 January 2013. Their message was:

 Hey dude, your website is super awesome! Is there any chance you can build me a website? Give me a call at 111-555-9999.

= How do I set my spoofing? =

== How to spoof in your CMS or website application ==
Make sure the administrator email address is hosted here at DreamHost.

=== WordPress ===
Some WordPress contact forms, made by plugins or themes, have settings that let you completely control how emails are sent. Contact Form 7 is an example of a plugin like this. You can use the plugin settings in the WordPress admin panel to send emails out with the name of the site visitor and an email address of a site admin, webmaster, or anyone associated with running the site:
 * From: [your-name] 

You can also set up the Reply-To header so that replies to these emails will go directly to the site visitor:
 * Reply-To: [your-name] <[your-email]>

Not all plugins and themes let you control this, however. There is a separate Configure SMTP plugin you can use to set the From information on all emails sent from WordPress, regardless of the plugin or theme that sends the email, and even if you don't want to use the SMTP settings in the plugin.

Additional WordPress information is located at WordPress Troubleshooting: Contact Forms.

=== Drupal ===
The Contact Reply To module changes Drupal's contact form to send *from* the site mail address, with a reply-to to the actual user, avoiding the restrictions discussed here.

=== Others ===

 * Joomla has a "Custom Reply" that sends emails with the site visitor's from address. You can turn that off in the configuration, in Components -> Contacts -> Options. On the Form tab, make sure the "Custom Reply" is set to NO. (NOTE: If this is not done, Joomla may not even generate the email, which may leave the form non-functional.)
 * WooCommerce has a sender ‘from’ name and email address setting in the Settings -> Emails tab. This should be set to a DreamHost-hosted mail account.

== PHP code ==
This basic code sends contact form emails using your email address as the sender. The $visitor_name, $visitor_email, and $message are set by the contact form.

 //remove line breaks from the values that go into headers, so that a
 //form submission cannot add extra header lines to the email
 $visitor_name = str_replace(array("\r", "\n"), '', $visitor_name);
 $visitor_email = str_replace(array("\r", "\n"), '', $visitor_email);
 //set the recipient email address, where to send emails to
 $to_email = "incoming@my_awesome_domain.com";
 //set the sender email address
 $your_email = "administrator@my_awesome_domain.com";
 //use your email address as the sender
 $header = "From: " . $your_email . "\r\n";
 //put the site visitor's address in the Reply-To header
 $header .= "Reply-To: " . $visitor_email . "\r\n";
 //set the email Subject using the site visitor's name
 $subject = "Contact Form Submission from " . $visitor_name;
 //set the email body with all the site visitor's information
 $emailMessage = "Name: " . $visitor_name . "\r\n";
 $emailMessage .= "Email: " . $visitor_email . "\r\n";
 $emailMessage .= "Message: " . $message . "\r\n";
 //send the email
 mail($to_email, $subject, $emailMessage, $header);

Note that this code only spoofed the From header, the one seen in a mail client program. Any bounces or error messages from the mail server will be sent to the envelope sender, which was left unspoofed and will still be the default my_server_username@my_web_server_name.dreamhost.com.

To spoof the envelope sender and have bounced emails go to that email address instead of the Maildir on the webserver, use the mail function's -f additional parameter, like this:
 mail($to_email, $subject, $emailMessage, $header, "-f$your_email");
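
A hardened variant of the contact-form code above, added here as an example (it is not DreamHost's code): the visitor's values are validated before they reach a header, and both the From header and the -f envelope sender stay fixed to a site-owned address. The function names, the constants SITE_SENDER, SITE_INBOX and ALLOWED_FROM_DOMAINS, the example.com addresses and the sample submissions are assumptions made for this illustration.

```php
<?php
// Added example, not DreamHost's code. Addresses and names are assumptions.
const SITE_SENDER = 'administrator@example.com'; // mailbox on the site's own mail service
const SITE_INBOX  = 'incoming@example.com';
const ALLOWED_FROM_DOMAINS = ['example.com'];    // domains whose mail is hosted here

// Make a display name safe inside a header: drop control characters
// (this blocks CR/LF header injection), quotes, backslashes and angle brackets.
function clean_display_name(string $name): string {
    $name = preg_replace('/[\x00-\x1F\x7F"<>\\\\]/', '', $name);
    $name = substr(trim($name), 0, 64);
    return $name === '' ? 'Site Visitor' : $name;
}

// Build the pieces for mail(), or return null if the input must be rejected.
function build_contact_mail(string $name, string $email, string $message): ?array {
    $email = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return null; // not exactly one mailbox, e.g. contains an embedded line break
    }
    $from_domain = strtolower(substr(strrchr(SITE_SENDER, '@'), 1));
    if (!in_array($from_domain, ALLOWED_FROM_DOMAINS, true)) {
        return null; // guards against a sender configured on a domain not hosted here
    }
    $name = clean_display_name($name);
    $headers  = 'From: "' . $name . '" <' . SITE_SENDER . ">\r\n";
    $headers .= 'Reply-To: "' . $name . '" <' . $email . ">\r\n";
    $body = "Name: $name\r\nEmail: $email\r\nMessage:\r\n"
          . preg_replace('/\r\n|\r|\n/', "\r\n", $message) . "\r\n";
    return [
        'subject'  => 'Contact Form Submission from ' . $name,
        'body'     => $body,
        'headers'  => $headers,
        'envelope' => '-f' . SITE_SENDER, // fixed value, never visitor input
    ];
}

// Constructed sample submissions: a normal one and one with a line break in the address.
$samples = [
    ['Site Visitor', 'visitor@example.org', 'Hey dude, your website is super awesome!'],
    ['Site Visitor', "visitor@example.org\r\nBcc: someone@example.net", 'hello'],
];
foreach ($samples as [$n, $e, $m]) {
    $mail = build_contact_mail($n, $e, $m);
    echo $mail === null ? 'rejected: ' . json_encode($e) . "\n" : $mail['headers'];
    // On the server: mail(SITE_INBOX, $mail['subject'], $mail['body'], $mail['headers'], $mail['envelope']);
}
```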

== What if my domain doesn't use DreamHost-hosted mail service? (SMTP) ==
If your domain does not use regular DreamHost-hosted mail service, your domain may have mail service from another provider like Google Apps. For these domains, your website must use SMTP to connect directly to your domain's mail server. In this way, your website logs in to your mail account there and sends emails through there instead of through DreamHost's mail servers.


 * WordPress has SMTP support via a plugin. There are many SMTP plugins to choose from; Configure SMTP is one: http://wordpress.org/extend/plugins/configure-smtp/
 * Joomla has built-in SMTP support: http://docs.joomla.org/J1.5:Global_configuration
 * phpBB has built-in SMTP support: https://www.phpbb.com/support/documentation/3.0/adminguide/acp_general.php#acp_client_email
 * ZenCart has built-in SMTP support: http://www.zen-cart.com/wiki/index.php/Admin_-_Configuration_-_E-Mail_Options
 * MivaMerchant has built-in SMTP support but does not support SMTP authentication (username & password): http://extranet.mivamerchant.com/forums/showthread.php?18264-SMTP-Authentication-in-Miva-Merchant

If your website was built by you or someone else by hand and is written in PHP, you can add SMTP support using PHPMailer. Just use the SMTP host/server your email provider gives you, and your username & password in their system.
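
An added example of the PHPMailer setup described above (not code from DreamHost or the original page): the site logs in to the domain's own mail provider over SMTP with STARTTLS, so the From address belongs to the server that actually sends the message. The function name, the host name, the SMTP_USER and SMTP_PASS environment variables, the example.com addresses and the Composer autoload path are assumptions.

```php
<?php
// Added example. Assumes PHPMailer was installed with Composer
// (composer require phpmailer/phpmailer); host, addresses and the
// SMTP_USER / SMTP_PASS environment variables are placeholders.
use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;

require __DIR__ . '/vendor/autoload.php';

function send_contact_via_smtp(string $name, string $email, string $message): bool {
    $mail = new PHPMailer(true);                 // true = throw exceptions on errors
    try {
        $mail->isSMTP();
        $mail->Host       = 'smtp.mail-provider.example';   // given by your email provider
        $mail->Port       = 587;
        $mail->SMTPSecure = PHPMailer::ENCRYPTION_STARTTLS; // encrypt before logging in
        $mail->SMTPAuth   = true;
        $mail->Username   = getenv('SMTP_USER');            // credentials stay out of the code
        $mail->Password   = getenv('SMTP_PASS');

        // From is the mailbox you log in as; the visitor only appears in Reply-To.
        $mail->setFrom('administrator@example.com', 'Website Contact Form');
        $mail->addAddress('incoming@example.com');
        // With exceptions enabled, an invalid visitor address throws here
        // and the message is never sent.
        $mail->addReplyTo($email, $name);

        $mail->Subject = 'Contact Form Submission';
        $mail->Body    = "Name: $name\r\nEmail: $email\r\nMessage:\r\n$message";
        return $mail->send();
    } catch (Exception $e) {
        // Log the detail server-side; do not show it to the site visitor.
        error_log('contact form mail failed: ' . $mail->ErrorInfo);
        return false;
    }
}
```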