CFMAIL - Send from any email address?

Question

I am very familiar with the cfmail tag and how it works, but I am still a little unsure about sending an email from any email address (without server login credentials). To clarify, I want to send an email FROM an email address entered by someone who submits my form.
I know this is possible using:

<cfmail from=”form.email” to=”[email from database]”…

Is there any problems sending an email from the email address entered by the client through a form? This will surly cause the email to be classified as Spam, will it not?

Thank you

Dave Watts · Accepted Answer

SMTP has no built-in mechanism to validate a sender's address. So, in many cases, you could put whatever you want for the from address. But many mail servers nowadays use standards like SPF and DKIM to validate email - SPF validates the origin of email as matching a sender's address, and DKIM expects email to be signed by the sender. Also, the mail server through which you're sending mail may reject mail if it doesn't belong to a domain for which the server has been configured to accept mail.

Now, if your goal is to ensure mail delivery, but allow a user to receive a reply from something sent by a submission form on your server, you can specify a valid from address corresponding to your infrastructure, but a reply-to corresponding to their address.

Dave Watts, CTO, Fig Leaf Software

http://www.figleaf.com/

http://training.figleaf.com/

Owainnorth · Answer

The email "from" address is probably one of the most misunderstood elements of the internet basics, and causes us untold support issues at work. When people get bounces or replies from a spam email they've apparently sent they often start panicking and changing passwords left, right and centre.

The reality is that it's no more validated than if I sent a letter and put someone else's address at the top - yes it looks like it's come from them, but I'll never receive a reply to my read address, so most of the time it's pointless. I don't need keys to their house or to know anything about them - it's just an address.

So yes, on a technical level it's a non-issue. An email address doesn't even need to be replyable in order to work.

However there are a few issues to consider.

Firstly, why are you spoofing someone's email address in the first place? There's generally no need to do so, as it looks to others as if you're trying to be dishonest on purpose, even if your'e not.

Secondly what about reply-to's? If you send an email from someone else, that person will get any replies. As they didn't send the original email then again, concerns could be raised.

And thirdly yes, there is a new (thankfully emerging) method of validating email. They're called SPF records, and they reside within the DNS zone file for a domain. It's basically a list of valid IP addresses that a recipient can expect to receive emails from yourself through. *If* the user's domain name has an SPF record and *if* the receipient's mailserver is configured to check for SPF then your email will definitely end up in Spam, or more likely just deleted. SPF is such a cut-and-dried "has it come from an authorised IP, yes or no" that I'd be surprised if anyone would flag it as spam, it'd simply be deleted or rejected immediately.

So yes, what you're doing will work most of the time. However, I'd strongly urge you to consider another option.

O.

Inscrivez-vous

Login social

Bienvenue

Login social

Analyse virus du fichier

Ce fichier ne peut pas être téléchargé