Should one use "From", "Reply-To" or both headers to reflect their client's email address when sending an email to yourself from a "Contact Us" page?

I have written a website that uses the PHP Pear Mail function to send a few email messages. Mainly to people who have lost their password and to me when somebody submits the "contact us" form.

My question is this: since I am sending the email from my own server's IP address to myself, do I use the client's email address in the From or Reply-To headers?

It would make sense to place it in the Reply-To header, because that is most definitely what I want to do.

However, many email clients seem to work best with the client's name and email info located in the "From:" headers.

Is it safe to "falsify" the From: headers in an email? Or am I even falsifying the sender?

I mean... technically... the client is sending the message, it's just originating from my server.

Sincerely, -somebody_who_knows_nothing_about_email_deployment_and_is_worried_about_having_his_IP_blacklisted


In this case, you should be able to use either From or Reply-to. It may be best to put the client's address in Reply-to and use a no-reply address for your domain in the From header. If your web-server is not trusted by your email server, this may be required.

If you were allowing the client to send a message, as some sites do, put the client's address in Reply-to and use a no-reply address for your domain in the From header.

It is possible to use an address different from that in the From header as the envelope sender. This should be listed in a Sender header. However, I don't recommend it for this case. It is more applicable to personal business mail where someone is sending on behalf of someone else (and where the sender and from addresses are in the same domain).

There are cases which can cause problems if you put the client's email address in the From address.

  • The client's domain may have an SPF record which does not allow you to send email for their domain;
  • The client's domain may specify all email from that domain is DKIM signed (currently not very likely to cause problems); and
  • If the email is sent to the client, the client's domain may not accept mail sent with an address in its domain(s) from untrusted (Internet) servers.

On my server the first and last cases apply. I am working on DKIM, but many DKIM signers don't publish their policy. All three rules are very effective against SPAM. Unfortunately, automated systems (including web servers) are often configured poorly and their email gets blocked or assigned to the spam folder.
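
The header layout recommended in the answer above (an address in the site's own domain in From, the visitor's address in Reply-To), sketched with PEAR Mail as an added example that is not part of the original answer. The addresses, the `localhost` relay and the function names are assumptions; the CR/LF check is there because form input is being placed into mail headers.

```php
<?php
// Added example; addresses and relay host below are constructed placeholders.
const SITE_FROM = 'no-reply@example.com';   // assumed: an address in your own domain
const SITE_TO   = 'owner@example.com';      // assumed: where contact mail is delivered

/**
 * Build headers for a contact-form message: From stays in the site's
 * domain, the visitor's address appears in Reply-To only.
 * Returns null if the visitor's input cannot be used safely.
 */
function build_contact_headers(string $name, string $email, string $subject): ?array
{
    // Reject CR/LF anywhere: they would let form input add extra headers.
    foreach ([$name, $email, $subject] as $field) {
        if (preg_match('/[\r\n]/', $field)) {
            return null;
        }
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Keep the display name to plain ASCII so it is safe inside quotes.
    $name = trim(preg_replace('/[^A-Za-z0-9 .\'-]/', '', $name));

    return [
        'From'     => 'Contact form <' . SITE_FROM . '>',
        'Reply-To' => ($name !== '' ? "\"$name\" " : '') . "<$email>",
        'To'       => SITE_TO,
        'Subject'  => 'Contact form: ' . $subject,
    ];
}

function send_contact_mail(array $headers, string $body)
{
    require_once 'Mail.php';                                   // PEAR Mail
    $mailer = Mail::factory('smtp', ['host' => 'localhost']);  // assumed local relay
    return $mailer->send(SITE_TO, $headers, $body);            // PEAR_Error on failure
}

// Constructed inputs: one normal submission, one attempting header injection.
var_dump(build_contact_headers('Ann Lee', 'ann@client.example', 'Pricing'));
var_dump(build_contact_headers('x', "a@b.example\r\nBcc: c@d.example", 'hi'));
```

Because From never carries the visitor's domain, that domain's SPF and DKIM policies are not evaluated against your server, and replying in a mail client still goes to the visitor.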


It's perfectly safe to just use the From header. It wouldn't be considered falsification.