Why is it a bad idea to use a customer email as the from address
I've got an application that emails users once they have filled in a form. It uses a [email protected] as a from address. The customer wants it to use the email from the form as the from address, which could be anything. I have been told that this is a bad idea due to spoofing/blacklisting and spam.
I feel really vague about the exact reason why this is a bad idea, particularly as I've got to try to counsel the client out of this. Can someone explain to me why this is a bad idea?
Interestingly, the client has used a Gmail account as the from address as a demo, which not only works fine but has enabled the application to start sending emails (it wouldn't do it before with an email which was [email protected]). Erm - what is going on? I'm told one thing and the opposite works.
Sorry - I know this is basic, but I couldn't find anything on a Google search. Largely, I think, because I'm having trouble even framing the question.
EDIT
Thank you everyone - great answers. Interestingly the server sending the email and the mail box that it is going to are both behind the same firewall so the client says they are unconcerned about spam. Oh well.
Solution 1:
It is bad practice for several reasons:
- You are NOT allowed to send a mail from a domain you do not own. As such, it could be conceived as an attempt at impersonation.
- It's a common enough practice used by spammers and, as such, is frequently tagged by spam filters.
- It is pretty common for well-maintained domains to use SPF or DKIM to protect their reputation and help other systems identify impersonation and spam. You obviously will not be able to add the DKIM mail header or add your SMTP server into the domain's SPF DNS record, and so your mail will be (rightly) considered as forged and rejected.
The proper practice is to use your local domain as sender, possibly using a non-existing address as user name.
Solution 2:
Actually, you're allowed to set the From address to your customer's email, as long as you correctly set the Sender field to your own address. This is what Paypal used to do!
FROM: [email protected]
TO: [email protected]
SENDER: [email protected]
Most email clients will render this as "From [email protected] On Behalf Of [email protected]". There shouldn't be any issues with SPF or DKIM on the customer's domain.
You should also probably set the Reply-To header to your customer's address, so replies go to the customer's address rather than yours.
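As an added example (not code from either answer), here is the From/Sender/Reply-To layout Solution 2 describes, built with Python's standard library, plus a pre-send check that flags the setup the question describes (a customer address put straight into From with nothing pointing back at a domain you control). The own domain, addresses and function names are assumptions.

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption (not from the original post): the domain our SMTP server is
# authorised to send for, i.e. the one listed in our own SPF record.
OWN_DOMAIN = "example.com"


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def build_on_behalf_message(customer_addr, recipient, subject, body):
    """Customer in From; Sender (and so the envelope MAIL FROM) stays on our
    own domain; replies go back to the customer via Reply-To."""
    msg = EmailMessage()
    msg["From"] = customer_addr
    msg["Sender"] = f"noreply@{OWN_DOMAIN}"
    msg["Reply-To"] = customer_addr
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_bare_from_message(customer_addr, recipient):
    """The setup the question describes: customer address straight into From."""
    msg = EmailMessage()
    msg["From"] = customer_addr
    msg["To"] = recipient
    return msg


def envelope_sender(msg):
    """Address to use as SMTP MAIL FROM: Sender when present, else From.
    Receivers check this address's domain against SPF."""
    return parseaddr(msg["Sender"] or msg["From"] or "")[1]


def header_problems(msg, own_domain=OWN_DOMAIN):
    """Pre-send check: reasons a receiver would treat this mail as forged."""
    problems = []
    foreign_from = domain_of(msg["From"]) != own_domain
    if domain_of(envelope_sender(msg)) != own_domain:
        problems.append("envelope sender not on our domain (SPF will fail)")
    if foreign_from and not msg["Sender"]:
        problems.append("From is a foreign address and no Sender header is set")
    if foreign_from and not msg["Reply-To"]:
        problems.append("From is a foreign address but Reply-To is missing")
    return problems
```

One caveat the answer does not mention: DMARC is evaluated against the header From domain, so a customer domain publishing a strict DMARC policy can still cause such mail to be rejected even with a correct Sender header.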