

Sender domain policy and spoofing overview
source link: https://help.dreamhost.com/hc/en-us/articles/215036058-Sender-domain-policy-and-spoofing-overview
Overview
When emails are sent, the email program or script can say the sender is "from" any address it wants. Email spoofing occurs when email is sent with a forged FROM address. For example, you can send emails from your website example.com that are "from" [email protected]. So, it’s always possible to change the FROM address when sending email.
This article details good and bad spoofing and explains DreamHost’s sender domain policy which protects legitimate email.
What is useful spoofing?
Without spoofing, any email sent from your website would be sent "from" [email protected]. While that's accurate, it's not very nice to look at, and can be confusing to site users or customers who expect to see the email coming from the same domain name as your website. So in a sense, the email is spoofed to clearly show it’s originating from your website.
What is bad spoofing?
Spammers often use email spoofing to hide where their spam emails are sent from. They do this so they can send out hundreds of emails that appear to originate from your website. If you receive "undeliverable" bounced emails that you never actually sent, a spammer could be spoofing your domain.
Protecting against bad spoofing
DKIM records can make spoofed emails more easily recognizable as suspicious, and hopefully discourage the spammers from spoofing your domain:
- DKIM is a method of email authentication that is enabled automatically for all DreamHost mail accounts.
PHP code
This basic code sends contact form emails using your email address as the sender. The $visitor_name, $visitor_email, and $message are set by the contact form:
//set the recipient email address, where to send emails to
//(the addresses on this page are obscured in the source; use your own)
$to_email = "[email protected]";
//set the sender email address
$your_email = "[email protected]";
//use your email address as the sender
$header = "From: " . $your_email . "\r\n";
//put the site visitor's address in the Reply-To header
$header .= "Reply-To: " . $visitor_email . "\r\n";
//set the email Subject using the site visitor's name
$subject = "Contact Form Submission from " . $visitor_name;
//set the email body with all the site visitor's information
$emailMessage = "Name: " . $visitor_name . "\r\n";
$emailMessage .= "Email: " . $visitor_email . "\r\n";
$emailMessage .= "Message: " . $message . "\r\n";
//send the email
mail($to_email, $subject, $emailMessage, $header);
This code only spoofed the FROM header (the one seen in a mail client program). Any bounces or error messages from the mail server are sent to the envelope sender, which was left unspoofed and will still be the default [email protected] address.
To spoof the envelope sender and have bounced emails go to that email address instead of the Maildir/new directory on the webserver, use the mail function's -f additional parameter as in the following:
mail($to_email, $subject, $emailMessage, $header, "-f$your_email");
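The script above places $visitor_name and $visitor_email, which come straight from the contact form, into the Subject and Reply-To headers. The following is an added example, not DreamHost's code, that validates those fields before building the same five arguments for mail(). The function name build_contact_mail, the form keys, both addresses and the 100-character name limit are assumptions made for illustration.

```php
<?php
// Added example, not DreamHost's code. Both addresses are placeholders.
const TO_EMAIL   = 'owner@example.com';
const YOUR_EMAIL = 'website@example.com';   // fixed sender on the site's own domain

// Validate the form fields and return the five arguments for mail().
function build_contact_mail(array $form): array
{
    $name    = trim((string)($form['visitor_name'] ?? ''));
    $email   = trim((string)($form['visitor_email'] ?? ''));
    $message = (string)($form['message'] ?? '');

    // Values placed in headers must not contain CR or LF: a line break
    // inside a header value begins a new header line.
    if (preg_match('/[\r\n]/', $name . $email)) {
        throw new InvalidArgumentException('line break in a header field');
    }
    // Reply-To must be exactly one syntactically valid address.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid visitor email');
    }
    if ($name === '' || strlen($name) > 100) {
        throw new InvalidArgumentException('name missing or too long');
    }

    $header  = "From: " . YOUR_EMAIL . "\r\n";
    $header .= "Reply-To: " . $email . "\r\n";
    $subject = "Contact Form Submission from " . $name;
    // The body may span several lines; it is not part of the headers.
    $body    = "Name: $name\r\nEmail: $email\r\nMessage: $message\r\n";
    // The envelope sender comes from the constant only, never from form input.
    return [TO_EMAIL, $subject, $body, $header, "-f" . YOUR_EMAIL];
}

// Constructed sample submissions: one normal, one with a line break in the email field.
$samples = [
    ['visitor_name' => 'Ada', 'visitor_email' => 'ada@example.org', 'message' => "Hello\r\nthere"],
    ['visitor_name' => 'Bob', 'visitor_email' => "bob@example.org\r\nX-Test: 1", 'message' => 'Hi'],
];
foreach ($samples as $form) {
    try {
        $args = build_contact_mail($form);
        echo "accepted: {$args[1]}\n";   // a real script would call mail(...$args) here
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}
```

Keeping both the From header and the -f value tied to one fixed address on your own domain means the visitor's input only ever appears in Reply-To, the Subject and the body.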
Further PHP mail script examples can be found here:
What if my domain doesn't use DreamHost-hosted mail service? (SMTP)
If your domain does not use regular DreamHost-hosted mail service, then your domain may have mail service from another provider like Google Suite. For these domains, your website must use SMTP to connect directly to your domain's mail server. In this way, your website logs in to your mail account at that host and sends email through their server instead of through DreamHost's mail servers.
- WordPress has SMTP support via a plugin. There are many SMTP plugins to choose from; WP Mail SMTP is one.
- Joomla has built-in SMTP support (version 3.1)
- phpBB has built-in SMTP support
- ZenCart has built-in SMTP support
If your website was built by you or someone else by hand and is written in PHP, you can add SMTP support using PHPMailer. Just use the SMTP host/server your email provider gives you, and your username and password in their system. Another option is to use the PEAR Mail package to send via SMTP. View the Sending SMTP mail article for an example.