We have a script that sends emails out. We want to personalize the "From" email address for outgoing emails, so that the email is being sent from the email address of the user sending it, even if we don't have their SMTP credentials to send the email from that user.
The script connects to an SMTP server to send the emails, we'd like to understand the best option for sending the emails, while ensuring the emails don't end up in Spam or Junk folders.
The options that we understand so far are:
Option 1:
Send the emails with a common email address that we have SMTP credentials for, but change the name each time. Also set the actual corporate email address as the Reply-to: header.
Example headers:
From: John Doe < my-generic-email#smtp-email.com >
From: Jane Doe < my-generic-email#smtp-email.com >
From: Joe Smith < my-generic-email#smtp-email.com >
We're not sure if there are consequences to changing the display name each time we send the email, like ending up on blacklists or identified as possible phishing.
Option 2:
Setting the From: as the actual email address we want it to appear that it came from.
From: John Doe < john-doe#corporate-email.com >
From: Jane Doe < jane-doe#corporate-email.com >
From: Joe Smith < joe-smith#corporate-email.com >
Our understanding is that this is bad practice and most email servers will drop the email as a phishing attempt.
Are there any other options available for us to have the personalized "From" field while connecting to a common SMTP mail server / account?
Also note that we are connecting to a different domain for the SMTP server than the corporate email addresses are from.
You could find a group name like support or xyz-department in order to get around your problem.
Option 1 should not be a problem and work fine, I don't think that mail service providers keep a record of which clear name is associated with which mail address in the mail headers of the mails that pass their servers. That would seem paranoid to me. I had a mail account once whiches from field changed quite often, because I changed it frequently and because my mail clients on different machines were configured inconsistently and it worked perfectly fine.
I think option 2 is indeed bad practice and you should be honest in the mail header.
You mentioned that the hostname of your smtp server deviates from the hostname in the from field. This is no problem. Email is designed to be able to be forwarded from one mail transfer agent (mail server) to anoter to another to... Just make sure that all servers are configured correctly so that their hostname matches the dns entry pointing towards them and you may want to make sure, the reverse dns is set, too.
Still, you seem to pursue a rather uncommon strategy. Usually, every user should have his*her own smtp login credentials and what you plan seems to be fooling the recipient that he*she received mail from different people who are only one (one script) in the end.
Related
Suppose I own an email 'demo#gmail.com'. Now, I create a new Microsoft account using my existing email. Thus I get another email 'demo#gmail.com', but this one is served by Microsoft.
So the situation is: one email and two providers.
If I send a hello email to 'demo#gmail.com' using my personal SMTP server, to which of the above will it send: will it send to the one hosted by Microsoft or the one hosted by Google?
How does it solve such an ambiguity? What are the factors that influence this?
This is a very common problem because many providers are giving us an option to create a new account using our existing email.
My observations:
I saw the emails inside the inboxes of both the services. I found that they had completely different emails.
There was no email which was common to both the inboxes. So there must be some mechanism to deal with it.
Let us look at the problem the other way round: If I had an email 'demo#outlook.com' initially and I created a new Google Account with this email address, then:
An email sent to this email address from another gmail account goes to the Google's server. An email sent to this email address from an Outlook also goes to the Google's servers.
There are two different ways of looking up an email. The 'normal' way:
You send an email to an server, in this example gmail.com.
Your mail delivery agent looks for mx record of gmail.comand send it to the ip-address of gmail.com.
If an email is delivered locally by the domain outlook.com it perhaps doesn't lookup the mx record, but lookups in a local database if the email-address exist there, and sends it to the ip-address of the outlook.com.
I think in the inbox of outlook.com are only microsoft emails.
More details can be found at https://www.socketlabs.com/blog/smtp-email-delivery/
I have a server on OVH and I'm trying to send some mail to my Gmail address using sendmail.
I installed sendmail with apt-get on debian, and echo "Subject: test" | /usr/sbin/sendmail -v mymail#gmail.com works. However Gmail puts the mail in the spam folder and says the mail is not authenticated.
I have no knowledge of how email works and from what I've seen I could use SPF or DKIM to provide authentication, but it seems it requires admin access to ovh DNS servers.
What would be the easiest way, using only admin access to the server that sends mails, to make sure emails sent from it are not marked as spam ?
Thanks
There are no easy way. That's the simple answer.
Google Mail is fighting spam every second, every day, all year. To get mail delivered directly to the inbox requires time and patience and there are no shortcuts. If there where, spammers would have it way to easy!
You are very correct that Google's SMTP servers will ask you to beef up your SMTP mail headers to include better authentication and security. There's no way around it if you want to be on good terms with Google's SMTP servers.
Here is a list of things to consider
SPF (Must have, also to defend spam sent in your name)
DKIM (Must have, this is somewhat a step up from SPF)
ESMTP (Google likes it when you talk to them encrypted)
Bulk headers (Use them if it's bulk, no reason to lie!)
Unsubscribe headers (Use them if you are sending out maillist content)
SMTP relay's with nice Senderscores (Easy access to the inbox, but cost)
SMTP relay's with good reputation (Easy access to the inbox, but cost)
Feedback loop headers/setup (If you send large amount of mails)
Only use "warmed up" SMTP relay servers (Mostly used by bulk senders)
Reverse DNS to match HELO/HELO (Mismatch can make problems)
Static IP (It's a given)
As you can see it's no simple task to "just" send an email to Google and expect it to be passed along to the users Inbox without getting targeted as spam.
Most of the options above requires extensive server knowlagde or that your hosting provider supports it. You need to have access to change your own DNS records but also the SMTP server that you send your mail from needs to be setup with the things in advance.
Now to the:
"How to send emails to Google Mail that always land in the inbox for dummies"
Well you basically buy your way into the inbox. Use SMTP services like Mailchimp, Amazon AWS-SMS (Simple Mail Service) many if not all of these services have already setup DKIM, SPF and are on good terms with Google. They do however have many rules and what and what not to do so if you don't follow the rules they will close your account right away.
since a few days our internal email info#ourdomain.com seems to go bananas and sends out emails to all sort of email addresses. Some of those emails bounce and we receive Mail Delivery Failed emails every minute.
Here is our setup:
Domain hosted at Germany's 1und1 provider
Nameserver configured on Amazon Route 53
MX server mx01.kundenserver.de and mx00.kundenserver.de
Rails application hosted on heroku
I called the support at 1und1 and they told me to set a SPF record which I did:
"v=spf1 a mx ~all"
after researching the topic via http://www.spf-record.de/
Unfortunately this did not resolve the problem.
Honestly I am cluesless now what to do to prevent this random email sending.
Our account could have been hacked but the password was already changed.
Any of your email account or script/code compromise can cause outgoing spam emails. If outgoing emails are originating from particular email account and you find large outgoing email account from particular email account, you should consider to reset the password of that email account immediately. Also, compromised email sending script/code can can cause outgoing spam.
If "from" email address on spam email is none of your existing account then "From" email address is getting authenticated from any of your existing email account for which you should inspect SMTP logs of mail server(you should have administrative access of mail server)
Mail server IP address should not be blacklisted,please check IP here :- http://mxtoolbox.com/blacklists.aspx
If IP address is blacklisted, you can request IP whitelist after you identify and fix the outgoing spam source as RBL keeps IP address blacklisted until they find the spamming activity relaxed.
SPF and PTR record should be correct so that email recipient server can trust the sender mail server.
Bounce back email and spam email header can help to identify the issue more preciously.
This happened to me before, I had a "refer a friend" feature on my website and someone use an automated script to send emails to a ton of people. My server wasn't comprised, it was just bad coding in the feature that I installed that allowed my mail server to send mail to different people on my behalf.
Since the email is coming from you, your SPF/DKIM will check out just fine.
So thing about all the points on your website that can send email and see if any of them can be compromised.
Also you'll want to do a blacklist scan, I use this service it does more then 200+ blacklist: https://www.unlocktheinbox.com/blacklist/bl/
Make sure you scan both your domain name and IP address. But before you take any action to remove yourself, you should wait 24 hours until after you fix the exploit on your system. Requesting removal and popping up again can get you permanently listed.
We have an application that allows users exchange messages, and delivers the message through email. But we don't reveal sender's email, instead; every time a message is sent out a new email address gets generated for the "From" field. Something similar to the way Facebook or LinkedIn send out messages.
Everything works fine, except the recipient's email client caches all these email addresses.
For instance, if Jack sends two messages to Jill, the sender's addresses can be: a123#FakeEmail.com and a456#FakeEmail.com, so next time Jill composes a new message and starts typing Jack's name, the email client suggests two addresses for Jack.
So my question is, how we can prevent email caching on client's machine? Is there something similar to HTTP header Pragma: no-cache for SMTP?
Thanks
Nivresh
OK, here is what I ended up doing. To prevent Outlook and other mail clients from suggesting several dummy email addresses generated for the same contact name, I add a special character to the beginning of the sender's name. This can be a space or if you use Unicode, you can add a zero-width space (\u200B) to the beginning of the name.
So in my example, the email is sent from "\u200BJack" which will be shown as "Jack". The dummy email address will be saved in mail client under the name of "\u200BJack" and when the recipient later on tries to send an email to Jack, email client won't suggest this address.
Hope this helps someone.
When developing an application that sends out notification email messages, what are the best practices for
not getting flagged as a spammer by your hosting company. (Cover any of:)
best technique for not flooding a mail server
best mail server products, if you were to set up your own
sending messages as if from a specific user but still clearly from your application (to ensure complaints, etc come back to you) without breaking good email etiquette
any other lessons learned
not getting flagged as spam by the receiver's client? (Cover any of:)
configuring and using sender-id, domain-keys, SPF, reverse-dns, etc to make sure your emails are properly identified
best SMTP header techniques to avoid getting flagged as spam when sending emails for users (for example, using Sender and From headers together)
any other lessons learned
An additional requirement: this application would be sending a single message to a single recipient based upon an event. So, techniques for sending the same messages to multiple recipients will not apply.
best technique for not flooding a mail server
not a lot you can do about this beyond checking with your mail server admin (if it's a shared hosting account / not in your control). but if the requirement is one email to a single recipient per event, that shouldn't be too much of an issue. the things that tend to clog mail systems are emails with hundreds (or more) of recipients.
if you have events firing off all the time, perhaps consider consolidating them and having an email sent that summarizes them periodically.
sending messages as if from a specific user but still clearly from your application (to ensure complaints, etc come back to you) without breaking good email etiquette
you can accomplish this by using the "Reply-To" header, which will then have clients use that address instead of the From address when an email message is being composed.
you should also set the "Return-Path" header of any email, as email without this will often get filtered off.
ex.
From: me#me.com
Return-Path: me#me.com
Reply-To: auto#myapp.com
configuring and using sender-id, domain-keys, SPF, reverse-dns, etc to make sure your emails are properly identified
this is all highly dependent on how much ownership you have of your mail and DNS servers. spf/sender-id etc... are all DNS issues, so you would need to have access to DNS.
in your example this could present quite the problem. as you are setting mail to be from a specific user, that user would have to have SPF (for example) set in their DNS to allow your mail server as a valid sender. you can imagine how messy (if not outright impossible) this would get with a number of users with various domain names.
as for reverse DNS and the like, it really depends. most client ISP's, etc... will just check to see that reverse DNS is set. (ie, 1.2.3.4 resolves to host.here.domain.com, even if host.here.domain.com doesn't resolve back to 1.2.3.4). this is due to the amount of shared hosting out there (where mail servers will often report themselves as the client's domain name, and not the real mail server).
there are a few stringent networks that require matching reverse DNS, but this requires that you have control over the mail server if it doesn't match in the first place.
if you can be a bit more specific i may be able to provide a bit more advice, but generally, for people who need to send application mail, and don't have a pile of control over their environment, i'd suggest the following:
make sure to set a "Return-Path"
it's nice to add your app and abuse info as well in headers ie: "X-Mailer" and "X-Abuse-To" (these are custom headers, for informational purposes only really)
make sure reverse DNS is set for the IP address of your outgoing mail server
first a quick correction to the previous
return-path: is a header added by recieving system based on the envelope-sender of the incomming message
for spf to work the return-path/envelope-sender needs to be yourapp#yourdomain.com
and ensure the spf record for yourdomain.com {or if per-user spf} for yourapp#yourdomain.com allows mails to originate on the server that hosts the app/sends the email
this envelope-sender is the address that will recieve all bounces/errors
now sender-id is different entirely it checks the return-path/envelope-sender
and the
from: address {stored inside the message}
if sending
from: hisname yourapp#yourdomain.com
reply-to: hisname hisaddres#hisdomain.com
this will be a non-issue
if sending
from: hisname hisaddres#hisdomain.com
it will be and you must add a
Resent-From: hisname yourapp#yourdomain.com
as this specifies to ignore the from: for sender-id checks use this instead as it has been sent by you on his behalf
now for the other bits that are worthwhile
ip's mentioned are your mailservers
a have your ip's ptr point to a name that also resolves to the same ip
FQDNS
b have your server helo/ehlo with whatever.domain.com where domain.com is the same as the domain of the name in step A {not the same name for resons below}
c have that helo/ehlo servername also resolve to the ip of your server
d add the following spf record to that helo/ehlo name "v=spf1 a -all"
{meaning allow helo/ehlo with this name from ip's this name points to only}
e add the following sender-id lines to the helo/ehlo name {purely for completeness
"spf2.0/mfrom,pra -all" {ie there are no users#this-domain}
f add the following spf to the FQDNS-name and any other hostnames for your server
"v=spf1 -all" {ie no machines will ever helo/ehlo as this name and no users#this-domain}
{as the fqdns name can be determined by bots/infections its better to never allow this name to be used in helo/ehlo greetings directly it is enough that it be from the same domain as the helo/ehlo identity to prove the validity of both}