Overview
The following describes good and bad spoofing and explains DreamHost’s sender domain policy, which protects legitimate email.
Email spoofing
When emails are sent, the email program or script can say the sender is "from" any address it wants. Email spoofing occurs when email is sent with a forged FROM address. For example, you can send emails from your website example.com that are "from" FakeFromAddress@example.com. So, it’s always possible to change the FROM address when sending an email.
Good vs Bad spoofing
Good spoofing
-
Good spoofing occurs when an email sent from your website appears to be sent from your domain (contact@example.com).
Without spoofing, the email would instead be sent from username@server.dreamhost.com, which can be confusing to site users or customers. In this case, the email is spoofed, so it clearly shows it's originating from your website.
Bad spoofing
-
Bad spoofing is when spammers use your email address to hide from where their spam emails are originating, allowing them to send out hundreds of emails that appear to be from your website.
-
Protecting against bad spoofing
If you receive "undeliverable" bounced emails that you never actually sent, a spammer could be spoofing your domain.
DKIM is a method of email authentication that is enabled automatically for all DreamHost mail accounts. You can use DKIM records to make spoofed emails more easily recognizable as suspicious and, hopefully, discourage spammers from spoofing your domain.
DreamHost recommends that you do not whitelist your own email address or domain, as it may allow spammers to spoof your address much more easily.
Good spoofing using a PHP contact form
The following basic code sends contact form emails using your email address as the sender. The $visitor_name, $visitor_email, and $message are set by the contact form:
//set the recipient email address, where to send emails to $to_email = incoming@example.com;
//set the sender email address $your_email = administrator@example.com;
//use your email address as the sender $header = "From: " . $your_email . "\r\n";
//put the site visitor's address in the Reply-To header $header .= "Reply-To: " . $visitor_email . "\r\n";
//set the email Subject using the site visitor's name $subject = "Contact Form Submission from " . $visitor_name;
//set the email body with all the site visitor's information $emailMessage = "Name: " . $visitor_name . "\r\n"; $emailMessage .= "Email: " . $visitor_email . "\r\n"; $emailMessage .= "Message: " $message . "\r\n";
//send the email mail($to_email, $subject, $emailMessage, $header);
This code only spoofed the FROM header (the one seen in a mail client program). Any bounces or error messages from the mail server are sent to the envelope sender, which was left unspoofed and will still be the default username@server.dreamhost.com address.
Spoofing the envelope sender
To spoof the envelope sender and have bounced emails go to that email address instead of the Maildir/new directory on the webserver, use the mail function's -f additional parameter as in the following:
mail($to_email, $subject, $emailMessage, $header, "-f$your_email");
You can also see more PHP mail script examples here.