When emails are sent, the email program or script can say the sender is "from" any address it wants. Email spoofing occurs when email is sent with a forged FROM address. For example, you can send emails from your website example.com that are "from" FakeFromAddress@example.com. So, it’s always possible to change the FROM address when sending email.
This article details good and bad spoofing and explains DreamHost’s sender domain policy which protects legitimate email.
What is useful spoofing?
Without spoofing, any email sent from your website would be sent "from" email@example.com. While that's accurate, it's not very nice to look at, and can be confusing to site users or customers who expect to see the email coming from the same domain name as your website. So in a sense, the email is spoofed to clearly show it’s originating from your website.
What is bad spoofing?
Spammers often use email spoofing to hide where their spam emails are really sent from. They do this so they can send out hundreds of emails that appear to be originating from your website. If you receive "undeliverable" bounced emails for messages you never actually sent, a spammer could be spoofing your domain.
Protecting against bad spoofing
DKIM and SPF records are two methods that make spoofed emails easier to recognize as suspicious, and hopefully discourage spammers from spoofing your domain:
- DKIM is a method of email authentication that is enabled automatically for all DreamHost mail accounts.
- SPF is a custom DNS record that says "this is a list of all the servers I send mail from. If you received an email from 'me' and it came from a different place, it's probably fake." Some mail servers even reject emails that fail SPF checks.
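As an added illustration of the SPF record described above (this is not from DreamHost's article, and the IP address and include host are placeholders you would replace with what your mail provider publishes), here is what the DNS TXT record looks like in zone-file form, with a weak version beside a useful one:

```dns
; Added example, not from the original article. Placeholders: 203.0.113.10 and
; _spf.mail-provider.example stand in for your real sending server and provider.

; Weak: "+all" authorizes every host on the Internet, so the record proves nothing.
example.com.  IN TXT  "v=spf1 +all"

; Useful: only the domain's MX hosts, one named web server and the provider's
; published list may send mail "from" example.com; everything else hard-fails.
example.com.  IN TXT  "v=spf1 mx ip4:203.0.113.10 include:_spf.mail-provider.example -all"
```

`mx` covers the hosts your MX records point at, `ip4:` names a specific server (for example the web server running your contact form), and `include:` pulls in the provider's own list. `-all` tells receivers to fail anything else; `~all` (soft fail) only marks it, which is the usual choice while you are still confirming every legitimate sender is listed.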
This basic code sends contact form emails using your email address as the sender. The $visitor_name, $visitor_email, and $message are set by the contact form:
// set the recipient email address, where to send emails to
$to_email = "firstname.lastname@example.org";
// set the sender email address
$your_email = "email@example.com";
// use your email address as the sender
$header = "From: " . $your_email . "\r\n";
// put the site visitor's address in the Reply-To header
$header .= "Reply-To: " . $visitor_email . "\r\n";
// set the email Subject using the site visitor's name
$subject = "Contact Form Submission from " . $visitor_name;
// set the email body with all the site visitor's information
$emailMessage = "Name: " . $visitor_name . "\r\n";
$emailMessage .= "Email: " . $visitor_email . "\r\n";
$emailMessage .= "Message: " . $message . "\r\n";
// send the email
mail($to_email, $subject, $emailMessage, $header);
This code only spoofed the FROM header (the one seen in a mail client program). Any bounces or error messages from the mail server are sent to the envelope sender, which was left unspoofed and will still be the default firstname.lastname@example.org address.
To spoof the envelope sender and have bounced emails go to that email address instead of the Maildir/new directory on the webserver, use the mail function's -f additional parameter as in the following:
mail($to_email, $subject, $emailMessage, $header, "-f$your_email");
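The following is an added example, not DreamHost's code: it puts the contact-form send above into one function, sets the envelope sender with `-f` as just described, and adds the input checks a form handler needs, because `$visitor_email` and `$visitor_name` come straight from the visitor and end up in mail headers. A value containing a line break followed by another header would otherwise be accepted as that header. The `send_contact_form` name and both email addresses are placeholders.

```php
<?php
// Added example (not DreamHost's code): contact-form send with the envelope
// sender set via -f, plus checks so visitor-supplied values cannot become
// extra mail headers. $visitor_name, $visitor_email and $message come from
// the contact form; the two addresses below are placeholders.

function send_contact_form(string $visitor_name, string $visitor_email, string $message): bool
{
    $to_email   = "firstname.lastname@example.org"; // where submissions are delivered
    $your_email = "email@example.com";              // sender, on your own domain

    // Accept only a single, well-formed address. FILTER_VALIDATE_EMAIL rejects
    // CR/LF, so the Reply-To value cannot be turned into a second header.
    if (filter_var($visitor_email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Header values must be one line; flatten line breaks in free text
    // that is used in the Subject header.
    $safe_name = trim(str_replace(["\r", "\n"], " ", $visitor_name));

    $header  = "From: " . $your_email . "\r\n";
    $header .= "Reply-To: " . $visitor_email . "\r\n";
    $header .= "Content-Type: text/plain; charset=UTF-8\r\n";

    $subject = "Contact Form Submission from " . $safe_name;

    $body  = "Name: " . $safe_name . "\r\n";
    $body .= "Email: " . $visitor_email . "\r\n";
    $body .= "Message: " . $message . "\r\n";

    // -f sets the envelope sender (Return-Path), so bounces go to $your_email
    // instead of the web server's Maildir/new directory.
    return mail($to_email, $subject, $body, $header, "-f" . $your_email);
}

// Constructed sample call, as the form handler would make it:
$sent = send_contact_form("Jane Visitor", "jane@example.net", "Hello from the form.");
```

Keep `$your_email` a fixed value in the script rather than something taken from the form: it is passed to the local sendmail binary as a command-line parameter, and the envelope sender should in any case stay on your own domain so that SPF and DKIM checks on the receiving side pass.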
Further PHP mail script examples can be found here:
What if my domain doesn't use DreamHost-hosted mail service? (SMTP)
If your domain does not use regular DreamHost-hosted mail service, then your domain may have mail service from another provider like Google Apps. For these domains, your website must use SMTP to connect directly to your domain's mail server. In this way, your website logs in to your mail account at that host and sends email through their server instead of through DreamHost's mail servers.
- WordPress has SMTP support via a plugin. There are many SMTP plugins to choose from; Configure SMTP is one of them.
- Joomla has built-in SMTP support (version 3.1)
- phpBB has built-in SMTP support
- ZenCart has built-in SMTP support
If your website was hand-built by you or someone else and is written in PHP, you can add SMTP support using PHPMailer. Use the SMTP host/server your email provider gives you, along with your username and password in their system. Another option is to use the PEAR Mail package to send via SMTP. View the Sending SMTP mail article for an example.
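As an added example (not DreamHost's code, nor PHPMailer's own documentation), this sends the same contact-form message through an external provider's SMTP server with PHPMailer 6 installed via Composer. The host name, port, mailbox, addresses and the `SMTP_PASSWORD` environment variable are placeholders for whatever your provider gives you.

```php
<?php
// Added example (not DreamHost's code): contact-form mail sent through an
// external provider's SMTP server with PHPMailer 6. Host, credentials and
// addresses are placeholders; $visitor_* values come from the contact form.
use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;

require 'vendor/autoload.php';

function send_via_smtp(string $visitor_name, string $visitor_email, string $message): bool
{
    // Do not place an unvalidated visitor value in a header.
    if (filter_var($visitor_email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }

    $mail = new PHPMailer(true); // true: throw Exception on failure instead of returning false
    try {
        $mail->isSMTP();
        $mail->Host       = 'smtp.mail-provider.example';     // placeholder: provider's SMTP host
        $mail->Port       = 587;                              // submission port
        $mail->SMTPSecure = PHPMailer::ENCRYPTION_STARTTLS;   // encrypt the session before login
        $mail->SMTPAuth   = true;
        $mail->Username   = 'email@example.com';              // your mailbox at the provider
        $mail->Password   = getenv('SMTP_PASSWORD') ?: '';    // keep the secret out of the script

        // From must match the authenticated mailbox's domain; otherwise the
        // provider may refuse it and recipients' SPF/DKIM checks will fail.
        $mail->setFrom('email@example.com', 'Example.com Contact Form');
        $mail->addAddress('firstname.lastname@example.org');
        $mail->addReplyTo($visitor_email, $visitor_name); // PHPMailer validates and encodes these

        $mail->Subject = 'Contact Form Submission from ' . $visitor_name;
        $mail->Body    = "Name: $visitor_name\r\nEmail: $visitor_email\r\nMessage: $message\r\n";

        return $mail->send();
    } catch (Exception $e) {
        error_log('Contact form mail failed: ' . $mail->ErrorInfo);
        return false;
    }
}

// Constructed sample call:
$sent = send_via_smtp("Jane Visitor", "jane@example.net", "Hello from the form.");
```

Because the message leaves through the provider's server after logging in, it is that server's IP that appears in the SPF check, so the From address here is legitimate rather than spoofed. The password is read from the environment so it does not sit in a file under the web root.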
- How to spoof in your CMS or web application
- Sender domain policy FAQs
- What is useful spoofing?
- How do I send PHP mail via SMTP?