Sender domain policy and spoofing overview


Overview

The following describes good and bad spoofing and explains DreamHost’s sender domain policy, which protects legitimate email.

Email spoofing

When an email is sent, the mail program or script can claim any address it likes as the sender. Email spoofing is sending email with a forged FROM address. For example, a script on your website example.com can send emails that are "from" FakeFromAddress@example.com, or from any other address. In other words, the FROM address can always be changed when sending an email, so it is never proof of who actually sent a message.

Good vs Bad spoofing

Good spoofing

Good spoofing is when an email sent by your website appears to come from an address on your own domain (for example contact@example.com).

Without spoofing, the email would instead be sent from username@server.dreamhost.com, which can be confusing to site users or customers. In this case the FROM address is spoofed deliberately, so the message clearly shows that it originates from your website.

Bad spoofing

Bad spoofing is when spammers forge your email address to hide where their spam is really coming from, sending out hundreds of messages that appear to be from your website. Because the forged address is yours, the complaints and bounces come to you rather than to the spammer.

Protecting against bad spoofing

If you receive "undeliverable" bounce messages for emails you never actually sent, a spammer may be spoofing your domain.

DKIM is a method of email authentication that is enabled automatically for all DreamHost mail accounts. Outgoing mail is signed with a key whose public half is published in your domain's DNS, so a receiving server can check that a message claiming to be from your domain was actually signed by your mail server. A spoofed message carries no valid signature, which makes it more easily recognizable as suspicious and, hopefully, discourages spammers from spoofing your domain. Note that DKIM lets receivers verify your mail; how strictly they treat an unsigned message using your domain is up to their filtering.

DreamHost recommends that you do not whitelist your own email address or domain in your spam filters: a whitelist entry for your own domain lets any message that merely claims to be from you bypass filtering, which makes spoofing your address much easier for spammers.

Good spoofing using a PHP contact form

The following basic code sends contact form emails using your own email address as the sender. $visitor_name, $visitor_email, and $message are set from the contact form, and must be validated before use, because a newline in a value that ends up in a mail header lets a visitor add headers of their own:

<?php
//set the recipient email address, where to send emails to
$to_email = "incoming@example.com";
//set the sender email address (an address on your own domain)
$your_email = "administrator@example.com";
//use your email address as the sender
$header = "From: " . $your_email . "\r\n";
//put the site visitor's address in the Reply-To header
//($visitor_email must already be validated: a newline here would let the visitor inject extra headers)
$header .= "Reply-To: " . $visitor_email . "\r\n";
//set the email Subject using the site visitor's name
$subject = "Contact Form Submission from " . $visitor_name;
//set the email body with all the site visitor's information
$emailMessage  = "Name: " . $visitor_name . "\r\n";
$emailMessage .= "Email: " . $visitor_email . "\r\n";
$emailMessage .= "Message: " . $message . "\r\n";
//send the email
mail($to_email, $subject, $emailMessage, $header);

This code spoofs only the FROM header (the address a mail client displays). Bounces and error messages from the receiving mail server are sent to the envelope sender (the SMTP MAIL FROM address, which appears as Return-Path in delivered mail). That was left unspoofed, so it is still the default username@server.dreamhost.com address.

Spoofing the envelope sender

To spoof the envelope sender as well, so that bounced emails go to that address instead of the Maildir/new directory on the web server, pass the -f option in the mail function's additional parameters argument, as in the following:

mail($to_email, $subject, $emailMessage, $header, "-f$your_email");
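Putting the two pieces together, a header FROM on your own domain and the envelope sender set with -f, here is an added example that is not DreamHost's code. It also handles the failure mode the basic script leaves open: header injection through $visitor_name or $visitor_email, which would let a visitor append Bcc: or To: headers and turn the form into a spam relay (bad spoofing from your own server). The addresses incoming@example.com and administrator@example.com, the function names build_contact_mail and reject_header_injection, and the sample form input are assumptions made for this example.

```php
<?php
// Added example (not DreamHost's code): a contact-form mailer that spoofs only
// your own domain, validates visitor input, and sets the envelope sender.
// Assumed addresses: incoming@example.com and administrator@example.com.

// Reject any value containing CR or LF. A newline inside a header value ends
// that header, so a visitor could append "Bcc: ..." and relay spam through you.
function reject_header_injection(string $value): string
{
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException('header injection attempt');
    }
    return $value;
}

// Builds the arguments for mail() without sending, so they can be inspected.
function build_contact_mail(string $visitor_name, string $visitor_email, string $message): array
{
    $to_email   = 'incoming@example.com';       // where submissions go
    $your_email = 'administrator@example.com';  // an address on your own domain

    // Only a syntactically valid, newline-free address reaches the Reply-To header.
    if (filter_var($visitor_email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid visitor address');
    }
    $visitor_email = reject_header_injection($visitor_email);
    $visitor_name  = reject_header_injection($visitor_name);

    // Header From is your own domain ("good spoofing"); the visitor goes in Reply-To.
    $headers  = "From: " . $your_email . "\r\n";
    $headers .= "Reply-To: " . $visitor_email . "\r\n";
    $headers .= "Content-Type: text/plain; charset=UTF-8\r\n";

    $subject = "Contact Form Submission from " . $visitor_name;

    $body  = "Name: " . $visitor_name . "\r\n";
    $body .= "Email: " . $visitor_email . "\r\n";
    $body .= "Message: " . $message . "\r\n";

    // -f sets the envelope sender (Return-Path), so bounces come to you instead
    // of username@server.dreamhost.com. This is passed to sendmail's command
    // line, so only a fixed, trusted address belongs here, never visitor data.
    $params = "-f" . $your_email;

    return [$to_email, $subject, $body, $headers, $params];
}

// Constructed form submissions: one legitimate, one carrying an injected Bcc: header.
$submissions = [
    ['Jane Visitor', 'jane@visitor.example', 'Hello from the contact form'],
    ["Jane\r\nBcc: victim@example.net", 'jane@visitor.example', 'relayed spam'],
];

foreach ($submissions as [$name, $email, $msg]) {
    try {
        [$to, $subject, $body, $headers, $params] = build_contact_mail($name, $email, $msg);
        mail($to, $subject, $body, $headers, $params);
    } catch (InvalidArgumentException $e) {
        // The second submission is rejected here before mail() ever runs.
        error_log('contact form rejected: ' . $e->getMessage());
    }
}
```

The validation happens before any header string is assembled, so a rejected submission never reaches sendmail; the message body, which is not a header, is left as the visitor wrote it.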
