Useful spoofing

Useful spoofing would be when you change your FROM address to an email hosted at DreamHost. Generally speaking, you must set the FROM or "sender" setting to match an email address hosted at DreamHost (which is usually an email on your domain). Many times it is an option in your CMS, plugin, or script so you can tell it to send emails in this way. For example, a popular plugin with this option used with WordPress is Contact Form 7.

However, not all programs have these kinds of configuration options. For example, some contact form plugins always use the site visitor's information as the sender and don't allow you to change it. In this situation, you may need to switch to a different plugin or modify the script. When selecting or configuring a plugin or script for your site, you may want to check that it spoofs all the necessary information so that bounced emails go to you instead of to the Maildir/new directory on the web server.

To find out if a script or plugin your website uses spoofs both the From header and the envelope sender, you can ask the developer or person who made the script or plugin. If you see bounced emails being delivered to the Maildir/new directory on the web server, this is a big hint that the envelope sender is probably not being spoofed in your mail form.

Email messages are similar to old-fashioned paper letters in that both have two sets of addressing information. An email's To and From headers are similar to a paper letter's salutation and signature. A paper letter's envelope has sender and recipient information used for delivery, and an email's envelope also has a sender and recipient.

An email's To and From headers are shown in an email program. View the Viewing email headers article for more details. Separately, the envelope's Sender and Recipient are what mail servers use for instructions on where to send the email and where any errors or bounces are sent. The plugin or script you use automatically sets where the email is sent. It takes the To header from the email message and uses this as the recipient on the envelope. An email can be sent with just that information, and the server will automatically fill in the From header and the envelope Sender. This is where the default username@server.dreamhost.com sender comes from, as it is automatically set by the webserver based on the username that hosts the site or script that sent the email. If you want a nicer custom From header and/or Sender like admin@example.com, the script or program you use must set that.

The flowchart illustrates the path an email from your website (such as a contact form submission, or an eCommerce purchase confirmation) can travel.

If the email can be delivered successfully, it is delivered normally and you'll be able to see it with your regular email. If the email cannot be delivered and the envelope sender is spoofed correctly, the bounced email is delivered to that email address that was spoofed as the From header. In this case you'll see the bounced email in that email address's regular inbox. If the email cannot be delivered and is not spoofed correctly, the bounced email is delivered back to the web server and stored in that Maildir/new folder.

The From header and envelope Sender do not automatically match each other, as the To header and envelope Recipient do. Often, only the From header is spoofed or set to a custom address, and the envelope sender is left unchanged and still set to the default username@server.dreamhost.com. This is why many bounced emails are delivered to the Maildir/new directory on the web server, and not to your mail account where you normally check email. If the envelope sender is not spoofed, bounced emails will go to back to the server user who hosts the site that sent the email. Those emails are stored in that user's Maildir/new folder on the web server. Each file is one email, and despite the rather odd names they are simple text files that can be viewed with any text editor.

So what can you do about it? As mentioned above, if you are receiving bounced emails to the Maildir/new directory instead of your email inbox, then the envelope sender is probably not being spoofed or set to your custom address to match the From header. You can ask the developer of the plugin or script you currently use to update it so that it spoofs both (header and envelope). You can also switch to a different plugin or script that spoofs both (header and envelope). If you're not sure which ones do this, you can test some out or ask their developers to let you know if this is something their plugin or script does. If you wrote your own code, you can make this change yourself.