Can someone explain this to me about impending email changes?

David Schwartz newsletters at thetoolwiz.com
Wed Jan 31 04:31:12 MST 2024


Apparently, Google and Microsoft (?) are implementing a change that’s going to batten down the hatches on delivering email from non-verified sources.

That requires you to get two or three fields from your SMTP host — SPF, DKIM, and DMARC — and put them into the DNS Zone records for each domain you want recognized as a FROM address.

That’s fine if you have a form on your website that you want users to be able to send to you, since you can use one of your own domains as the FROM email addy, right?

But here’s the rub: the user is asked to provide these fields:

* Name
* EMail
* message

So what if a site visitor enters a gmail addy like: tomsmith1234 at gmail.com into the EMail field?

A lot of people are stuffing that EMail right into the FROM field in the outgoing message so when it arrives, the admin can simply click Reply and it goes back to the user who provided it.

But if you don’t own gmail.com, there’s no frigging way for you to generate those three fields and THEN add them to the Zone records for gmail.com ... right?

If your SMTP host (relay) will only forward emails with a validated domain name in the FROM field that you told them about, then there’s no way in hell anything from anybody with, say, a gmail.com addy is going to get their email forwarded to you via your own SMTP host.

I’m using MailJet as my SMTP Host, and when this site I’m using tries sending me emails where they’re putting the visitor’s email address into the FROM field of the outgoing messages, I’m getting messages like this:

=============================
We are contacting you as you (or one of your team members)
tried to send an email with sender address: tomsmith1234 at gmail.com. 
But this sender address has not been validated yet on your account: <my_acct_ID>
=============================

It’s complaining about gmail.com not being validated — that is, it cannot find the correct SPF, DKIM, and/or DMARC fields in that domain’s DNS Zone records.

If you’re collecting a message on YOUR SITE and simply stuffing the visitor’s email addy into the FROM header field and sending it out, how is that ever going to work if you cannot validate that visitor’s domain name?

This is going to break millions of websites that send out simple email messages that way!

Am I missing something?

I’d think that the visitor’s email should be put into the REPLY-TO field and YOUR OWN email should go into the FROM field.

Or is there some other way to make this work?

-David Schwartz
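
The header arrangement proposed at the end of the message, as an added example that is not part of the original post: the site's own address goes in From, the visitor's address goes in Reply-To, and form input is checked for line breaks before it reaches any header. The addresses at example.org and the function names are assumptions chosen for illustration.

```python
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

# Assumed values: addresses on a domain you control and have validated
# with your SMTP relay (placeholders, not from the original post).
SITE_FROM = "webform@example.org"
ADMIN_TO = "admin@example.org"


def clean_header(value: str, limit: int = 200) -> str:
    """Reject CR/LF so form input cannot inject extra headers (e.g. Bcc:)."""
    if "\r" in value or "\n" in value:
        raise ValueError("line break in header value")
    return value.strip()[:limit]


def build_contact_mail(name: str, email: str, message: str) -> EmailMessage:
    name = clean_header(name)
    email = clean_header(email)
    # Accept only a bare address; "Name <addr>" forms and junk are refused.
    _, addr = parseaddr(email)
    if addr != email or addr.count("@") != 1 or " " in addr:
        raise ValueError("not a plain email address")

    msg = EmailMessage()
    # From stays on the site's own domain, so SPF/DKIM/DMARC checks run
    # against DNS records the site owner controls, never gmail.com's.
    display = f"{name} via web form" if name else "Web form"
    msg["From"] = formataddr((display, SITE_FROM))
    msg["To"] = ADMIN_TO
    # Reply-To carries the visitor's address, so Reply still reaches them.
    msg["Reply-To"] = formataddr((name, addr))
    msg["Subject"] = f"Contact form message from {name or addr}"
    msg.set_content(message)
    return msg


if __name__ == "__main__":
    # Constructed sample input using the address from the post.
    print(build_contact_mail("Tom Smith", "tomsmith1234@gmail.com", "Hello"))
```

The returned message can be handed to `smtplib.SMTP.send_message()` for delivery through the relay.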






More information about the PLUG-discuss mailing list