Can someone explain this to me about impending email changes?

Ryan Petris ryan at petris.net
Wed Jan 31 05:10:14 MST 2024


The point of all these emails is so that you, as a non-owner of gmail.com, can't send an email with a "From" address of gmail.com without authorization. That also means that you, as the owner of thetoolwiz.com, and me, as the owner of petris.net, can restrict who can send email using our domains.

For instance, I have DNS entries authorizing FastMail among a few others to send email on my behalf, thus emails from those places are recognized as valid. If someone goes to your website and enters my email address on your form, it will likely be rejected by the receiving mail server as I have my DMARC settings set such that any DKIM or SPF mismatch should be rejected, because your website shouldn't be sending emails on my behalf without authorization.

> If you’re collecting a message on YOUR SITE and simply stuffing the visitor’s email addy into the FROM header field and sending it out, how is that ever going to work if you cannot validate that visitor’s domain name?
> 
> This is going to break millions of websites that send out simple email messages that way!
> 
> Am I missing something?

Yes, you are.

I assume here you're referring to some kind of guest/support form on a website, and you're using the user's email address as the "From" field in the email you're sending. This may have been okay in the 90's, but hasn't been kosher for many many years now. You likely have missed many emails as they've likely been rejected without you even knowing.

What you should do instead is the following:

 1. The "From" address should be from a domain that you control, perhaps the domain the form is listed on.
 2. The email, when sent, should be properly signed and the server it's being sent from should have a valid SPF entry.
   1. If you can't configure this for some reason, consider using a third-party email service such as SendGrid, Mailgun, etc.
 3. If you want to be able to hit "reply" and have it go straight to the user, put their email address in the "Reply-To" field in the email. This will instruct email clients to send the email to that address when replying.

Note that this has affected mailing lists such as this one for years; mailing lists used to keep the "From" header while adding a footer to the email and sending that out to everyone in the list. While this was a problem when SPF was introduced, it was more or less ignored. Once DKIM rolled around, there was a problem; because the mailing list was modifying the email, the signature was no longer valid. The solution was to either:

 1. Don't modify the email with the mailing list footer and just forward it verbatim. The subject couldn't change either as was also popular at the time.
 2. Modify the email, but send it from the mailing list address with the original sender's address in the Reply-To field.

#2 is what most mailing list software ended up going with, but only after the next part. This also introduced a problem where incoming emails that were invalid suddenly became valid with the mailing list's signature, therefore it also became necessary to validate incoming emails with stricter validation as well.

Then DMARC came along allowing you to specify what to do with invalid emails. I believe Yahoo was the first large email provider to set their settings to have others outright reject emails that weren't signed properly, vs. previously going into the Spam folder, causing all kinds of havoc with mailing list software causing ones that hadn't already switched to #2 above to switch to it.

> I’d think that the visitor’s email should be put into the REPLY-TO field and YOUR OWN email should go into the FROM field.
> 
> Or is there some other way to make this work?

Looks like you figured it out before I even wrote this. And no, there's no other way.

On Wed, Jan 31, 2024, at 4:31 AM, David Schwartz via PLUG-discuss wrote:
> Apparently, Google and Microsoft (?) are implementing a change that’s going to batten down the hatches on delivering email from non-verified sources.
> 
> That requires you to get two or three fields from your SMTP host — SPF, DKIM, and DMARC — and put them into the DNS Zone records for each domain you want recognized as a FROM address.
> 
> That’s fine if you have a form on your website that you want users to be able to send to you, since you can use one of your own domains as the FROM email addy, right?
> 
> But here’s the rub: the user is asked to provide these fields:
> 
> * Name
> * EMail
> * message
> 
> So what if a site visitor enters a gmail addy like: tomsmith1234 at gmail.com into the EMail field?
> 
> A lot of people are stuffing that EMail right into the FROM field in the outgoing message so when it arrives, the admin can simply click Reply and it goes back to the user who provided it.
> 
> But if you don’t own gmail.com, there’s no frigging way for you to generate those three fields and THEN add them to the Zone records for gmail.com ... right?
> 
> If your SMTP host (relay) will only forward emails with a validated domain name in the FROM field that you told them about, then there’s no way in hell anything from anybody with, say, a gmail.com addy is going to get their email forwarded to you via your own SMTP host.
> 
> I’m using MailJet as my SMTP Host, and when this site I’m using tries sending me emails where they’re putting the visitor’s email address into the FROM field of the outgoing messages, I’m getting messages like this:
> 
> =============================
> We are contacting you as you (or one of your team members)
> tried to send an email with sender address: tomsmith1234 at gmail.com. 
> But this sender address has not been validated yet on your account: <my_acct_ID>
> =============================
> 
> It’s complaining about gmail.com not being validated — that is, it cannot find the correct SPF, DKIM, and/or DMARC fields in that domain’s DNS Zone records.
> 
> If you’re collecting a message on YOUR SITE and simply stuffing the visitor’s email addy into the FROM header field and sending it out, how is that ever going to work if you cannot validate that visitor’s domain name?
> 
> This is going to break millions of websites that send out simple email messages that way!
> 
> Am I missing something?
> 
> I’d think that the visitor’s email should be put into the REPLY-TO field and YOUR OWN email should go into the FROM field.
> 
> Or is there some other way to make this work?
> 
> -David Schwartz
> 
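
The From/Reply-To arrangement described in the reply above, as an added example that is not part of the original thread. The domain `example.com`, the `forms@` and `admin@` addresses and all function names are assumptions; DKIM signing and SPF are left to the sending server or relay and are not shown.

```python
import re
from email.headerregistry import Address
from email.message import EmailMessage

# Assumed values: a domain the site operator controls and has published
# SPF/DKIM records for. Replace with your own.
SITE_DOMAIN = "example.com"
FORM_SENDER = Address("Website contact form", "forms", SITE_DOMAIN)
SITE_ADMIN = Address("Site admin", "admin", SITE_DOMAIN)

# Deliberately narrow: a plain user@domain, nothing else.
_ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def _clean(value: str, what: str) -> str:
    """Reject CR/LF and other control characters so that form input
    cannot smuggle extra header lines (Bcc:, a second From:, ...)."""
    if any(ord(c) < 32 or ord(c) == 127 for c in value):
        raise ValueError(f"control character in {what}")
    return value.strip()


def build_contact_message(name: str, email: str, text: str) -> EmailMessage:
    """Build the mail a contact form sends to the site admin."""
    name = _clean(name, "name")
    email = _clean(email, "email")
    if not _ADDR_RE.fullmatch(email):
        raise ValueError("visitor address is not a plain user@domain")
    user, domain = email.rsplit("@", 1)

    msg = EmailMessage()
    msg["From"] = FORM_SENDER    # our own domain, so SPF/DKIM/DMARC can pass
    msg["To"] = SITE_ADMIN
    msg["Reply-To"] = Address(name, user, domain)  # "Reply" goes to the visitor
    msg["Subject"] = f"Contact form message from {name}"
    msg.set_content(text)
    return msg


def from_domain(msg: EmailMessage) -> str:
    """Domain of the From header, which is the one DMARC evaluates."""
    return msg["From"].addresses[0].domain
```
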