Before delving into the details of sending email on behalf of users, I thought I’d provide a bit of background information.
For simplicity's sake, I'll just scratch the surface when describing the headers of interest when sending messages out on behalf of users of your application. In my next posts, further description of these headers will be provided as needed.
Envelope sender – The envelope sender (Return-Path) address is, for the most part, hidden from the user. This address receives bounces and is typically the address used for Sender Policy Framework (SPF) lookups, as well as for DomainKeys records.
Message sender – The message sender is also hidden from users more often than not. As I'll discuss later, SenderID will generally use the Sender message header to authenticate the message. MUAs such as Hotmail and Outlook (and, I reckon, any other SenderID/Microsoft-supported agent) expose the sender to the user. If you've ever received a message in Outlook where you see something like "From John on behalf of Jane," you're seeing the effect of a Sender header, i.e. an application or mailing list has sent mail on behalf of Jane, so the message sender = John and the message from = Jane.
Message from – The message from is what is most often exposed to the user receiving the message. Surprisingly, although this header is what is exposed to an end user, it’s simple to impersonate. I quote from one of the users in the thread:
It is therefore our goal to set the following headers, in an effort to have our users receive email from users of our application as opposed to from our application itself.
Envelope sender: invites@ourapplication.com
Message sender: invites@ourapplication.com
Message from: user@theiractualdomain.com
If we successfully set these headers, SPF checks will pass (assuming we create SPF records for ourapplication.com), SenderID checks will pass (again assuming we create SPF records), and users will receive invitations from actual users as opposed to our application.
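As an added example (not code from the original post), the following builds an invitation with the three identities set as listed above and shows which address each mechanism actually evaluates: SPF uses the envelope sender, and SenderID picks its Purported Responsible Address in the order Resent-Sender, Resent-From, Sender, From (RFC 4407). The addresses are hypothetical; note that dropping the Sender header makes SenderID fall back to the user's From domain, where we publish no SPF record.

```python
import smtplib
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical application address, constructed for this example.
APP_ADDRESS = "invites@ourapplication.com"


def build_invite(user_from: str, recipient: str, body: str) -> tuple[str, EmailMessage]:
    """Return (envelope_sender, message) for mail sent on behalf of a user.

    Envelope sender (SMTP MAIL FROM / Return-Path) and the Sender header both
    point at the application, so bounces, SPF and SenderID resolve to our
    domain. Only the From header carries the user's own address.
    """
    msg = EmailMessage()
    msg["From"] = user_from
    msg["Sender"] = APP_ADDRESS
    msg["To"] = recipient
    msg["Subject"] = "You have been invited"
    msg.set_content(body)
    return APP_ADDRESS, msg


def domain_of(address: str) -> str:
    return parseaddr(address)[1].rsplit("@", 1)[1].lower()


def spf_identity(envelope_sender: str) -> str:
    """SPF checks the envelope sender's domain, not any message header."""
    return domain_of(envelope_sender)


def sender_id_pra(msg: EmailMessage) -> str:
    """Purported Responsible Address as SenderID selects it (RFC 4407 order)."""
    for header in ("Resent-Sender", "Resent-From", "Sender", "From"):
        value = msg.get(header)
        if value:
            return parseaddr(str(value))[1]
    raise ValueError("message has no originator headers")


def send_invite(smtp_host: str, envelope_sender: str, msg: EmailMessage) -> None:
    """from_addr sets the SMTP MAIL FROM independently of the From header."""
    with smtplib.SMTP(smtp_host) as smtp:
        smtp.send_message(msg, from_addr=envelope_sender)
```

`send_invite` is the only part that needs a network; everything else can be checked offline.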
As I found out, setting these headers and having email land in the inbox of users was easier said than done. I'll start to describe the steps needed to accomplish setting these headers in my following