Hello,

Can someone please comment on this point:

When an e-mail is sent from a Drupal sub-system it uses the e-mail account details of the user as the From: field. What this does is spoof the sender's name from a real, valid domain. On many systems this e-mail will be rejected because the system will consider it to be spam.

A better way to do this would be to define a site e-mail address and then use that as the From: field. The Reply-To: field would then be loaded with the user's e-mail details. Doing this will allow e-mail systems to accept the message as it will not originate from a spoofed address, but any replies will be directed to the correct party.

To see how this works, consider:

My domain is domain1.com, so my e-mail is me@domain1.com. Drupal is hosted by Drupal.com, so the From address should be something@drupal.com. Now another user registers from my domain as him@domain1.com and sees me in the user list. When he tries to contact me, Drupal poses the e-mail as:
From: him@domain1.com
To: me@domain1.com
Subject: Hello
Message: blah blah blah.

This message is relayed to my SMTP server but is rejected as spam because it is a spoofed address. To make it work better, it would be more consistent to send the mail as:
From: something@drupal.com
Reply-To: him@domain1.com
To: me@domain1.com
Subject: Hello
Message: Blah Blah Blah

You could also modify the subject, such as Subject: (him@domain1.com) Hello
That would allow you to see easily who sent the message.

Now if I reply to the message I will still be sent to him@domain1.com, but the message will be correctly tagged as coming from the Drupal site (or whatever has been loaded into the Drupal site e-mail address).

I have tested this in my sites and feel that patching all the modules that use e-mail to have this feature is not feasible. Also, the likelihood of rejection is increasingly more common as organisations tighten their SMTP rules to combat spam.

For this to be effective it would require that any authors publishing e-mail solutions would need to make this change and possibly there would need to be a reference to the site's e-mail address or another e-mail address such as a site admin address.

I hope this is constructive input to making Drupal a more versatile and productive product.
Thanks.
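The header layout proposed in the post above, as an added example that is not part of the original post and is not Drupal code: a Python sketch using the standard `email` library and the post's example addresses. The function names are hypothetical, and `from_matches_site` is a simplified stand-in for a receiving server's check, not an SPF implementation.

```python
from email.message import EmailMessage
from email.utils import parseaddr

SITE_ADDRESS = "something@drupal.com"  # site-wide address, taken from the post's example


def build_contact_mail(sender, recipient, subject, body, site_address=SITE_ADDRESS):
    """Compose a contact message: From is the site, Reply-To is the user."""
    # Sender and subject are user-supplied and land in headers, so a CR or LF
    # in any of them could smuggle in extra headers. Reject them outright.
    for value in (sender, recipient, subject):
        if "\r" in value or "\n" in value:
            raise ValueError("line break in header value")
    # Accept only a bare address: no display name, no address list.
    _, addr = parseaddr(sender)
    if addr != sender or "@" not in addr:
        raise ValueError("sender must be a bare e-mail address")
    msg = EmailMessage()
    msg["From"] = site_address              # the domain the mail really leaves from
    msg["Reply-To"] = sender                # replies still reach the user
    msg["To"] = recipient
    msg["Subject"] = f"({sender}) {subject}"  # optional tag suggested in the post
    msg.set_content(body)
    return msg


def from_domain(msg):
    """Return the lower-cased domain of the From: header."""
    _, addr = parseaddr(str(msg["From"]))
    return addr.rpartition("@")[2].lower()


def from_matches_site(msg, site_domain):
    """True when the From: domain is the sending site's own domain."""
    return from_domain(msg) == site_domain.lower()


if __name__ == "__main__":
    mail = build_contact_mail("him@domain1.com", "me@domain1.com",
                              "Hello", "blah blah blah.")
    print(mail)
    print("From matches site:", from_matches_site(mail, "drupal.com"))
```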

Comments

magico’s picture

Version: 4.7.0 » x.y.z

Kieg Khan’s picture

Hello Magico,

Are you suggesting that this has been done in 4.7.0?

Bye.

sepeck’s picture

No. It's a feature request. 4.7.x is feature frozen. No new features will be introduced into it. He has switched it to CVS so that it can be revisited when development opens up again for 5.1.
See http://drupal.org/handbook/version-info for information on versioning for the Drupal project.

LAsan’s picture

Version: x.y.z » 7.x-dev

steven jones’s picture

Status: Active » Closed (cannot reproduce)

We now set the 'Sender' and 'Return-Path' headers to mitigate the chance of emails with a different From address from the sending domain looking like spam.