Best practices: Sending email on behalf of users

email smtp email-spam send-on-behalf-of
63,227

Solution 1

The on-behalf-of header is the best way to do that, but you are also going to get trapped by spam filters. The best to mitigate or lessen the likelihood that you will end up in the spam filter is to implement all the industry standards around verifying your domain and mail server. As indicated in this article:

http://www.codinghorror.com/blog/2010/04/so-youd-like-to-send-some-email-through-code.html

However that is very tough to do, because you need to stay on top of SPAM standards, and abide by CAN-SPAM laws and everything else. The better bet is to use a on-demand cloud based SMTP server like this one:

https://www.postmarkapp.com

Use a company that is a domain expert in the area of sending email and has gone through all the leg work to get the highest deliverability rate. And will stay on top of the standards for you, and monitor black lists for problems.

Solution 2

You're probably looking for Reply-To. It's an official and widely supported header, unlike On-Behalf-Of, and it's not subject to the same spam checks as From.

If you really wanted to appear as sending on behalf of another user, the "mostly" correct way, by SMTP standards, would be to put your "real" address in Sender: and your client's address (of whom you're sending on behalf) in From:. However, From: is specifically targeted by DMARC, a very strict spam prevention protocol implemented by most major e-mail providers. They won't overlook a From: DMARC failure just because you have a valid Sender: header.

DMARC allows domain owners to specify how SPF and DKIM should be applied to the From: header. A popular policy is to reject e-mail that fails either SPF or DKIM, which means your e-mail won't even be flagged as spam: it will be downright rejected.

Sender: + From: still works, technically. It was originally created with the intention of being used by people in the same organization, such as a secretary or an assistant. This has turned into a hard constraint with the advent of spam prevention mechanisms.

Solution 3

You want to cheat and hack email authentication systems by trying to send emails on behalf of others. Maybe this hack can work temporarily, but in the future it will be banned by mailbox providers, as phishing attacks require more and more strict policies mailbox providers need to apply.

To avoid such hacks here is a solution I would suggest. Create a unique email address for every client and make it "mediator" for conversation between client and employees.

How it works

All email conversation must be done through your created email. You can set custom display names (e.g. John <[email protected]) to not confuse email receivers with your strange unique ids. So when A needs to write to B, it actually writes to your email, then you forward email to B, and vice versa for B to A.

This implementation have some complexity, but that will be paid in the future.

Share:
63,227
Ben Doom
Author by

Ben Doom

Updated on July 09, 2022

Comments

  • Ben Doom
    Ben Doom almost 2 years

    The company I work for provides testing services for the healthcare industry. As part of our services, we need to send email to our clients' employees. Typically, these are temp, part-time, or contract employees, and so have private email addresses (eg Hotmail, GMail, Yahoo!, etc).

    Up to now, we've been sending from an internal address, but this means that replies come back to us when employees aren't paying attention or don't know to send queries to our clients. I'd like to change this, so that the person who requests that the email is sent is the person that is replied to.

    We've used reply-to: in the past, but it seemed to cause additional mail to be trapped by spam filters.

    I've been reading about sender: and on-behalf-of: headers, and was wondering what the current best-practice was for sending email in a scenario where we need to send email such that the reply goes to a domain we don't control.

  • Ben Doom
    Ben Doom about 14 years
    We already do most of what is recommended in the codinghorror blog (which I read). We use an SPF/Sender-ID record, we have a proper reverse PTR to our web system's SMTP relay. We don't have a problem getting spam trapped at the moment, sending from our own domain. The problem is getting replies routed to the correct parties.
  • Jerph
    Jerph about 14 years
    The problem is that the two methods you listed are for verifying your domain as a valid sender. You need to take the next step and sign every email that is delivered. With a domain key. You need to implement the DKIM, if you read wikipedia (en.wikipedia.org/wiki/DKIM) it says "... the transit path; or an indirect handler, such as an independent service that is providing assistance to a direct handler...". It is going to be hard if your emails code is all over the place, or if your SMTP server doesn't automatically sign them, another reason to get the service I mentioned above.
  • Jerph
    Jerph about 14 years
    After you sign every email you can use on-behalf-of or you can even just put the actual email in the from address which is the bullet proof solution.
  • Ben Doom
    Ben Doom about 14 years
    I'll start testing DKIM and see if I can get it running correctly on our mail server(s). I'll let you know if it works.
  • tripleee
    tripleee almost 12 years
    I have never heard of On-Behalf-Of: and Google only seems to turn up Outlook and Gmail results, nothing like an official standard. Traditionally you would put your client in From: and yourself in Sender:. My suspicion is that this is what turns up as "on behalf of" in Outlook and possibly Gmail.
  • Zenexer
    Zenexer almost 11 years
    @triplee Putting your client in From: violates DMARC. You'll likely get your e-mails rejected, or at least marked as spam.
  • tripleee
    tripleee almost 11 years
    @Zenexer Thanks, I didn't know. More of a historical note then.
  • jazzcat
    jazzcat over 7 years
    on-behalf-of - There's no such header in RFC or any known mail standards, Googling does not help too. This question is the only source that pops up. @NickBerardi please indicated the source
  • gabn88
    gabn88 over 3 years
    This is definitely the way to go. But there must be a ready-made package for forwarding emails that way. Do you know of something?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

trouble with hostedemail blacklist
Tracking email bounces, opens, clicks
Why there are no sent mails after the Jenkins ext. mail step?
Android App Development - Send email directly with no Intents
SMTP mail error in CodeIgniter : server might not be configured to send mail
smtp send mail via postfix and nodejs nodemailer connection closed
Swiftmailer config : send mail using gmail
spoof from address through gmail
Sending Email to Gmail's SMTP server using TLS and Plain Authentication
smtp.gmail.com vs ssl://smtp.gmail.com while sending email using gmail smtp server