We have a classified ads website. Buyers can contact sellers. The message is generated directly on the site (PHP 7) and sent to the user by email.
If we follow the recommendations from openspf, we have these two solutions:
Solution 1
Return-path: [email protected]
Sender: [email protected]
From: [email protected]
Subject: I am interested
To: [email protected]
Solution 2
Return-Path: [email protected]
From: [email protected]
Reply-To: [email protected]
Subject: I am interested
To: [email protected]
These work OK-ish with SPF, but:
Solution 1 is simply rejected by domains with a strict DMARC policy (p=reject), for example yahoo.com:
v=DMARC1; p=reject; pct=100; rua=mailto:[email protected];
Solution 2 works less and less. When replying, many mobile phones (Chinese brands) and email clients do not consider Reply-To but only From. Also, Gmail, for example, displays an enormous warning message which scares users:
Be careful with this message
This email claims to come from my-classified-ads-website.com, but replies will go to an email address at another domain. Avoid replying to this email unless you reach out to the sender by other means to ensure that this email address is legitimate.
Is there a solution?
(We would like to avoid a solution like Craigslist's, or obliging users to use an internal messaging solution à la Facebook.)
You want to cheat and hack email authentication systems by trying to send emails on behalf of others. Maybe this hack can work temporarily, but in the future it will be banned by mailbox providers, as phishing attacks require mailbox providers to apply stricter and stricter policies.
To avoid such hacks, here is a solution I would suggest: create a unique email address for every pair of contacts and make it the "mediator" for the conversation between the parties.
How it works
All email conversation must be done through your created email. You can set custom display names (e.g. John <[email protected]>) so as not to confuse email receivers with your strange unique ids. So when A needs to write to B, it actually writes to your email, then you forward the email to B, and vice versa for B to A. This implementation has some complexity, but that will pay off in the future.
As stated, option 1 is certainly not advised. DMARC will cause these mails to be rejected.
Option 2 can work correctly. We would advise you to add a DKIM signature to these mails to increase trustworthiness and build a domain reputation on your d= domain. This could cause Google to suppress the 'big alert' if they trust your domain 'enough'.
However... your wish is to send mail on behalf of your customers. Therefore a third option could also be to make sure your clients allow you to do so. This could mean they would allow you through their SPF record, but (preferably) you would also want to look at signing these mails with a custom (per-client) DKIM signature.
That would lead to these headers:
Does this help you and provide you with a solution?
Regards,
Michiel
DMARC Analyzer
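Why Solution 1 in the question is rejected at p=reject domains while Solution 2 and Michiel's third option pass, worked through as an added example (my code, not the question's PHP and not anything from DMARC Analyzer). It models the DMARC rule that a message needs either an SPF pass whose Return-Path domain aligns with the From: domain, or a verified DKIM signature whose d= domain aligns with it; Sender: and Reply-To: play no part. Relaxed alignment is approximated as "same domain or subdomain" (a real validator uses the Public Suffix List), and customer.example with its SPF include and per-customer DKIM key is my assumed modelling of the third option, since the headers Michiel referred to are not on the page.

```python
"""DMARC alignment check for the header layouts discussed on this page.

Added example, not code from the question or from DMARC Analyzer. A message
passes DMARC when at least one of these holds:
  * SPF passes for the Return-Path (RFC5321.MailFrom) domain AND that domain
    is aligned with the From: (RFC5322.From) domain, or
  * a DKIM signature verifies AND its d= domain is aligned with the From: domain.
Sender: and Reply-To: are ignored, which is why Solution 1 fails at p=reject
domains and why Solution 2 is unaffected by its Reply-To.
Relaxed alignment is approximated here as "same domain or subdomain"; a real
validator derives the organizational domain from the Public Suffix List.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class DkimSig:
    d: str            # signing domain from the DKIM-Signature d= tag
    verified: bool    # whether the signature validated


@dataclass
class AuthInputs:
    from_domain: str             # domain of the From: header
    mail_from_domain: str        # domain of Return-Path / MAIL FROM
    spf_pass: bool               # SPF result for mail_from_domain
    dkim: List[DkimSig] = field(default_factory=list)


def aligned(domain: str, from_domain: str, strict: bool = False) -> bool:
    """Identifier alignment: exact match (strict) or subdomain relationship (relaxed)."""
    d = domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if d == f:
        return True
    if strict:
        return False
    return d.endswith("." + f) or f.endswith("." + d)


def dmarc_pass(m: AuthInputs) -> bool:
    spf_ok = m.spf_pass and aligned(m.mail_from_domain, m.from_domain)
    dkim_ok = any(s.verified and aligned(s.d, m.from_domain) for s in m.dkim)
    return spf_ok or dkim_ok


def disposition(m: AuthInputs, policy: str) -> str:
    """Apply the p= tag of the From: domain's DMARC record (none, quarantine, reject)."""
    if dmarc_pass(m):
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


SITE = "my-classified-ads-website.com"

# Solution 1: From: the buyer's yahoo.com address, Return-Path and DKIM on the site.
# SPF passes for the site but is not aligned with yahoo.com; DKIM d= is the site,
# also not aligned. yahoo.com publishes p=reject, so the mail is rejected.
solution1 = AuthInputs("yahoo.com", SITE, spf_pass=True, dkim=[DkimSig(SITE, True)])

# Solution 2: everything on the site's domain; Reply-To: to the buyer is irrelevant to DMARC.
solution2 = AuthInputs(SITE, SITE, spf_pass=True, dkim=[DkimSig(SITE, True)])

# Third option as I model it (assumption): the constructed customer domain lists the
# site's servers in its SPF record and the site signs with a per-customer DKIM key,
# so From: can be the customer's own address and still align.
option3 = AuthInputs("customer.example", "customer.example", spf_pass=True,
                     dkim=[DkimSig("customer.example", True)])


if __name__ == "__main__":
    for name, m in (("Solution 1", solution1), ("Solution 2", solution2), ("Option 3", option3)):
        print(f"{name}: DMARC {'pass' if dmarc_pass(m) else 'fail'}, "
              f"under p=reject -> {disposition(m, 'reject')}")
```

Note the DKIM-only path: even if the site keeps Return-Path on its own domain for bounce handling (so SPF is unaligned), a verified signature with d= set to the customer's domain is enough to pass, which is why the per-client DKIM key is the more robust half of the third option.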