Allowing users to send emails via my site with their own sender details

I want to allow users to send emails to other people via my site as if they sent it from their own mail account. I know services such as Constant Contact do it. I also know that technically I can set the sender’s name and email address in the mail headers, but doing so will probably trigger many anti-spam filters.
Is there a safe way to do it?

Short answer, ‘no’.

Anytime you allow users to access resources in your domain, or send anything outside of your domain, there is a risk. The question is balancing functionality and security.

The first question I’ll ask is: Why? Why do you want to allow someone to send an email through your domain, but make it look as if it’s coming from their email address? This seems like something that could be very easily abused, not just by spammers. Relaying is not very secure, prone to abuse, and could add your domain to a spam blacklist, over and over and over… each time, most likely costing you at least $50 to have it unlisted.

Just my $0.03572. (Inflation, dontchaknow…)

Thanks WolfShade,

I’ll try an example to answer why: suppose you send a friend of yours an email from my site, he may not even open the email if he sees my site as the Sender. If you are the sender it’s more likely he will…

Services like Constant Contact do it while avoiding all the pitfalls you mentioned. How do they do it then?

I don’t know how Constant Contact does it; but they have a whole team of developers working together, as well as an army of customer support people who monitor everything. So, unless you’re going to do the same, what you are proposing to do by yourself could be exploited.

Given the hypothetical situation you proffered, why would that be preferable to the user just opening their own email client and sending an email that way? Is there something you hope to gain by the user sending the message via your site?

It would be simpler from the user’s point of view. He would have to download something from my site and then send it as opposed to sending it directly!


With all due respect Liam, this smells like a pretty bad idea.

Perhaps it saves the user one step. But at what cost to you? This is just begging for abuse, and not only that, you will have to have a way to not only fight the abuse, but constant monitoring of who sends what through your server. You have to remember, you are held responsible for the manner people use your site…

And, if I am understanding this correctly, it doesn’t really address the question previously posed – why would that be preferable to the user just opening their own email client and sending an email that way?

They would have to add your IP address or server to their SPF record. It’s not always possible if folks don’t know how to or are using free web hosting.

It’s generally not a good idea to allow users to use your servers to send bulk mail. It can be too easily abused.

If you’re trying to make a social feature for users to share by email/facebook/twitter/etc., then you would send the email using your own email server and own email template, but including something like “this was sent on behalf of [your friend]. They thought you might like this.”
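
The approach in the last reply, sketched as an added example (not code from any poster in this thread): the site stays the sender and the friend is named only in the template. The `example.com` sender address, the function names, the length limits and the `Reply-To` header are assumptions made for illustration.

```python
from email.headerregistry import Address
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed values: a domain you control and publish SPF for.
SITE_NAME = "Example Site"
SITE_SENDER = Address(SITE_NAME, "share", "example.com")


def clean_text(value: str, limit: int) -> str:
    """Reject CR/LF/NUL (header injection) and cap user-supplied text."""
    if any(ch in value for ch in "\r\n\0"):
        raise ValueError("control characters are not allowed")
    value = value.strip()
    if not value or len(value) > limit:
        raise ValueError("value is empty or too long")
    return value


def single_address(raw: str) -> str:
    """Accept one bare address only: no display name, no address list."""
    raw = clean_text(raw, 254)
    name, addr = parseaddr(raw)
    if name or addr != raw or addr.count("@") != 1:
        raise ValueError("not a single plain email address")
    if "." not in addr.split("@")[1]:
        raise ValueError("address domain is not fully qualified")
    return addr


def build_share_email(friend_name, friend_email, recipient_email, link):
    """Build the message; the site is always the sender, never the user."""
    friend_name = clean_text(friend_name, 60)
    friend_email = single_address(friend_email)
    msg = EmailMessage()
    msg["From"] = SITE_SENDER                 # stays inside your own SPF record
    msg["To"] = single_address(recipient_email)
    msg["Reply-To"] = friend_email            # replies go to the friend
    msg["Subject"] = f"{friend_name} shared something via {SITE_NAME}"
    msg.set_content(
        f"This was sent on behalf of {friend_name} <{friend_email}>.\n"
        f"They thought you might like this:\n\n{clean_text(link, 500)}\n"
    )
    return msg
```

Accepting exactly one recipient per request and refusing control characters in every user-supplied field keeps the form from being turned into a bulk relay through injected headers; per-user rate limiting would sit in front of this function.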