Proper Implementation of SMTP “Sender” Header for Email Forwarding Systems


1 views

When building web applications that need to send emails on behalf of users, we face an interesting SMTP header configuration challenge. The core issue emerges when trying to maintain both transparency (showing the original author) and deliverability (avoiding spam filters).

The technically correct approach according to RFC 2822 would be:

From: "Author Name" <author@example.com>
Sender: "Webapp Service" <webapp@mycompany.com>
Reply-To: "Author Name" <author@example.com>
To: recipient@example.com

This configuration clearly indicates the original author while showing the service as the technical sender.

Some mail servers implement strict SPF (Sender Policy Framework) checks that only verify the From domain against the originating IP. Here's a Python example of how to detect same-domain scenarios:

import tldextract

def is_same_domain(from_email, to_email):
    from_domain = tldextract.extract(from_email).registered_domain
    to_domain = tldextract.extract(to_email).registered_domain
    return from_domain and from_domain == to_domain

For better deliverability while maintaining UX, consider these options:

Option 1: Envelope Sender Differentiation

# Using Python's smtplib
with smtplib.SMTP('mail.mycompany.com') as smtp:
    msg = MIMEText(message_body)
    msg['From'] = 'author@example.com'
    msg['Sender'] = 'webapp@mycompany.com'
    smtp.sendmail(
        'webapp@mycompany.com',  # Envelope sender
        'recipient@example.com',
        msg.as_string()
    )

Option 2: Display Name Formatting

msg['From'] = 'Author Name via Webapp <webapp@mycompany.com>'
msg['Reply-To'] = 'author@example.com'

For enterprise solutions, you should implement:

  • DKIM signing with your company domain
  • DMARC policy with alignment for both domains
  • Proper SPF records for all sending IPs

Here's a complete Python implementation with fallback logic:

def send_notification_email(author_email, recipient_email, content):
    msg = MIMEMultipart()
    msg['To'] = recipient_email
    msg['Reply-To'] = author_email
    
    if is_same_domain(author_email, recipient_email):
        # Fallback for strict domains
        author_name = extract_name_from_email(author_email)
        msg['From'] = f'{author_name} via Webapp <webapp@mycompany.com>'
    else:
        # Standard RFC-compliant format
        msg['From'] = author_email
        msg['Sender'] = 'webapp@mycompany.com'
    
    # Add content and send
    msg.attach(MIMEText(content))
    with smtplib.SMTP('smtp.mycompany.com') as smtp:
        smtp.send_message(msg)

When implementing email functionality in web applications, developers often face authentication challenges with the From and Sender headers. The core issue emerges when:

FROM: user@domain.com
SENDER: service@yourcompany.com
TO: recipient@domain.com  # Same domain as FROM

Many mail servers perform SPF/DKIM checks only on the From domain while ignoring the Sender header, causing rejection with errors like 571 incorrect IP.

While RFC 2822 specifies that Sender should indicate the agent responsible for actual transmission, real-world implementations vary:

  • Gmail/O365: Properly evaluates both headers
  • Self-hosted Exchange: Often checks only From domain
  • Legacy mail servers: May treat Sender as suspicious

Here's a Python implementation that handles edge cases:

def get_smtp_headers(from_email, to_email, sender_email):
    """
    Returns properly formatted SMTP headers based on domain analysis
    """
    from_domain = from_email.split('@')[-1]
    to_domain = to_email.split('@')[-1]
    
    # List of problematic domains (should be configurable)
    strict_domains = {'example.com', 'corp.net', 'company.org'}
    
    if from_domain == to_domain and from_domain in strict_domains:
        return {
            'From': sender_email,
            'Sender': sender_email,
            'Reply-To': from_email,
            'X-Original-Author': from_email
        }
    else:
        return {
            'From': from_email,
            'Sender': sender_email,
            'Reply-To': from_email
        }

For mission-critical systems, consider these additional measures:

# DKIM signing example (Python)
import dkim

def sign_email(message, domain, selector, private_key):
    headers = [b'from', b'to', b'sender']
    sig = dkim.sign(
        message=message,
        selector=selector.encode(),
        domain=domain.encode(),
        privkey=private_key,
        include_headers=headers
    )
    return sig + message

Implement a feedback loop to detect failing domains:

class EmailBounceHandler:
    def __init__(self):
        self.strict_domains = set()
    
    def process_bounce(self, bounce_message):
        if '571 incorrect IP' in bounce_message:
            domain = extract_domain_from_bounce(bounce_message)
            self.strict_domains.add(domain)
            logger.warning(f'Added {domain} to strict domains list')

For high-volume systems, consider these approaches:

  • Domain aliasing (user@subdomain.client.com)
  • SMTP relay services with pre-authenticated IPs
  • Webhook-based notification systems as fallback