I am asking this question just because I am curious and probably it is a really dumb and very well known thing but I couldn’t find an answer online:
Today I was helping a friend with his website. He asked me to prepare an HTML e-mail template that he can send via his website (e.g. http://www.myfriendswebsite.com) with PHPMailer. I prepared it and tested it on my domain/server by putting his e-mail address (e.g. info@myfriend.com) in the “From” part. I sent an e-mail to my personal e-mail address (e.g. myname@hotmail.com) via my website (e.g. http://www.mywebsite.com), and when I received the e-mail I realized I don’t even see my domain’s name or e-mail address (e.g. info@mydomain.com); instead I see my friend’s e-mail address (info@myfriend.com). When I hit “Reply” it replies to my friend’s address; it looks like it has been sent from my friend’s website directly. Of course, if I pull up the raw source I see the details of where I received the e-mail from, but what prevents someone else from using my e-mail address to spam people? I am pretty sure this is another way of spamming and hacking people’s accounts, but is there a way to prevent that? It scared me a little and I didn’t know where else to turn but Stackoverflow 🙂
For one, you should not send emails whereby the “From:” header is populated by user-supplied data; use the “Reply-To:” header for such purposes. The reason you shouldn’t do that is because inbox services, such as Google Mail, Yahoo, etc., use the Sender Policy Framework (SPF) to determine whether the mail server that sent the message is authorized to send on a domain’s behalf; you would risk messages sent from your server getting recognized as spam and not delivered.
So, to answer your question, even though it’s possible to masquerade as anyone’s email address, it’s getting increasingly difficult to get those messages delivered due to improving spam filters and blacklists, and doing so can even get your mail server blacklisted.
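The From/Reply-To split the answer describes, as an added PHPMailer example (not code from the question or the answer). It assumes PHPMailer is installed via Composer, a hypothetical contact-form array as input, and reuses the post’s example address info@myfriend.com as the site’s own sender.

```php
<?php
// Added example, not from the original post. Assumes PHPMailer via Composer;
// the addresses reuse the example domains from the question.
require 'vendor/autoload.php';

use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;

// Hypothetical contact-form submission: name, email and message are user supplied.
function buildContactMail(array $form): PHPMailer
{
    $mail = new PHPMailer(true); // throw exceptions instead of returning false

    // WEAK: putting the visitor's address in From: lets anyone send mail "as"
    // any domain through this server, and the recipient's SPF check will fail
    // because this server is not authorised to send for that domain.
    // $mail->setFrom($form['email'], $form['name']);

    // Hardened: From: is always an address on the site's own domain, which the
    // domain's SPF record authorises this server to send for.
    $mail->setFrom('info@myfriend.com', 'Website contact form');

    // The visitor's address goes only into Reply-To:, after validation.
    // validateAddress() rejects malformed input, including embedded CR/LF
    // that would otherwise allow extra mail headers to be injected.
    if (!PHPMailer::validateAddress($form['email'])) {
        throw new Exception('Invalid reply address');
    }
    $mail->addReplyTo($form['email'], $form['name']);

    $mail->addAddress('info@myfriend.com');
    $mail->Subject = 'Website contact from ' . $form['name'];
    $mail->isHTML(true);
    // Escape the free-text body so it cannot inject markup into the HTML template.
    $mail->Body    = nl2br(htmlspecialchars($form['message'], ENT_QUOTES, 'UTF-8'));
    $mail->AltBody = $form['message'];

    return $mail;
}

// Usage with a constructed submission:
$mail = buildContactMail([
    'name'    => 'Visitor',
    'email'   => 'visitor@example.com',
    'message' => "Hello,\nI'd like a quote.",
]);
$mail->send();
```

Hitting “Reply” on the received message still goes to the visitor, while the envelope and From: stay on the site’s own domain, so SPF evaluates against the domain the server is actually authorised for.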