13
votes

I'm creating an 'email a friend' type system where I need our mail server to send emails from the user of the site to their friend, i.e. from [email protected] to [email protected].

If, as is the case in this example, the users are both part of Gmail, the friend would receive an email with the warning "This message may not have been sent by: [email protected]".

I thought that by then adding a 'sender' header with our email (e.g. [email protected]) this should indicate to Gmail that we are the sender and are effectively openly spoofing the sender at their request. Is this true? Can you get around Gmail's warning using the 'sender' header?

I realise this is similar to the following question, but I'm more interested in whether the sender header should have an effect: "Email sent from web server causes gmail to treat as phishing. How to get rid of this?"

More info: I'm using netmailbot to send emails from our mail server using the '-customheader' parameter with 'sender' and 'x-sender', e.g. '-customheader sender:[email protected] x-sender:[email protected]'.

1
How shall Google know you are spoofing "at their request"? All they know is that you are spoofing. And that's the reason for showing the warning.
Enno Gröper

1 Answer

16
votes

If gmail doesn't fail miserably, you have no way to suppress this warning.
Google is in control of both accounts and therefore knows that this mail wasn't sent by fred using their infrastructure.
Some third-party infrastructure (yours) was used, and this is all this warning is about. You can set an arbitrary email address as "from" and Google has no knowledge of whether this is legitimate use (if fred really wrote the message). Anyone could have written that message. Normally fred would use Google's infrastructure to send mails and then they would know it's him.

A cleaner solution would be to put your email address ("[email protected]") as the from header (that would be honest) and set [email protected] as the reply-to header (so he gets the replies).
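As an added example (not part of the question or the answer), this builds both variants with Python's standard email library: the question's approach (From: the user, Sender: the site) and the answer's approach (From: the site, Reply-To: the user), plus the one check that separates them: whether the From address belongs to the domain that actually delivers the mail. All addresses, names and the "Example Site" label are constructed placeholders.

```python
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

# Constructed placeholders; the question's real site, server and users are not on the page.
SERVICE_DOMAIN = "example.com"
SERVICE_ADDR = f"noreply@{SERVICE_DOMAIN}"
USER_ADDR, USER_NAME = "fred@example.net", "Fred"
FRIEND_ADDR = "alice@example.net"


def build_tell_a_friend(honest: bool) -> EmailMessage:
    """Build the 'email a friend' message either way.

    honest=False: the question's approach, From: the user, Sender: the site.
    honest=True:  the answer's approach, From: the site, Reply-To: the user.
    """
    msg = EmailMessage()
    msg["To"] = FRIEND_ADDR
    msg["Subject"] = f"{USER_NAME} wants to share a page with you"
    if honest:
        # From is an address the sending domain actually controls; the user's
        # name survives in the display name and replies still reach the user.
        msg["From"] = formataddr((f"{USER_NAME} via Example Site", SERVICE_ADDR))
        msg["Reply-To"] = formataddr((USER_NAME, USER_ADDR))
    else:
        msg["From"] = formataddr((USER_NAME, USER_ADDR))
        msg["Sender"] = SERVICE_ADDR  # present, but does not make From legitimate
    msg.set_content("Hi, I thought you'd like this page.\n")
    return msg


def from_domain_matches(msg: EmailMessage, sending_domain: str) -> bool:
    """Does the From address belong to the domain actually delivering the mail?

    This is the mismatch a receiving provider can observe (From claims a mailbox
    the relaying infrastructure is not responsible for); Sender and X-Sender do
    not enter into it, which is why adding them does not remove the warning.
    """
    _, addr = parseaddr(str(msg["From"]))
    return addr.rpartition("@")[2].lower() == sending_domain.lower()


if __name__ == "__main__":
    for honest in (False, True):
        m = build_tell_a_friend(honest)
        print(f"honest={honest} From={m['From']!r} "
              f"from_domain_ok={from_domain_matches(m, SERVICE_DOMAIN)}")
```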