frankieta

Reputation: 1012

SMTP relaying: avoid antispam filter using Amazon SES (or similar tools)

Our web application is an HR management app in which the user (typically an HR manager) can insert some SMTP credentials and send mail through our app (our app uses JavaMail to handle the message sending) to the personal email addresses of his workers.

So, different users insert different SMTP credentials, but some of these use SMTP servers which are not designed to send a massive number of mails (we are not talking about great numbers, hundreds) in a short span of time, so typically we have logs in which the SMTP server rejects the messages with various policy violation errors.

I thought that using a third-party service like Amazon SES, which offers an SMTP server that will not reject our messages, could be a solution to our problem.

So, imagining that our app has two users

and each of these users has 10 workers with related email addresses (of various domains like gmail, yahoo, etc).

We would use the Amazon SES SMTP to relay those mails using as sender address [email protected] or [email protected] to all the workers addresses.

But I fear that the gmail, yahoo, etc. servers will probably check if the SMTP server that sent the message (amazonses in this case) is authorized to send mail for the sender domain (userdomain.com or anotheruserdomain.com).

Such a check, I think, is called an SPF check, to avoid email spoofing.

Is there a way to avoid this, considering that I cannot access the userdomain.com and anotheruserdomain.com domain settings?

Thanks :)

Upvotes: 1

Views: 2044

Answers (1)

PeterK

Reputation: 3827

You can avoid the spoofing issue by sending emails in your own name. The industry best practice is to use your own email address for delivery and only impersonate the sender in the email header. When you deliver an email using SMTP, you can specify a MAIL FROM address (also called the "envelope sender", "Return-Path" or P1 sender address), which may be different from the "From:" (MIME From) address in the email header.

In this model, emails from Amazon SES would be sent with the MAIL FROM address of [email protected] and the From: address would be [email protected]. As SPF checks are run against the MAIL FROM address and never the MIME "From:", the emails will not be considered spoofed, as long as they satisfy the SPF policy of yourdomain.com, if any.

This practice is commonly employed by mailing lists and email newsletters. By using a unique sender address for each email (e.g. [email protected]), you can even do automated bounce tracking for each email sent, a technique called Variable Envelope Return-Path (VERP).

Upvotes: 1
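The envelope-sender/header split and the VERP scheme described in the answer, as an added example that is not part of the original answer. It is written in Python so it runs offline; the `bounces` prefix, the `.example` domains and all function names are assumptions made for illustration.

```python
import smtplib
from email.message import EmailMessage

BOUNCE_LOCAL = "bounces"               # assumed mailbox prefix
BOUNCE_DOMAIN = "yourdomain.example"   # placeholder for the app's own domain


def verp_encode(recipient: str) -> str:
    """Envelope sender (MAIL FROM) that embeds the recipient address."""
    local, _, domain = recipient.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an address: {recipient!r}")
    return f"{BOUNCE_LOCAL}+{local}={domain}@{BOUNCE_DOMAIN}"


def verp_decode(envelope_sender: str):
    """Recover the original recipient from a bounce's destination address."""
    local, _, domain = envelope_sender.rpartition("@")
    prefix, plus, encoded = local.partition("+")
    if domain.lower() != BOUNCE_DOMAIN or prefix != BOUNCE_LOCAL or not plus:
        return None                    # not one of our bounce addresses
    # A domain cannot contain "=", so split on the last one.
    rcpt_local, eq, rcpt_domain = encoded.rpartition("=")
    if not eq or not rcpt_local or not rcpt_domain:
        return None
    return f"{rcpt_local}@{rcpt_domain}"


def build(header_from: str, recipient: str, subject: str, body: str):
    """Return (envelope_sender, message); only the header names the user."""
    msg = EmailMessage()
    msg["From"] = header_from          # MIME From: shown to the worker
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return verp_encode(recipient), msg


def send(smtp: smtplib.SMTP, header_from, recipient, subject, body):
    """Relay one message; from_addr becomes the SMTP MAIL FROM command."""
    envelope, msg = build(header_from, recipient, subject, body)
    smtp.send_message(msg, from_addr=envelope, to_addrs=[recipient])
    return envelope


if __name__ == "__main__":             # constructed sample addresses
    env, m = build("hr@userdomain.example", "alice+hr@gmail.example", "Payslip", "Attached.")
    print("MAIL FROM:", env, "| From:", m["From"], "| bounce ->", verp_decode(env))
```

In JavaMail the same envelope sender is set with the `mail.smtp.from` session property or `SMTPMessage.setEnvelopeFrom`. Receivers that enforce DMARC also compare the From: header domain with the SPF-authenticated or DKIM-signing domain, so a user domain that publishes a strict DMARC policy can still cause rejection with this layout.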
