Aero Wang

Reputation: 9247

Do we really need -f flag in PHP mail? Why?

I've always included the -f flag in my PHP applications because I thought it was important, as the documentation told us:

The user that the webserver runs as should be added as a trusted user to the sendmail configuration to prevent a 'X-Warning' header from being added to the message when the envelope sender (-f) is set using this method. For sendmail users, this file is /etc/mail/trusted-users.

So it looks like it is used to prevent spoofing - by verifying who I am. Then I did an experiment. It turns out, if I do not include -f, there will still be no X-Warning when I send mails. In fact, the sender doesn't even need to be myself. For example, I tried [email protected] as sender, and I received the email with no warning. I even tried using [email protected] to send out a few hundred emails to multiple email accounts, and they didn't get flagged as spam.

So, my question is, what does -f flag really do (since it seems to me that without it, emails will send through just fine)?

Upvotes: 2

Views: 207

Answers (1)

mti2935

Reputation: 12027

The -f flag is used to specify the envelope sender address. You should use the -f flag to set this address so that it matches the FROM address in the headers of the message, otherwise some spam filters will be more likely to treat the message as spam due to the fact that the two do not match.

You can do something like the following to set both, so that they match:

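$to = "[email protected]";
$from = "[email protected]";
$subject = "subject";
$message = "this is the message body";

// Header sender: the From: line the recipient sees.
$headers = "From: $from";
// Envelope sender: the fifth argument is passed to the sendmail binary as
// extra command-line parameters, so $from must be a trusted, validated value.
$ok = @mail($to, $subject, $message, $headers, "-f " . $from);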

Upvotes: 2
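What a receiving filter has to compare, as an added example that is not part of the original answer: the final MTA records the envelope sender (the value -f sets) in the Return-Path header, and this sketch checks it against the From header. The sample messages, the .example domains and the function names are constructed, and the subdomain rule is a simplification of what real filters do.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed messages as a receiving MTA would store them. Return-Path is
# written from the SMTP envelope sender (MAIL FROM), the value -f controls.
ALIGNED = ("Return-Path: <news@shop.example>\n"
           "From: Shop News <news@shop.example>\n"
           "Subject: with -f\n\nbody\n")
# Without -f, sendmail typically falls back to the local account and host.
MISALIGNED = ("Return-Path: <www-data@web01.hosting.example>\n"
              "From: Shop News <news@shop.example>\n"
              "Subject: without -f\n\nbody\n")
# Bounces carry an empty envelope sender, so there is nothing to compare.
NULL_SENDER = ("Return-Path: <>\n"
               "From: Mailer <postmaster@shop.example>\n"
               "Subject: bounce\n\nbody\n")


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or None."""
    _, addr = parseaddr(header_value or "")
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower().rstrip(".")


def sender_alignment(raw_message):
    """Classify how the envelope sender relates to the From header."""
    msg = message_from_string(raw_message)
    envelope = domain_of(msg.get("Return-Path"))
    header = domain_of(msg.get("From"))
    if header is None:
        return "no-from"
    if envelope is None:
        return "no-envelope-sender"
    if envelope == header:
        return "aligned"
    # Simplification: treat parent/subdomain pairs as related. Real filters
    # resolve the organizational domain with the public suffix list.
    if envelope.endswith("." + header) or header.endswith("." + envelope):
        return "relaxed"
    return "mismatch"


if __name__ == "__main__":
    for name, raw in [("aligned", ALIGNED), ("misaligned", MISALIGNED),
                      ("null sender", NULL_SENDER)]:
        print(f"{name:12} -> {sender_alignment(raw)}")
```
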
