Tags: email, spam, email-headers, phishing

Should I use the Reply-To header when sending emails as a service to others?


Suppose we have an application that acts as a middleman, allowing Company A to send reports to their customers.

Company A → Company B (me) → Company A's customers

After getting the report we send email notifications to the recipients, but they necessarily originate from our company notifications email address, e.g.

joe.bloggs@a.com → notifications@b.com → peter@c.com

Now, customers tend to reply to those email notifications, wanting them to go back to whoever sent the report at Company A. Instead, they end up back at our address, notifications@b.com.

A simple solution may be to change the Reply-To header to the relevant Company A address on the notifications we send, e.g.

joe.bloggs@a.com → notifications@b.com [Reply-To: joe.bloggs@a.com] → peter@c.com

But my main concerns are:

Are these concerns founded at all? Or are there other concerns I should have?


Solution

You may want to consider placing the customer's name in the From header and your address in the Sender header:

    From: Company A <joe.bloggs@a.com>
    Sender: notifications@b.com

Most mailers will render this as "From notifications@b.com on behalf of Company A", which is accurate. And then a Reply-To of Company A's address won't seem out of sorts.

From RFC 5322:

    The "From:" field specifies the author(s) of the message, that is, the mailbox(es) of the person(s) or system(s) responsible for the writing of the message. The "Sender:" field specifies the mailbox of the agent responsible for the actual transmission of the message. For example, if a secretary were to send a message for another person, the mailbox of the secretary would appear in the "Sender:" field and the mailbox of the actual author would appear in the "From:" field.
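The header layout described in the answer, worked through as an added example (this is not code from the question or the answer, and the helper names `build_notification`, `reply_target` and `header_summary` are my own). It builds the notification with Python's standard `email` library, with `From:` naming the Company A author, `Sender:` naming the relay address, and `Reply-To:` pointing back at the author, and it shows which address a conforming mail client will use when the customer presses Reply, with and without the `Reply-To:` header. The addresses are the ones from the question.

```python
from email.message import EmailMessage
from email.utils import parseaddr


def build_notification(author_name, author_addr, relay_addr, recipient,
                       subject, body, set_sender=True, set_reply_to=True):
    """Compose the notification Company B relays on behalf of Company A.

    set_sender=False / set_reply_to=False reproduce the original layout in
    the question, where the relay address is the only one the customer sees.
    """
    msg = EmailMessage()
    if set_sender:
        # RFC 5322: From = author of the message, Sender = agent that transmits it
        msg["From"] = f"{author_name} <{author_addr}>"
        msg["Sender"] = relay_addr
    else:
        msg["From"] = relay_addr
    if set_reply_to:
        msg["Reply-To"] = author_addr
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def reply_target(msg):
    """Address a conforming client puts in To: when the user hits Reply.

    RFC 5322 section 3.6.2: replies go to Reply-To when present, else to From.
    Sender is never used for replies.
    """
    for header in ("Reply-To", "From"):
        value = msg.get(header)
        if value:
            return parseaddr(str(value))[1]
    return None


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def header_summary(msg):
    """Summarise who the message claims to be from, who relayed it, and
    where replies land. 'on_behalf_of' is True when From and Sender differ,
    which is what a client renders as 'X on behalf of Y'."""
    from_addr = parseaddr(str(msg["From"]))[1]
    sender_addr = parseaddr(str(msg["Sender"]))[1] if msg.get("Sender") else from_addr
    return {
        "from": from_addr,
        "sender": sender_addr,
        "reply_to": reply_target(msg),
        "on_behalf_of": domain_of(from_addr) != domain_of(sender_addr),
        # Receivers authenticate the message against the From: domain, so
        # putting a.com in From means a.com's mail policy applies, not b.com's.
        "policy_domain": domain_of(from_addr),
    }


if __name__ == "__main__":
    # Constructed sample: the flow from the question
    original = build_notification("Company A", "joe.bloggs@a.com", "notifications@b.com",
                                  "peter@c.com", "Your report", "Report attached.",
                                  set_sender=False, set_reply_to=False)
    proposed = build_notification("Company A", "joe.bloggs@a.com", "notifications@b.com",
                                  "peter@c.com", "Your report", "Report attached.")
    print("Original layout, replies go to:", reply_target(original))
    print("Proposed layout, replies go to:", reply_target(proposed))
    print(proposed.as_string())
```

The `policy_domain` field is the practical caveat: once `From:` carries Company A's domain, receiving servers check the message against that domain's authentication policy, so the relay at b.com needs to be authorised to send for a.com or the notifications may be rejected or flagged as spam regardless of the `Sender:` header.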