The proper way to set SMTP headers for emails sent as someone else

emailheaderssmtp

Some applications require that system-generated emails be sent as someone else, or said more accurately, they call for the appearance of being sent from someone else.

What is the proper/acceptable way to construct the email headers to achieve this?

To serve as fodder for the question I have included below headers for two emails I received:

  1. An email sent via Gmail, sent using an alternate From address that was configured in addition to the main Gmail email address.
  2. A bogus email with forged headers, surreptitiously sent as someone other than the actual person.

Email 1:

In this example, RealGmailAccount@gmail.com is the email address of the actual sender and AlternateEmail@example.com is the alternate email address configured in Gmail and used to send the email below.

Return-Path: <RealGmailAccount@gmail.com>
X-Orig-To: me@example.com
Received: from [209.85.216.45] ([209.85.216.45:57830] helo=mail-qa0-f45.google.com)     by smtp13.gate.ord1c.rsapps.net (envelope-from <RealGmailAccount@gmail.com>)
Received: by mail-qa0-f45.google.com with SMTP id cm18so1356657qab.18 for <me@example.com>; Wed, 23 Apr 2014 13:32:45 -0700 (PDT)
Sender: <RealGmailAccount@gmail.com>
Subject: Test Message
From: Real User's Name <AlternateEmail@example.com>

Depending on the receiving user's email client the email may be displayed with something like: RealGmailAccount@gmail.com; on behalf of; Real User's Name <AlternateEmail@example.com>

Email 2:

In this example, RealUsersEmailAddress@example.com is the email address of the person this fake email is being sent as.

Return-Path: <RealUsersEmailAddress@example.com>
X-Orig-To: me@example.com
Received: from [190.114.206.6] ([190.114.206.6:49144] helo=mail) by smtp55.gate.dfw1a.rsapps.net (envelope-from <RealUsersEmailAddress@example.com>) 
Subject: Test message 2
From: Real User's Name <RealUsersEmailAddress@example.com>

Emails like this show up normally in email clients.

Is the Gmail example the proper way to do the headers?

Best Answer

Section 3.6.2 of RFC 5322 explains how the originator headers should be filled in. When the sender wants to impersonate someone else (e.g. an assistant sending mail on behalf of their boss), the address they're impersonating goes in the From header, while their real address goes in the Sender header. This assumes that the Mail Submission Agent can determine the sender's real address, e.g. it requires user authentication.

Related Question