letting anonymous users use a form to send emails as if it is from their own mailboxes without getting flagged as spam

nudora asked:

I am working on a project for an environmental NGO.
They want to let users use a form on their website, provide their name, their email address and select certain emails from a list to send complaints or other contents to city council members or clean-air committee members, and so on.

The form would have these input fields:
– Name
– Email
– Subject line (with default text related to current campaign)
– Message (with default text related to current campaign)
– Target emails list (the user would check every function/role/person, they’d like the message to be sent to)

The submitted form needs to be sent to the selected addresses with the edited content while setting the header From to the user’s Name+Email.

The question is: what needs to be done in order to have this system deliver emails without getting flagged as spam?

My answer:

One thing you must do in order to avoid the mail being flagged as spam, or rejected entirely, is do not use the user’s provided email address in the From field.

Your web form is not authorized to send email from arbitrary domains on the Internet, and destinations which check SPF and DMARC records for domains which use them will either mark these messages as spam or refuse to deliver the messages. Worse, if the message is bounced, the bounce message will end up being delivered to the user who put his email in your web form, and so he will know your form is misbehaving.

Instead, From should contain a no-reply address or a postmaster address which can deal with bounced email. The address provided by the web user should be elsewhere, such as Reply-To (if you want recipients to be able to reply to it), in the body of the email, or both.

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.