As designed Undeliverable emails from XenForo due to From address spoofing

digitalpoint

Well-known member
Affected version
2.2
Domain owners can instruct mail servers to reject email if it doesn't come from a whitelisted IP address (normally the mail servers for that domain). In the case of XenForo, the contact form sets the From address to be something arbitrary so that someone can respond to the user.

I know it's by design, but the "correct" way to do it would be the From address being the site's email address, but the Reply To header being the user. That would allow emails to pass DMARC policies rather than being rejected.

As an example, yahoo.com instructs mail servers to reject emails that don't pass through their servers:


See this thread: https://xenforo.com/community/threads/contact-us-error-gmail-550-5-7-26.208972/
 
I don't think this is correct .. Xenforo uses "Default email address" for all outgoing emails and uses reply to header as you recommended in contact form emails .. I think the user on that bug report has a yahoo email as default email address
 
Skimming the code (in the Contact.php service), it looks like XenForo will use the Reply-To header if there is no Contact email address option set, but if there is a contact email address set, it uses the From header. Not sure what the logic is behind that, but that's what it looks like to me:

PHP:
if ($options->contactEmailSenderHeader)
{
   $mail->setSender($options->contactEmailAddress)
      ->setFrom($this->fromEmail, $this->fromName);
}
else if ($this->fromEmail)
{
   $mail->setReplyTo($this->fromEmail, $this->fromName);
}
 
Yes, I forgot about this option
1663691886015.webp

it is off by default
If enabled, emails sent via the "Contact us" form will be sent with the sender's info in the "From" header rather than the "Reply-To" header. Enabling this may help with situations where replying to a contact message does not go to the correct address, but it may not be compatible with all SMTP servers.
 
Top Bottom