On 07-10-2020 02:27, Pau Peris wrote:
I'm hosting my dad's webpage which has a contact form (which should be
improved to avoid spam and/or bots) and from time to time someone
types multiple email addresses in the from field of the form so
contact emails with multiple from addresses like "from:
h...@example.com, f...@example.net" are generated. I though that those
kind of messages should get rejected and thought that maybe there was
a builtin restriction for this use case.
Your basic setup is lacking, and causing you problems. The website
should not send the emails using the email addresses of the person
submitting data on your website in the From: header.
If the email address has DKIM/SPF/DMARC policies attached, actual
delivery of the message is likely harder, because f.i. the webserver is
not listed in the SPF policy of the sender domain. Essentially, the
email your website is sending, is spoofing the From: header. This might
not be too obvious when all email sent from the website ends up in your
mailbox (being the website administrator), but when you try to deliver
to 3rd parties, you'll find this out very quickly.
Conceptually, you could even say that ther person entering data in the
form did not send an email: he/she entered data into a form on a
website, and the website sent the email. Hence, the From: header should
contain webs...@example.org.
Back to your problem: the website controls the From: header so no
multiple email addresses in there. You could configure the website to
put the email address of the person entering data in the form in the
Reply-To: header.
Kind regards,
Tom
