[CONFSERVER-30833] Share page email has the from address of the mail server, but reply goes to the user.

Type: Bug
Resolution: Not a bug
Priority: Low
Fix Version/s: None
Affects Version/s: 4.3.7, 5.3
Component/s: None
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

Summary:

Share page email has the from address of the mail server, but reply goes to the user.

Can from address be changed to reflect the address of the user. As this can be confusing for the customer.

Steps to reproduce:

Configure a mail server, add the from address as "no_reply@something.com"
Go to a page, and share this page by the button on the upper right.
Check your e-mail and look for the from address of this email to see if is no_reply@something.com
Reply to the e-mail, and see that it goes the user.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

Selection_186.png
152 kB
21/Oct/2013 4:20 AM

relates to

CONFSERVER-28704 @mentions user's email should use the Confluence Mail Server settings in the From header

Closed

CONFSERVER-29317 Notifications are sent as different user than "From Address" mail server setting

Closed

fabs (Inactive) added a comment - 21/Oct/2013 5:10 AM - edited

I'd like to separate the concern of fragmenting a share conversation from the concern that the user might be confused about the From: header not being set to the sharing user's email address. If I understand correctly, by impersonating the user via From: we're running the risk of being identified as spam. E.g. if the domain of the user's email address publishes a DMARC record, and the configured mail server is e.g. either not in the SPF or does not add the DKIM signature, we're getting identified as potential spam, and depending on that record we might get rejected. However, even if we set the Sender: header, the From: is still suspect to SPF, see
We're completely circumventing that problem by setting the Reply-To:, and in fact we're doing exactly what the best practices recommend:

MAIL FROM: info@evite.com
...
From: "Mary Dinkleplotz" <info@evite.com>
Reply-To: "Mary Dinkleplotz" <mdinkleplotz@hotmail.com>
Subject: Mary Dinkleplotz has sent you an invite! evite.com does it this way:
Choose a general address in your domain (info@evite.com).
Change the "MAIL FROM" to that address.
Change the "From" header to that address.
Add a "Reply-To" header that contains your user's e-mail address.

By allowing the admin to configure an email for the From: header we're giving him the power to either opt-in verification mechanisms by choosing an email address which is not in a domain for which a DMARC record is published. As soon as we're setting the From: to a user's email address, we're taking away that (direct) control from him and he has to ensure that his mail server complies with all of those mails. If there's an SPF record for that domain, and the mail server is not in it, the mail will be identified as spam.

Also we're setting the personal name part of the From: already to the user's name, e.g. From: "Fabian Kraemer (Confluence)" <admin@noreply.com>, which is set on the mail server configuration

${fullname} (Confluence)

, that should lower the confusion.

I'm going to close this issue as "Not a bug" due to the above findings, if you want us to reconsider it, please raise a feature request.

fabs (Inactive) added a comment - 21/Oct/2013 5:10 AM - edited I'd like to separate the concern of fragmenting a share conversation from the concern that the user might be confused about the From: header not being set to the sharing user's email address. If I understand correctly, by impersonating the user via From: we're running the risk of being identified as spam. E.g. if the domain of the user's email address publishes a DMARC record, and the configured mail server is e.g. either not in the SPF or does not add the DKIM signature, we're getting identified as potential spam, and depending on that record we might get rejected. However, even if we set the Sender: header, the From: is still suspect to SPF, see We're completely circumventing that problem by setting the Reply-To:, and in fact we're doing exactly what the best practices recommend: MAIL FROM: info@evite.com ... From: "Mary Dinkleplotz" <info@evite.com> Reply-To: "Mary Dinkleplotz" <mdinkleplotz@hotmail.com> Subject: Mary Dinkleplotz has sent you an invite! evite.com does it this way: Choose a general address in your domain (info@evite.com). Change the "MAIL FROM" to that address. Change the "From" header to that address. Add a "Reply-To" header that contains your user's e-mail address. By allowing the admin to configure an email for the From: header we're giving him the power to either opt-in verification mechanisms by choosing an email address which is not in a domain for which a DMARC record is published. As soon as we're setting the From: to a user's email address, we're taking away that (direct) control from him and he has to ensure that his mail server complies with all of those mails. If there's an SPF record for that domain, and the mail server is not in it, the mail will be identified as spam. Also we're setting the personal name part of the From: already to the user's name, e.g. From: "Fabian Kraemer (Confluence)" <admin@noreply.com> , which is set on the mail server configuration ${fullname} (Confluence) , that should lower the confusion. I'm going to close this issue as "Not a bug" due to the above findings, if you want us to reconsider it, please raise a feature request.

Steve Haffenden (Inactive) added a comment - 03/Oct/2013 2:30 AM

The issue here seems to be an inconsistency in the From, Reply-To and X-Original-Sender information in the header of the information. The following illustrates how these values are currently set:

From: "User Name (Confluence)" <server_from_address@atlassian.com>
Reply-To: user_email@atlassian.com
X-Original-Sender: server_from_address@atlassian.com

I'd suggest that the From address and Reply-To should be the same.

Steve Haffenden (Inactive) added a comment - 03/Oct/2013 2:30 AM The issue here seems to be an inconsistency in the From, Reply-To and X-Original-Sender information in the header of the information. The following illustrates how these values are currently set: From: "User Name (Confluence)" <server_from_address@atlassian.com> Reply-To: user_email@atlassian.com X-Original-Sender: server_from_address@atlassian.com I'd suggest that the From address and Reply-To should be the same.

Stephen Gramm added a comment - 17/Sep/2013 8:43 PM

The 'reply' does not go back to the user email address. - It goes to the 'no_not_reploy@nasa.gov' black hole.

Stephen Gramm added a comment - 17/Sep/2013 8:43 PM The 'reply' does not go back to the user email address. - It goes to the 'no_not_reploy@nasa.gov' black hole.

Details

Description

Summary:

Steps to reproduce:

Attachments

Attachments

Issue Links

Forms

Activity

Collapse comment: fabs (Inactive) added a comment - 21/Oct/2013 5:10 AM, Edited by fabs - 21/Oct/2013 5:10 AM

Expand comment: fabs (Inactive) added a comment - 21/Oct/2013 5:10 AM, Edited by fabs - 21/Oct/2013 5:10 AM

Collapse comment: Steve Haffenden (Inactive) added a comment - 03/Oct/2013 2:30 AM

Expand comment: Steve Haffenden (Inactive) added a comment - 03/Oct/2013 2:30 AM

Collapse comment: Stephen Gramm added a comment - 17/Sep/2013 8:43 PM

Expand comment: Stephen Gramm added a comment - 17/Sep/2013 8:43 PM

People

Dates