Hi, I'm currently going through all of my sites and changing any contact form that uses PHP mail() over to SMTP. I've had some server troubles recently and need to make it more secure. I've been looking at quite a few scripts to use; all of them seem very similar, however there is a difference between them, and as a result I can't tell which would be the most secure method.
Basically it concerns who should be sending the email or rather the $from variable.
Should I script it so that the email is sent from the person who is completing the form or should it be the server registered email address that I authenticate and just have their email address in the message body?
Usually the mail server requires that the "From:" header be a valid email account on that server. However, you can set a "Reply-To:" header with whatever email address you want, so that is where I usually set the (sanitized) user-supplied value, if that is the functionality I want for that use case.
"Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
~ Terry Pratchett in Nation
Also note that, while many SMTP servers will send mail from any address, some spam engines may put some weight on it, performing one of two checks:

- Reverse DNS lookup on the sending IP: must yield the domain on the email address.
- SPF record check: the sending IP must be permitted to send from the domain on the email address according to the domain's SPF/TXT record.

Not all engines perform these checks, of course. But your deliverability may suffer, and your IP could be blacklisted if you routinely send on behalf of other domains.
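Putting the two answers together (our own authenticated mailbox in "From:", the visitor's validated address only in "Reply-To:"), here is an added example of such a contact-form handler. It is not code from this thread; it assumes PHPMailer is installed via Composer, and the host, addresses and SMTP_PASSWORD environment variable are placeholders.

```php
<?php
// Added example, not from the original thread. Assumes PHPMailer via Composer;
// host, mailbox addresses and the SMTP_PASSWORD env var are placeholders.
require 'vendor/autoload.php';

use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;

// "From:" is always our own authenticated mailbox, so the receiver's SPF and
// reverse-DNS checks see mail that really comes from our domain.
const SITE_FROM_ADDRESS = 'contact@example.com'; // placeholder
const SITE_TO_ADDRESS   = 'owner@example.com';   // placeholder

// Visitor address must be a syntactically valid mailbox and contain no CR/LF
// (the characters a header-injection attempt relies on). Returns null if not.
function validVisitorEmail(string $raw): ?string
{
    $email = trim($raw);
    if (preg_match('/[\r\n]/', $email)) {
        return null;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) ?: null;
}

function sendContactForm(array $post): bool
{
    $visitor = validVisitorEmail($post['email'] ?? '');
    if ($visitor === null) {
        return false; // reject rather than try to "clean" a bad address
    }
    // Free text that ends up in a header gets CR/LF stripped; the body may keep them.
    $name    = str_replace(["\r", "\n"], ' ', trim($post['name'] ?? ''));
    $message = trim($post['message'] ?? '');

    $mail = new PHPMailer(true);
    try {
        $mail->isSMTP();
        $mail->Host       = 'smtp.example.com'; // placeholder
        $mail->SMTPAuth   = true;
        $mail->Username   = SITE_FROM_ADDRESS;
        $mail->Password   = getenv('SMTP_PASSWORD') ?: ''; // secret stays out of the script
        $mail->SMTPSecure = PHPMailer::ENCRYPTION_STARTTLS;
        $mail->Port       = 587;
        $mail->setFrom(SITE_FROM_ADDRESS, 'Website contact form');
        $mail->addReplyTo($visitor, $name);  // visitor appears only in Reply-To
        $mail->addAddress(SITE_TO_ADDRESS);
        $mail->Subject = 'Contact form submission';
        $mail->Body    = "From: {$name} <{$visitor}>\n\n{$message}";
        return $mail->send();
    } catch (Exception $e) {
        error_log('Contact form mail failed: ' . $mail->ErrorInfo);
        return false;
    }
}
```

Because the authenticated account and the "From:" address belong to the same domain, the SPF record only has to list your own server, and replies still reach the visitor through the "Reply-To:" header.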