Php mail()


a question about php mail(). Does the “from” address need to be the same domain that it is being sent from? It seems like it should need to be…


The easiest way to understand from address and header address is to think about a mail letter.

The address in the header is the address on the envelope that determines where the mail goes.

The address in the “from” field is the address in the letter. The postman does not read that address, but it is what you see in the letter.

For example, if the header address is and from address is The email will be sent to and display address in the message.

Most of the time, you should use the same email address for both.

$50 off and 3 free domains with code: DH3 Sign Up NOW or More Codes Here


Nope - but you probably meant the From: address anyway.

It’s a good idea to code the recipient right into your script and not let others inject addresses through a form.

A bad idea would be a text field on the form where people can type any address they want to send mail to. That would probably stop working as soon as your account was shut down for spamming. :stuck_out_tongue:

Just about anything you need to know about the mail function is right here in the manual.

You can also do a search for code injection to learn about blocking unwanted characters, stopping people from adding headers, etc…

:stuck_out_tongue: Maximum savings promo code: MaxSavingsAtDH
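The two points above (the envelope address is set separately from the visible From: header, and form input must never be allowed to add headers of its own) in one script. This is an added example, not code posted in the thread; the recipient, bounce address and sample inputs are constructed placeholders.

```php
<?php
// Added example (not from the thread): a contact-form mailer with the
// recipient fixed in the script, so the only user-controlled values are the
// sender address, subject and body.

// The pattern the thread warns against: form input is concatenated straight
// into the additional_headers argument, so any value containing a line break
// becomes one or more extra headers (Cc:, Bcc:, ...).
function sendContactUnsafe(string $from, string $subject, string $body): bool
{
    return mail('owner@example.com', $subject, $body, "From: $from\r\n");
}

// Returns the address if it is a single well-formed mailbox, false otherwise.
// FILTER_VALIDATE_EMAIL rejects CR, LF, NUL and spaces, so an accepted value
// cannot start a new header line.
function validHeaderAddress(string $value)
{
    return filter_var(trim($value), FILTER_VALIDATE_EMAIL);
}

// Hardened version: validate the visible From: address, refuse line breaks in
// the subject (it is a header too), keep the recipient hard-coded, and set the
// envelope sender (the "address on the envelope") with -f to a fixed mailbox
// you own, so bounces never go to whatever the form user typed.
function sendContactSafe(string $from, string $subject, string $body): bool
{
    $from = validHeaderAddress($from);
    if ($from === false || preg_match('/[\r\n\0]/', $subject)) {
        return false;
    }
    $headers = [
        'From: ' . $from,            // what the recipient sees in the letter
        'Reply-To: ' . $from,
        'Content-Type: text/plain; charset=UTF-8',
    ];
    // Placeholder envelope sender; replace with an address on your own domain.
    return mail('owner@example.com', $subject, $body,
                implode("\r\n", $headers), '-fbounces@example.com');
}

// Constructed inputs: a normal address is accepted, a value carrying a line
// break (a header-injection attempt) is rejected before mail() is reached.
var_dump(validHeaderAddress('alice@example.net') !== false);             // bool(true)
var_dump(validHeaderAddress("alice@example.net\r\nBcc: x@example.org")); // bool(false)
```

The same line-break check belongs on every value that ends up in a header; the body may contain newlines freely because mail() separates it from the headers itself.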


My question is slightly different.

Can I use a From address from a domain different from the one that the mail is sent from? For example, the From address says while the domain I am sending from is I did a test and this works, but it seems like an invitation for abuse. Maybe the reason it works is related to the postal mail analogy mentioned above, since anyone can send a letter with a fake From address. But someone could send a message pretending to be a friend with malicious content. Thoughts?


If the From: field could only be your domain, it wouldn’t make much sense to have a mail form because no one could email you unless they already had access to your domain.

If that’s what you want, then there would be no reason to have a public mail form and only people that are supposed to use it should know where it is. If you want a private solution for some reason, you could put it in a password protected directory.

But if you only want email from people you already know, why would they be using a form instead of just emailing you?

You could add code to your form that only accepts email addresses from your domain… but unless it runs through a list of valid email addresses, someone could still enter a fake address like if they didn’t want you to know who sent it.

Another thing you could do if you only wanted people you know to use the form would be something like a fake anti-spam field. You know the ones that say something like, “What is 5 + 3?” or some other easy question? You could make it so if people don’t enter 123456 (or whatever you want), no matter what the question is, it tells them they got it wrong… even though it looks like they didn’t.

The To: field is what needs to be secured and what’s important to spammers, because you don’t want them to put a viagra ad in the message field, then add something like this to the To: field:,,,,,, etc…

If you have someone that is stalking/harassing you, then the better solution would be to create a new email address and be careful with who you give it to.

If I’m not on the right track, then I must not understand what you’re asking. If you could keep people from claiming to be someone else, or forging headers… there’d be no more spam. :wink:


Thanks for the reply. Here’s my situation. (There is no public form for entering email address or sending emails.)

I have members on a site whose email addresses I know and are legitimate (ie When certain conditions exist on my database driven site, php fires off an email using their address as the From address. (the mail goes to an opt-in list that is owned by that member.) The mail is sent from This all works, but I just don’t understand why it is allowed, since I could just as well impersonate someone (ie in the From address. I guess the reason is that since it is sent from, that even my domain is different than the sending domain, so “they” have to let the mail go. I am trying to understand this, since I am developing processes that rely on the fact that I can send messages from the domains of my members, which could be aol, gmail, ibm, apple… My alternative is to create an email within my domain and forward it to their real address, but dreamhost doesn’t forward to aol, so that’s not perfect either. Or I could use a do-not-reply address and tell the recipients to respond directly to my member. That’s probably the most reliable. Thoughts appreciated.



It sounds like you’re worrying about something you don’t need to. And it still sounds like you’re mixing up To: and From: – To: is the recipient and that’s the field you really need to protect.

Basically, if you couldn’t define those variables, the mail function would be useless.

Anything beyond the basics of it, would be up to you. You can block any addresses you want in your script and should make it as secure as possible.

On the other hand, someone else needs to use that exact same function for a contact form and they need to be able to accept email from anywhere.

Just look at when you place an order online. At some point, there’s a good chance the script is using mail() to send an order from you to the merchant–even though you’re not using their domain as an email address.

Basically, the capabilities of the function itself aren’t a security problem. The security problem comes from poorly implementing it… but that’s pretty much true with any programming.

Some hosts even disable it, which to me, pretty much makes PHP (and the host) useless.

Like I said before, though… if there was a way to stop fake info or headers, there wouldn’t be any spam. The internet would also have a lot less 80 pound nerds pretending to be tough guys. :stuck_out_tongue:

I’d also just add that if this all relies on scripts doing the mailing, make sure you’re not breaking anything spam-related in the TOS. Especially since you mentioned an opt-in list. It’s better to make sure everything is being done right than to find out the hard way later that it wasn’t.


The mail() function is something that just needs to be scrapped from the function list in PHP. It ends up causing more confusion and problems than solving anything.

I recommend using PEAR’s Mail_SMTP library to send your emails to your users through a valid email address you own.

You can expand this slightly by using PEAR’s Mail_Queue system to generate large amounts of emails (newsletters, sales notices, invoices, etc) to be sent over a period of time.