Make WordPress Core

Opened 11 years ago

Last modified 4 months ago

#22837 new defect (bug)

WP Needs to Set "Sender" and "Reply-To" or DKIM/DMARC will not work using wp-mail (via PHPMailer)

Reported by: kellogg9's profile kellogg9 Owned by:
Milestone: Awaiting Review Priority: high
Severity: major Version: 3.4.2
Component: Mail Keywords: needs-patch close 2nd-opinion
Focuses: Cc:

Description (last modified by scribu)

I notice that for DKIM to function (while using DMARC) correctly for outgoing mail the PHPMailer object needs to make sure the Sender and Reply-To fields match the "From" field otherwise the "Return-Path" header uses the server it is sending from causing a mismatch. When this happens DKIM fails authentication on the receiver side because it is not added to outgoing mail.

I tried adding the reply-to and sender header manually to wp_mail() but it did not work. One had to do the following:

Right now i have to manually modify the /wp-includes/pluggable.php file in the wp_mail() function to include:

	if (strlen($phpmailer->Sender)==0)
	{
		$phpmailer->Sender = $phpmailer->From;
		$phpmailer->AddReplyTo($phpmailer->From);
	}

This resolves the problem and DKIM works again.

Change History (15)

#1 @scribu
11 years ago

  • Description modified (diff)
  • Severity changed from critical to normal

Note that functions in pluggable.php are called pluggable because you can re-define them in a plugin, so that you don't have to hack Core.

#2 @kellogg9
11 years ago

Yes, understandable and i was already aware of pluggable being able to be re-defined in a plugin but i figured having those few extra lines in the pluggable.php in future releases could improve security out of the box instead of having users scrambling around in hopes of a patch plugin existing (or needing to be made) to do such a simple thing so DKIM support can function normally.

Notice the new lines dont affect WP at all it just now makes all outgoing mail "properly formatted" so that the server can include a valid DKIM signature (if they so choose).

#3 @scribu
11 years ago

  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to Future Release

Sure, makes sense.

#4 @dd32
11 years ago

See also, #5007 #5279 #5294 #5869 + others for the last time we added the Sender header
Also: #14888

#5 @DeanMarkTaylor
11 years ago

  • Cc DeanMarkTaylor added

#6 @Kirin_Lin
11 years ago

The bug, '#21659 - wp_mail() problem with Reply-To header', is also related with this one.

I found something wrong when I click the 'Reply' button on the email sent from Grunion Contact Form module of Jetpack plugin in GMail. The reason is wp_mail() doesn't deal with 'Reply-To' header.

Last edited 11 years ago by Kirin_Lin (previous) (diff)

#7 @preda.vlad
10 years ago

This is no longer a minor or cosmetic bug since Gmail changed their spam filters (~1 month ago).

If using EXIM mail server (the default mail server for cPanel), all emails sent to Gmail will either be silently discarded, or sent as spam. Postfix works fine as it automatically sets the Sender header, and the issue may also occur with other mail servers as well.

#8 @preda.vlad
10 years ago

  • Cc preda.vlad added
  • Severity changed from normal to major

#9 @simonyump
10 years ago

Is this a Google-specific thing regarding the Sender header? Or for any receiving MTAs that are using DKIM + DMARC?

And is it relevant only when the sending MTA applies DKIM to the message? What if DKIM is not used by the sender?

If anyone could supply links to official methods of handling this issue, that would be useful.

#10 @chriscct7
8 years ago

  • Priority changed from normal to high

#11 follow-ups: @cbutlerjr
8 years ago

I can see the possibility of changing this so that in the default everything matches. However, there's not a need to modify the function (pluggable or otherwise) as @kellogg9 mentioned. The phpmailer settings can be handled with the phpmailer_init action.

phpmailer_init fires after PHPMailer is initialized. So the action can be used to cleanup any settings as needed. I believe that until a full fix is in place, the following would patch it:

add_action( 'phpmailer_init', 'my_phpmailer_dkim_cleanup' );
function my_phpmailer_dkim_cleanup( $phpmailer ) {
    if ( '' == $phpmailer->Sender ) {
        $phpmailer->Sender = $phpmailer->From;
        $phpmailer->AddReplyTo( $phpmailer->From );
    }
}

#12 in reply to: ↑ 11 @cybmeta
8 years ago

I've been using a similar snippet for a while but without the Reply-To header; adding it makes DKIM to fail for me.

Replying to cbutlerjr:

I can see the possibility of changing this so that in the default everything matches. However, there's not a need to modify the function (pluggable or otherwise) as @kellogg9 mentioned. The phpmailer settings can be handled with the phpmailer_init action.

phpmailer_init fires after PHPMailer is initialized. So the action can be used to cleanup any settings as needed. I believe that until a full fix is in place, the following would patch it:

add_action( 'phpmailer_init', 'my_phpmailer_dkim_cleanup' );
function my_phpmailer_dkim_cleanup( $phpmailer ) {
    if ( '' == $phpmailer->Sender ) {
        $phpmailer->Sender = $phpmailer->From;
        $phpmailer->AddReplyTo( $phpmailer->From );
    }
}

#13 in reply to: ↑ 11 @kellogg9
8 years ago

Hi @cbutlerjr ... thanks for the reply. A few years back, about a year after i opened this bug ticket, i stumbled upon the phpmailer_init() action and implemented a virtual identical version that you wrote (shown below). It has been working ever since. Thanks for adding this to my ticket. I guess i should have added an update here a few years back. Here is hoping though that the core team finally adds the fix into their official build.

~Kimberly

add_action( 'phpmailer_init', 'my_phpmailer_dkim_cleanup' );
function my_phpmailer_dkim_cleanup( $phpmailer ) {
    if ( '' == $phpmailer->Sender ) {
        $phpmailer->Sender = $phpmailer->From;
        $phpmailer->AddReplyTo( $phpmailer->From );
    }
}

#14 @desrosj
21 months ago

  • Keywords close 2nd-opinion added
  • Milestone set to Awaiting Review

I came across this one going through a list of tickets that have lost their milestone at some point. Re-adding one to help surface this one in reports.

I'm not sure how I'd go about testing this issue locally, but here are a few thoughts.

PHPMailer has undergone some big changes since this ticket was created, and WordPress is now on the latest version of the library (6.x) after the work in #41750. It would be great if someone could test for this issue using the latest version of WordPress (6.0 at the time of this comment) to see if this problem still exists.

DKIM is not something configured or used by default for WordPress sites. The wp_mail() function tries to be as generic as possible to work on as many sites as possible, and as far as I can tell, wp_mail() does not have any considerations for any specific authentication type.

All this said, I'm leaning towards closing this out as something that should be handled by a plugin, or the custom code configuring DKIM in PHPMailer.

This ticket was mentioned in Slack in #core by abhanonstopnews. View the logs.


4 months ago

Note: See TracTickets for help on using tickets.