[wp-trac] [WordPress Trac] #22837: WP Needs to Set "Sender" and "Reply-To" or DKIM/DMARC will not work using wp-mail (via PHPMailer)

WordPress Trac noreply at wordpress.org
Wed Aug 6 13:30:46 UTC 2025


#22837: WP Needs to Set "Sender" and "Reply-To" or DKIM/DMARC will not work using
wp-mail (via PHPMailer)
-------------------------------+------------------------------
 Reporter:  kellogg9           |       Owner:  (none)
     Type:  defect (bug)       |      Status:  closed
 Priority:  high               |   Milestone:  Awaiting Review
Component:  Mail               |     Version:  3.4.2
 Severity:  major              |  Resolution:  worksforme
 Keywords:  close 2nd-opinion  |     Focuses:
-------------------------------+------------------------------
Changes (by SirLouen):

 * keywords:  needs-patch close 2nd-opinion => close 2nd-opinion
 * status:  new => closed
 * resolution:   => worksforme


Comment:

 == Reproduction Report
 === Description
 ❌ This report can't validate that the issue can be reproduced.

 === Environment
 - WordPress: 6.9-alpha-60609
 - PHP: 8.2.29
 - Server: Apache/2.4.62 (Debian)
 - Database: mysqli (Server: 8.0.43 / Client: mysqlnd 8.2.29)
 - Browser: Chrome 138.0.0.0
 - OS: Windows 10/11
 - Theme: Twenty Twenty-Five 1.3
 - MU Plugins: None activated
 - Plugins:
   * Test Reports 1.2.0

 === Testing Instructions
 1. Add a local server like Postfix with DKIM to your local WordPress site
 2. Send email to a Gmail address (which has full DKIM/SPF testing)
 3. ❌ Email is received without troubles.
 4. ❌ Also tested towards https://www.mail-tester.com/ with the Health
 Check plugin (Tools), Result: 10/10

 === Actual Results
 1. ❌ Error condition is not occurring

 === Additional Notes

 I've been testing with some Docker containers using WP and Postfix (I will
 be testing with other alternatives like sendmail and qmail later).

 With a fresh installation of both WP and Postfix, not explicitly
 specifying a Sender envelope and fully relying on the `mail` function
 "as-is", this is an example email, sent from my server to my Gmail account:

 {{{
 Delivered-To: [REDACTED_EMAIL]
 Received: by 2002:a05:6359:6c93:b0:1ff:db44:3f60 with SMTP id
 td19csp77717rwb;
         Wed, 6 Aug 2025 06:05:48 -0700 (PDT)
 X-Google-Smtp-Source:
 AGHT+IHuqeZlSnkdrM0/F3klNm20amzDRETPIQrSfJOabE105QzLv0wAZut5j5aY3jWhSk+i4XGR
 X-Received: by 2001:a06:6512:ac2:b0:553:cf7d:72a0 with SMTP id
 2adb3069b0e04-55caf51e0f4mr1045577e87.5.1754485548059;
         Wed, 06 Aug 2025 06:05:48 -0700 (PDT)
 ARC-Seal: i=1; a=rsa-sha256; t=1754485548; cv=none;
         d=google.com; s=arc-20240605;
 b=eNclUcCzbSfNCdBtNo/99LU4elhYf05nti7DCra25Zq7ySU0lnh7aAqbzAiBVCv/VU
 05zv7j8gVWP9obXxKH8kuF0lh8dSpvk3/69pVO2hj+AY5pdM/m21wZpCsLSvQxnAWMev
 ZbVYgEoqASFSia9jEWxHsXvH/v1hKsKF3pVx1r52uQaCk8TvquHuf/Z/UwVwZ7IGiaRU
 FlYOP5HV9wmAGPjHQCmAakNK8afdff3cSbha6ydpWSuEuXoXUNJ1lSKXZRdBs1C8q18W
 7hIIgWj+QIaZoH9Tpj11WYSBKwjXoq0Xbc4XAYrUrDRLLBZ2lqE6pStFnxugsgq3tXxZ
          66pQ==
 ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20240605;
         h=mime-version:message-id:from:date:subject:to:dkim-signature;
         bh=PVNFHtbm7C0KnKg1qneS9ozOqv1xDi0783HTk5AXZgM=;
         fh=LnWiZB+0qsThBew1oCwmWb63UJ40SUAv5hSa6DrXbks=;
 b=FH2iYY9G42wmantVhhqI2QtyQvFwWE65CWWSNHHCHdjlIatKcxDRWIpj/pz0sfKqyW
 vkG2G7RANuUqXhT+SifGICbbFd/d+yLQoE4NhxrREr2pjIzBMmekPDGh1qVMq7UQ72Ju
 KOIx48rUzKrp80EKuL2ZiLLjHifGUKgSJAXQ95SiuPOEIbkeGr6V24OTw3U+9KOe1vVV
 0+HRoZepT7sjx1iQV1P1CNoij+VYPElBd6rzFB6jKqNrsQM26a6S4U8CdeyOpoPVd6cb
 o6LmbfnMggOyoudva/6hG/CP+Sxsk/X8BE8/vSPxhMxipW+NvDd2npaIZTbKRdnaAVKD
          ckOw==;
         dara=google.com
 ARC-Authentication-Results: i=1; mx.google.com;
        dkim=pass header.i=@[REDACTED_SERVER] header.s=mail
 header.b=jPKZXw5o;
        spf=pass (google.com: domain of www-data@[REDACTED_SERVER]
 designates [REDACTED_SERVER_IP] as permitted sender) smtp.mailfrom=www-
 data@[REDACTED_SERVER];
        dmarc=pass (p=REJECT sp=REJECT dis=NONE)
 header.from=[REDACTED_SERVER]
 Return-Path: <www-data@[REDACTED_SERVER]>
 Received: from [REDACTED_SERVER] ([REDACTED_REVERSE_HOST].
 [[REDACTED_SERVER_IP]])
         by mx.google.com with ESMTPS id
 2adb3069b0e04-55b889ce3ddsi4183363e87.634.2025.08.06.06.05.47
         for <[REDACTED_EMAIL]>
         (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
         Wed, 06 Aug 2025 06:05:47 -0700 (PDT)
 Received-SPF: pass (google.com: domain of www-data@[REDACTED_SERVER]
 designates [REDACTED_SERVER_IP] as permitted sender) client-
 ip=[REDACTED_SERVER_IP];
 Authentication-Results: mx.google.com;
        dkim=pass header.i=@[REDACTED_SERVER] header.s=mail
 header.b=jPKZXw5o;
        spf=pass (google.com: domain of www-data@[REDACTED_SERVER]
 designates [REDACTED_SERVER_IP] as permitted sender) smtp.mailfrom=www-
 data@[REDACTED_SERVER];
        dmarc=pass (p=REJECT sp=REJECT dis=NONE)
 header.from=[REDACTED_SERVER]
 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=[REDACTED_SERVER];
 s=mail; t=1754485547; bh=PVNFHtbm7C0KnKg1qneS9ozOqv1xDi0783HTk5AXZgM=;
 h=To:Subject:Date:From:From;
 b=jPKZXw5oug02Vb8SUz6gARY3DIvxpfyeYQ9WrBNCJzFPM5j+w/IXeq07HRp7tGp4S
 Rbjux3ukwRSySmCaHJquXDemblwAiuYg8O92cdA6nJCPRxR1Xem5GAyCRfKgxm3id/
          kJJvr1sIxKB8qD0FuZkIolZ7PBBzceTRHuerOlMk=
 Received: by [REDACTED_SERVER] (Postfix, from userid 33) id 4BF5E21C00;
 Wed,
   6 Aug 2025 13:05:47 +0000 (UTC)
 To: [REDACTED_EMAIL]
 Subject: New WordPress Site
 Date: Wed, 6 Aug 2025 13:05:47 +0000
 From: WordPress <wordpress@[REDACTED_SERVER]>
 Message-ID:
 <JDwgW5Y3fXqkMKrRaj7tfaCsvGdzntxFxMknqoTVHyE@[REDACTED_SERVER]>
 X-Mailer: PHPMailer 6.9.3 (https://github.com/PHPMailer/PHPMailer)
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8

 Your new WordPress site has been successfully set up at:

 https://[REDACTED_SERVER]

 You can log in to the administrator account with the following
 information:

 Username: admin
 Password: The password you chose during installation.
 Log in here: https://[REDACTED_SERVER]/wp-login.php

 We hope you enjoy your new site. Thanks!

 --The WordPress Team
 https://wordpress.org/
 }}}

 As we can clearly see here, all DKIM and SPF tests are passing without
 troubles.

 Why so?

 Because PHP's `mail` function uses the `-t` parameter which takes `From:`
 for the sender envelope in the headers. At the same time, `PHPMailer`
 current version (6.9.3), takes the default from `wordpress at site_hostname`
 and sets it as a `From:` header. This is why everything can be perfectly
 identified, and the `Reply-To` is not really needed for DKIM/SPF
 authentication/confirmation.

 However, not having the `-f` in `mail` could have consequences for some
 old versions of `sendmail` and certain secondary SMTP servers (like
 `msmtp`), which could fail because they cannot correctly parse the
 `headers` for the `Sender`, hence resulting in an invalid sender envelope.

 I'm closing this ticket as `worksforme`. But this will be further tested
 in the following ticket #49687, because any further testing here could
 duplicate efforts instead of having them all concentrated in a single one.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/22837#comment:16>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
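
Added example, not part of the ticket comment or of WordPress/PHPMailer code: a small Python check that reads an `Authentication-Results` value like the one quoted above and reports whether the SPF envelope domain (`smtp.mailfrom`) and the DKIM signing domain align with the `From:` domain, which is what DMARC evaluates. The sample header is constructed (`example.org` and `192.0.2.10` stand in for the redacted values), and the two-label organizational-domain rule is a simplifying assumption.

```python
import re

# Constructed sample modelled on the header quoted in the ticket;
# example.org and 192.0.2.10 stand in for the redacted host and IP.
SAMPLE = """mx.google.com;
       dkim=pass header.i=@example.org header.s=mail header.b=jPKZXw5o;
       spf=pass (google.com: domain of www-data@example.org designates
 192.0.2.10 as permitted sender) smtp.mailfrom=www-data@example.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.org"""

def parse_authres(value):
    """Return {method: {"result": ..., property: value}} for one header value."""
    value = re.sub(r"\([^)]*\)", " ", value)      # drop parenthesised comments
    out = {}
    for clause in value.split(";")[1:]:           # first item is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        out[method.lower()] = {"result": result.lower(), **props}
    return out

def domain_of(identity):
    """'user@host', '@host' or 'host' -> lower-cased host."""
    return identity.rsplit("@", 1)[-1].strip("<>").lower()

def org_domain(domain):
    # Assumption: last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def dmarc_alignment(value):
    """Which passing identifiers align (relaxed mode) with the From: domain."""
    r = parse_authres(value)
    from_dom = org_domain(domain_of(r.get("dmarc", {}).get("header.from", "")))

    def aligned(method, prop):
        m = r.get(method, {})
        return (m.get("result") == "pass" and prop in m
                and org_domain(domain_of(m[prop])) == from_dom != "")

    return {"spf": aligned("spf", "smtp.mailfrom"),
            "dkim": aligned("dkim", "header.i") or aligned("dkim", "header.d")}

if __name__ == "__main__":
    print(dmarc_alignment(SAMPLE))
```

When the envelope sender falls on a different organizational domain than `From:`, the `spf` entry turns false and DMARC then depends on the DKIM signature alone.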