[wp-trac] [WordPress Trac] #60420: Default wordpress at site.com sender address can be problematic
WordPress Trac
noreply at wordpress.org
Tue Dec 16 16:13:34 UTC 2025
#60420: Default wordpress at site.com sender address can be problematic
-----------------------------+------------------------------
Reporter: thinlinecz | Owner: (none)
Type: feature request | Status: reopened
Priority: normal | Milestone: Awaiting Review
Component: Mail | Version: 1.5.1.2
Severity: normal | Resolution:
Keywords: close | Focuses:
-----------------------------+------------------------------
Comment (by michael.orlitzky):
Replying to [comment:39 dmsnell]:
> - Do any of us have real metrics from 6.9 to indicate if the change
> to adding a default Envelope Return-Path to `wordpress at host()` was a net
> help or hindrance for deliverability?
What changed in 6.9? I haven't noticed any new problems, but the
Return-Path was never a problem for us to begin with:
1. It can be set in php.ini by using "sendmail -f" as your sendmail_path
2. The recipient doesn't see the Return-Path, so you can set it to
anything you want to get SPF to pass
Conversely, the "From" address can not be changed, and the recipient sees
it, so it is more important and harder to fudge. If I want to send "From"
a domain, I need to obtain secret keys or DNS access from the owner.
> - If you are a host dealing with this issue, what technically makes it
> easier to work with WordPress emails that are sent with
> `systemuser at local.system.hostname` than `wordpress at public.hostname()`?
You may not be authorized to send mail as `public.hostname()`, and you may
not be in a position to change that. (The same is true for
local.system.hostname, it really needs to be configurable.)
> - If you are a host dealing with this issue, do you send all bounce
> emails to the same address for all hosted sites? Are there any potential
> privacy issues with this practice? How does receipt of bounce messages and
> DMARC notices get relayed to the site owner?
The system admin gets the bounces, and rarely the site owner or web
developer does as well. There are a few reasons for this:
1. Usually, the bounces indicate a problem with the server and not with
the site (blacklisting, spam attack, etc.)
2. When that's not the case, it's some problem that the site owner can't
fix, like the fact that WordPress insists on using the wrong sender
address :)
3. There's no (additional) privacy issue because anything your site does
can be seen by the server admin
4. Most of our customers are non-technical and just don't care unless
there's a problem; and when there's a problem, they're going to call us
about it anyway
> in the case that email is set up appropriately, would it be difficult to
> positively identify a proper return-path address? in which cases would an
> attempt be misleading? in other words, I would imagine that a failure to
> detect delivery might not say anything, but a confirmation of delivery
> //would//. I have no idea how to detect deliverability so maybe you are
> saying WordPress doesn’t have an avenue to do so?
Yes, it's "impossible" to tell whether or not an external address is
deliverable. Particularly if all you are doing is handing the message off
to `/usr/bin/sendmail`, since sendmail will succeed immediately and the
MTA will attempt delivery later. (And if you try to use something other
than sendmail on a server that usually uses sendmail, you are testing the
wrong thing.)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/60420#comment:41>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
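
Added example, not part of the ticket or of WordPress: the comment above contrasts the envelope sender (recorded as Return-Path, the identity SPF evaluates) with the From address the recipient sees. This Python code reads both from a delivered message and classifies how their domains relate, which is the comparison DMARC makes for SPF alignment; the sample messages, hostnames and function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr


# Constructed sample: headers as stored after delivery. All hostnames are
# placeholders, not values from the ticket.
def sample(envelope_sender):
    return (f"Return-Path: <{envelope_sender}>\n"
            "From: WordPress <wordpress@blog.example.com>\n"
            "Subject: Password reset\n\nbody\n")


SAMPLES = {
    "public_hostname": sample("wordpress@blog.example.com"),
    "system_user": sample("www-data@web01.hosting.example"),
    "bounce_subdomain": sample("bounces@mail.blog.example.com"),
}


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""


def sender_domains(raw_message):
    """Domain SPF evaluates (envelope sender) and domain the recipient sees."""
    msg = message_from_string(raw_message)
    return domain_of(msg["Return-Path"]), domain_of(msg["From"])


def alignment(raw_message):
    """Classify how the envelope-sender domain relates to the From domain."""
    envelope, visible = sender_domains(raw_message)
    if not envelope or not visible:
        return "missing"
    if envelope == visible:
        return "exact"
    # Approximation (assumption): a parent/child pair usually shares an
    # organizational domain; a real check needs the Public Suffix List.
    if envelope.endswith("." + visible) or visible.endswith("." + envelope):
        return "subdomain"
    return "unaligned"


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, sender_domains(raw), alignment(raw))
```

A result of `unaligned` means SPF can pass for the envelope domain while DMARC still needs an aligned DKIM signature for the From domain.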