[wp-trac] [WordPress Trac] #60420: Default wordpress at site.com sender address can be problematic
WordPress Trac
noreply at wordpress.org
Tue Dec 16 19:46:49 UTC 2025
#60420: Default wordpress at site.com sender address can be problematic
-----------------------------+------------------------------
Reporter: thinlinecz | Owner: (none)
Type: feature request | Status: reopened
Priority: normal | Milestone: Awaiting Review
Component: Mail | Version: 1.5.1.2
Severity: normal | Resolution:
Keywords: close | Focuses:
-----------------------------+------------------------------
Comment (by michael.orlitzky):
Replying to [comment:43 dmsnell]:
> @michaelorlitzky in WordPress 6.9, mail started being sent with
wordpress at site.com as the envelope sender/return path/mail from address.
Oh, wow, thanks, this '''has''' affected us. Ever since the upgrade, we
are throwing away mail to every domain that checks SPF. But of course I'm
not getting the reports, because WP is overriding the Return-Path with an
address that doesn't exist.
> In the preparation for #49687 I sent test emails to
[https://aboutmy.email/a9f9d1e/session aboutmy.email] and that provided
helpful knowledge about what //actually// left WordPress and the shared
host it was on. Perhaps there is opportunity for a WordPress.org service
where we could report back on test email. I know that opens a can of worms
for security and spam and abuse, but perhaps we can find a way to create a
temporary service which can assert various information about the mail,
including SPF, DMARC, and DKIM verification, and even attempt delivery to
the sender address.
I think you will find certain common scenarios impossible to replicate,
like the spam filtering on the real mail server, or the fact that the real
mail server for example.com knows that wordpress at example.com does not
exist and will reject your mail based on that.
> I would have rather expected a host to override mail settings and send
something with a return path like `mail-info at cheap-vps.net` rather than
`cd16557 at n05-cluster2.local`.
That's what we do. We use postmaster@ specifically since it bypasses spam
filtering. (Or so I thought. Now I see that since 6.9 they are coming from
wordpress@$sitename and bouncing into the void.)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/60420#comment:44>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list