Forging Email Headers: Good, Bad or Ugly?

My new Ruby on Rails project Hey! Heads Up (H! for short) sends quite a bit of email to notify people about updates from others. Should those updates appear to come from H! or from the person that triggered the notification? I don't know enough about email to answer that question but I'll outline the problem and you can let me know what you think.

Hey! Heads Up lets you manage "temporary" links. They are temporary because you don't know yet whether you want to keep them. Maybe someone sent you an article/video/website but you don't have time to check it out. You'll still want to keep track of it until you do read it, but do you really want to bookmark it in the browser or on a site like del.icio.us? H! is a "TODO" list of these temporary links, so you can prioritize them.

Once you do check out the article, H! lets you send it to other people that use H! (and soon to anyone by email). When H! "sends" the item the other people are notified by email that there's a new item in their H! incoming list. Right now this email appears to be from Hey! Heads Up <help@heyheadsup.com>. Replies to this email address get forwarded to me, the website administrator.

But there are all sorts of problems with this approach to notifying by email, primarily spam filters. Many people are now filtering email by their contact list and/or a whitelist to reduce spam. Unless help@heyheadsup.com is on their whitelist, people don't get H! notifications.

So my question is: would it be better to "forge" these notification emails to appear as though they are coming from the sender of the item? Presumably these people are already in the contact lists of the people they are sending H! items to, so the notification has a much better chance of making it through the spam filters.

As well, seeing a notification coming from a specific person instead of help@heyheadsup.com for everyone could make it easier to sort and prioritize these notification emails in a person's email inbox.

Why is forging emails bad? Some spam filters could flag emails that are sent by mail software at one domain (like heyheadsup.com) but carry a "From" address at another (like gmail.com). But I've seen the technique used in a lot of places, so it's hard to say how much it is frowned upon. For a website creator, forging emails essentially means sending emails on a person's behalf.
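The two header layouts in question, with the domain comparison a filter could make between the "From" address and the sending domain, as an added Ruby example (not H!'s code). The helper names, the sample person and the "via" wording are assumptions; the second layout keeps "From" on heyheadsup.com and puts the person's address in the standard Reply-To header instead.

```ruby
# Added example, not H!'s code. Names and addresses other than
# help@heyheadsup.com are constructed.
SERVICE_DOMAIN = "heyheadsup.com"       # domain whose mail software sends
SERVICE_ADDR   = "help@heyheadsup.com"  # service address from the post

# Quote a user-supplied display name; CR/LF are removed so a name
# cannot start a new header line.
def display(name)
  '"' + name.gsub(/[\r\n"\\<>]/, " ").squeeze(" ").strip + '"'
end

# Domain of the address in 'Name <user@host>' or a bare 'user@host'.
def header_domain(value)
  addr = value[/<([^<>]+)>\s*\z/, 1] || value.strip
  local, at, domain = addr.rpartition("@")
  return nil if at.empty? || local.empty? || domain.empty?
  domain.downcase
end

# Variant A: "From" is rewritten to the person who triggered the
# notification. addr is assumed to be an already validated account address.
def forged_headers(name, addr)
  { "From" => "#{display(name)} <#{addr}>" }
end

# Variant B: "From" stays on the service's domain; the person appears in
# the display name and receives replies through Reply-To.
def on_behalf_headers(name, addr)
  { "From"     => "#{display(name + ' via Hey! Heads Up')} <#{SERVICE_ADDR}>",
    "Reply-To" => "#{display(name)} <#{addr}>" }
end

# The mismatch described above: does the "From" domain equal the domain
# the mail was actually sent from?
def from_matches_sending_domain?(headers, sending_domain = SERVICE_DOMAIN)
  header_domain(headers["From"]) == sending_domain.downcase
end

# Constructed sample person.
[forged_headers("Alice Example", "alice@example.org"),
 on_behalf_headers("Alice Example", "alice@example.org")].each do |h|
  h.each { |k, v| puts "#{k}: #{v}" }
  puts "From matches sending domain: #{from_matches_sending_domain?(h)}"
end
```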

How about the industry leaders? Facebook's notification emails have a "From" line that looks like: Facebook <notification+m1--ujud@facebookmail.com>. The strange reply address could be used to sort feedback but otherwise it's a little confusing. To top it off, using a similar-but-not-quite-the-same domain (facebookmail.com instead of facebook.com) for emails is a common phishing technique.

Are there more precedents? Is there any consensus? Opinions are appreciated. Would you want a site to send notification emails in your name?

BTW, if you want to give H! a try it is in alpha testing. Fire me an email at blog[at]ryanlowe[dot]ca to join the alpha test group.

Posted at October 19, 2007 at 12:22 PM EST
Last updated October 19, 2007 at 12:22 PM EST

I dunno.. seems a lot like a solved problem to me.

Google Toolbar has an email this page feature
There are dead-simple delicious extensions like http://www.monsur.com/projects/readeroo/

Tumblr makes for a very quick bookmarking service as well http://engtech.tumblr.com

People use TwitThis to bookmark links to twitter all the time

My guess is the value add from HeadsUp is that the people you're sending links to don't have to use the service as well? If they do, then how does it differentiate itself from this stupidly crowded social bookmarking niche?

» Posted by: engtech at October 20, 2007 08:27 PM

I agree: the bookmark niche is getting full.

I went with a general "TODO list" first, not just bookmarks. Then I allowed "sending" to other people that use the service. Then I'm going to let people send items by email to those that don't use the service.

Many of my TODO items on H! are private and not published like other bookmarking (delicious) or mini-blogging (twitter) services. When I want to share on my H! mini-blog (like after I read an article) I just click publish and it's put up for the Internet to see.

I'm really scratching my own itch here, and my main thing is prioritization. I find at least a dozen things a day I want to check out, I just don't have time *right then*. Some items are articles I find on news sites, other items are links that people send me. Some are albums or movies I see somewhere and want to check out later. H! lets me keep them all together and once I've checked them out I can do something with them: publish on my mini-blog and comment on, send to a friend, bookmark permanently, etc.

I'd like H! to be in the middle of people's workflow for managing items to check out later. I could even make an API for both incoming and outgoing parts of the workflow.

» Posted by: Ryan at October 21, 2007 02:23 PM