4

I stumbled on the following script today for sending an e-mail using PHPMail.

<?php
    $to = "some_address@domain.com";
    $subject = "Test mail";
    $message = "Hello! This is a simple email message.";
    $from = "my_address@domain.com";
    $headers = "From:" . $from;
    mail($to, $subject, $message, $headers);
    echo "Mail Sent.";
?>

The above can be run with php mail.php, and instantly you'll get an e-mail sent to $to from $from, despite not needing to set outgoing/incoming servers up.

It really intrigued me, since my CMS uses an SMTP outgoing server (well, same way Mail PHP does), which I need to set up with my Outlook SMTP username and password - some sort of verification.

However, Mail PHP just... sends an e-mail. To the address you set it as. From the address you set it as.

Looking at the PHP docs does not really reveal how it works. Does Mail PHP not have any issues with spamming, since anyone can send anyone anything anytime programmatically without verification of the from identity?

EDIT:

It's rather funny the people in the comments were talking about the POTUS, since I had the exact thing in mind:

It did land in my junk folder, but I'm sure it isn't hard to make this look convincing enough and still be considered "oh damn spam filter lost my e-mail!"

theGreenCabbage
  • If the From is overwritten, and it's not what your provider gives you, those mails will usually land in the spam folder. – vaso123 Nov 13 '14 at 15:20
  • The last part of your question answers it. That's one of the many reasons you shouldn't rely on PHP's mail function – baao Nov 13 '14 at 15:20
  • Try looking at http://stackoverflow.com/a/14456761/1857053 and using PHPmailer – RichardBernards Nov 13 '14 at 15:21
  • This has nothing to do with PHP, or mail. That's just the way SMTP works. I can trivially forge an email to anyone with `From: president@whitehouse.gov`. Whether the receiving server will accept it is another matter, but SENDING forged emails has never been "hard" – Marc B Nov 13 '14 at 15:23
  • Wait, so I wasn't contacted by the president @MarcB ? – ʰᵈˑ Nov 13 '14 at 15:23
  • @ʰᵈˑ Check edit. I think the POTUS wants to talk to me. – theGreenCabbage Nov 13 '14 at 15:26
  • @theGreenCabbage You're one lucky cabbage! – ʰᵈˑ Nov 13 '14 at 15:29
  • Proper headers are very important to many mail servers or clients in order to avoid ending up as "spam" or in the "junk" folder... And as mentioned before, try PHPMailer... it's a very helpful class in many cases... https://github.com/PHPMailer/PHPMailer – Theo Orphanos Nov 13 '14 at 15:36
  • @captaintheo oh I know about PHPMailer. I just found the prospect of being able to forge "from" quite intriguing. Are you telling me if.. Not that I will do it or anything.. But if my headers are well-crafted (though I still unfortunately don't have access to the whitehouse.gov's SMTP credentials) enough, I could land on the non-junk folder? – theGreenCabbage Nov 13 '14 at 15:53
  • @MarcB I've seen much less convincing emails from official domains land in my junk folder before (that I had to say it wasn't junk). – theGreenCabbage Nov 13 '14 at 15:55
  • @theGreenCabbage: You don't have to involve whitehouse.gov's mail servers AT ALL to forge an email. You can use your own ISP or your own installed-at-home SMTP server. The only difference between a real presidential email and the one you forge would be the SMTP server path that shows up in the mail's headers. (ignoring DKIM and other anti-spam systems) – Marc B Nov 13 '14 at 15:57
  • @theGreenCabbage I am telling you that the better the headers are, the more chances you get to achieve a successful delivery. Of course headers are NOT the only factor in that. (otherwise companies offering SMTP services would be bankrupt by now!) And yes, you could try to fake a third party domain name, but it is up to the recipient server to drop your message since (for example) your IP will not have a legit SPF record bound to the NS record of that domain. Lastly, please note that in my previous comment, I did not refer at all to forging the "from" header. – Theo Orphanos Nov 13 '14 at 16:26

2 Answers

4

The mail function uses the settings from php.ini. The details of this configuration can be found in Mail Runtime Configuration.

The defaults can be set in php.ini, although you can override them using ini_set.

I bet you sent the mail from a PHP script on a hosted server. That server probably has SMTP settings configured beforehand. If you would try this locally on a WAMP/LAMP server, you would have to do this configuration yourself, since PHP cannot read your Outlook/WhateverMailclient settings.

As stated in the comments, you can specify the sender/from address yourself. SMTP doesn't require this to be the actual sender domain, so that's why this works. The missing link is the pre-configured SMTP server of your host.

Some relay servers do check for this, and your mail might be blocked or sent to a junk mail folder. You can however configure this in your DNS to indicate that <Your server's IP> is indeed allowed to send email for <yourdomain>. For more information about that subject, you might want to read this question on ServerFault.

GolezTrol
0

It uses the SMTP protocol or send_mail; you can even configure what PHP should use to send mail in php.ini. It can send e-mail, but the e-mail will end up in your spam filter. Take a look at DKIM and SPF records for more information.

Sander Visser