"On Behalf Of"

Dear Lazyweb, can anyone explain to me the conditions under which Outlook corrupts the "From" field by putting "On Behalf Of" into it?

Does it always copy Sender into there? Or Return-Path? Or is it doing something even more stupid?

E.g., an outgoing message, as received at Google, looks like this:

Return-Path: <A@gmail.com>
Received: from ... by mx.google.com ... TLSv1
Sender: A@gmail.com
From: Full Name <A@dnalounge.com>
X-Mailer: Apple Mail (2.2070.6)

And then when some schmuck who has the poor taste to be using Outlook hits reply, this is what comes back:

Delivered-To: A@gmail.com
Return-Path: <B@example.com>
Received: ... by mx.google.com ... for <A@gmail.com> ... TLSv1.2
Received-SPF: neutral ... neither permitted nor denied
Authentication-Results: ... spf=neutral
Received: ... TLSv1 for <A@dnalounge.com>
From: "Other Guy" <B@example.com>
To: "'Full Name'" <A@dnalounge.com>
X-Mailer: Microsoft Office Outlook 12.0

Herp derp I top-reply

-----Original Message-----
From: Full Name [mailto:A@gmail.com] On Behalf Of Full Name
Sent: Wednesday, March 04, 2015 9:01 PM
To: Other Guy

Herp derp I quote the entire message

Now I'm just an unfrozen caveman, your modern MICROS~1 ways frighten and confuse me, but one thing that I DO know is that presenting a mailto: link pointing at the contents of the Sender: header is complete insanity and I would like it to stop.
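
The outgoing headers quoted above, as an added example that is not part of the original post: a check that reports which addresses in Sender: and Return-Path: do not appear in From:, the mismatch the post ties to the "On Behalf Of" text. The function names and the placeholder body are assumptions made for this illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: the outgoing headers quoted in the post, with the
# elided Received: line dropped and a placeholder body added.
SAMPLE = """\
Return-Path: <A@gmail.com>
Sender: A@gmail.com
From: Full Name <A@dnalounge.com>
X-Mailer: Apple Mail (2.2070.6)

body
"""

def _addrs(msg, header):
    """Return the set of addresses found in every occurrence of one header.

    Addresses are lowercased so the comparison is case-insensitive, which is
    how mail systems treat them in practice.
    """
    values = msg.get_all(header, [])
    return {addr.strip().lower() for _, addr in getaddresses(values) if addr}

def sender_leak(raw):
    """Map header name -> sorted addresses that are absent from From:.

    Only Sender: and Return-Path: are inspected; a null Return-Path (<>)
    yields no address and is ignored.
    """
    msg = message_from_string(raw)
    from_addrs = _addrs(msg, "From")
    report = {}
    for header in ("Sender", "Return-Path"):
        extra = _addrs(msg, header) - from_addrs
        if extra:
            report[header] = sorted(extra)
    return report

def sender_mismatch(raw):
    """True when Sender: names an address that From: does not."""
    return "Sender" in sender_leak(raw)

if __name__ == "__main__":
    print(sender_leak(SAMPLE))
    print(sender_mismatch(SAMPLE))
```

Run over a copy of your own outgoing mail as received elsewhere, this shows which underlying address a recipient's client has available to display next to the From: address.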



14 Responses:

  1. Injector says:

    It definitely copies Sender: there. Dropping that header on my servers kept Outlook from showing that text.

    • Tony Finch says:

      Yep, it is just the Sender: header that is to blame.

    • Ryan Steele says:

      In case you needed further confirmation, Google's help page about sending mail from a different address or alias mentions this:

      If the address you’re adding is hosted by Google (either a Google Apps account or a @gmail.com address), your original address will still be included in your email header's sender field to help prevent your mail from being marked as spam. Most email clients don't display the sender field, though some versions of Microsoft Outlook may display "From yourusername@gmail.com on behalf of customaddress@mydomain.com."

      • Ryan Steele says:

        Upon re-reading that quote, I'm pretty sure there's a typo on their help page and it should say "If the address you're adding isn't hosted by Google".

      • jwz says:

        So I can only stop this by getting the Sender header to be a copy of the From header, and I can't do that because Google.


        • Ryan Steele says:

          I know a couple folks suggested SRS in the other thread. If I'm understanding correctly, it would fix this issue too, at least in the case where a staff member is replying to a message.

          If they're composing a new message, you could have some type of scheme where they address the message to forwarder=b=example.com@dnalounge.com and have your server forward it along (after verifying that a@gmail.com is on your list of authorized senders, of course).

          I'm pretty sure that forcing your employees to use your IMAP server is the less terrible of these two options, though.

  2. jrrs says:

    A colleague always referred to that piece of software as "Lookout" mostly because he disliked/distrusted the GUI.

    • jwb says:

      We used to call it Outbreak on account of its alacrity in spreading of viruses.

  3. Viqsi says:

    Outlook and Exchange have this thing in which you can "delegate" usage of your mail (and calendar, and contact, and etc.) account to some other account (with various possible privilege restrictions as well), and when that other account sends mail using your account it does that "on behalf of" stuff. It's meant for things like secretaries answering mail for their bosses and other similar Proper Orgchart Management scenarios. It wouldn't totally shock me, tho, if some well-intentioned but misguided type tried to use it as a means of good old fashioned email address aliasing. I've certainly never seen it Used As Intended in the wild myself - in my experience, the folks who know about it don't bother to use such a silly thing and the folks who would gleefully make use of it don't have the knowhow to set it up properly and consistently.

    • That's roughly accurate. Exchange/Outlook track shared access to an account (for exactly the executive assistant "delegation" use, which many organizations do use). That'd be sorta okay, but then when they hand things off to the outside world via SMTP they abuse Sender, From, and Return-Path fields to mean specific things internally so that they expand for their definition of properly in another Exchange island. And, apparently, now they assume that mismatches between those headers mean that you're speaking their form of steganography too, and write that into the headers of recipients.

      See also https://github.com/PHPMailer/PHPMailer/issues/144 (but I lost patience about halfway through that, so I'm not sure it actually gets anywhere useful).

      Since nothing dnalounge.com actually manages is involved in the outgoing path, there's not much to do about this. (I think setting Reply-To makes Outlook at least ask to do the right thing, but that "fix" for the core problem here, where someone sends an email from A@dnalounge.com to somebody, then somebody's MUA causes them to respond to A@gmail.com, is a game of whack-a-mole telling all the @dnalounge.com to set their outgoing Reply-To headers.)

      • jwz says:

        Is there perhaps some magic Exchange-specific header I can inject into these messages, pre-Google, that tells Exchange "don't fucking do this"?

        I apparently do not have the search fu to answer the question "what Exchange-specific headers are there and what do they do?"

        • Ryan Steele says:

          @jwz: I don't think Exchange has anything to do with it. Outlook displays the "on behalf of" when the Sender: header is present, no matter what type of server the Outlook user's mailbox is on.

          @Viqsi and Gabriel: Yes, if user A on an Exchange server is a delegate of user B, and A sends a message with B's address in the From: field, the recipient will see "From: A on behalf of B", but Exchange is just adding the Sender: header, just like Gmail is doing when you specify an alternate From: address.

          As you can see from the headers jwz supplied, Outlook is already doing the right thing as far as addressing the reply:

          To: "'Full Name'" <A@dnalounge.com>

          The only problem jwz wants to fix is that the sender's Gmail address winds up in the quoted text.

          • flodadolf says:

            @ryan, @jwz, [...]

            I gather that the problem here is that employees are using Gmail as their interface for Teh Official DNA Mailserver (see also: H. Clinton), with forwarding and such. And that the issue reported is not the addressing, per se, but the reporting of that addressing by a particular Windows client from Redmond.

            I do that, too, with my prior-but-still-contracting-for employer and a free currently-hosted GApps for Domains...domain, that I've had for most of a decade or so. Never had a complaint, but never asked.

            Is there magic introduced in Gmail's settings when you define an outgoing mail server for a particular? Because that may (in theory) allow Gmail to act like a regular SMTP sender, without any of this nonsense.

            Most of the clients I deal with are in government, and are therefore force-fed Outlook, and I handle all of them using forwarding and a Gmail alias.

            (But I do have the outgoing SMTP server properly defined with GOOGL, and it does have proper password authentication happening -- as verified by Postfix logs, when I still had easy access to Postfix logs.)

    • hattifattener says:

      That is the original purpose of the Sender: header (From: Big Shot; Sender: Big Shot's Secretary), from what I remember of the early RFCs. It sounds like, bizarrely, Microsoft is doing an almost-reasonable thing here.