When a comment gets posted to my blog, the server sends me an email to let me know. In most cases it lands in my spam folder, and with good reason. WordPress is doing something dumb.

The email is using the “From” address which the commenter provided. With modern SPF, DMARC, and DKIM protocols, which are almost mandatory today, the owner of an email account indicates which servers are authorized to use its address. The receiving IMAP or POP server will check if it came from an authorized IP address. If it didn’t, the server may mark it as spam or block it completely. Failure to do authentication properly is one of the biggest reasons legitimate mail gets flagged.

People posting comments on my blog aren’t going to authorize my WordPress server to send email for them. When my personal email server gets a message with a “From” address that belongs to the commenter but a received-mail path that comes from the website server, it looks exactly like impersonation. Technically, it is.

I don’t know why WordPress does it this way. It could use a “From” address on garymcgath.com for comment notifications, and the mail would almost certainly get through.

This means I usually don’t see comment notifications, so it may take longer for me to reply. Sorry.