Description
Issue Description
"from": ""[email protected]" [email protected]"
[email protected]), the display name includes the logged-in user's email ([email protected]). If this user's domain is different from the Mailgun domain, SPF validation fails and the email may not be delivered.
The issue appears to be that both the user’s domain and the authenticated Mailgun domain are being passed to Mailgun during the send operation. This violates standard SPF policy checks when the domains are mismatched.
Expected Behavior
Only the authenticated sender address (e.g., [email protected]) should be used in the From header, both in the actual email and in what is sent to Mailgun.
Current Behavior
Impact
High – Emails are not being delivered to recipients when domains mismatch, due to SPF failures.
Suggested Fix
Review the code responsible for email dispatching, identify where the From header is constructed, and ensure it only uses the authenticated Mailgun email address.
Steps to reproduce
Configure Mailgun with a domain (e.g., dominioconfiguradomailgun.com).
Log in as a user with an email on a different domain (e.g., [email protected]).
Trigger an email send.
Observe that the email fails SPF check due to the mismatch in From header.
Screenshots of the issue (optional)
Operating System [e.g. MacOS Sonoma 14.1, Windows 11]
Ubuntu 22.04
What browsers are you seeing the problem on?
Chrome
What version of OpenSign™ are you seeing this issue on? [e.g. 1.0.6]
0.1.0
What environment are you seeing the problem on?
Hosted (app.yourdomain.com)
Please check the boxes that apply to this issue report.
- I have searched the existing issues & discussions to make sure that this is not a duplicate.
Code of Conduct
- I agree to follow this project's Code of Conduct
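A sketch of the check the suggested fix calls for, added here as an example; it is not part of the report and not OpenSign's code. The function names `foreignDomains` and `buildFromHeader` are hypothetical, and every address and domain in it is a constructed sample value.

```javascript
// Added example: hypothetical helpers, not OpenSign's code.
// Matches an e-mail-like token and captures its domain.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+)/g;

// Return every domain found in a From header value (display name included)
// that is not the authenticated Mailgun domain. Empty array means clean.
function foreignDomains(fromHeader, mailgunDomain) {
  const want = mailgunDomain.toLowerCase();
  const found = new Set();
  for (const m of fromHeader.matchAll(EMAIL_RE)) {
    const domain = m[1].toLowerCase().replace(/\.+$/, "");
    if (domain !== want) found.add(domain);
  }
  return [...found];
}

// Build a From header whose only address is the authenticated sender.
// The display name is kept, minus any embedded address.
function buildFromHeader(displayName, mailgunSender, mailgunDomain) {
  const sender = mailgunSender.trim();
  const at = sender.lastIndexOf("@");
  if (at < 1 || /[\s<>"]/.test(sender) ||
      sender.slice(at + 1).toLowerCase() !== mailgunDomain.toLowerCase()) {
    throw new Error("sender is not an address on the Mailgun domain");
  }
  const name = String(displayName || "")
    .replace(EMAIL_RE, " ")        // drop any address embedded in the name
    .replace(/[\r\n"<>\\]/g, " ")  // drop characters that could break the header
    .replace(/\s+/g, " ")
    .trim();
  return name ? `"${name}" <${sender}>` : sender;
}
```

Running `foreignDomains` over the outgoing `from` value in a unit test for the send path gives a regression check for this issue.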