From name and email accurately identify the sender; not spoofed
Why it matters
CAN-SPAM §5(a)(1) prohibits falsified or misleading From, To, Reply-To, and routing headers. Sending from noreply@sendgrid.net instead of a verified company domain means recipients see an unfamiliar sender, a common spam signal, and the business has no ownership over the sending reputation. CASL Section 6 imposes the same identification requirement for Canadian recipients. CWE-290 (Authentication Bypass by Spoofing) covers the technical dimension: DMARC only passes when the From domain is aligned with the domain that SPF or DKIM authenticated, so a From address on a domain the organization has not authenticated (a provider's shared domain, or a brand domain with no DKIM set up) cannot pass DMARC for that domain, receivers reject or quarantine the mail depending on the published policy, and no reputation accrues to the domain the brand actually owns.
Severity rationale
Critical because an inaccurate From identity simultaneously violates CAN-SPAM §5(a)(1) and CASL S6, fails DMARC alignment (which causes bulk delivery failures), and constitutes sender spoofing under CWE-290.
Remediation
Configure a verified sending domain in your email provider and enforce it in code at startup.
// lib/email.ts — verified, brand-consistent sender
// `client` is the provider SDK wrapper (SendGrid, Postmark, SES, ...) already used by the app.
type EmailOptions = { to: string; subject: string; html: string }
const FROM_EMAIL = process.env.FROM_EMAIL ?? 'hello@yourproduct.com'
const FROM_NAME = process.env.FROM_NAME ?? 'Your Product'
// Fail hard at startup if env is wrong — don't silently fall back.
// Check the full '@domain' suffix: includes('@yourproduct.com') would also accept
// 'hello@yourproduct.com.evil.example', and endsWith('yourproduct.com') would accept
// 'hello@notyourproduct.com'.
if (!FROM_EMAIL.endsWith('@yourproduct.com')) {
  throw new Error('FROM_EMAIL must use the verified sending domain')
}
export async function sendEmail({ to, subject, html }: EmailOptions) {
  return client.send({
    from: `${FROM_NAME} <${FROM_EMAIL}>`, // accurate sender identity
    to, subject, html,
  })
}
Verify domain ownership in your provider's dashboard before sending: SendGrid > Settings > Sender Authentication; Postmark > Sender Signatures; AWS SES > Verified Identities. Gmail's and Yahoo's 2024 bulk-sender requirements (Gmail's threshold is 5,000 messages per day) mandate both SPF and DKIM authentication, a DMARC record for the From domain, and alignment between the From domain and the authenticated domain; until DKIM is configured on your own domain, bulk sends will fail them.
Detection
- ID: accurate-from
- Severity: critical
- What to look for: Enumerate every relevant item. CAN-SPAM Section 5(a)(1) prohibits falsified or misleading "From," "To," "Reply-To," and routing information. Examine every email-sending call in the codebase: what is the from address? Is it a verified domain that actually belongs to the organization? Common violations in AI-built apps: using a generic third-party sender domain (like noreply@sendgrid.net) without custom domain setup, hardcoding a from address that doesn't match the application's domain, or using a display name like "Customer Support" with a from address from a completely different company. Check whether the sending domain is verified in the email service (this is typically visible in env var patterns referencing verified domain credentials or in setup documentation; look for SENDGRID_VERIFIED_DOMAIN, FROM_EMAIL, or equivalent).
- Pass criteria: All of the following conditions are met. All email is sent from an address on a domain that the organization owns and has verified with the email service provider. The from display name accurately represents the product or company. No use of misleading sender names designed to impersonate another brand.
- Fail criteria: Email is sent from an unverified domain. The from address uses a domain not owned by the organization. Display name is deceptive or misrepresents the sender. Reply-To is set to an address at a different domain than From with no disclosure.
- Skip (N/A) when: The application sends no email at all.
- Detail on fail: Example: "All emails sent from noreply@mg.example.com but the application is branded as AcmeCorp — no custom domain configured in Mailgun. Users see an unfamiliar sender domain." or "From display name set to 'PayPal Support' in email template; application is not affiliated with PayPal."
- Remediation: Configure a verified sending domain and use it consistently:
  // lib/email.ts — use a verified, brand-consistent from address
  const FROM_EMAIL = process.env.FROM_EMAIL ?? 'hello@yourproduct.com'
  const FROM_NAME = process.env.FROM_NAME ?? 'Your Product'
  // Validate at startup that FROM_EMAIL is set and uses your domain
  if (!FROM_EMAIL.endsWith('@yourproduct.com')) {
    throw new Error('FROM_EMAIL must use the verified sending domain')
  }
  export async function sendEmail({ to, subject, html }: EmailOptions) {
    return client.send({
      from: `${FROM_NAME} <${FROM_EMAIL}>`, // accurate sender identity
      to, subject, html,
    })
  }
  Verify your sending domain in your email provider's dashboard (SendGrid: Settings > Sender Authentication; Postmark: Sender Signatures; AWS SES: Verified Identities). Until domain verification is complete, your emails may be flagged as spam.
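The following is an added example, not code from the original page or from any product the page describes. It implements the check behind both the Remediation and the Detection items above: `checkSenderIdentity` validates a From (and optional Reply-To) value against the verified-domain allowlist, correctly handling the suffix bypasses that a plain `includes`/`endsWith` check misses, and `scanSource` applies the same check to `from:` literals pulled out of source text, flagging runtime-interpolated values for manual review. The domain lists, allowed display names and the sample source lines are constructed assumptions for illustration.

```typescript
// Added example (not the page's own code). Domain lists and samples are constructed.

// Assumption: this domain has been verified in the ESP dashboard.
const VERIFIED_DOMAINS = ['yourproduct.com']
// Assumption: display names the product is allowed to send under.
const ALLOWED_DISPLAY_NAMES = ['Your Product', 'Your Product Support']
// Constructed list of provider default domains that a tenant does not own.
const THIRD_PARTY_SENDER_DOMAINS = ['sendgrid.net', 'mailgun.org']

export interface ParsedAddress { name: string; address: string; domain: string }
export interface SenderFinding { code: string; detail: string }
export interface ScanHit { line: number; value: string; findings: SenderFinding[] }

// Accepts `addr@example` or `Display Name <addr@example>` (quotes around the name optional).
export function parseAddress(raw: string): ParsedAddress | null {
  const m = raw.trim().match(/^(?:"?([^"<]*?)"?\s*)?<([^<>\s]+@[^<>\s]+)>$|^([^\s<>]+@[^\s<>]+)$/)
  if (!m) return null
  const address = (m[2] ?? m[3] ?? '').toLowerCase()
  return { name: (m[1] ?? '').trim(), address, domain: address.slice(address.lastIndexOf('@') + 1) }
}

// Exact match or a real subdomain (dot-separated) of an entry in `list`.
function matchesAny(domain: string, list: string[]): boolean {
  const d = domain.toLowerCase()
  return list.some(v => d === v || d.endsWith('.' + v))
}

// endsWith('yourproduct.com') would accept 'notyourproduct.com' and
// includes('@yourproduct.com') would accept 'hello@yourproduct.com.evil.example';
// requiring the '.' boundary rejects both.
export function isVerifiedDomain(domain: string, verified: string[] = VERIFIED_DOMAINS): boolean {
  return matchesAny(domain, verified)
}

// Returns an empty array when the sender identity is acceptable.
export function checkSenderIdentity(from: string, replyTo?: string): SenderFinding[] {
  if (from.includes('${')) {
    // Interpolated at runtime; a static scan cannot resolve it, so hand it to a reviewer.
    return [{ code: 'dynamic-value-review', detail: from }]
  }
  const f = parseAddress(from)
  if (!f) return [{ code: 'unparseable-from', detail: from }]
  const findings: SenderFinding[] = []
  if (!isVerifiedDomain(f.domain)) findings.push({ code: 'unverified-from-domain', detail: f.domain })
  if (matchesAny(f.domain, THIRD_PARTY_SENDER_DOMAINS)) findings.push({ code: 'third-party-sender-domain', detail: f.domain })
  if (f.name && !ALLOWED_DISPLAY_NAMES.some(n => n.toLowerCase() === f.name.toLowerCase())) {
    findings.push({ code: 'display-name-not-brand', detail: f.name })
  }
  if (replyTo) {
    const r = parseAddress(replyTo)
    if (!r) findings.push({ code: 'unparseable-reply-to', detail: replyTo })
    // The rule permits a different Reply-To domain only with disclosure, which code cannot show; flag for review.
    else if (r.domain !== f.domain) findings.push({ code: 'reply-to-domain-mismatch', detail: `${f.domain} -> ${r.domain}` })
  }
  return findings
}

// Startup enforcement: refuse to boot with a misconfigured sender (use in place of a bare suffix check).
export function assertSenderConfig(fromName: string, fromEmail: string, replyTo?: string): void {
  const findings = checkSenderIdentity(`${fromName} <${fromEmail}>`, replyTo)
  if (findings.length > 0) {
    throw new Error('Sender identity check failed: ' + findings.map(x => `${x.code}(${x.detail})`).join(', '))
  }
}

// Static scan: pulls every `from: '<literal>'` out of JS/TS source, one hit per occurrence.
export function scanSource(source: string): ScanHit[] {
  const hits: ScanHit[] = []
  source.split('\n').forEach((text, i) => {
    const re = /\bfrom\s*:\s*(['"`])(.*?)\1/g
    let m: RegExpExecArray | null
    while ((m = re.exec(text)) !== null) {
      hits.push({ line: i + 1, value: m[2], findings: checkSenderIdentity(m[2]) })
    }
  })
  return hits
}

// Constructed sample source lines (not from any real project).
export const SAMPLE_SOURCE = [
  "client.send({ from: 'noreply@sendgrid.net', to, subject, html })",
  "client.send({ from: 'Customer Support <support@other-company.example>', to, subject, html })",
  "client.send({ from: 'PayPal Support <help@yourproduct.com>', to, subject, html })",
  "client.send({ from: `${FROM_NAME} <${FROM_EMAIL}>`, to, subject, html })",
  "client.send({ from: 'Your Product <hello@yourproduct.com>', to, subject, html })",
].join('\n')

for (const hit of scanSource(SAMPLE_SOURCE)) {
  console.log(`line ${hit.line}: ${hit.value} -> ${hit.findings.map(x => x.code).join(', ') || 'ok'}`)
}
```

Only the last sample line comes back clean; the first two fail on domain, the third passes the domain check but is caught by the display-name allowlist, and the template literal is reported for manual review rather than silently passed. Calling `assertSenderConfig(FROM_NAME, FROM_EMAIL)` at module load gives the same startup guarantee as the suffix check in the remediation code, with the suffix bypasses closed.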
External references
- external · CAN-SPAM-§5(a)(1) — CAN-SPAM Act §5(a)(1) — Prohibition on false or misleading header information
- cwe · CWE-290 — Authentication Bypass by Spoofing
- external · CASL-S6 — CASL S.6 — Sender identification requirements
Taxons
History
- 2026-04-18·v1.0.0·Initial import from email-sms-compliance·automated