[wp-trac] [WordPress Trac] #60420: Default wordpress at site.com sender address can be problematic

WordPress Trac noreply at wordpress.org
Wed Dec 3 15:32:12 UTC 2025 

#60420: Default wordpress at site.com sender address can be problematic
-----------------------------+------------------------------
 Reporter:  thinlinecz       |       Owner:  (none)
     Type:  feature request  |      Status:  reopened
 Priority:  normal           |   Milestone:  Awaiting Review
Component:  Mail             |     Version:  1.5.1.2
 Severity:  normal           |  Resolution:
 Keywords:  close            |     Focuses:
-----------------------------+------------------------------

Comment (by mvl22):

 As someone who runs a fair number of WordPress installations across
 multiple organisations, I continually run into this problem. I do think
 this really has to be addressed.

 Mail handling is nothing like it was 20 years ago when
 https://core.trac.wordpress.org/changeset/3214 was created. No credible
 mail system will now just blindly accept a randomised webmaster@[domain]
 address without the relevant DNS set up for it.

 I have plenty of installations whose domain does not have an associated MX
 record, and will not have for security as we do not want to be processing
 incoming e-mail. Instead, we want to be able to set a general address used
 by the server administrator who is responsible for security, since it is
 they who are responsible for patching etc and so need to see
 notifications.

 I do not think forcing the requirement to create a plugin and define a
 `wp_mail_from` value is acceptable. Update notifications are a security
 matter. The from address should therefore be settable by an administrator
 easily, just as any other setting is.

 To me the solution is straightforward and simple, and can be implemented
 in a backwards-compatible way.

 Currently there is a hard-coded use of webmaster@[domain] set by this:
 https://github.com/WordPress/WordPress/blob/550376599471c7f7b0560766a06980ba3fe15acc
 /wp-includes/pluggable.php#L407-L426

 **There should simply be an optional `mail_from` admin setting added, and
 that isSet() block at the start set the mail_from value if it is non-
 empty.**

 wp cli should then be able to set the `mail_from` admin setting, so that
 we can then add this to existing scripts. The inability to script this at
 present is a major pain.

 **This does not break BC** because only those who care about this problem
 need to set the mail_from. Everyone else will continue to get spam-
 filtered notifications if they don't have MX set up or whatever and suffer
 the downsides of that. But they now have a simple setting to change it if
 they want.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/60420#comment:35>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list