When you've configured Odoo to send or receive emails, maybe you'll notice when a notification email containing the customer's reply has the customer's email address as the sender. This behaviour called "Email Spoofing".

Email spoofing is the creation of email messages with a forged sender address. The term applies to email purporting to be from an address which is not actually the sender's; mail sent in reply to that address may bounce or be delivered to an unrelated party whose identity has been faked [1].

To avoid that problem, make sure all emails use a “From” address from the same authorized domain. In the earlier Odoo version, we can use one of these system parameters [2]:

• mail.force.smtp.from
• mail.dynamic.smtp.from

But, in Odoo 16.0 those system parameters is removed and a new mechanism is introduced in PR#61853. Then, how we can configure the "No Spoofing" approach in Odoo 16?

You'll need to go to "Settings/General Settings" menu. In "Discuss" section, please check on "Custom Email Servers" option. Please fill in your alias domain, for example is tammam.id. Then click on Save button.

Then, open the outgoing mail server record to add value in the "FROM Filtering" field. You can fill it in with the email address that is treated as the sender address of the notification email, e.g. [email protected] or [email protected]. Then click on Save button.

If you've configured it properly when a customer with the email address [email protected] responds to a message, and then Odoo will try to redistribute that same email to the other subscribers in the thread with the sender address formatted like this: "Mary" <[email protected]> or maybe "Mary ([email protected])" <[email protected]>.

Cover image by Hiroshi Kimura on Unsplash.

References:

1. Email spoofing
2. Use a default “From” email address