How to prevent Connections from spoofing mails
Here’s a quick tip about a lesser-known feature in HCL Connections — one that even I only discovered yesterday.
The Problem: Spoofed Emails from Connections
When you add or remove a user from a community in HCL Connections, the system automatically sends them an email. By default, this email appears to come from the user who performed the action — i.e., their name and email address are used as the sender. This behavior applies to various other user-triggered events as well.
While this may seem harmless, it essentially means that Connections is spoofing the sender’s email address. This becomes particularly problematic when the sender’s domain is external (e.g., from a partner organization). Your mail server then appears to be sending messages on behalf of another domain — a practice that can trigger spam filters and damage your mail server’s reputation.
The Solution: Global Sender Configuration
Fortunately, starting with Connections 6 CR4, IBM introduced a fix, though it’s easy to miss because it’s not included in the default notification-config.xml. There are two key properties you can add to mitigate the spoofing issue:
Relevant Properties
<!-- Use the global sender address for all notifications -->
<property name="alwaysUseGlobalSender">true</property>
<!-- Include the original sender as the Reply-To address -->
<property name="includeOriginalSenderAsReplyTo">true</property>
Here’s what each one does:
alwaysUseGlobalSender (true/false): When set to true, all system emails (like community add/remove notifications) are sent from the global sender address defined by the globalSenderEmailAddress property. When false, emails are sent from the user who triggered the event.
includeOriginalSenderAsReplyTo (true/false): When true (which is also the default), the original sender’s email address is still included in the email’s Reply-To field. This lets recipients respond directly to the user, even though the email was sent from the global address.
How to Configure It
Edit your notification-config.xml file and add the properties shown above near the top of the <properties> section. Here’s an example of how it might look:
<properties>
    <property name="globalSenderEmailAddress">global-admin@example.com</property>
    <!-- If true a link to Connections Mobile service will be included in
         Notifications (where applicable) -->
    <property name="includeMobileLinksInNotifications">false</property>
    <!-- If true no embedded experience mime parts will be included in notifications -->
    <property name="disableEmbeddedAppsInNotifications">false</property>
    <!-- Name of template theme directory in LotusConnections-config -->
    <property name="globalNotificationTemplateTheme">notifications_v2</property>
    <!-- If true enable themed notification email templates, default: false -->
    <property name="globalNotificationTemplateThemeEnable">false</property>
    <!-- Use the global sender address for all notifications -->
    <property name="alwaysUseGlobalSender">true</property>
    <!-- Include the original sender as the Reply-To address -->
    <property name="includeOriginalSenderAsReplyTo">true</property>
</properties>
Don’t forget to replace the placeholder email address in globalSenderEmailAddress with a valid address from your own domain.
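To confirm the change on a deployed notification-config.xml, the following check reads the three properties discussed above and reports anything that would still send mail under a user's address or under a domain you don't own. It is an added example, not code from HCL or from this post; the function names, the own_domains parameter, the <config> wrapper element and the sample values are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the <properties> excerpt above.
SAMPLE = """<config>
  <properties>
    <property name="globalSenderEmailAddress">global-admin@example.com</property>
    <property name="alwaysUseGlobalSender">true</property>
  </properties>
</config>"""


def read_properties(xml_text):
    """Return {name: value} for every <property> element, ignoring namespaces."""
    props = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "property" and el.get("name"):
            props[el.get("name")] = (el.text or "").strip()
    return props


def audit(xml_text, own_domains):
    """List findings that leave notifications sent under a user's address
    or under a domain this mail server does not own."""
    props = read_properties(xml_text)
    findings = []

    # Not in the default file, so a missing entry means the old behaviour.
    if props.get("alwaysUseGlobalSender", "").lower() != "true":
        findings.append("alwaysUseGlobalSender is missing or not true")

    sender = props.get("globalSenderEmailAddress", "")
    domain = sender.rpartition("@")[2].lower()
    if not sender or "@" not in sender:
        findings.append("globalSenderEmailAddress is missing or not an address")
    elif domain not in {d.lower() for d in own_domains}:
        findings.append(f"global sender domain {domain!r} is not one of your domains")

    # Per the post, Reply-To defaults to true; only an explicit false drops it.
    if props.get("includeOriginalSenderAsReplyTo", "true").lower() == "false":
        findings.append("includeOriginalSenderAsReplyTo is false: replies go to the global address")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE, own_domains=["corp.example"]) or ["OK"]:
        print(line)
```

Pass as own_domains the domains your mail server is authorized to send for, so that a leftover placeholder address is reported as well.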