diff --git a/email_handler.py b/email_handler.py
index a2e7519d..fd1397b2 100644
--- a/email_handler.py
+++ b/email_handler.py
@@ -1010,6 +1010,7 @@ def handle_unknown_mailbox(
authorize_address_link = (
f"{URL}/dashboard/mailbox/{alias.mailbox_id}/#authorized-address"
)
+ mailbox_emails = [mailbox.email for mailbox in alias.mailboxes]
send_email_with_rate_control(
user,
ALERT_REVERSE_ALIAS_UNKNOWN_MAILBOX,
@@ -1021,6 +1022,7 @@ def handle_unknown_mailbox(
alias=alias,
sender=envelope.mail_from,
authorize_address_link=authorize_address_link,
+ mailbox_emails=mailbox_emails
),
render(
"transactional/reply-must-use-personal-email.html",
@@ -1028,6 +1030,7 @@ def handle_unknown_mailbox(
alias=alias,
sender=envelope.mail_from,
authorize_address_link=authorize_address_link,
+ mailbox_emails=mailbox_emails
),
)
diff --git a/templates/emails/transactional/reply-must-use-personal-email.html b/templates/emails/transactional/reply-must-use-personal-email.html
index ce01c603..29e84e32 100644
--- a/templates/emails/transactional/reply-must-use-personal-email.html
+++ b/templates/emails/transactional/reply-must-use-personal-email.html
@@ -8,10 +8,8 @@
{% endcall %}
{% call text() %}
- Please note that sending from this alias only works from one of these mailboxes:
- {% for mailbox in alias.mailboxes %}
- - {{ mailbox.email }}
- {% endfor %}
+ Please note that sending from this alias only works from alias's owning mailboxes, that are
+ {{ mailbox_emails|join(", ") }}
{% endcall %}
{% call text() %}
diff --git a/templates/emails/transactional/reply-must-use-personal-email.txt b/templates/emails/transactional/reply-must-use-personal-email.txt
index 3f64d520..bd863c94 100644
--- a/templates/emails/transactional/reply-must-use-personal-email.txt
+++ b/templates/emails/transactional/reply-must-use-personal-email.txt
@@ -2,11 +2,8 @@ Hi {{name}}
We have recorded an attempt to send an email from your alias {{ alias.email }} using {{ sender }}.
-Please note that sending from this alias only works from one of these mailboxes:
-
-{% for mailbox in alias.mailboxes %}
-- {{mailbox.email}}
-{% endfor %}
+Please note that sending from this alias only works from alias's owning mailboxes, that are
+ {{ mailbox_emails|join(", ") }}
This is to protect against "email spoofing", i.e. someone else sending emails from your mailbox.
If {{ sender }} can indeed send emails from your alias, you can add it to the allow list on {{authorize_address_link}}