[evgen]

No mail provider is going to be stupid enough to let a client application relay mail without the user inputing a username/password combo, and I would hope that most users these days are not dumb enough to blindly hand their mail authentication credentials to some random website. This leaves two options, forging the From: header or sending from your own domain. The former will get marked as spam by anything honoring/using SPF, so that is not really a smart move. The best option is to send it from your own site but include the inviters name at the start of the subject line (e.g. Subject: bob.jones@gmail.com invites you to try foo.com)

[ojbyrne]

I used two pretty big sites (kayak.com and nytimes.com) in the last couple of days that put my email in the From: header. Admittedly as a result of my specific action, but that's a user contract issue rather than getting through spam filters - which they didn't seem to have a problem with.

[natrius]

"I would hope that most users these days are not dumb enough to blindly hand their mail authentication credentials to some random website."

That's exactly what most sites that let you import contacts ask their users to do.