Currently the From: address on notifications and user messages is the user's own primary email address. This may be an unexpected exposure of their email address. It is also invalid/forged and causes SPF and DKIM failures, which sometimes causes mail to be classified as spam.
We should make an option to have the From: be a different address, like noreply@ or the artifact id, or an alias for the user somehow, etc.
Why not use the Sender?
Sender: tickets@allura.p.forge-allura.apache.org
Or indeed set From to tickets@ and drop Sender.
It does not make sense for the From header value to be the recipient address.
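
The two header layouts discussed in this ticket, side by side, as an added example (not Allura's code). The function names, the "via forge" display-name suffix and the sample user are assumptions made for illustration; the tickets@ address is the one quoted in the thread.

```python
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

# Constructed values for illustration; not Allura's real configuration.
FORGE_DOMAINS = {"allura.p.forge-allura.apache.org"}
ARTIFACT_ADDR = "tickets@allura.p.forge-allura.apache.org"


def domain_of(header_value):
    """Return the lower-cased domain of the address in a From/Sender value."""
    addr = parseaddr(str(header_value))[1]
    return addr.rpartition("@")[2].lower()


def build_notification(user_name, user_email, recipient, subject, body,
                       expose_user_address=False):
    """Build a notification in either the current or the proposed layout."""
    msg = EmailMessage()
    if expose_user_address:
        # Behaviour described in the ticket: the user's own address in From,
        # the forge address only in Sender.
        msg["From"] = formataddr((user_name, user_email))
        msg["Sender"] = ARTIFACT_ADDR
    else:
        # Proposed behaviour: keep the user's display name for readability,
        # put the artifact address in From, and drop Sender.
        msg["From"] = formataddr((f"{user_name} via forge", ARTIFACT_ADDR))
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def from_is_forge_owned(msg):
    """True when the From domain is one the forge itself sends mail for."""
    return domain_of(msg["From"]) in FORGE_DOMAINS


if __name__ == "__main__":
    for expose in (True, False):
        m = build_notification("Alice Example", "alice@example.com",
                               "bob@example.org", "[tickets] update",
                               "Ticket changed.", expose_user_address=expose)
        print(m["From"], "| Sender:", m["Sender"],
              "| forge-owned From:", from_is_forge_owned(m))
```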