
Host Header Poisoning

However, in some scenarios the web server does need to know which domain it is running on. For instance, when a web application generates transactional emails, any links in those emails will be opened from an external source (the email client), so they need to be absolute URLs that contain the domain.

A Hyperlink in an Email
<!-- Links in emails DO need the domain specified. -->
<a href="https://www.website.com/reset/318ae962fe1">
  Click here to reset your password
</a>
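
The domain in a link like the one above has to come from somewhere. As an added example (not part of the original lesson), this Python sketch contrasts taking it from the request's Host header with taking it from server-side configuration. `CANONICAL_ORIGIN`, `ALLOWED_HOSTS` and all function names are assumptions made for illustration.

```python
from urllib.parse import quote, urljoin

# Assumed deployment configuration (constructed values for this example).
CANONICAL_ORIGIN = "https://www.website.com"
ALLOWED_HOSTS = {"www.website.com", "website.com"}


def host_is_trusted(host_header):
    """Return True only if the Host header names a domain this site serves."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    # Split off an optional port; anything non-numeric after ":" is rejected.
    hostname, _, port = host.partition(":")
    if port and not port.isdigit():
        return False
    return hostname in ALLOWED_HOSTS


def reset_link_from_host_header(host_header, token):
    """Weak pattern: the emailed domain is whatever the client sent as Host."""
    return f"https://{host_header}/reset/{quote(token, safe='')}"


def reset_link_from_config(token):
    """Hardened pattern: the domain comes from server-side configuration only."""
    return urljoin(CANONICAL_ORIGIN + "/", "reset/" + quote(token, safe=""))


def build_reset_email(host_header, token):
    """Refuse requests for unknown hosts, then build the link from config."""
    if not host_is_trusted(host_header):
        raise ValueError("untrusted Host header")
    link = reset_link_from_config(token)
    return f'<a href="{link}">Click here to reset your password</a>'


if __name__ == "__main__":
    token = "318ae962fe1"  # token value taken from the lesson's sample link
    # "attacker.example" is a constructed, reserved-TLD hostname.
    print(reset_link_from_host_header("attacker.example", token))
    print(build_reset_email("www.website.com", token))
```

The allowlist check and the configured origin are independent controls: even if the check were skipped, the emailed link would still point at the configured domain.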