Do email providers somehow validate/control "Send email as: " feature?



  • I have a domain for a website that I'm going to deploy soon. I've registered a gmail account, and let's say it is myWebsite@gmail.com. In order to look more professional, I decided to use gmail's "Send email as:" feature, and now I'm able to send emails as contact@myWebsite.com.

    What I was very surprised to learn that there wasn't any validation that I own myWebsite.com domain. As a result, a couple of questions popped up in my mind.

    1. I guess other email providers provide the same functionality "Send email as:". Therefore, even if gmail tracks addresses that are being used, I'd guess that someone using yahoo email can easily set it up to send emails as contact@myWebsite.com and pretend to be me. What do you do about it ? How do you protect yourself in this case?

    2. What if a scammer pretends to be a bank ? It looks like it's very much possible to send an email as support@someBank.com. There must be some sort of protection against this?

    3. Is it probably better/safer to just use myWebsite@gmail.com and forget about custom email?

    Thanks.



  • Let's start with, "What if a scammer pretends to be a bank ? It looks like it's very much possible to send an email as support@someBank.com. There must be some sort of protection against this?"

    This is why we have standards such as Sender Policy Framewark (SPF). SomeBank.com can (should) publish an SPF record in its DNS to specify the SMTP servers that are authorized to send mail from senders at SomeBank.com. If a spoofer tries to send a message appearing to be from *@SomeBank.com, he is unlikely to be able to relay the message through one of SomeBank.com's SMTP servers. If he tries to send the message through a SMTP server other than one that is designated in the SPF record for SomeBank.com, the recipient’s spam filter would likely detect this mismatch and determine that there is a high likelihood that this message was spoofed.


    So, how does Gmail provide its 'send email as:' feature, without breaking SPF?

    See https://support.google.com/mail/answer/22370/send-emails-from-a-different-address-or-alias?hl=en, where it explains how to use this service. Note where it reads,

    For school or work accounts, enter the SMTP server (for example, smtp.gmail.com or smtp.yourschool.edu) and the username and password on that account.

    As you can see, Gmail relays the message through the SMTP server that is already designated for that domain. This avoids breaking SPF.



Suggested Topics

  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2