How Scattergun sends emails on your behalf
posted by Ayush Newatia
30 November, 2021
Scattergun offers you two options for sending email. You can send from your own email address or from a Scattergun generated email address.
But how can Scattergun send an email from someone’s personal email address without asking for their password or any kind of authorisation whatsoever? Before we can get into that, let’s backtrack a bit and go over how email actually works.
What is an email anyway?
Email’s been around since the 70s and initially, it wasn’t really designed to be secure. A raw email is just a plain text file and would look something like this:
From: John Doe <johndoe@example.com>
To: janedoe@example.com
Subject: Lorem ipsum
Content-Type: text/plain;
 charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <14CC222D-A9F9-43D6-9580-8A62AFC87ECD@example.com>
Date: Thu, 1 Nov 2021 16:46:08 +0000

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.
As you can see, this file has a number of headers defining who an email is From, who it’s To and some other stuff, followed by a blank line and then the actual content. This file is sent to something called an SMTP (Simple Mail Transfer Protocol) server, and that server sends the email to janedoe@example.com from johndoe@example.com.
In the email specification, there’s literally nothing preventing you from impersonating someone else by putting their email in the From field and sending a forged email. Obviously this was a big issue, and a number of security features have been tacked on top of the email specification to prevent this from happening.
Authenticating email senders
Preventing email spoofing means there needs to be some way to verify whether an email was actually sent by the person in the From header. Two popular methods of doing this are DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework).
For the purpose of this post, I’m not going to get too deep into the details of how those methods actually work. At a high level, DKIM authenticates a signature embedded in the email with a signature stored in the Domain Name System (DNS). A signature match would indicate the email was actually sent by the person it claims to be From. SPF denotes which mail servers are allowed to send email for a given domain name. This validates whether an email has arrived from a server that’s actually allowed to send email for the sender.
Between these two methods, it’s pretty hard to send an email pretending to be someone else. More to the point, it’s just plain wrong; and Scattergun has no intention to deceive or to break these security features. So how does it work?
Sending emails on behalf of others
The email specification has a header for this very use case: the Sender header. This is the exact wording of the specification for this header:
Specifies the mailbox of the agent responsible for the actual transmission of the message. Defined as standard by RFC 822.
This means DKIM and SPF validation will be done against the value in the Sender header, but in the recipient’s inbox the sender will show as the value in the From header. However, some providers like Gmail will show that the email was sent “via” another address, as shown below.
In the context of a mailing list app, and given that we’re not trying to do anything sneaky or to deceive the recipient, this behaviour is absolutely fine; I’d even say it’s desirable.
If you’ve chosen to send emails from your own address in Scattergun, we add a Sender header with a ml.scattergun.email address unique to your mailing list. That’s how we send emails using your email address without breaking any security measures!
It’s important to note, though, that the deliverability of these emails could be a bit inconsistent. Some email providers may not like the fact that the Sender does not match the From and may flag the email as spam.
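To make the mechanism concrete, here is an added Python example (not Scattergun’s own code) that parses the raw message shown earlier, adds a per-list Sender header the way the post describes, and reports which domain a receiver would check and whether From and Sender differ (the “via” / deliverability case). The list token “list-abc123” is a constructed placeholder.

```python
import email
from email.message import Message
from email.utils import parseaddr

# Per-list Sender domain named in the post; the list token passed in is a placeholder.
SENDER_DOMAIN = "ml.scattergun.email"

# Constructed sample, mirroring the raw message shown earlier in the post.
RAW_MESSAGE = """\
From: John Doe <johndoe@example.com>
To: janedoe@example.com
Subject: Lorem ipsum
Content-Type: text/plain;
 charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <14CC222D-A9F9-43D6-9580-8A62AFC87ECD@example.com>
Date: Thu, 1 Nov 2021 16:46:08 +0000

Lorem ipsum dolor sit amet, consectetur adipiscing elit.
"""

def parse_raw(raw: str) -> Message:
    """Parse an RFC 822 message; folded headers (leading whitespace) are unfolded."""
    return email.message_from_string(raw)

def domain_of(header_value: str) -> str:
    """Extract the lower-cased domain from a header value like 'Name <user@host>'."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def add_list_sender(msg: Message, list_token: str) -> Message:
    """Add the Sender header as the post describes: From stays the author's own
    address, Sender becomes the per-list address the list operator controls."""
    if msg["Sender"] is not None:
        del msg["Sender"]  # never carry over a stale Sender supplied by the author
    msg["Sender"] = f"{list_token}@{SENDER_DOMAIN}"
    return msg

def authenticated_domain(msg: Message) -> str:
    """Domain the receiver checks, per the post: Sender if present, otherwise From."""
    return domain_of(msg["Sender"] or msg["From"])

def shows_via(msg: Message) -> bool:
    """True when the From domain differs from the authenticated domain, i.e. the
    case where Gmail displays 'via' and some filters may be stricter."""
    return domain_of(msg["From"]) != authenticated_domain(msg)

if __name__ == "__main__":
    print(add_list_sender(parse_raw(RAW_MESSAGE), "list-abc123").as_string())
```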
That’s why I recommend sending emails from a Scattergun generated email address. However, if you’re happy to take the chance and prefer sending from your own email address, you’ll always have the option!