DEV Community

Cover image for Sending emails from your web app using your customers' email addresses
Ayush Newatia
Ayush Newatia

Posted on • Updated on • Originally published at blog.scattergun.email

Sending emails from your web app using your customers' email addresses

Almost every web app needs to send email. In some cases, it might be desireable to send emails using your customers' email address. For example, if you're building a mailing list or newsletter app.

But, how can one send an email from someone's personal email address without asking for their password or accessing their account? Before we can get into that, let's backtrack and bit and go over how email actually works.

What is an email anyway?

Email's been around since the 70s and initially, it wasn't really designed to be secure. A raw email is just a plain text file and would look something like this:

From: John Doe <johndoe@example.com>
To: janedoe@example.com
Subject: Lorem ipsum
Content-Type: text/plain;
  charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <14CC222D-A9F9-43D6-9580-8A62AFC87ECD@example.com>
Date: Thu, 1 Nov 2021 16:46:08 +0000

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.
Enter fullscreen mode Exit fullscreen mode

As you can see this file has a number of headers defining who an email is From, who it's To and some other stuff followed by the actual content. This file is sent to something called an SMTP ( Simple Mail Transfer Protocol) server and that server sends the email to janedoe@example.com from johndoe@example.com.

In the email specification, there's literally nothing preventing you from impersonating someone else by putting their email in the From field and sending a forged email. Obviously this was a big issue and a number of security features have been tacked on top of the email specification to prevent this from happening.

Authenticating email senders

Preventing email spoofing means there needs to be some way to verify whether an email was actually sent by the person in the From header. Two popular methods of doing this are DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework).

For the purpose of this post, I'm not going to get too deep into the details of how those methods actually work. At a high level, DKIM authenticates a signature embedded in the email with a signature stored in the Domain Name System (DNS). A signature match would indicate the email was actually sent by the person it claims to be From. SPF denotes which mail servers are allowed to send email for a given domain name. This will validate if an email has arrived from a server that's actually allowed to send email for the sender.

Between these two methods, it's pretty hard to send an email pretending to be someone else. More to the point, our intention is not to deceive or to break these security features. So how do we go about it?

Sending emails on behalf of others

The email specification has a header for this very use case. It's the Sender header. This is the exact wording of the specification for this header:

Specifies the mailbox of the agent responsible for the actual transmission of the message. Defined as standard by RFC 822.
Enter fullscreen mode Exit fullscreen mode

This means DKIM and SPF validation will be done against the value in the Sender header but in the recipient's Inbox, the sender will show as the value in the From header. However, some providers like Gmail will show the email was sent "via" another address as shown below.



How Gmail surfaces the "Sender" header

In the context of a mailing list or newsletter app, and the fact that we're not trying to do anything sneaky or to decieve the recipient, this behaviour is absolutely fine; I'd even say it's desirable.

This is exactly how my app, Scattergun can send emails using your email address. If you've choose to do so, we add in a Sender header with a ml.scattergun.email address unique to your mailing list. That's how we send emails using your email address without breaking any security measures!

It's important to note though, that the deliverability of these emails could be a bit inconsistent. Some email providers may not like the fact that the Sender does not match the From and flag the email as spam.

At the end of the day, I think it's important to let the customer make that choice!

Scattergun is the easiest way to collect email addresses on your landing page and send emails to your mailing list. Get started for free!

Top comments (0)