Hacker News new | ask | show | jobs
How can you send email from users' email accounts?
1 points by doradoblank 1033 days ago
If you were to create a service that emailed on behalf of users, using their own personal emails, how would you go about that?

Is it as simple as using a service like AWS SES, and just having the end-users verify/authorize their emails via a verification flow? (So it is pretty much up to end-users to exercise due caution when allowing such services to access?)
3 comments
db48x 1033 days ago
It is trivial to connect to the mail server for the recipient and start a message using someone else’s address as the envelope “From” address. The email delivery protocol offers zero protection against forgery.

However, for the last decade or so most people’s email servers have been configured to look for DKIM headers on the email itself and then verify them against a public key published via DNS. Since you don’t have the corresponding secret key, you won’t be able to add a DKIM header to the email that can be verified and your email will be rejected. Leaving off the DKIM header will also get you rejected by most recipients.

It is useless to try to forge the sender address these days. SES won’t even let you try; it will simply not send any email which is “from” an address you don’t control.

Don’t try to create a service which sends email on behalf of other people; it won’t work.

<https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail>

link
beardyw 1032 days ago
It is easy to use someone's name against an email address you control, as spammers do. You can also add a reply-to with anyone's email address so far as I know. Probably not what you want, though maybe the best you can expect.
link
tamimio 1033 days ago
> behalf of users, using their own personal emails,

You can’t, if I’m understanding it correctly, otherwise you are spoofing it and mostly it will end up in spam black lists. You can create an alias (and do all the usuals like SPF, DMARC, DKIM, TLS, etc to ensure the security part) and then forward it to users emails, and make it seamless so users don’t see it.

link
LeonM 1032 days ago
> You can’t

You can, but as long as the user owns the domain they are sending with.

If the domain owner authorizes you as a delegated sender using SPF and DKIM, then you can send email as anyone@domain.tld.

However, I recommend the OP learns about how email works before diving into such venture.

link
tamimio 1032 days ago
If you own the domain you can pretty much do anything, from hosting your own email to having unlimited aliases, but I believe OP question is a bigger scope as said “personal emails”, so that also includes emails from other providers like gmail etc., so I stand corrected (if I understand OP requirement correctly anyway), you can’t unless you are spoofing it, which is useless as it will end up in the black list anyway.
link