Gmail's "Custom From" System Messed Up By "On Behalf Of" Headers
Earlier this month, I began using Gmail to both receive and send my email via POP. Previously, I'd just used it to receive mail. By also sending through Gmail, I get a more complete archive of all my mail over time. The problem is, despite setting everything to keep my actual Gmail address hidden, it's still getting revealed.
Here's the situation. I want people to email me at my longstanding danny @ calafia.com email address. I don't want them sending to my Gmail address. The reason is simple. If I decide to leave Gmail down the line, I can't take that address with me. I basically want no one in the world to know it exists. If they only know danny @ calafia.com, then my mail comes to me no matter where my mail server is located, since I own that domain name.

To help ensure this, I never give out my actual Gmail address. To further ensure my Gmail address doesn't get out, I make use of two options that should keep it hidden. As I'll explain, they don't. But first the options.

In the Mail Settings area of Gmail, there's an Accounts section. Within that section, you can add other email addresses to use along with your Gmail account. In my case, I added my danny @ calafia.com address. I also made this my default setting. That means any email I send out from within Gmail should show as if it is coming from my danny @ calafia.com account. Indeed, here are a variety of help pages at Gmail about the topic that give you the impression that your Gmail address remains hidden, such as:
In addition to making this change at Gmail, you also have to make changes to your mail client. Info from Google on this is covered here. I use Outlook 2003, and specific instructions are covered here. However, those instructions do NOT cover the extra steps to take to disguise your Gmail account.

After you follow the instructions, you should next go back in to edit your email account. Choose the More Settings button, then the General tab. You'll see an Other User Information option. Put an organization if you want, but most important, put the reply email address you'd like to have. This is supposed to help ensure that no matter what POP account you send out of, only the email address you put into that box will be shown. In other words, even though I send out through Gmail, changing this setting along with the other change made within Gmail is supposed to ensure that my danny @ calafia.com address is the only thing seen by those receiving my email.

That's not what happens, but realizing this can be hard to see. One reason is that I find that if you send something to yourself via Gmail from within Outlook, then Outlook won't download that from Gmail. I don't know why this happens, but it's pretty consistent. So if you try to send and receive a mail to check how it looks, it won't come back into Outlook.

Now let's say you go to Gmail itself to look at what it shows there. You'll just see your name shown above the email you sent. Click More Options, and you'll see something like this:
Looks good, right? Even though I sent via Gmail, my Gmail address is hidden. Now try this. Email someone you know, then ask them to reply to your entire email. There's a good chance you'll see something like this:
OK, I've blanked out my Gmail address, but you can see the problem. The person who got my email was shown my Gmail address. Despite the fact that Gmail is supposed to keep that hidden, the "On Behalf Of" modification still reveals it. Why does this happen? I've done a bit of poking around, and it seems mostly related to this:
That signing is interpreted by different mail programs in different ways. Outlook 2003, for example, tracks that the email has been signed and does the entire "on behalf of" thing itself. But Yahoo Mail does not. Over there, my mail just shows as being from Danny Sullivan, danny @ calafia.com. In Outlook, I can dig deep into the headers and see a trail like this:
You can see that my Gmail address is being passed along as part of this. On the plus side, anyone replying to a message that shows your Gmail address will still send to your other email address automatically, if you've set things up as above. The downside is that some people may email to your Gmail address manually. I've had a few people doing that now.

Overall, I hope they make a change so this no longer happens soon, though it's apparently been an issue for several months. For myself, I may have to go back to using my own POP server to send email. That's a bummer, because it means I'll have to start BCCing anything I want to be archived at Gmail.

By Danny Sullivan on Jan. 31, 2006
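To check a sent message for this kind of disclosure, the sketch below (an added example, not code from the original post) parses the originator headers of a raw message, lists every address other than the one you intend to be public, and reproduces the "on behalf of" display that appears when Sender differs from From. The sample message and all addresses are constructed placeholders; Reply-To and Return-Path are checked in addition to the Sender field discussed on this page.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message; every address is a placeholder, not from the post.
SAMPLE = """\
Return-Path: <private.account@mailhost.example>
Sender: private.account@mailhost.example
From: Danny Example <danny@example.org>
Reply-To: danny@example.org
To: friend@example.net
Subject: test

hello
"""

# Headers that can carry an originating address a recipient may see.
ORIGINATOR_FIELDS = ("From", "Sender", "Reply-To", "Return-Path")


def originator_addresses(raw):
    """Map each originator header present to the addresses it contains."""
    msg = message_from_string(raw)
    found = {}
    for field in ORIGINATOR_FIELDS:
        values = msg.get_all(field, [])
        addrs = [addr.lower() for _, addr in getaddresses(values) if addr]
        if addrs:
            found[field] = addrs
    return found


def leaked_addresses(raw, public_address):
    """Return (header, address) pairs exposing anything but public_address."""
    public = public_address.lower()
    leaks = {
        (field, addr)
        for field, addrs in originator_addresses(raw).items()
        for addr in addrs
        if addr != public
    }
    return sorted(leaks)


def display_line(raw):
    """Render the originator the way an 'on behalf of' client would."""
    found = originator_addresses(raw)
    author = found.get("From", [""])[0]
    sender = found.get("Sender", [author])[0]
    if sender != author:
        return f"{sender} on behalf of {author}"
    return author


if __name__ == "__main__":
    print(display_line(SAMPLE))
    for field, addr in leaked_addresses(SAMPLE, "danny@example.org"):
        print(f"{field} exposes {addr}")
```

Run it against the raw source of a message as the recipient received it, since headers such as Return-Path are added in transit and are absent from your own sent copy.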
Comments

Comment by Mikael Christensen | March 14, 2006 10:01 PM

Danny, If Outlook is the only one where this problem pops up - except for crafty eyes using the Sender: field - then are you sure it's GMail doing something wrong? Actually, according to the rules (RFC 2822:3.6.2), the Sender field *must* be used if the mailbox actually doing the sending is different from the one in the From: field. Technically, I'll bet this is VERY important for things like SPF and its ilk, and GMail's not doing anything wrong. Too, is Outlook? - bish

Comment by Bishop | March 16, 2006 11:47 AM

What you ask from Google would let spammers send out "trusted spam" from Gmail, or would make many sites mark Gmail as a spam-source (because messages would come from Gmail without proper signature - the signature of the email address' domain in this case calafia.com). Maybe the solution would be some trust mechanism under which you sign your letters yourself.

Comment by Andrisi | March 19, 2006 7:12 PM

Bish, I suspect there are plenty of mail servers that don't follow the "rules" for reasons they decide make sense. If Google has verified your email address, there seems to be no good reason not to allow you to send as if you are using it. In fact, that's the reason why they supposedly have the Custom From feature. Andrisi, the spam concern is noted, but Gmail is hardly the only one in this situation. Heck, I can configure my own mail server to send mail as if it is coming from someone else. Again, since Google is only allowing these accounts to be created if you verify from a known email address, it seems a non-issue to then let you send as if you are using them.

Comment by Danny Sullivan

Two things:

1. If you're logged into a Gmail address, and sending from another Gmail address, there is no reason why they should include these headers. The mail is being sent from the Gmail servers regardless of what account you happen to be logged into.

2. If they allowed you to enter server information for your other accounts, like any normal email program, you could send from the correct servers and wouldn't need to include this header information, either.

It's really bad of them to be sending your (possibly private) email addresses to people without your knowledge. For instance, say I have a real name address and a pseudonym address. I don't want people I interact with in real life to be able to google stuff under my pseudonym, and I don't want online people to be able to google my real life name and address.

Comment by endolith | December 13, 2007 5:07 PM

Gmail has messed up the mail consolidation feature by doing this. I switched over to Yahoo Mail, they have included the mail consolidation in the free mail service. It works great.

Comment by hulki | March 21, 2008 10:06 AM
An easy way to see the headers of outgoing gmails is to mail to a non-existent address (i.e. x@x.x).
Google's mail daemon will reply with an error message containing the email headers in the content.