Gmail’s “Custom From” System Messed Up By “On Behalf Of” Headers

Earlier this month, I began using Gmail to both receive and send my email via POP. Previously, I’d just used it to receive mail. By also sending through Gmail, I get a more complete archive of all my mail over time. The problem is, despite setting everything to keep my actual Gmail address hidden, it’s still getting revealed.

NOTE: GOOGLE’S NOW SOLVED THIS PROBLEM. SEE THEIR BLOG POST WITH A SOLUTION HERE. NO NEED TO READ FURTHER UNLESS YOU’RE CURIOUS ABOUT WHAT USED TO HAPPEN.

Here’s the situation. I want people to email me at my longstanding danny @ calafia.com email address. I don’t want them sending to my Gmail address. The reason is simple. If I decide to leave Gmail down the line, I can’t take that address with me. I basically want no one in the world to know it exists. If they only know danny @ calafia.com, then my mail comes to me no matter where my mail server is located, since I own that domain name.

To help ensure this, I never give out my actual Gmail address. To further ensure my Gmail address doesn’t get out, I make use of two options that should keep it hidden. As I’ll explain, they don’t. But first the options.

In the Mail Settings area of Gmail, there’s an Accounts section. Within that section, you can add other email addresses to use along with your Gmail account. In my case, I added my danny @ calafia.com address. I also make this my default setting. That means any email I send out from within Gmail should show as if it is coming from my danny @ calafia.com account.

Indeed, here are a variety of help pages at Gmail about the topic that give you the impression that your Gmail address remains hidden, such as:

Keep in mind that each time someone replies to a message you send using a custom ‘From:’ address, the reply will be delivered to the ‘From:’ address rather than your Gmail address. If you’d like replies to be delivered to another account, you’ll need to enter a ‘reply-to’ address. Just click ‘Specify a different reply-to address’ to enter this information. (see here)

Once you’ve completed these steps, all messages you send will appear to be from the email address you’ve set as your default. (see here)

In addition to making this change at Gmail, you also have to make changes to your mail client. Info from Google on this is covered here. I use Outlook 2003, and specific instructions are covered here. However, those instructions do NOT cover the extra steps to take to disguise your Gmail account.

After you follow the instructions, you should next go back in to edit your email account. Choose the More Settings button, then the General tab. You’ll see an Other User Information option. Put an organization if you want, but most important, put the reply email address you’d like to have. This is supposed to help ensure that no matter what POP account you send out of, only the email address you put into that box will be shown.

In other words, even though I send out through Gmail, changing this setting along with the other change made within Gmail is supposed to ensure that my danny @ calafia.com address is the only thing seen by those receiving my email.

That’s not what happens, but it can be hard to see. One reason is that I find that if you send something to yourself via Gmail from within Outlook, then Outlook won’t download that from Gmail. I don’t know why this happens, but it’s pretty consistent. So if you try to send and receive a mail to check how it looks, it won’t come back into Outlook.

Now let’s say you go to Gmail itself to look at what it shows there. You’ll just see your name shown above the email you sent. Click More Options, and you’ll see something like this:

From: Danny Sullivan <danny @ calafia.com>
Reply-To: danny @ calafia.com
To: danny @ calafia.com
Date: Jan 31, 2006 1:18 PM

Looks good, right? Even though I sent via Gmail, my Gmail address is hidden.

Now try this. Email someone you know, then ask them to reply to your entire email. There’s a good chance you’ll see something like this:

From: Danny Sullivan [mailto:#########@gmail.com] On Behalf Of Danny Sullivan
Sent: Thursday, January 26, 2006 1:11 PM

OK, I’ve blanked out my Gmail address, but you can see the problem. The person who got my email was shown my Gmail address. Despite the fact that Gmail is supposed to keep that hidden, the “On Behalf Of” modification still reveals it.

Why does this happen? I’ve done a bit of poking around, and it seems mostly related to this:

Will messages I send using a custom ‘From:’ address be marked as spam?

Most likely, no. Even though you’re using a different email address to send messages through your Gmail account, Gmail still ‘signs,’ or validates the messages. This way, other email services will know your message headers are not forged.

That signing is interpreted by different mail programs in different ways. Outlook 2003, for example, tracks that the email has been signed and does the entire “on behalf of” thing itself. But Yahoo Mail does not. Over there, my mail just shows as being from Danny Sullivan, danny @ calafia.com.

In Outlook, I can dig deep into the headers and see a trail like this:

Date: Tue, 31 Jan 2006 13:11:44 +0000
From: Danny Sullivan <danny @ calafia.com>
Sender: #########@gmail.com
To: danny @ calafia.com
Subject: test
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Delivered-To: #########@gmail.com

You can see that my Gmail address is being passed along as part of this.
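
The same check can be run on any saved copy of a sent message before trusting the “custom From” setting. The following is an added example, not code from the original post: it parses the raw headers, lists every originator-related header that carries an address other than the one meant to be public, and reports the Sender/From mismatch that some clients display as “on behalf of”. The sample message and both addresses in it are constructed placeholders, and the function names are hypothetical.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample modelled on the header trail above; addresses are placeholders.
SAMPLE = """\
Date: Tue, 31 Jan 2006 13:11:44 +0000
From: Example User <me@example.com>
Sender: private.account@mailprovider.example
To: friend@example.org
Subject: test
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1

hello
"""

# Headers besides From that can expose the account actually used to send.
CHECKED = ("Sender", "Reply-To", "Return-Path", "Delivered-To")

def addresses(msg, header):
    """Lower-cased addresses found in every occurrence of one header."""
    values = msg.get_all(header, [])
    return {addr.lower() for _, addr in getaddresses(values) if addr}

def leaked_addresses(raw, public_address):
    """Map header name -> addresses that differ from the intended public one."""
    msg = message_from_string(raw)
    public = public_address.lower()
    findings = {}
    for header in CHECKED:
        extra = addresses(msg, header) - {public}
        if extra:
            findings[header] = sorted(extra)
    return findings

def on_behalf_of(raw):
    """Return (sender, author) when Sender differs from From, else None.
    This is the mismatch a client may show as 'sender on behalf of author'."""
    msg = message_from_string(raw)
    sender = addresses(msg, "Sender")
    author = addresses(msg, "From")
    if sender and author and sender != author:
        return (sorted(sender)[0], sorted(author)[0])
    return None

if __name__ == "__main__":
    print(leaked_addresses(SAMPLE, "me@example.com"))
    print(on_behalf_of(SAMPLE))
```
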

On the plus side, anyone replying to a message that shows your Gmail address will still send to your other email address automatically, if you’ve set things up as above. The downside is that some people may email to your Gmail address manually. I’ve had a few people doing that now.

Overall, I hope they make a change so this no longer happens soon, though it’s apparently been an issue for several months. For myself, I may have to go back to using my own POP server to send email. That’s a bummer, because it means I’ll have to start BCCing anything I want to be archived at Gmail.


Comments

  1. Mikael Christensen says

    An easy way to see the headers of outgoing gmails is to mail to a non-existent address (i.e. x@x.x).
    Google’s mail daemon will reply with an error message containing the email headers in the content.

  2. Bishop says

    Danny,
    If Outlook is the only one where this problem pops up – except for crafty eyes using the Sender: field – then are you sure it’s GMail doing something wrong?
    Actually, according to the rules (RFC 2822:3.6.2), the Sender field *must* be used if the mailbox actually doing the sending is different from the one in the From: field. Technically, I’ll bet this is VERY important for things like SPF and its ilk, and GMail’s not doing anything wrong.
    Too, is Outlook?
    - bish

  3. Andrisi says

    What you ask from Google would let spammers send out “trusted spam” from Gmail, or would make many sites mark Gmail as a spam-source (because messages would come from Gmail without proper signature – the signature of the email address’ domain in this case calafia.com). Maybe the solution would be some trust mechanism under which you sign your letters yourself.

  4. says

    Bish, I suspect there are plenty of mail servers that don’t follow the “rules” for reasons they decide make sense. If Google has verified your email address, there seems to be no good reason not to allow you to send as if you are using it. In fact, that’s the reason why they supposedly have the Custom From feature.
    Andrisi, the spam concern is noted, but Gmail is hardly the only one in this situation. Heck, I can configure my own mail server to send mail as if it is coming from someone else. Again, since Google is only allowing these accounts to be created if you verify from a known email address, it seems a non-issue to then let you send as if you are using them.

  5. endolith says

    Two things:
    1. If you’re logged into a Gmail address, and sending from another Gmail address, there is no reason why they should include these headers. The mail is being sent from the Gmail servers regardless of what account you happen to be logged into.
    2. If they allowed you to enter server information for your other accounts, like any normal email program, you could send from the correct servers and wouldn’t need to include this header information, either. It’s really bad of them to be sending your (possibly private) email addresses to people without your knowledge. For instance, say I have a real name address and a pseudonym address. I don’t want people I interact with in real life to be able to google stuff under my pseudonym, and I don’t want online people to be able to google my real life name and address.

  6. hulki says

    Gmail has messed up the mail consolidation feature by doing this. I switched over to Yahoo Mail, they have included the mail consolidation in the free mail service. It works great.

  7. ab says

    I also find this quite annoying. I use sneakemail to create multiple aliases, and I can’t send emails from gmail without exposing my real address.

  8. Mark says

    yeah this IS stupid especially if your other email address is a Google Apps account which is coming from the same server anyway

  9. Maksym Taran says

    Except they haven’t solved the problem. When your alternate address is a *Gmail* address, you still can’t apply the fix as in the blog post. This is completely idiotic and I’ve tried to badger Google about it to no avail so far.

  10. Marty Houston says

    Unfortunately Google hasn’t solved anything. They advise to “Use your other email provider’s SMTP servers.”. Ok, I don’t have another email provider with smtp server. I only got a domain name that I bought.

  11. says

    The solution is brilliant for the Gmail sender issue. I was having problems with my emails being marked as spam but hope this will help.

  12. Tim says

    I know this is an old post, but I just had to respond:

    This *ONLY* works if Google’s mail servers can connect to your SMTP server.

    I have tried every combination of SMTP settings and can not get Gmail’s servers to connect to my SMTP servers – so I still get the ‘on behalf of’ crud on every mail I send.

    This is a showstopper for me, so I have stopped using Gmail altogether.