

Ask HN: Why is resending email from an invalid server allowed? - ezequiel-garzon

Greetings! If I save an email from john@example.com on my VPS and then pipe it into `sendmail peter@example.net` Peter will receive the original message as if John had sent it. I'm even more surprised that you can do this between Google accounts (Gmail and Google for domains). Why is this practice allowed? Clearly Google knows the message is fake in the sense that John didn't send it to Peter. I haven't tried to abuse this feature, and that's probably why it works under my tests, but I wonder why Google lets these messages through at all. Any ideas? What would be a legitimate use for this?
======
jlgaddis
In general, SMTP isn't authenticated. RFC733[0], for example, the first
network mail RFC (AFAIK), is dated 1977 when the Internet was a much more
friendly and trusting place.

This lack of authentication is what allows for all the spam with forged From:
headers. You can, for example, send an e-mail from the command-line using
telnet[1] and have it appear to be from any e-mail address you wish.

In the last several years there have been several attempts to address this
such as DomainKeys[2], DKIM[3], SPF[4], and DMARC[5].

As for why Google allows the message through, well, you'd have to ask them.

[0]:
[https://www.ietf.org/rfc/rfc733.txt](https://www.ietf.org/rfc/rfc733.txt)

[1]: [https://workaround.org/ispmail/lenny/test-mail-through-telne...](https://workaround.org/ispmail/lenny/test-mail-through-telnet)

[2]:
[https://en.wikipedia.org/wiki/DomainKeys](https://en.wikipedia.org/wiki/DomainKeys)

[3]:
[https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail)

[4]:
[https://en.wikipedia.org/wiki/Sender_Policy_Framework](https://en.wikipedia.org/wiki/Sender_Policy_Framework)

[5]:
[https://en.wikipedia.org/wiki/DMARC](https://en.wikipedia.org/wiki/DMARC)

~~~
ezequiel-garzon
Thanks for your thorough reply. Yes, SMTP was designed when "everybody knew
everybody" on the Internet. My major doubt is why, in the age of DKIM, SPF et
al these practices are allowed. I just found out this is the easiest way to
resend a message if you have a very primitive MUA, so maybe that's the reason?
I doubt Google will answer me this question :)
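An added example, not part of the thread: a minimal DMARC-style check over the `Authentication-Results` header a receiving MTA stamps on a message, showing how a DKIM-signed message resent unmodified from another host still authenticates (the signature stays valid and aligned with `From:` even though SPF is not aligned). The host names, sample messages, and the two-label `org_domain` shortcut are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domain named by a passing SPF / DKIM result in an Authentication-Results header (RFC 8601).
SPF_RE = re.compile(r"\bspf=pass\b[^;]*?smtp\.mailfrom=(?:[^\s;@]*@)?([^\s;]+)")
DKIM_RE = re.compile(r"\bdkim=pass\b[^;]*?header\.[di]=(?:[^\s;@]*@)?([^\s;]+)")

def org_domain(domain):
    # Simplification (assumption): last two labels. Real evaluators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain):
    # DMARC relaxed alignment: same organizational domain as the From: header.
    return bool(auth_domain and from_domain) and org_domain(auth_domain) == org_domain(from_domain)

def dmarc_verdict(raw, trusted_authserv):
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    spf_ok = dkim_ok = False
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, results = " ".join(hdr.split()).partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue  # anyone can add this header; trust only our own MTA's
        spf_ok |= any(aligned(d, from_dom) for d in SPF_RE.findall(results))
        dkim_ok |= any(aligned(d, from_dom) for d in DKIM_RE.findall(results))
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# Constructed sample: John's DKIM-signed message, saved and resent unmodified from a VPS.
RESENT = """\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@example.com header.s=sel1;
 spf=pass (sender IP permitted) smtp.mailfrom=root@vps.example.org
From: John <john@example.com>
Subject: lunch
"""

# Constructed sample: same From:, no valid signature, plus a result header from an unknown host.
UNSIGNED = """\
Authentication-Results: mx.example.net; dkim=none; spf=pass smtp.mailfrom=b@mailer.example.org
Authentication-Results: unknown.example.org; dkim=pass header.d=example.com
From: John <john@example.com>
Subject: lunch
"""

if __name__ == "__main__":
    for name, raw in (("resent", RESENT), ("unsigned", UNSIGNED)):
        print(name, dmarc_verdict(raw, "mx.example.net"))
```

The second sample fails only because the result header from the unknown host is ignored; a filter that trusts every `Authentication-Results` header would accept it.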

