How to spoof 'to' and 'from' fields from actual email recipient and sender addresses


For my use case, I would like to manually set the displayed email addresses in the "to" and "from" field headers of the email, separate from the actual email recipient and sender. I am currently using the smtplib library in python and have managed to accomplish the desired effect with the "to" field and was looking to replicate it for the "from" field as well.

What I have so far:

import smtplib
from email.message import EmailMessage

EMAIL_ADDRESS_G = '[email protected]'
EMAIL_PASSWORD_G = '<app password>'  # placeholder; not shown in the original post

with smtplib.SMTP_SSL('smtp.gmail.com', 465) as smtp:
    smtp.login(EMAIL_ADDRESS_G, EMAIL_PASSWORD_G)

    # What I would like to be displayed in the email
    msg = EmailMessage()
    msg["Subject"] = "Test"
    msg["To"] = '[email protected]' # shows up
    msg['From'] = '[email protected]' # does not show up
    msg.set_content("Test body")

    # Where I would like to be setting the actual email sender and recipient
    smtp.send_message(msg, from_addr=EMAIL_ADDRESS_G, to_addrs=EMAIL_ADDRESS_G)

The above code produces the following:

As shown, the "to" field displays the desired set address, while the "from" field displays my actual email instead of "[email protected]". I believe it is being set when I call login with the account, but I am unsure if I can override it. Also happy to use another python email library, if it is not possible with smtplib.

Current --> Desired

To: [email protected]
From: [email protected] --> [email protected]
Actual Sender: [email protected]
Actual Receiver: [email protected]

Note that this would be used for archiving purposes, where a designated email client might actually be sending the emails; however, I would like the email to use the to and from fields of the message it is trying to document. So the desired displayed "from" field is separate from the actual sender.


Solution

  • Authenticated Gmail SMTP prevents you from spoofing the From header, presumably to prevent abuse.

    For archiving purposes, using IMAP’s APPEND command will allow you to place whatever you like in your own mailbox (as it doesn’t count as sending email) and may be a better solution. (You will need to use an App Specific Password or OAuth to log in, though.)
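
The IMAP APPEND approach from the answer, as an added example (not code from the original question or answer): the archived copy is written straight into your own mailbox, so no message is sent over SMTP. The helper names, the `X-Archived-Copy` marker header and the example.com addresses are assumptions; `imap` is any authenticated `imaplib.IMAP4` connection.

```python
import imaplib
import time
from email import policy
from email.message import EmailMessage
from email.utils import formatdate


def build_archive_copy(orig_from, orig_to, subject, body, sent_epoch):
    """Rebuild the message being documented with its original headers."""
    msg = EmailMessage()
    msg["From"] = orig_from
    msg["To"] = orig_to
    msg["Subject"] = subject
    msg["Date"] = formatdate(sent_epoch)
    # Hypothetical marker so the copy is never mistaken for delivered mail.
    msg["X-Archived-Copy"] = "yes"
    msg.set_content(body)
    return msg


def archive_message(imap, mailbox, msg, sent_epoch):
    """APPEND msg to mailbox on an authenticated imaplib.IMAP4 connection."""
    raw = msg.as_bytes(policy=policy.SMTP)  # CRLF line endings for IMAP
    internal_date = imaplib.Time2Internaldate(sent_epoch)
    status, data = imap.append(mailbox, r"(\Seen)", internal_date, raw)
    if status != "OK":
        raise RuntimeError(f"APPEND to {mailbox!r} failed: {data!r}")
    return raw


if __name__ == "__main__":
    import getpass

    user = input("Your mailbox address: ")
    sent = time.time() - 86400  # constructed: original was sent a day ago
    copy = build_archive_copy(
        "alice@example.com", "bob@example.org",  # constructed addresses
        "Test", "Test body", sent,
    )
    with imaplib.IMAP4_SSL("imap.gmail.com", 993) as imap:
        imap.login(user, getpass.getpass("App password: "))
        archive_message(imap, "INBOX", copy, sent)
```

The server stores the message with the headers exactly as built, and the internal date passed to APPEND lets the copy sort by when the original was sent rather than when it was archived.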