Thursday, July 11, 2013

Google Apps 'From' Address Spoofing / 'From' Address Override [Update]

Please be sure to read the important update at the end of this article

Alright, so I was just working on a client's project that has a very typical request that always seems to be an issue when using GMail / Google Apps as an integration piece.

And I stumbled upon a solution that, although it doesn't solve all cases, I'm sure will help a couple of people out.

So here's the dilemma.

Let's say you have an integration solution that includes an e-mail gateway, in this kind of setup.

(Application A) <----> (SMTP/POP/IMAP Server) <---> (E-mail Gateway) <----> (Application B)

So the situation is that you have an application (Application A) which ultimately wants to get a message to another application (Application B). A lot of the time, the way they do this is through an E-mail Gateway (in other words, an application that is able to receive and send e-mail on behalf of Application B). Further to this, perhaps Application B is really a multitude of destinations differentiated by the "To:" e-mail address in the original message.

Here's an example

(Application A) - is an e-mail generator.
(SMTP/POP/IMAP Server) -
(E-mail Gateway) - is an application that maps the "To:" e-mailing address to a smartphone app user.id
(Application B) - is a smartphone app, where each user has a user.id

So the series of steps would go this way:

- User of (Application A) generates an e-mail to Johnny@hello.com
- (SMTP/POP/IMAP Server) is set up with a catchall@hello.com and will catch all the e-mails that don't have real addresses like Johnny@hello.com. So the original e-mail ends up in the catchall@hello.com inbox.
- (E-mail Gateway) periodically checks the (SMTP/POP/IMAP Server) for e-mails and finds the e-mail meant for Johnny@hello.com. The (E-mail Gateway) maps the "Johnny" part of Johnny@hello.com to a user.id "Johnny" and sends a message to (Application B) running on Johnny's smartphone.
- Johnny on his smartphone replies to the message.
- (E-mail Gateway) gets Johnny's reply, and sends the e-mail using the catchall@hello.com account back to the originator (Application A).

Alright so this seems all good except for one piece. No matter who (Application A) sends the e-mail to, even though it will get to the right smartphone, the replies will always come from catchall@hello.com. Well, I shouldn't say that - if you use a GMail or Google Apps for Business GMail account - the from address will always be from catchall@hello.com.

This is because the e-mail gateway can only hook up to the one account, and GMail and Google Apps for Business (rightly so) prevent overriding/spoofing of the From address.

Now in some instances, this may be fine - the from address won't matter. But in the particular case that I was dealing with, (Application A) would reject the response if it didn't match the original e-mail. So if (Application A) sent out an e-mail to "Johnny@hello.com", it would only accept responses that came back from "Johnny@hello.com".

And the main issue here is that GMail / Google Apps for Business don't allow you to override the From address. So if your E-mail Gateway tries to set the From address, GMail will prevent it.

Solution

Well here's the thing - yes, in most cases, if you adopt this kind of solution, GMail and Google Apps for Business will prevent setting the from address.

But there is a way around it if you

  1. legitimately own the addresses you are sending to (or the domain of those e-mail addresses) and 
  2. are willing to pay for Google Apps (which if it's for a client, hopefully $50/year is not bad)


This situation will actually allow you to use just one e-mail account - but have multiple "From" addresses.

So this situation is:

- (Application A) wants to generate e-mails for Johnny@hello.com, Max@hello.com, Tiffany@hello.com, and Kelly@hello.com.
- And, it will only accept responses from those e-mail addresses.

Here are the 4 key things you need to do:


  1. Use Google Apps for Business (yes, yes, it's always annoying when you come across a post that requires you pay money, but again - this may help out some peeps)
  2. Create a default account
  3. Add nicknames (or aliases)
  4. Set up "Send mail as..." for those aliases


So let's say you own hello.com.

1) Set up Google Apps for Business with this domain and

2) create a default account like receiver@hello.com.

Please refer to the update, as step 3 is not really valid if you need more than 30 nicknames.

3) Thirdly, from the Admin of your Google Apps (admin.google.com), where you set up your receiver@hello.com account, add your nicknames to the receiver@hello.com account:

  • Johnny@hello.com
  • Max@hello.com
  • Tiffany@hello.com
  • Kelly@hello.com


Alright - so that's the first step. What that step does is allow for incoming mail to all end up in the same box so that your (E-mail Gateway) can poll that single inbox to get all the e-mail.

Alright - so that's not the trick to this solution - because people have usually figured out how that part works. Do note though - that I'm not really using receiver@hello.com as a catchall account - catchall accounts usually trap all e-mail that does not have an associated account with it. Rather, I'm using aliases for an account. This is one of the keys to the success.

4) And here we go - the clincher that makes all this work -

SETUP YOUR "SEND MAIL AS..." e-mail addresses.

So log into the regular Mail with receiver@hello.com and go to your mail account settings (click on the little Gear and go to settings.) Make sure you're in your Mail settings, not your overall google account settings.

Then, hit up the "Accounts" tab and you'll see a section called "Send mail as...". This will be a little bit of a tedious process - but add each of the nicknames to this list:

  • Johnny@hello.com
  • Max@hello.com
  • Tiffany@hello.com
  • Kelly@hello.com


You'll have to verify each one with a code. When you add one of those e-mail addresses, Google will send you an e-mail (which will end up in the receiver@hello.com inbox) with a verification code. Just verify that code and leave the rest of the settings as is.

And that's it.

This is the key - you can "spoof" - not really spoof - "override" the "From" e-mail address from a piece of software with addresses that appear in the "Send mail as..." list.

Usually the issue that programmers run into is no matter what they set the "From" address to, if they use a Google Mail account - it will always be from that account.

This way it opens up a bit to a set number of addresses.

With this set up, from the single receiver@hello.com account, I can send e-mails (programmatically and from Gmail itself) from

  • Johnny@teldio.com
  • Max@teldio.com
  • Tiffany@hello.com
  • Kelly@hello.com



So again - I know it's not as open as being able to send from absolutely any address - but it does open up the door for a lot of integrations. I myself have dealt with a lot of integrations that are looking for this exact solution.
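The gateway side of this setup, as an added example that is not the author's code: it builds the reply so that "From" is the alias the original message was addressed to, and only when that alias is in the verified "Send mail as..." list. The names `ACCOUNT`, `SEND_AS`, `build_reply`, the `appa.example` sender and the password argument are assumptions for illustration; the sample message is constructed.

```python
import smtplib
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

ACCOUNT = "receiver@hello.com"  # the single mailbox the gateway logs in to
# Addresses verified under "Send mail as..." for ACCOUNT (the article's example).
SEND_AS = {"johnny@hello.com", "max@hello.com", "tiffany@hello.com", "kelly@hello.com"}

def original_recipient(msg):
    """Return the first To/Cc address that is a verified send-as alias, else None."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    for _name, addr in pairs:
        if addr.lower() in SEND_AS:
            return addr  # keep the sender's spelling so Application A can match it
    return None

def build_reply(original_raw, body):
    """Build the gateway's reply with From set to the address Application A wrote to."""
    original = message_from_string(original_raw)
    reply = EmailMessage()
    # Use only a verified alias; any other From ends up as ACCOUNT anyway.
    reply["From"] = original_recipient(original) or ACCOUNT
    reply["To"] = parseaddr(original.get("Reply-To") or original.get("From", ""))[1]
    subject = original.get("Subject", "")
    reply["Subject"] = subject if subject.lower().startswith("re:") else "Re: " + subject
    if original.get("Message-ID"):
        reply["In-Reply-To"] = original["Message-ID"]
        reply["References"] = original["Message-ID"]
    reply.set_content(body)
    return reply

def send(reply, password):
    """Submit through Gmail SMTP, authenticating as the one real account."""
    with smtplib.SMTP("smtp.gmail.com", 587) as smtp:
        smtp.starttls()
        smtp.login(ACCOUNT, password)
        smtp.send_message(reply)

# Constructed sample of a message generated by Application A (not real traffic).
SAMPLE = (
    "From: Application A <alerts@appa.example>\nTo: Johnny <Johnny@hello.com>\n"
    "Subject: Job 42 assigned\nMessage-ID: <abc123@appa.example>\n\nPlease acknowledge.\n"
)

if __name__ == "__main__":
    print(build_reply(SAMPLE, "Acknowledged."))
```
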

Hope this helps out some peeps - if it's confusing at all, feel free to leave a comment and I'll get back to you asap.

[Update]

Alright - so there is an important update to this solution. It turns out that Google Apps / GMail actually puts a cap of 30 nicknames / aliases on each account. And our problem is that we had more than that.

So what's the solution - well it's to half do what I explained above and half not.


  1. Set up a single account to be your catch-all account for Incoming E-mail (rather than using nicknames and aliases)
  2. Still set up the "Send mail as..." accounts on that catch-all account.

The key here is that there seems to be no limit on the "Send mail as..." - so you can still send on behalf of all those accounts.

And instead of using nicknames / aliases - just use a catch-all account so that all your e-mails will end up in that account.



1 comment:

Unknown said...

Very informative and well written post! Quite interesting and nice topic chosen for the post.