Why does SendGrid allow me to send emails from any

Published 2019-03-06 16:41

Question:

I have a local python file that I'm using to send emails through sendgrid's SMTP:

import smtplib
from email.mime.text import MIMEText

gmail_sender = "example@gmail.com"
server_username = "apikey"  # SendGrid SMTP: the user name is literally "apikey"
server_password = prod.CONFIG['sendgrid_SMTP']  # the API key, loaded from local config

server = smtplib.SMTP_SSL('smtp.sendgrid.net', 465)
server.login(server_username, server_password)  # authenticates the account, not the sender address

email_information = MIMEText("message body")            # constructed sample message
email_information['To'] = "recipient@example.com"       # constructed sample recipient
email_information['From'] = gmail_sender                # plain header data; nothing verifies it

server.sendmail(email_information['From'], email_information['To'],
                email_information.as_string())
server.quit()

I'm confused about who is sending the email. I replaced gmail_sender with multiple different emails, and without having to give the password to those emails, I could send an email through sendgrid's SMTP. In the From section of the email I sent, it says the email I put as the gmail_sender plus "via sendgrid.net." I can make it seem like anyone sent the email; isn't this a security concern?

Any guidance is appreciated :)

Answer 1:

The alternative is rather daunting. You would have to technically prove to them that every address you want to send from is actually yours.

Some services require you to prove that a domain is yours by giving you a unique cookie and telling you to publish it in the domain's DNS records. If you have control over the DNS for a domain, you have control over the domain. But there is no similar mechanism for email - you could simply forge the sender on the email which is supposed to prove that you own the address.

Anyway, going through this ordeal for every domain you want to use is already a chore. Imagine what it would mean for clients who want to use dozens, hundreds, or even thousands of different sender addresses.

The Sendgrid terms of service have some general language about network abuse, which probably applies to using somebody else's email address. I could find nothing specific about address forgery in their ToS. Having a legal restriction in a contract (and enforcing it!) relieves them from the need to implement a technical restriction.
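The DNS "cookie" check the answer describes, paired with a submission-time policy that only accepts From addresses in verified domains, as an added example (not code from the question, the answer, or SendGrid). The record label `_domain-verify` and the in-memory resolver are assumptions; a real deployment would query DNS instead.

```python
"""Domain-ownership proof via a DNS TXT token, then a sender-address policy built on it."""
import hmac
import secrets
from email.utils import parseaddr
from typing import Callable, Dict, Iterable, List

# Hypothetical record label (assumption); a real service picks its own.
VERIFY_LABEL = "_domain-verify"


def issue_token() -> str:
    """Mint the unguessable 'cookie' the service asks the customer to publish."""
    return secrets.token_urlsafe(32)


def verify_domain(domain: str, expected_token: str,
                  lookup_txt: Callable[[str], Iterable[str]]) -> bool:
    """True if a TXT record at <VERIFY_LABEL>.<domain> equals the issued token."""
    try:
        records = lookup_txt(f"{VERIFY_LABEL}.{domain}".lower())
    except LookupError:  # no such name / no TXT records
        return False
    # Constant-time compare; TXT data may be returned quoted.
    return any(hmac.compare_digest(r.strip('"'), expected_token) for r in records)


def sender_allowed(from_addr: str, verified_domains: Iterable[str]) -> bool:
    """Policy a relay could enforce at submission: the From address must
    belong to a domain the account has proven ownership of."""
    _, addr = parseaddr(from_addr)
    if "@" not in addr:
        return False
    return addr.rsplit("@", 1)[1].lower() in {d.lower() for d in verified_domains}


def make_fake_resolver(zone: Dict[str, List[str]]) -> Callable[[str], List[str]]:
    """Constructed in-memory DNS so the example runs offline; swap in a real
    TXT lookup (e.g. dnspython's dns.resolver.resolve(name, 'TXT')) in production."""
    def lookup(name: str) -> List[str]:
        if name not in zone:
            raise LookupError(name)
        return zone[name]
    return lookup


if __name__ == "__main__":
    token = issue_token()
    lookup = make_fake_resolver({f"{VERIFY_LABEL}.example.com": [f'"{token}"']})
    verified = [d for d in ("example.com", "gmail.com") if verify_domain(d, token, lookup)]
    print(verified, sender_allowed("Alice <alice@example.com>", verified))
```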