
Gmail’s custom ‘From’ address: all ur ID R belong to us

Gmail provides a much-appreciated way to “forge” your e-mail address when sending an e-mail: provided that you own the e-mail address “” (verified by receiving a confirmation e-mail there), you can send an e-mail from your Gmail mailbox pretending to come from
This is very useful for handling several e-mail addresses from a central box. For instance, I can use my account to centralize my e-mail activities, but modify the From field as appropriate (keep the default for friends and family, but switch to something more serious like for work, and to for site-related e-mails).

Unfortunately, Gmail doesn’t really hide your “real” e-mail address behind the “not as real” one: the real address is still there in the e-mail headers, in the Sender field. Here is an example header (modified to hide e-mails and stuff, of course ;)):

MIME-Version: 1.0
Received: by with HTTP; Tue, 30 Jan 2011 07:32:45 -0800 (PST)
Date: Tue, 30 Jan 2011 16:32:45 +0100
X-Google-Sender-Auth: sm8dg5Gdqs84gqswcxfzDFpS9s6
Message-ID: <>
Subject: =?ISO-8859-1?Test_email?=
From: The name I want to show <>
Content-Type: multipart/mixed; boundary=001365494266e56a1f6198741347

Now, this doesn’t really seem to be a big issue since, unless you’re sending spam big time, no one will ever check the headers of the e-mails you send them. This becomes a problem, however, once you consider that some (many?) e-mail providers will display your “hidden” e-mail address as the sender of the e-mail… voiding all your precious forging efforts.

At this point, I guess that you’ll want names 😀 Well, here is a short list:

  • Hotmail, of course. They display forged sender as: “ from Your forged name”
  • Yahoo! Just the same as Hotmail.
  • Outlook. I don’t remember precisely what they display, plus maybe this depends on the configuration (I observed that at a company where I worked), but they do display the unforged e-mail.

In case you’re wondering (and too lazy to test :P), Gmail on the other hand behaves properly and displays the forged e-mail (granted, the contrary would be quite shocking).

So, in conclusion, when you really need to spoof your e-mail address, you’d better actually write from the box from which you want it to appear to come. Or at least check that the recipient’s e-mail provider doesn’t bust forged e-mails.
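To check a copy of a message you sent for this kind of disclosure, here is an added example (not part of the original post) that parses the raw headers and lists every address that differs from the one in From. It goes slightly beyond the post by also checking Return-Path, the header auto-responders reply to (RFC 3834); the sample message and all addresses in it are constructed placeholders.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Headers other than From that can carry the sending account's address.
# Sender is the one the post describes; Return-Path is an added assumption.
IDENTITY_HEADERS = ("Sender", "Return-Path")

# Constructed sample: every address below is a placeholder.
SAMPLE = """\
MIME-Version: 1.0
Return-Path: <personal.box@example.com>
Sender: personal.box@example.com
Subject: Test email
From: The name I want to show <work.alias@example.org>
To: recipient@example.net

body
"""


def leaked_addresses(raw):
    """Return [(header, address)] for identity headers that differ from From."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    leaks = []
    for header in IDENTITY_HEADERS:
        # get_all handles a header that appears more than once.
        for _, addr in getaddresses(msg.get_all(header, [])):
            if addr and addr.lower() != from_addr:
                leaks.append((header, addr.lower()))
    return leaks


def report(raw):
    """Human-readable summary of what a recipient's client could show."""
    leaks = leaked_addresses(raw)
    if not leaks:
        return "No address other than From is exposed in the checked headers."
    return "\n".join(f"{header} exposes {addr}" for header, addr in leaks)


if __name__ == "__main__":
    print(report(SAMPLE))
```

Feed it the “show original” text of a message you sent to yourself at another provider; an empty result only covers the two headers checked here.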

Posted in Google, privacy, Yahoo.

5 Responses


  1. Seth Stahlman says

    I noticed this, when trying to figure out why texting a friend’s cell from one gmail account (with the reply to of another) ended back up at the original. So, this is an additional consequence; if you often text people from email, and have your home account set up to display the ‘from’ as a work name, and text, it’ll not go to that account. Annoying.

  2. patheticcockroach says

    It’s funny you post about that just today: I just noticed too a strange behavior which is more than likely a consequence of this “from” transparency: I e-mailed (from my personal e-mail, sending as my work e-mail) someone who had auto-response on (he’s on vacation), and the auto-response was sent, of course, straight to… my personal e-mail…
    This forging feature is so broken that it’s useless; it creates more problems (accidentally disclosing your personal e-mail) than it solves (fixing the laziness to actually log into your work e-mail).

  3. Seth Stahlman says

    I stumbled on your blog entry trying to find a way to fix it. 😉 Gmail’s really sweet for consolidating, but it’s likely I’ll have to actually go back to using an actual MUA, since for some of the more ‘official’ emails I send, it’s important to have only the proper, professional addresses shown. Unfortunately, in my case, I’m wearing many hats, so it’s not just as simple as logging into a single work email. Frankly, I’m shocked this is a ‘working as intended’ thing on Google’s part.

  4. patheticcockroach says

    I think probably they don’t want to take the responsibility of allowing us to completely forge the sender… even though they do verify that you own the e-mail you’re sending from. For instance you could create an e-mail at Hotmail, verify this e-mail for Google, then send spam from Google’s server “from” your Hotmail address. People would then send abuse reports to Hotmail instead of Gmail, this would take (much) more time to reach and shut down the real spam source.

  5. patheticcockroach says

    Interesting news: Yahoo Mail! has the same feature to “forge” the From e-mail address, but unlike Gmail it conceals your real Yahoo address pretty well… So now you know where to go, if this feature is a must have for you…

    It’s a bit hard to find though: Options -> Mail Options -> Advanced Options -> Mail Accounts -> Add. The help is actually well done, it’s easy to find this through Duckduckgo:
