Can I send mail "from" a domain name I don't host with you?

Customers occasionally ask if it’s okay to send outgoing e-mail through our servers using an e-mail address that isn’t hosted with us.

For example, we’ve been asked if it’s okay to send e-mail from a “harvard.edu” address through our servers, because Harvard University doesn’t provide their alumni with an outgoing e-mail server.

Unfortunately, you can’t do that. While that sort of thing was commonly allowed before spam became a problem, it’s neither secure nor reliable on today’s Internet.

Security

E-mail forgery is a big problem. When you get a message falsely claiming to be from Citibank, Harvard, or another institution, it’s because another e-mail company incorrectly allowed one of its users to send mail claiming to be from citibank.com, harvard.edu, and so on.

If every mail company prevented their users from sending mail from unrelated domain names, most e-mail forgery would stop immediately.

For that reason, the Internet Engineering Task Force has published “Best Practice” recommendations that say that e-mail servers “MUST perform authentication on the identity asserted during all mail transactions”.

In other words, if you’re sending mail claiming to be from “something@harvard.edu”, then our mail server needs to make sure that you’re authorized to do that — if we don’t, you could be forging a stranger’s Harvard address. But of course, only Harvard can check that (they could make sure you’re using the password they’ve assigned you). We have no way of checking it. Allowing it would allow any of our customers to send malicious forged mail.

So the bad news is that you can’t send mail claiming to be from other domain names we don’t handle mail for. The good news is that since we don’t allow hackers and spammers to open accounts with us and do that, our servers are almost never blacklisted because they’ve sent forged e-mail messages. Your outgoing e-mail delivery is much more reliable as a result.

Reliability

Even if we allowed this, it wouldn’t work reliably anyway.

E-mail forgery is such a problem nowadays that many receiving mail servers try to detect mail that was sent from an unauthorized server for a given domain name, then filter such messages as “spam”.

There’s a system called SPF that allows organizations to “publish” information about what IP addresses they legitimately send mail from, and it’s becoming more and more widely used.

And there’s another system called DKIM that allows outgoing servers to “digitally sign” mail to indicate that it’s not a forgery, and to publish information saying that unsigned mail shouldn’t be trusted.

If you sent mail claiming to be “from” harvard.edu through our servers, and Harvard added SPF or DKIM information saying that mail from unspecified servers or unsigned mail is forged (which is increasingly likely), you’d have big problems. The mail you send would start being rejected, filtered, or even just deleted by receiving mail servers.

In short, sending mail like this doesn’t work well. If an organization gives you an e-mail address that’s supposed to work for outgoing mail, they should also give you a properly configured outgoing mail server to use that handles SPF and DKIM. If they refuse to give you that, that means they don’t want you sending mail using that address. That unfortunately isn’t a problem we can solve (it’s a policy issue between you and them, not a technical problem).