Question

I'm trying to write a heavily email-based application in the Python SDK of Google App Engine. I've noticed that Google allows you to receive email via its API, and that it easily gives you access to the standard fields like From, To, Body, etc. However, if I'm trying to verify that an email address came from who it said it came from (kind of in the way that Posterous does it for you), how can I? I don't have access to any of the email headers, so I can't check the MX record of the sending server's IP address or anything fancy like that.

Any ideas?


Solution

Actually, while not well documented, the sources here suggest that the original mime message from which the handy objects you get are shaped is available as the .original property of the handy object -- that's an instance of email.message.Message, so you should be able to get email headers from there. I'm not sure that takes you much further in your quest for validation, though.

OTHER TIPS

E-mail isn't generally a verifiable medium, unless you sign it with PGP or S/MIME. If you don't have headers, you haven't got anything to verify.

The only thing you can do is e-mail the address and ask the person to confirm that they really sent the message. That's a lot harder for the fraudulent e-mail sender to fake (but not impossible).

Or you could possibly ask the user to put a password in every message.

Alex is right about accessing the headers, but this doesn't allow you to verify the actual sender of the email: anyone can send an email with any 'from' address they wish, so don't rely on the from address as authoritative proof of who sent it.

If this is part of a registration process or the like, then why don't you send back a "challenge" (e.g. URL to go for continuing registration or whatever, with a unique & time-bound key) to the (supposedly) originator? This way you can verify that the email address isn't forged.

The "big guys" (e.g. Google) use this process a lot, there must be a reason.

Disregard my suggestion if that doesn't fit your use-case.


Updated: you could have the emails transit through another Web Service (To be determined) before reaching your GAE application? This way, you could still leverage GAE whilst having a low processing overhead job such as email verification done someplace else?
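A challenge token of the kind this answer describes, as an added example that is not part of the original answer: the token embedded in the confirmation URL is HMAC-signed, bound to the claimed address and an expiry time, and checked in constant time. `SECRET_KEY`, the token layout and the 24-hour lifetime are assumptions.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed example key; a real deployment loads it from configuration, not source.
SECRET_KEY = b"example-secret-for-illustration-only"
CHALLENGE_TTL = 24 * 3600  # seconds a challenge link stays usable (assumed lifetime)

def normalize(address: str) -> str:
    # Simplifying assumption: treat addresses case-insensitively.
    return address.strip().lower()

def sign(address: str, expires: int) -> str:
    # HMAC-SHA256 over address and expiry; neither can change without breaking the tag.
    return hmac.new(SECRET_KEY, f"{address}|{expires}".encode(), hashlib.sha256).hexdigest()

def pack_token(address: str, expires: int, mac_hex: str) -> str:
    # URL-safe so it can be placed directly in the confirmation link.
    return base64.urlsafe_b64encode(f"{address}|{expires}|{mac_hex}".encode()).decode()

def unpack_token(token: str) -> Tuple[str, int, str]:
    # Raises ValueError (binascii.Error and UnicodeDecodeError are subclasses) when malformed.
    raw = base64.urlsafe_b64decode(token.encode()).decode()
    address, expires_s, mac_hex = raw.rsplit("|", 2)
    return address, int(expires_s), mac_hex

def issue_challenge(address: str, now: Optional[int] = None) -> str:
    """Token to embed in the confirmation URL mailed back to the claimed sender."""
    now = int(time.time()) if now is None else now
    address = normalize(address)
    expires = now + CHALLENGE_TTL
    return pack_token(address, expires, sign(address, expires))

def verify_challenge(token: str, claimed_address: str, now: Optional[int] = None) -> bool:
    """True only if the token is intact, unexpired and was issued for claimed_address."""
    now = int(time.time()) if now is None else now
    try:
        address, expires, mac_hex = unpack_token(token)
    except ValueError:
        return False
    # Constant-time tag comparison first, so a forged token is rejected before anything else.
    if not hmac.compare_digest(sign(address, expires), mac_hex):
        return False
    return now <= expires and address == normalize(claimed_address)
```

Only the key needs to be stored server-side; the token itself carries the address and expiry, so no datastore entry is required until the user follows the link.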

You can verify the sender only using DKIM. GAE automatically signs the Google accounts emails with DKIM, but you need an external service (which should be accessed through http/https) to query the DNS and provide you the TXT DNS fields.

Licensed under: CC-BY-SA with attribution