How to Use Gmail to Send Emails From an SMTP Server That You Do Not Own

by duykham

I would like to share with you one way to set up Gmail to send emails so that they appear as if they were sent by an SMTP server that you do not actually own, e.g. your company email.  (Normally, many employers do not want you to check and send emails with your own computer, so they do not give you the settings.)

In fact, the emails are sent by Google servers.  I'm not talking about services like Google 360, which allow you to achieve the same thing but which you have to pay for.  Also, Google 360 often requires you to have ownership of the domain itself.  What if you are trying to send emails as your company's email addresses?  You do not own the company's domain.

This is a bug in Gmail; I don't think they meant to set up Gmail like this.  However, when I informed them about this bug, they didn't seem to understand what the problem was and said it's intentional.  Anyway, since I couldn't make the Google employees fix the bug, it is still there.  Now I'm sharing it with you.

A Quick Introduction to the Bug

Gmail lets us "Send mail as" external email addresses (in Settings --> Accounts and Import), e.g. someone@company.com, so that you can send emails using the Gmail web interface, but the recipient will have no idea the emails were sent via Gmail.  They will look as if they were sent by an independent SMTP server (such as the one belonging to your company).  This is a cool feature.  But, there are two big problems:

Firstly, when setting up the account, Google does not require you to enter the exact credentials for that account at company.com; an account from any (I really mean any) other domain will work.  That's very strange, isn't it?!  You are trying to add someone@yourcompany.com to your Gmail, but instead of providing a username and password to show that you have legitimate access to that account, you can use any username/password from any other account that you personally own (e.g. someoneelse@yourdomain1.com, whoever@yourdomain2.net, ...).

Secondly, the confirmation of authentication to that SMTP account happens only once, at the time of setting up.  That means that every time you send emails ("Send mail as" from Gmail), it will not verify your username and password again.  It just sends emails as if the account is still valid.

Thirdly, Google makes it worse by falsely affirming that the email was sent by company.com's SMTP server (via TLS, even).  (You can check this info by viewing the detailed information of the email in the recipient's email client.)  This is a white lie!  They are all sent via Google's servers.  All the emails are still sent perfectly even if the username/password has changed or either company.com or yourdomain1.com or yourdomain2.com does not exist (at the time of sending the emails) anymore.

Consequences?  Suppose that later on you lose access to the account (either you are unsubscribed from the service, you are fired from or quit the company you worked for, etc.); you can still send emails from Gmail perfectly well, as if you still owned that company's email.  Imagine, once you quit the company and one day you decide to scare all of your former customers with some fake and shocking news.  They will believe you because they think you are still working for the company.  All thanks to Gmail.
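What a receiving mail system can check in this situation, as an added example that is not part of the original article: whether the domain in the visible From header is backed by an SPF or DKIM pass for that same domain (the alignment test DMARC applies).  It assumes the receiving gateway stamps an Authentication-Results header; the gateway name and all header values are constructed, and the alignment rule is simplified.

```python
# Added example (not from the article): constructed headers, standard library only.
import re
from email import message_from_string
from email.utils import parseaddr

# Identities that passed SPF (envelope sender) or DKIM (signing domain).
PASS_IDS = re.compile(
    r"\b(?:spf=pass\b[^;]*?smtp\.mailfrom|dkim=pass\b[^;]*?header\.d)=([^\s;]+)",
    re.I)

def aligned(candidate, from_domain):
    """Simplified relaxed alignment: same domain or a subdomain of it.
    Real DMARC compares organizational domains via the Public Suffix List."""
    return candidate == from_domain or candidate.endswith("." + from_domain)

def check_from(raw, trusted_authserv):
    """Return (from_domain, authenticated_domains, from_is_backed)."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    passed = set()
    for header in msg.get_all("Authentication-Results") or []:
        authserv, _, body = header.partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue  # not stamped by our own gateway, so the sender could have forged it
        for ident in PASS_IDS.findall(body):
            passed.add(ident.rpartition("@")[2].lower())
    backed = bool(from_domain) and any(aligned(d, from_domain) for d in passed)
    return from_domain, sorted(passed), backed

GATEWAY = "mx.recipient.example"  # hypothetical authserv-id of the receiving gateway

# Constructed sample: From shows company.com, but only yourdomain2.net authenticated.
MISMATCH = (
    "Authentication-Results: mx.recipient.example;\n"
    " spf=pass smtp.mailfrom=whoever@yourdomain2.net;\n"
    " dkim=pass header.d=yourdomain2.net\n"
    "From: Someone <someone@company.com>\n"
    "Subject: constructed sample\n\nbody\n")

# Constructed sample: a header from an untrusted host claims a pass for company.com.
FORGED = MISMATCH.replace("mx.recipient.example", "mx.company.com").replace(
    "yourdomain2.net", "company.com")

# Constructed sample: a company.com subdomain really authenticated the message.
GENUINE = MISMATCH.replace("yourdomain2.net", "mail.company.com")

if __name__ == "__main__":
    for name, raw in (("mismatch", MISMATCH), ("forged", FORGED), ("genuine", GENUINE)):
        print(name, check_from(raw, GATEWAY))
```

Only the Authentication-Results header written by the receiver's own gateway is trusted; any copy already present on arrival should be ignored or stripped.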

Of course, there are also other good uses to take advantage of this bug; it doesn't have to be all malicious.  I will let you decide and choose what suits you best.

I will just provide some technical insight.  The rest all depends on your creativity.

So here we go.  This is how to set up Gmail to send emails as if they are sent from an SMTP server that you do not own.

Goal

Use your Gmail to send emails as if they are sent by someone@company.com.  (This someone@company.com can be either your own company's email that you currently have access to or just that of one of your careless colleagues who happens to leave their laptop screen on, I don't know...)

Prerequisite

You can read the emails of someone@company.com at the moment of setting up (only that moment is enough).

Setup

  1. First, log in to your Gmail.
  2. Go to "Settings", and then click the "Accounts and Import" tab.
  3. Under "Send mail as:", click "Add another email address".
  4. A pop-up window will appear.  Fill in your Name (e.g. "Someone") and the Email address (e.g. someone@company.com).  Then click "Next Step".
  5. In the next screen, you will need to fill in SMTP server, Username and Password.  Here comes the interesting part: you don't have to use the settings of the email you entered in the previous step.  Instead, you can use any of the SMTP account settings that you know, even some free ones on the Internet.
  6. Make sure to check "Secured connection using TLS".  Yeah, why not?!  And click "Add Account".
  7. Next, Gmail will check if the SMTP settings you entered are correct.  Note that Gmail does not check if these settings come from the same domain as the email address you are trying to add (which is company.com).  Since you own the SMTP account, I suppose you entered the correct info and that there will be no problem with the username and password.
  8. Next, after verifying the SMTP settings, Gmail will send an email notification to someone@company.com with the "Confirmation code".  This is when you need to check someone@company.com and read the email from "Gmail Team" and get the code.  Normally it's nine digits.  Fill that in at "Enter and verify the confirmation code" in the next screen.
  9. Click "Verify".
  10. If you followed exactly what I said, you should be done by now.  You can verify it by going to "Settings" and "Accounts and Import" again.  You will see that someone@company.com has been added to "Send mail as".

How to Use

It's straightforward: every time you want to send an email with the someone@company.com address via Gmail, just select it from the "From" drop-down menu in the "Compose" window.

Happy "cheating" - I meant, hacking!
