Is BCCing e-mails guaranteed to be reliable?

In other words, is it a safe assumption that none of the recipients will ever see the e-mails in BCC? What if the recipient is an administrator of his (but not the sender's) mail server and can make any modifications to his server?


No. SMTP is a plaintext protocol, using store-and-forward methods.

What this means:

  • Plaintext: Every server that relays this message sees it in its entirety, including all header information. Although each recipient in the BCC field typically gets their own e-mail (so the server sends out a customized e-mail from which all the other BCC recipients should be stripped out (emphasis on should!), as opposed to CC, where the data is retained), that one single e-mail is still stored in the headers, in plaintext (no encryption, no obfuscation, nothing).
  • Store-and-forward: The e-mail doesn't necessarily go to the recipient's mail server directly, but could be (and usually is) forwarded over a series of intermediate e-mail servers; it is stored on each one (for an indefinite amount of time) and then forwarded to the next hop (again, not necessarily the final destination).
  • Consider that the e-mail is sent to a non-existent, full, blocked, or otherwise non-functional address: the copy of the mail, along with diagnostic data, can end up in multiple places, not all of them necessarily mailboxes (e.g. error logs or the postmaster mailbox).
  • (This is before your e-mail ends up at the destination's mail servers, which could store it forever and readily hand it to whomever comes along with a subpoena, but that's a slightly different story.)

In other words, your assumption is unsafe. If you want privacy and security, use digital signatures and encryption, e.g. GPG; vanilla e-mail is the wrong tool for such a job.


Any mail transfer agent (MTA) that fully complies with RFC 2822 (specifically, section 3.6.3, Destination address fields) will remove the Bcc: field from the header before attempting delivery, making it impossible for the non-blind recipients to determine the blind recipients' identities.

There are a couple of catches:

  • Unless you have control over the very first MTA that your outbound emails reach, you cannot guarantee that the software on that MTA will do as RFC 2822 instructs.

  • The fact that an email from you to a recipient who may have been blind-copied traversed one or more MTAs may survive in the logs of those MTAs.
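As an added illustration (not part of either answer above), here is what RFC 2822 section 3.6.3 expects of the mail client or first MTA: the Bcc: addresses go only into the SMTP envelope and the field is either removed or reduced to the single blind recipient receiving that copy. It also includes a check for a received copy that still carries the field. The sample message and all addresses are constructed.

```python
"""Bcc: handling as RFC 2822 section 3.6.3 describes it, plus a leak check.
Added example; the message and addresses below are constructed."""
from email import message_from_string, policy

# Constructed sample, as a mail client might hand it to the submitting MTA.
SAMPLE = """\
From: alice@example.org
To: bob@example.com
Cc: carol@example.net
Bcc: dave@example.edu, erin@example.io
Subject: Quarterly numbers

See attached.
"""


def _addrs(msg, field):
    """Plain addr-specs from a structured address header (empty if absent)."""
    hdr = msg.get(field)
    return [a.addr_spec for a in hdr.addresses] if hdr else []


def envelope_and_header(raw: str):
    """Return (envelope recipients, message text as it should leave the MTA).

    The Bcc: addresses are used only to build the RCPT TO list; the Bcc:
    field itself is deleted before the message is forwarded (first option
    in RFC 2822 section 3.6.3)."""
    msg = message_from_string(raw, policy=policy.default)
    rcpts = _addrs(msg, "To") + _addrs(msg, "Cc") + _addrs(msg, "Bcc")
    del msg["Bcc"]  # header gone; envelope still carries the addresses
    return rcpts, msg.as_string()


def bcc_copy_for(raw: str, rcpt: str) -> str:
    """Second RFC 2822 option: a separate copy for one blind recipient that
    names only that recipient in Bcc:, so the other blind recipients stay
    hidden from it (the per-recipient copy the first answer describes)."""
    msg = message_from_string(raw, policy=policy.default)
    msg.replace_header("Bcc", rcpt)
    return msg.as_string()


def bcc_leaked(raw: str) -> bool:
    """True if a delivered copy still shows a Bcc: header, i.e. the
    submitting software did not strip it as the RFC instructs."""
    msg = message_from_string(raw, policy=policy.default)
    return msg.get("Bcc") is not None
```

Run `bcc_leaked` over a message that reached a To: or Cc: mailbox to see whether your own sending path honours the RFC; it says nothing about what intermediate MTAs logged.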