
How to verify sender of incoming email address in Google App Engine?

I'm trying to write a heavily email-based application in the Python SDK of Google App Engine. I've noticed that Google allows you to receive email via its API , and that it easily gives you access to the standard fields like From, To, Body, etc. However, if I'm trying to verify that an email address came from who it said it came from (kind of in the way that Posterous does it for you), how can I? I don't have access to any of the email headers, so I can't check the MX record of the sending server's IP address or anything fancy like that.

Any ideas?

Actually, while not well documented, the sources here suggest that the original mime message from which the handy objects you get are shaped is available as the .original property of the handy object -- that's an instance of email.message.Message , so you should be able to get email headers from there. I'm not sure that takes you much further in your quest for validation, though.

E-mail isn't generally a verifiable medium, unless you sign it with PGP or S/MIME. If you don't have headers, you haven't got anything to verify.

The only thing you can do is e-mail the address and ask the person to confirm that they really sent the message. That's a lot harder for the fraudulent e-mail sender to fake (but not impossible).

Or you could possibly ask the user to put a password in every message.

Alex is right about accessing the headers, but that doesn't let you verify the actual sender of the email: anyone can send an email with any "From" address they wish, so don't rely on the From address as authoritative evidence of who sent it.

You can verify the sender only using DKIM. GAE automatically signs the Google Accounts emails with DKIM, but you need an external service (which should be accessed through http/https) to query the DNS and provide you the TXT DNS fields.
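Two of the answers above point at the same raw material: the `.original` property (an `email.message.Message`) gives you the headers, and the DKIM-Signature header names the signing domain (`d=`) and selector (`s=`) from which the public-key TXT record name is built. The following is an added example, not code from the question, the answers, or the App Engine SDK. It parses a constructed raw message with the standard library (on App Engine you would pass `mail_message.original` instead of parsing a string), pulls the headers, derives the `selector._domainkey.domain` TXT record name that an external DNS service would have to look up, and checks that the DKIM signing domain matches the From domain. It does not perform the cryptographic verification itself; that step needs the fetched public key.

```python
import email
import email.utils
from email import policy

# Constructed sample of a raw inbound message; the DKIM tag values are
# placeholders, not a real signature.
RAW_MESSAGE = "\n".join([
    "From: Alice Example <alice@example.com>",
    "To: app@example.appspotmail.com",
    "Subject: hello",
    "Date: Mon, 01 Jan 2024 10:00:00 +0000",
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;",
    " s=sel2024; h=from:to:subject:date; bh=Y29uc3RydWN0ZWQ=;",
    " b=Y29uc3RydWN0ZWRzaWduYXR1cmU=",
    "Message-ID: <constructed-1@example.com>",
    'Content-Type: text/plain; charset="utf-8"',
    "",
    "Hi, this is a constructed test message.",
    "",
])


def parse_raw(raw: str):
    """Parse raw RFC 5322 text into an email.message.Message-like object.

    On App Engine the equivalent object is mail_message.original.
    """
    return email.message_from_string(raw, policy=policy.default)


def header_summary(msg) -> dict:
    """Return the headers the question asks about, as plain strings."""
    return {name: (str(msg.get(name)) if msg.get(name) is not None else None)
            for name in ("From", "To", "Subject", "Message-ID")}


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value ('k=v; k=v; ...') into a tag dict.

    Folding whitespace inside values (e.g. a long b= tag) is removed.
    """
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip()] = "".join(value.split())
    return tags


def dkim_txt_record_name(tags: dict) -> str:
    """Name of the TXT record holding the signer's public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def from_domain(msg) -> str:
    """Domain part of the From address, lower-cased."""
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower()


def dkim_domain_aligned(msg) -> bool:
    """True when a DKIM-Signature is present and its d= matches the From domain.

    A signature for some unrelated domain says nothing about the From address,
    so this alignment check is a prerequisite for trusting the sender.
    """
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return False
    tags = parse_dkim_tags(str(sig))
    return tags.get("d", "").lower() == from_domain(msg)


if __name__ == "__main__":
    message = parse_raw(RAW_MESSAGE)
    print(header_summary(message))
    dkim = parse_dkim_tags(str(message.get("DKIM-Signature")))
    print("TXT record to fetch:", dkim_txt_record_name(dkim))
    print("signing domain aligned with From:", dkim_domain_aligned(message))
```

Once the TXT record has been fetched (through the external HTTP service the answer describes, since the App Engine sandbox has no DNS client), the actual signature check can be done with the `dkimpy` package's `dkim.verify(raw_bytes)`, which takes the raw message bytes; feeding it the `.original` message serialised with `as_bytes()` is an assumption about that library's input, not something the page states.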

If this is part of a registration process or alike, then why don't you send back a "challenge" (eg URL to go for continuing registration or whatever, with a unique & time-bound key) to the (supposedly) originator? This way you can verify if the email address isn't forged.

The "big guys" (eg Google) use this process a lot, there must be a reason.

Disregard my suggestion if that doesn't fit your use-case.


Updated: you could have the emails transit through another Web Service (to be determined) before reaching your GAE application? This way, you could still leverage GAE whilst having a low processing overhead job such as email verification done someplace else?
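The "challenge" the answer above suggests (a URL carrying a unique, time-bound key sent back to the claimed originator) can be built without any server-side storage by signing the expiry, a nonce and the address with an HMAC. The following is an added example and not code from the answer or from App Engine; the secret key, the 15-minute lifetime and the `/confirm` URL are assumed values for illustration. Only someone who can read mail at that address can present a valid token, which is exactly the property the From header cannot give you.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Assumed server-side secret for this demo; a real deployment loads it from
# configuration rather than source and rotates it.
SECRET_KEY = b"constructed-demo-secret-do-not-use-in-production"
TOKEN_TTL_SECONDS = 15 * 60  # assumed challenge lifetime


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_challenge(email_addr: str, secret: bytes = SECRET_KEY,
                   now=None, ttl: int = TOKEN_TTL_SECONDS) -> str:
    """Create a token binding the address to an expiry time and a fresh nonce."""
    now = int(time.time()) if now is None else int(now)
    expires = now + ttl
    nonce = secrets.token_urlsafe(16)
    # The address goes last so a '|' inside it cannot be confused with a separator.
    payload = f"{expires}|{nonce}|{email_addr}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_challenge(token: str, expected_email: str,
                     secret: bytes = SECRET_KEY, now=None) -> bool:
    """Return True only for an untampered, unexpired token for expected_email."""
    now = int(time.time()) if now is None else int(now)
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        mac = _unb64(mac_b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    expected_mac = hmac.new(secret, payload, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(mac, expected_mac):
        return False
    try:
        expires_text, _nonce, email_addr = payload.decode().split("|", 2)
        expires = int(expires_text)
    except ValueError:
        return False
    if now > expires:
        return False
    return email_addr == expected_email


def challenge_url(base_url: str, token: str) -> str:
    """Build the link to mail back to the claimed sender."""
    return base_url + "?" + urlencode({"token": token})


if __name__ == "__main__":
    # Flow: inbound mail claims to be from alice; mail her a link; on click, verify.
    tok = make_challenge("alice@example.com")
    print(challenge_url("https://app.example.test/confirm", tok))
    print("valid now:", verify_challenge(tok, "alice@example.com"))
    print("valid for another address:", verify_challenge(tok, "mallory@example.com"))
```

If the registration flow needs single-use links as well as time-bound ones, record the nonce of each accepted token (for instance in the datastore) and reject repeats; the token format above already carries it.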
