In other words, is it a safe assumption that none of the recipients will ever see the e-mails in BCC? What if a recipient is an administrator of his (but not the sender's) mail server and can make any modifications to his server?
6 Answers
No. SMTP is a plaintext protocol, using store-and-forward methods.
What this means:
- Plaintext: Every server that relays this message sees it in its entirety, including all header information. Although each recipient in the BCC field typically gets their own e-mail (so the server sends out a customized e-mail where all the other BCC recipients should be stripped out (emphasis on should!), as opposed to CC, where the data is retained), that one single e-mail is still stored in the headers, in plaintext (no encryption, no obfuscation, nothing).
- Store-and-forward: The e-mail doesn't necessarily go to the recipient's mail server directly, but could be (and usually is) forwarded over a series of intermediate e-mail servers; it is stored on each one (for an indefinite amount of time) and then forwarded to the next hop (again, not necessarily the final destination).
- Consider that the e-mail is sent to a non-existent, full, blocked, or otherwise non-functional address: the copy of the mail, along with diagnostic data, can end up in multiple places, not all of them necessarily mailboxes (e.g. error logs or the postmaster mailbox).
- (this before your e-mail ends up at the destination's mailservers, who could store it forever and readily hand it to whomever comes along with a subpoena, but that's a slightly different story)
In other words, your assumption is unsafe. If you want privacy and security, use digital signatures and encryption, e.g. GPG; vanilla e-mail is the wrong tool for such a job.
Any mail transfer agent (MTA) that fully complies with RFC 2822 (specifically, section 3.6.3, Destination address fields) will remove the Bcc: field from the header before attempting delivery, making it impossible for the non-blind recipients to determine the blind recipients' identities.
There are a couple of catches:
- Unless you have control over the very first MTA that your outbound emails reach, you cannot guarantee that the software on that MTA will do as RFC 2822 instructs.
- The fact that an email from you to a recipient who may have been blind-copied traversed one or more MTAs may survive in the logs of those MTAs.
- 519
You should never assume that the recipients won't become aware of the BCC recipient. I've had BCCed recipients hit "Reply All" in their mail program, and announce to everyone their receipt of a mail before, in a stunning lack of understanding of what being BCCed actually meant. If you really need it to be private, forward the message from your Sent folder after you send it to the original recipients, so the only other address in the message headers is yours.
That said, even if you used BCC, as long as the BCCed recipient's server is separate from the original recipient, the recipient's server would not have access to the BCC information, as it would have been stripped out (or more likely never included in the message body) by your provider's mail server.
On a side note: SMTP is neither reliable nor particularly private. Some posters claim that SMTP "chains" of servers exist, but in general, SMTP sends from your computer, to your ISP, to the recipient's ISP (and however many servers they have internally). In general, your mail will NOT be routed to a third party's mail server, and in fact such attempts are generally disallowed for anti-spam reasons. (There are exceptions, as small providers and home networks will forward to their provider, but this is the exception, not the rule.)
That said, email in transit is not guaranteed to be encrypted, and anything potentially sensitive really shouldn't be trusted unencrypted to the internet via ANY method, including email, as it's trivial for any large provider, or telco to tap the fibers running through their facilities, or log packets traveling across their routers.
The FBI regularly does so through the Carnivore and other programs, and rogue elements have been documented doing so in the past as well.
- 370
Your email client or server (don't know which) should strip out BCC information before sending a message. If you BCC yourself on a message and then view the source, you shouldn't find your email address anywhere except in the From line (verified this with my own mail).
- 984
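The two points above, the RFC 2822 section 3.6.3 stripping of the Bcc header and the "BCC yourself and view the source" check, as an added example that is not part of any answer on this page. It assumes a constructed sample message; the function names are mine.

```python
# Added example: envelope vs. header handling of Bcc, and a leak check.
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import getaddresses


def build_sample():
    """Constructed message: one To, one Cc, two blind copies (one is the sender)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "alice@example.com"
    msg["Cc"] = "bob@example.com"
    msg["Bcc"] = "carol@example.net, sender@example.org"
    msg["Subject"] = "Bcc demo"
    msg.set_content("hello")
    return msg


def envelope_recipients(msg):
    """The SMTP RCPT TO list: every address in To, Cc and Bcc, deduplicated."""
    seen = []
    for hdr in ("To", "Cc", "Bcc"):
        for _name, addr in getaddresses(msg.get_all(hdr, [])):
            a = addr.lower()
            if a and a not in seen:
                seen.append(a)
    return seen


def strip_bcc(msg):
    """Bytes a conforming submission step relays: the message with every Bcc
    field removed (RFC 2822 section 3.6.3). The envelope built above still
    carries the blind recipients; the header no longer names them."""
    out = BytesParser(policy=policy.default).parsebytes(msg.as_bytes())
    del out["Bcc"]  # deletes all Bcc occurrences
    return out.as_bytes()


def leaked_headers(raw_bytes, addr):
    """'Bcc yourself and view the source': header fields other than From that
    still mention addr. An empty list means the blind copy did not leak."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    return [name for name, value in msg.items()
            if name.lower() != "from" and addr.lower() in str(value).lower()]
```

Python's own smtplib.SMTP.send_message applies the same rule, dropping Bcc and Resent-Bcc headers while still addressing the envelope to them.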
It all depends on the server. Most servers will take the BCC line and basically send the message once per address: putting the first BCC address into the CC line and sending, then the next address into the CC line and sending, and so on. But it all depends on the MAIL server setup. BCC should never go further than your outgoing mail server.
- 67
Everything travelling on the net without digital signature or encryption can be easily modified. If you need end-to-end integrity for email, use PGP/GPG signing.
Also, you will need to transfer your public PGP/GPG key to recipients somehow (so they can verify your email messages are really yours). It's a kind of chicken-and-egg problem: this is to establish a safe comm channel, but it already requires a safe comm channel. Sending it via email is OK, but you need to verify the PGP/GPG key fingerprint by phone or by other means. Publishing it on an https-enabled website is also a good idea, as SSL provides the necessary transport integrity guarantees.
- 2,521