Back to Community Threads
Gmail reveals addresses in BCC field
Question asked by Robert Mathias - 11/22/2021 at 10:50 AM
Unanswered
R
If you send an email and list recipients in the BCC field then only the sender should be able to see the BCC recipients.

If the BCC recipients are a mixture of Gmail accounts and non-Gmail then the non-Gmail accounts do not see the BCC lists, which is correct. However any recipient that is a Gmail account can see the full BCC list. 

This is not only wrong, but a breach of GDPR as private email addresses are shared with people who are not entitled to see them. This little known “feature” of Gmail appears to go back to at least 2014.

Is there any way SmarterMail could handle this other than using a mailing list?
Matt Petty Replied
11/22/2021 at 10:56 AM
Employee Post
We do this stripping of BCC while its in the spool before its sent, are you sure these messages came from us?

It's the responsibility of the sender to strip the BCC header right before it is transmitted to the recipient SMTP server. Our spool does this however seeing messages in a GMAIL account with this problem could mean they came from a source that wasn't us or used a mechanism of ours that would bypass the BCC removal-logic. If SmarterMail transmitted the emails your seeing in the GMAIL account then it might be need to be looked into as a bug, is this your case?
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
R
Robert Mathias Replied
11/22/2021 at 12:21 PM
Hi Matt - I see what you mean. However I have tested this on two separate SM servers by sending emails to myself and including both my GMail and Outlook accounts in the BCC. When I view the email in my GMail account the addresses are shown in the BCC. Not so in Outlook or SM. 

One of our clients brought this too our attention as a (GMAil) recipient of one of their emails could see all the recipients in the BCC field. 
Matt Petty Replied
11/22/2021 at 12:33 PM
Employee Post
I just did a test from SM webmail where I composed an email TO "example@gmail.com" with BCC  "example@hotmail.com" and "example@example.com". When viewing the message in Gmail I do not see the BCC. I'd try to figure out how these messages are getting to your user. It's not the software's responsibility to hide BCC its the senders servers responsibility to not even include it. The fact your able to see it in Google means whoever sent to TO google is NOT stripping BCC.
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
R
Robert Mathias Replied
11/22/2021 at 1:07 PM
Hi Matt - I'll open a support ticket so I can send you details. I also need to run some more tests here.
Thanks for your input!
Kyle Kerst Replied
11/22/2021 at 1:43 PM
Employee Post
I tested this as well following a scenario similar to Robert's, but was not able to replicate. As part of the ticket handling I'm seeking access to logs/configuration so we can take another look. Will report back once we narrow it down. Thanks Robert!
Kyle Kerst Lead Internal Network/System Administrator SmarterTools Inc. smartertools.com
Back to Community Threads

Reply to Thread

Enter the verification text
Related Knowledge Base Articles
Use LDAP with OutlookSmarterMail > Desktop and Mobile Synchronization
Copy Mail Sent To or From a MailboxSmarterMail > Domain/User Configuration and Management
Configure an EAS Account in the Gmail App on AndroidSmarterMail > Desktop and Mobile Synchronization
Subscribing to Your Gmail Calendar in WebmailSmarterMail > Desktop and Mobile Synchronization
Subscribing to a Webmail Calendar in GmailSmarterMail > Desktop and Mobile Synchronization