Viewed   79 times

I've had this noted down on some of my code for a while:

 * Add a BCC.
 * Note that according to the conventions of the SMTP protocol all
 * addresses, including BCC addresses, are included in every email as it
 * is sent over the Internet. The BCC addresses are stripped off blind
 * copy email only at the destination email server.
 * @param string $email
 * @param string $name
 * @return object Email

I don't remember where I got it from (possible source) but that shouldn't be relevant to this question. Basically, whenever I try to send an email with BCCs via SMTP the BCC addresses are not hidden - I've read the whole RFC for the SMTP protocol (a couple ) and I don't think I'm missing anything.

The strange thing is, if I send an email with BCCs using the built-in mail() function everything works just right and I've no idea why - I would like to roll my own email sender but I fail to understand this.

Can someone please shed some light into this dark subject?



The BCC addresses are not stripped off at the destination email server. That's not how it works.

How SMTP actually works

  • The sender will send a list of RCPT TO commands to the SMTP server, one for each receiver email addresses, and this command does not distinguish whether the receiver is a normal To, CC or BCC type receiver.
  • Soon enough after calling the command that tells the SMTP server who's the sender, who's the server, and everything else, only then the sender will call the DATA command, in which will contain the content of the email - which consist of the email headers and body - the one that are received by email clients. Among these email headers are the usual from address, to address, CC address.
  • The BCC address is not shown to the receiver, simply because it's not printed out under the DATA command, not because the destination SMTP server stripped them away. The destination SMTP server will just refer to the RCPT TO for the list of email addresses that should receive the email content. It does not really care whether the receiver is in the To, CC or BCC list.
    Update (to clarify): BCC email addresses must be listed in the RCPT TO command list, but the BCC header should not be printed under the DATA command.

Quoting a part of the RFC that I think is relevant to your case:

Please note that the mail data includes the memo header items such as Date, Subject, To, Cc, From [2].

Rolling out your own email sender

A couple of years ago, I frankly think, is quite a long time back to assume that you still memorize end-to-end of RFC 821. :)

Monday, October 3, 2022

You have $headers .= '...'; followed by $headers = '...';; the second line is overwriting the first.

Just put the $headers .= "Bcc: $emailListrn"; say after the Content-type line and it should be fine.

On a side note, the To is generally required; mail servers might mark your message as spam otherwise.

$headers  = "From:" .
  "X-Mailer: phprn";
$headers .= "MIME-Version: 1.0rn";
$headers .= "Content-Type: text/html; charset=ISO-8859-1rn";
$headers .= "Bcc: $emailListrn";
Sunday, December 25, 2022

The difference between the prefixing the hostname with ssl:// and without it is whether or not the underlying stream will be wrapped through OpenSSL, or speak in plain text.

When you connect to Gmail on port 465, it expects the client will use TLS encryption. Most likely, the error message you were seeing was a general result of connecting to a service expecting an encrypted connection when it was just trying to write and read data in plain text.

PHP does magic for you when you use the ssl:// wrapper to connect to a service that supports TLS or SSL. It allows you to read and write on the stream (using say fread/fwrite) in the same manner you would on an unencrypted connection and all the handshaking, encryption, and decryption is done in the background having to do no more than prefix the host with the ssl wrapper.

As to the second question, it is most likely security related. In order to relay (send mail to another domain) you need to authenticate over SMTP which should NEVER be done in cleartext while you can connect on port 25 using an unencrypted connection and send mail to a Gmail user without authenticating (this is what most outside mail servers do when one of their users which to send mail to Gmail). But technologically, there's nothing preventing them from allowing you to send mail using an unencrypted connection, or even authenticating with Gmail credentials (this is called an open relay and is usually badly abused by spammers).

You can learn more about your first question by just reading about the SMTP protocol, the STARTTLS command, and TLS encryption in general. STARTTLS allows a client to connect to the mail server over an unencrypted connection and then negotiate (upgrade) the connection to use encryption, where on the other hand, connections to port 465 expect a TLS handshake to occur as soon as the connection is established and before any protocol (SMTP) communication occurs.

Tuesday, August 2, 2022

Most local boxes with Windows don't come with a SMTP server. You could use an external SMTP server and configure it in your php.ini file, but SMTP authentication is not possible.

I recommend you to use PHPMailer, is a simple and flexible PHP Class, that can use a SMTP server with authentication. It is also more secure than using bundled PHP mail() function.

Thursday, November 17, 2022

Yes, PHPMailer is a very good choice.

For example, if you want, you can use the googles free SMTP server (it's like sending from your gmail account.), or you can just skip the smtp part and send it as a typical mail() call, but with all the correct headers etc. It offers multipart e-mails, attachments.

Pretty easy to setup too.


$mail = new PHPMailer(true);

//Send mail using gmail
    $mail->IsSMTP(); // telling the class to use SMTP
    $mail->SMTPAuth = true; // enable SMTP authentication
    $mail->SMTPSecure = "ssl"; // sets the prefix to the servier
    $mail->Host = ""; // sets GMAIL as the SMTP server
    $mail->Port = 465; // set the SMTP port for the GMAIL server
    $mail->Username = ""; // GMAIL username
    $mail->Password = "your-gmail-password"; // GMAIL password

//Typical mail data
$mail->AddAddress($email, $name);
$mail->SetFrom($email_from, $name_from);
$mail->Subject = "My Subject";
$mail->Body = "Mail contents";

    echo "Success!";
} catch(Exception $e){
    //Something went bad
    echo "Fail - " . $mail->ErrorInfo;

Thursday, September 1, 2022
Only authorized users can answer the search term. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :