Trying to spoof an email address

Question

I'm sure this has been asked, but I can't find anything to get mine to work.

I'm trying to send follow up emails to clients, but I want to spoof the email address so the from address is for my coworker. I read somewhere online that the from address in the header is simply a text field that can be edited, but I still cannot send the email.

import smtplib

email_to = '*****@gmail.com'
username = '*******@outlook.com'
password = '*********'
other_email = '*******@outlook.com'

mail = smtplib.SMTP('Outlook.com', 25)
mail.ehlo()
mail.starttls()
mail.login(username,password)

header = ('To:' + email_to + '\n' +'From: ' + other_email + '\n'
          + 'Subject: Python Project Test\n')
message = (header +
           '\n\n This is a test message generated from a Python script. \n\n')

mail.sendmail(username, email_to, message)
mail.close()
print("Email sent successfully.")

I know this can be done, but can someone point me in the right direction? Is there any way for me to disguise my name in the from field as that of the email that is supposed to get this?

===================================

Also, for the sake of completion, here is the error I got:

Traceback (most recent call last):
  File "C:\Users\*****\Desktop\email outlook.py", line 16, in <module>
    mail.sendmail(username, email_to, message)
  File "C:\Users\*****\AppData\Local\Programs\Python\Python36-32\lib\smtplib.py", line 887, in sendmail
    raise SMTPDataError(code, resp)
smtplib.SMTPDataError: (550, b'5.7.60 SMTP; Client does not have permissions to send as this sender')

I was hoping if there was a way to make the other_name an alias of the username.

Answer 1

The very short version: This isn't going to work.

---

Once upon a time, it was reasonably possible to do what you are asking to do. In the old days, when the internet was small and spam did not exist, the receiving server would just trust you. You could just connect to mail.example.com and say you were sending on behalf of [email protected], and example.com would just believe you.

But those days are over and done with. Nowadays, SMTP servers are a lot less trusting. So let's go through the problems with your approach:

1. You are trying to route your email through outlook.com. outlook.com knows perfectly well that you are username and not other_email. If you want to send email as other_email, you need to authenticate as other_email.
2. You could connect directly to gmail.com, claim to be outlook.com, and try to send the email that way. But Gmail knows you're not outlook.com, because you're missing these things. So it will likely flag your message as spam, bounce it, or even* accept it and then discard it entirely.

You could fix (1) by changing your code, but because of (2), there's little point.

* I do not work on the Gmail team. I am guessing how Gmail would respond to this based solely on public information about how modern email servers are typically configured. YMMV.