Why does Google consider a request from my Django app to send an email via SMTP (smtp.gmail.com) to be insecure? Reading their security standards is not very helpful:
How more secure apps help protect your account: When a third-party app meets our security standards, you can:
See what level of account access you're giving the app before you connect your Google Account
Let the app access only a relevant part of your Google Account, like your email or calendar
Connect your Google Account to the app without exposing your password
Disconnect your Google Account from the app at any time
This is a very common issue when emailing from Django. There are tutorials and stackoverflow question/answers (second answer) that 'solve' this by changing settings in your google account to allow less secure apps. I had this working and was OK with it until I read this from Control Access to Less Secure Sites:
Because Google is beginning to shut off Google Account access to less secure apps, the enforcement option is no longer available. We recommend turning off less secure apps access now. You should start using alternatives to less secure apps.
As Google gradually moves away from allowing less secure apps to access Google Accounts, you’ll receive email notifications about changes that affect you.
When I try searching 'How to make Django secure with Google' or 'Why does Django appear as an insecure app to Google' I see results that reflect more of the same guidance: just flip the switch to allow insecure apps on your Google account. I want to know why Django is considered insecure so that maybe I can configure it to be secure.
EDIT: I still haven't verified these steps make Django a 'more secure app'. Until then using an app password allowed me to keep 'Allow less secure apps' off. It was very simple to implement.
Less secure apps can make it easier for hackers to get into your account, so blocking sign-ins from these apps helps keep your account safe. If "Less secure app access" is on for your account: because less secure apps can make your account more vulnerable, Google will automatically turn this setting off if it's not being used.
Less Secure Apps is a feature in Gmail that allows software and devices to sign in to your Gmail account with your main Google username and password. Up until now, it was possible to send emails through Gmail SMTP with this setting turned on. Now, Google has decided to begin phasing out Less Secure Apps from May 30th, 2022.
A Google App Password is a 16-character passcode that lets a device or application sign in to your Google account without your main account password (it requires 2-Step Verification to be turned on). You can therefore use an App Password as the replacement for Less Secure App access.
It's not that Django is insecure; it's probably the way you're sending email using SMTP. Enabling TLS is the first thing to do, and also a requirement to even use Google's SMTP service:
EMAIL_HOST = 'smtp.gmail.com'
EMAIL_PORT = 587          # submission port; the connection is upgraded with STARTTLS
EMAIL_USE_TLS = True      # do not combine with EMAIL_USE_SSL (port 465)
The port number depends on the SMTP service you're using. 587 is the standard, but it may be something else.
Next is setting up SPF and DKIM.
Amazon's SES (Simple Email Service, not free) makes this almost transparent.
Additionally you could setup DMARC which provides feedback on the effectiveness of your setup.
There is a DKIM package for Django: https://pypi.org/project/django-dkim/ to help you set this up manually.
Additionally, there is a DMARC package for Django 2 and Python 3: https://pypi.org/project/django-dmarc2/ (I made some fixes to the original package to make it compatible with Django 2+)
SPF should be set up in your DNS.
Having this in place should make your emails secure.
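Putting the answer's settings and the asker's app-password edit together, here is an added example (not code from the question, the answer, or any of the packages linked above). It builds the Django EMAIL_* settings for Gmail from the environment, rejects anything that is not shaped like an app password, lint-checks an EMAIL_* dict for the mistakes that actually leak the login (no TLS, both TLS flags, wrong port for the flag), performs the same STARTTLS-then-login exchange that EMAIL_USE_TLS makes Django do, and prints the SPF/DKIM/DMARC TXT values the answer tells you to add. The variable names EMAIL_HOST_USER/EMAIL_HOST_PASSWORD, the example domain and the assumption that an app password is exactly 16 letters are this example's own; the Google settings (smtp.gmail.com, port 587, the _spf.google.com include) are Google's published ones.

```python
import os
import re
import smtplib
import ssl
from email.message import EmailMessage

GMAIL_SMTP_HOST = "smtp.gmail.com"
STARTTLS_PORT = 587       # plain connection upgraded with STARTTLS (EMAIL_USE_TLS)
IMPLICIT_TLS_PORT = 465   # TLS from the first byte (EMAIL_USE_SSL)


def gmail_email_settings(environ=None):
    """Build Django's EMAIL_* settings for Gmail from environment variables.

    The names EMAIL_HOST_USER / EMAIL_HOST_PASSWORD are assumed by this example.
    The password must be a Google app password, never the account password,
    so it is read from the environment rather than written into settings.py.
    """
    environ = os.environ if environ is None else environ
    user = environ["EMAIL_HOST_USER"]
    # Google shows app passwords as four groups of four letters; strip the spaces.
    app_password = environ["EMAIL_HOST_PASSWORD"].replace(" ", "")
    if not re.fullmatch(r"[A-Za-z]{16}", app_password):  # assumed format: 16 letters
        raise ValueError("EMAIL_HOST_PASSWORD does not look like a 16-character app password")
    return {
        "EMAIL_BACKEND": "django.core.mail.backends.smtp.EmailBackend",
        "EMAIL_HOST": GMAIL_SMTP_HOST,
        "EMAIL_PORT": STARTTLS_PORT,
        "EMAIL_USE_TLS": True,
        "EMAIL_USE_SSL": False,  # Django refuses a config with both flags set
        "EMAIL_HOST_USER": user,
        "EMAIL_HOST_PASSWORD": app_password,
        "DEFAULT_FROM_EMAIL": user,
    }


def check_email_settings(settings):
    """Return the problems found in an EMAIL_* dict (empty list when it is sound)."""
    problems = []
    use_tls = settings.get("EMAIL_USE_TLS", False)
    use_ssl = settings.get("EMAIL_USE_SSL", False)
    port = settings.get("EMAIL_PORT", 25)
    gmail = settings.get("EMAIL_HOST") == GMAIL_SMTP_HOST
    if use_tls and use_ssl:
        problems.append("EMAIL_USE_TLS and EMAIL_USE_SSL are mutually exclusive")
    elif not (use_tls or use_ssl):
        problems.append("no TLS: the login and the mail would cross the wire in cleartext")
    elif gmail and use_tls and port != STARTTLS_PORT:
        problems.append(f"Gmail STARTTLS is on port {STARTTLS_PORT}, got {port}")
    elif gmail and use_ssl and port != IMPLICIT_TLS_PORT:
        problems.append(f"Gmail implicit TLS is on port {IMPLICIT_TLS_PORT}, got {port}")
    if not settings.get("EMAIL_HOST_PASSWORD"):
        problems.append("EMAIL_HOST_PASSWORD is empty")
    return problems


def send_via_gmail(settings, to_addr, subject, body):
    """Send one message with the exchange EMAIL_USE_TLS implies: EHLO, STARTTLS
    under a certificate-verifying context, EHLO again, then AUTH. Needs network."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = settings["DEFAULT_FROM_EMAIL"], to_addr, subject
    msg.set_content(body)
    context = ssl.create_default_context()  # verifies the server certificate and hostname
    with smtplib.SMTP(settings["EMAIL_HOST"], settings["EMAIL_PORT"], timeout=30) as smtp:
        smtp.ehlo()
        smtp.starttls(context=context)
        smtp.ehlo()  # capabilities must be re-read after the upgrade
        smtp.login(settings["EMAIL_HOST_USER"], settings["EMAIL_HOST_PASSWORD"])
        smtp.send_message(msg)


def spf_record(extra_includes=()):
    """TXT value for the sending domain when its mail leaves through Google."""
    includes = ["_spf.google.com", *extra_includes]
    return "v=spf1 " + " ".join(f"include:{i}" for i in includes) + " ~all"


def dkim_record(public_key_b64):
    """TXT value for <selector>._domainkey.<domain>; the key is the signer's public key."""
    return f"v=DKIM1; k=rsa; p={public_key_b64}"


def dmarc_record(policy="none", report_to=None):
    """TXT value for _dmarc.<domain>; start with p=none and read the aggregate reports."""
    record = f"v=DMARC1; p={policy}"
    if report_to:
        record += f"; rua=mailto:{report_to}"
    return record


if __name__ == "__main__":
    # Constructed sample environment; example.com stands in for a domain you control.
    sample_env = {"EMAIL_HOST_USER": "noreply@example.com",
                  "EMAIL_HOST_PASSWORD": "abcd efgh ijkl mnop"}
    cfg = gmail_email_settings(sample_env)
    print("problems:", check_email_settings(cfg))
    print("weak config:", check_email_settings({"EMAIL_HOST": GMAIL_SMTP_HOST, "EMAIL_PORT": 25}))
    print("SPF  :", spf_record())
    print("DMARC:", dmarc_record(report_to="dmarc@example.com"))
```

The DNS records only matter for a domain whose zone you control (a Google Workspace domain, for instance); if you send from an @gmail.com address, SPF and DKIM for gmail.com are already Google's and there is nothing for you to add.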