If you have multiple e-mail accounts in Microsoft Outlook, you can change the sender address in a new e-mail. It’s faster than switching to a different inbox and allows you to send email from different addresses even if they aren̵
With Outlook, you can send emails from any account you set up in the email client, but also from any other email address, even if you haven’t set it up. That sounds worrying – and it may be – but there are legitimate reasons to use this functionality and nefarious reasons.
We’ll go over how this works, and how email providers prevent users from using it for malicious purposes.
CONNECTED: How to set up a POP3 or IMAP account in Microsoft Outlook
Quickly switch between email addresses
First, let’s go through the completely legitimate process. To change the sender address, you must make the sender field visible. Open a new email in Microsoft Outlook, then click Options> From. This makes the “From” field visible.
To change the return address, click the From button and select one of the email addresses you added to Outlook.
The e-mail address in the “From” field changes. When you send an email, it will be sent from this address.
If you just want to quickly switch between your email accounts while sending email, this is it.
But what if you want to send an email from an account that you haven’t added to Outlook? With Outlook, you can also do this under certain circumstances.
Compose a new email and click the “From” button again. There select the option “Other E-Mail Address”.
In the window that appears, enter the address you want to send an email from and click OK.
Now send the message as usual. Will the email be sent or will you receive a delivery failure notification? And when it sends, will the recipient see it as coming from the email address you used, even if it’s not yours?
Both answers depend on who your email provider is.
How e-mail providers handle messages sent from a different sender address
Microsoft Outlook itself and other email clients like Thunderbird or Apple Mail do not check the email address you are sending from. The client simply sends the email to your provider’s SMTP server (Simple Mail Transfer Protocol server, often referred to as a mail server) and lets the SMTP server decide what to do with your email.
What happens to your email depends entirely on how your email provider’s SMTP server is configured.
The big email providers like Google, Microsoft, Apple and Yahoo use SPF (Sender Policy Framework), DMARC (Domain-Based Message Authentication, Reporting and Compliance) and DKIM (Domain Keys Identified Mail) to prevent this (among others ) People who don’t send emails (spoofing) from addresses they don’t own. How each provider deals with this situation is slightly different.
CONNECTED: Why am I getting spam from my own email address?
Google will simply ignore the new email address you used and the recipient will see your Gmail address. In our example in the screenshots, Outlook sent the email to Gmail’s SMTP server. It turned out that the email address we sent – JemandElse@gmail.com – does not belong to us. Instead, the recipient received an email from our original Gmail address.
Microsoft hosted email accounts do things a little differently. If you try to send e-mail from an address that you are not allowed to access, a Microsoft e-mail server (commonly known as an Exchange server) will not send the e-mail. Instead, you will receive a notification of delivery errors.
However, if your company uses a Microsoft Exchange server to process its email, it is usually configured so that you can send email from any account you have access to, even if that account is not added to Outlook has been.
For example, if you have permission to send e-mail from “firstname.lastname@example.org”, Outlook will send the e-mail to the Exchange server and verify that you have permission to send e-mail from the address have out. The server then sends the email to the recipient regardless of whether you added the email@example.com account to Outlook.
Other e-mail providers usually treat e-mail with the “wrong” address in a similar way to Google or Microsoft. The easiest way to find out is to try Outlook and see what happens. However, be sure to check your provider’s terms and conditions first as some may have a provision against it.
How do scammers use fake “From” addresses?
Large email providers have all kinds of checks and logs to find spam and phishing emails, including emails sent from a spoofed address. Scammers and phishers don’t use the big ones – they set up their own SMTP servers and send email through them instead.
Scammers set up their SMTP servers to allow all of their emails, forcing large vendors like Google and Microsoft into a constant arms race to prevent fraud and phishing emails from getting into your inbox.
CONNECTED: How Scammers Forge Email Addresses And How To Find Out
Your email provider, be it Microsoft, Google, Apple, Yahoo or any other provider, will scan the email headers of every email you receive. Among other things, these companies search for the sender address to match the sender address. If they don’t match, especially if they’re from completely different domains, that’s a red flag. It’s not the only thing email providers use to determine if an email is suspicious, but it’s one of the more important checks they do.