Caution: Email BCC (Blind Carbon Copy) Not Always Blind

I’m Back!

I enjoyed a nice couple weeks in Quartzsite – a week of fun at Quartzfest followed by another week of peace and quiet on the desert to recover. Now it’s time to get back to blogging. Some of you are probably eagerly awaiting the next installment of Exploring RV Living. That will be coming soon, but today’s topic is very important and can’t wait.

Blind Carbon Copy

Many of us use BCC, or Blind Carbon Copy, when we send email. The BCC field is where we can add recipients that those in the TO and CC fields will not see. There are a few reasons it is commonly used. When sending an email to a large list of unrelated recipients, BCC protects the privacy of your list members, shields them from possible spam sources, and avoids cluttering up each recipient’s header with unnecessary addresses. It might be used to send an archive copy of a message to another email address you control. It is also used to send a surreptitious copy of a private email to a third party.

How BCC Works

When you compose and send an email, only one physical message is created and sent out from your computer, no matter how many recipients are listed in the TO, CC and even BCC fields. It is the job of the email server to parse the headers and send the individual copies to each listed recipient. The TO and CC fields should remain intact on each copy that is sent, so all recipients see the contents of those two fields. The BCC field should be stripped, so that no recipient sees the list of who gets a “blind” copy.

When BCC Fails

The process is not perfect. While it is rare, it is possible for the BCC field and its complete contents to be revealed to the very parties it was meant to be hidden from. Unfortunately, there is not a strict protocol for handling BCC. Most sending servers will either strip the BCC field completely, or will include it only in the copy sent to each BCC recipient, and then containing only that recipient’s address. Most receiving servers will provide additional filtering of the BCC field and strip or edit it as necessary before delivering the message to the recipient’s mailbox.

Occasionally, however, header parsing fails and the BCC field appears. I recently experienced this. It involved mail sent FROM escapees.com, and recipients with yahoo.com, gmail.com, and mindspring.com addresses were able to see the complete BCC field. In fact, this was more than a freak error. Once discovered, a friend and I tried it repeatedly, with the same results each time.

This would suggest a bug or misconfiguration in the server at escapees.com — as the sending server, it should be primarily responsible for ensuring privacy of the BCC addressees. It also shows us that several popular email providers are happy to pass that field on to their clients unfiltered.
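
The two sending-server behaviours described above, plus a check for a leaked BCC header in a received copy, as an added Python example (not code from this post or from any mail server mentioned). The function names and the example.* addresses are constructed for illustration.

```python
import copy
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses

def _addrs(msg, *fields):
    """Bare addresses found in the named header fields."""
    values = [v for f in fields for v in msg.get_all(f, [])]
    return [addr for _, addr in getaddresses(values) if addr]

def copies_for_delivery(msg, keep_own_bcc=False):
    """Return {recipient: copy of msg} with the Bcc header made safe.

    keep_own_bcc=False: Bcc is stripped from every copy.
    keep_own_bcc=True:  a Bcc recipient's copy lists only that recipient.
    """
    bcc = set(_addrs(msg, "Bcc"))
    out = {}
    for rcpt in _addrs(msg, "To", "Cc", "Bcc"):  # envelope recipients
        c = copy.deepcopy(msg)       # leave the caller's message untouched
        del c["Bcc"]                 # removes all Bcc headers, no error if absent
        if keep_own_bcc and rcpt in bcc:
            c["Bcc"] = rcpt
        out[rcpt] = c
    return out

def leaked_bcc(raw, delivered_to):
    """Bcc addresses visible in a received copy other than the recipient's own."""
    seen = {a.lower() for a in _addrs(message_from_string(raw), "Bcc")}
    return sorted(seen - {delivered_to.lower()})

def sample_message():
    """Constructed sample message, not taken from any real mailbox."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "alice@example.com"
    m["Cc"] = "bob@example.com"
    m["Bcc"] = "carol@example.net, dave@example.net"
    m["Subject"] = "Constructed sample"
    m.set_content("Hello")
    return m

if __name__ == "__main__":
    original = sample_message()
    # An unfiltered copy, as in the failure described above:
    print("leak:", leaked_bcc(original.as_string(), "alice@example.com"))
    for rcpt, c in copies_for_delivery(original, keep_own_bcc=True).items():
        print(rcpt, "sees Bcc:", c["Bcc"], "| leak:", leaked_bcc(c.as_string(), rcpt))
```

To check a message you have received, save its raw source ("show original" or "view source" in most mail clients) and pass that text to `leaked_bcc` along with your own address.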

What You Can Do

BCC works as intended most of the time. If you are using it for cosmetic purposes to avoid header clutter or for sending yourself an archival copy, I wouldn’t worry about it. In the instance of a failure, it’s doubtful it would cause anything more than mild embarrassment.

On the other hand, if you are using it to send surreptitious third-party copies, or in instances where one recipient seeing another’s email address would create a real security risk, then you are better off composing and sending individual copies to each person.

What About You?

Have you ever experienced BCC failure? Tell us what happened in the comments. What steps do you take to ensure the privacy of your email and its recipients?