The Myth About BCC Email

Once upon a time, people could respect others' privacy when sending email to a number of recipients, by putting the addresses in a "BCC" field, which meant "blind courtesy copy," or "blind carbon copy." That was supposed to mean that the server or email client would remove the addresses of the "BCC" recipients before sending the email on to everyone in the "TO:", "CC:", and "BCC:" fields.

However, despite common belief, when we send email to someone as a "BCC" email, their address may be sent to all recipients, and is not necessarily privatized.

"Ah," my friend said, "that is not the way it is supposed to work. It must be a bug on your ISP's server." And I said, "Okay, I will test it at gmail."

And, I must sadly report that it is not just my ISP, but gmail as well, that sometimes merrily sends the full lists of recipients, including "BCC" recipients, on to all the other recipients.

To test the theory, I used SMTP to send an email from one of my gmail addresses to three other addresses. Then I downloaded the email that arrived at a "BCC" address at gmail, and when I looked at the raw file from the command line, instead of from inside my email client, I saw the other BCC address listed as well. I have changed the addresses and Message ID shown to protect myself from spam, but here is what I saw:

X-tkcMail-Send-Profile: myprofile
From: "sdjf" <sdjf@gmail.com>
To: "myself" <myself@myisp.com>
Bcc: address2@gmail.com, address3@gmail.com
Subject: testing bcc from gmail
User-Agent: tkcMail
Content-Type: Text/Plain;
Date: Wed, 28 May 2008 20:42:43 -0700 (PDT)
Message-ID: <583e2623.0514c00c.79f3.2555@mx.google.com>
okay this is just a test.

So, I did a little more reading, and found out that it is a known bug in SMTP. So, then I tested the BCC feature by sending email from gmail online, instead of by using SMTP in my email client. And, gmail passed the test for BCC email sent from online at gmail. The BCC recipient list was not sent to any of the recipient addresses.

I believe that most email client GUIs are set up to hide the BCC recipients from the viewer. However, those addresses may still be in the email, and if you want to make sure you are protecting the BCC recipients, then do not use the BCC option unless you have run careful tests to make sure that your BCC email truly removes the BCC addresses from the email header, no matter where the email is sent.
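One way to run the check described above, and to strip the blind recipients before a message is handed to an SMTP server, is sketched here as an added example that is not part of the original article. The function names are hypothetical, the sample message is constructed from the placeholder addresses shown earlier, and it assumes the sending program passes the recipient list to the server separately, in the SMTP envelope.

```python
from email import message_from_string, policy
from email.utils import getaddresses

# Constructed sample modeled on the raw message shown above (placeholder addresses).
RAW = """\
From: "sdjf" <sdjf@gmail.com>
To: "myself" <myself@myisp.com>
Bcc: address2@gmail.com, address3@gmail.com
Subject: testing bcc from gmail
Content-Type: text/plain

okay this is just a test.
"""

BLIND = ("Bcc", "Resent-Bcc")  # header fields that must never reach a recipient


def _addrs(msg, fields):
    """Lower-cased addresses found in the named header fields."""
    values = [str(v) for f in fields for v in msg.get_all(f, [])]
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def prepare_for_smtp(raw):
    """Return (envelope_recipients, wire_text) with blind headers removed.

    The recipients belong in the SMTP envelope (RCPT TO), not in the headers.
    """
    msg = message_from_string(raw, policy=policy.default)
    rcpts = sorted(_addrs(msg, ("To", "Cc") + BLIND))
    for field in BLIND:
        del msg[field]  # removes every occurrence; no error if absent
    return rcpts, msg.as_string()


def leaked_blind_recipients(raw_received):
    """Addresses exposed in Bcc/Resent-Bcc headers of a received raw message."""
    msg = message_from_string(raw_received, policy=policy.default)
    return sorted(_addrs(msg, BLIND))


if __name__ == "__main__":
    print("leak in sample:", leaked_blind_recipients(RAW))
    rcpts, wire = prepare_for_smtp(RAW)
    print("envelope:", rcpts)
    print("leak after stripping:", leaked_blind_recipients(wire))
```

Run leaked_blind_recipients over the raw source of a copy received at each test address, not over what the mail client displays.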

In most or all cases of SMTP, and possibly some email sent using online servers, you will find that the addresses will get sent on as a hidden portion of the email, and be available for harvesting for spam, just the same as if it was an address in the "TO:" field. While those of us on Linux may not be subject to viruses geared towards MS Windows computers, our email will in most cases be going to people who are not Linux users, and be subject to harvesting on those machines which do not have vigilant virus protection software.

So, what do you do? If you want to send email to multiple recipients and hide their addresses from each other, and be absolutely certain the BCC addresses are not compromised, I am not sure I would count on any email client or web-based email server to be infallible, even if I ran careful tests as I did above. I would instead suggest either sending the recipients their own private copies, or getting some kind of mailing list software or web mailing list service.


About.com has an excellent resource page for instructions on how to send CC and BCC email from various online servers.


This next page is a discussion of the history, purpose and flaws in bcc email.