
Trusting Incoming Email

Email is easy to spoof, that is, to send with an inaccurate From address. So don't do anything drastic (e.g. release sensitive data) just because you received an email claiming to be from someone.

Use a secret address

One way to verify that a message is genuine is to have a secret email address (for example This functions like a password - only genuine users would know to send an email to that address!

A variation is to send an email from a secret address, and tell the user to reply to it. The real user’s replies will go to the secret address, but nobody else knows the secret address.

Verify the sender with DKIM

Anvil has built-in support for DKIM, which lets the sending domain prove that an email is genuine. For example, every mail from is signed by GMail, so you can prove it’s genuine.

If you specify, then you will only allow messages with valid DKIM signatures for the domain in msg.envelope.from. So, if msg.envelope.from is "", the email must have been signed by

def handle_message(msg):
  print(f"This message is definitely from {msg.envelope.from}")
You can also check this by hand. is a list of all the domains that have signed this email (sometimes there can be more than one, but usually there are none or one).

def handle_message(msg):
  if is not None and
      "" in
    print("This message was signed by GMail")

  elif == []:
    print("This message wasn't signed at all")

msg.dkim.valid_from_sender is True if one of those domains is the domain of the sending address (msg.envelope.sender).

Technical notes for experts

Anvil’s DKIM support accepts only signatures that cover the entire message (no l= parameter, which would limit the signature to part of the body and leave the rest unsigned). is a list of the d= fields of all acceptable DKIM signatures.

msg.dkim.valid_from_sender is True only if the SMTP envelope from address ends in @<domain>, where domain is the d= field in an acceptable DKIM signature.
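The checks this page describes, written out as a stand-alone Python example added here (not Anvil's code, and not using its message object): the secret-address comparison, the envelope-from / d= rule from the technical notes, and an allowlist step before acting on a verified message. The address, domains and function names are constructed assumptions.

```python
import hmac
from typing import List, Optional

# Constructed for this example: the secret inbound address and the signing
# domains whose verified mail we are willing to act on.
SECRET_ADDRESS = "support-7f3a9c@example.com"
TRUSTED_SIGNING_DOMAINS = {"example.com"}


def normalize_domain(domain: str) -> str:
    # d= values and mail domains are case-insensitive; also drop a trailing dot.
    return domain.strip().rstrip(".").lower()


def valid_from_sender(envelope_from: str, dkim_domains: Optional[List[str]]) -> bool:
    """The rule from the technical notes: True only if the envelope-from address
    ends in "@<domain>" for some acceptable d= domain. Unsigned (None or [])
    never passes, and the match is exact: sub.example.com or evil-example.com
    do not satisfy a signature whose d= is example.com."""
    if not dkim_domains:
        return False
    addr = envelope_from.strip().lower()
    return any(addr.endswith("@" + normalize_domain(d)) for d in dkim_domains)


def classify(envelope_from: str, dkim_domains: Optional[List[str]]) -> str:
    """What the DKIM evidence actually proves about who sent this message."""
    if not dkim_domains:
        return "unsigned"                # From: is an unverified claim
    if not valid_from_sender(envelope_from, dkim_domains):
        return "signed-by-other-domain"  # e.g. a relay or mailing list signed it
    return "verified"


def is_trusted_sender(envelope_from: str, dkim_domains: Optional[List[str]]) -> bool:
    """A verified signature only proves the sender's own domain sent the mail;
    acting on it still needs that domain to be one we trust."""
    if classify(envelope_from, dkim_domains) != "verified":
        return False
    domain = envelope_from.strip().lower().rsplit("@", 1)[-1]
    return domain in TRUSTED_SIGNING_DOMAINS


def sent_to_secret_address(recipient: str) -> bool:
    """The secret-address check: the address acts like a password, so compare
    it in constant time rather than with ==."""
    return hmac.compare_digest(recipient.strip().lower().encode(),
                               SECRET_ADDRESS.lower().encode())
```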