Email is easy to spoof - to give it an inaccurate From address. Therefore, it's important not to do drastic things (eg release sensitive data) just because you got an email claiming to be from someone.
One way to verify that a message is genuine is to have a secret email address (for example `firstname.lastname@example.org`). This functions like a password - only genuine users would know to send an email to that address!
A variation is to send an email from a secret address, and tell the user to reply to it. The real user’s replies will go to the secret address, but nobody else knows the secret address.
Anvil has built-in support for DKIM, which lets the sending domain prove that an email is genuine. For example, every mail from a `gmail.com` address is signed by GMail, so you can prove it's genuine.
If you specify `@anvil.email.handle_message(require_dkim=True)`, then you will only allow messages with valid DKIM signatures for the domain in `msg.envelope.from_address`. So, if `msg.envelope.from_address` is `"firstname.lastname@example.org"`, the email must have been signed by `example.org`.

```python
@anvil.email.handle_message(require_dkim=True)
def handle_message(msg):
    # Only reached when a valid DKIM signature for the envelope sender's domain is present
    print("This message is definitely from %s" % msg.envelope.from_address)
```
`msg.dkim.domains` is a list of all the domains that have signed this email (sometimes there can be more than one, but usually there are none or one).

```python
@anvil.email.handle_message
def handle_message(msg):
    if msg.dkim.domains is not None and "gmail.com" in msg.dkim.domains:
        print("This message was signed by GMail")
    elif msg.dkim.domains == []:
        # An empty list means no acceptable DKIM signature was found
        print("This message wasn't signed at all")
```

`True` if one of those domains is the domain of the sending address (`msg.envelope.from_address`).
Technical notes for experts
Anvil's DKIM support accepts only signatures that cover the entire message (no
`msg.dkim.domains` is a list of the `d=` fields of all acceptable DKIM signatures.
`True` only if the SMTP envelope from address ends in
`domain` is the `d=` field in an acceptable DKIM signature.
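The sender check described above and in the technical notes, as an added example that is not Anvil's own code: small stand-in classes (hypothetical) replace `msg.envelope` and `msg.dkim` so it runs outside Anvil, and the subdomain (suffix) match is an assumption about Anvil's exact rule. Only the `verified` outcome should be allowed to trigger anything sensitive; a signature from an unrelated domain proves nothing about the sender.

```python
from dataclasses import dataclass
from typing import List, Optional


# Hypothetical stand-ins for the Anvil objects on this page, constructed so
# the example runs offline. In Anvil these are msg.envelope and msg.dkim.
@dataclass
class Envelope:
    from_address: str          # SMTP envelope sender


@dataclass
class Dkim:
    domains: Optional[List[str]]   # d= fields of acceptable signatures; [] if unsigned


@dataclass
class Message:
    envelope: Envelope
    dkim: Dkim


def sender_domain(address: str) -> str:
    """Domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def signed_by_sender(msg: Message) -> bool:
    """True if the envelope sender's domain equals one of the signing domains,
    or is a subdomain of one (suffix rule; assumed to mirror Anvil's check)."""
    if not msg.dkim.domains:
        return False
    dom = sender_domain(msg.envelope.from_address)
    return any(dom == d.lower() or dom.endswith("." + d.lower())
               for d in msg.dkim.domains)


def classify(msg: Message) -> str:
    """The page's handler logic, returning a label instead of printing."""
    if msg.dkim.domains is None or msg.dkim.domains == []:
        return "unsigned"
    if signed_by_sender(msg):
        return "verified"
    # Signed, but by a domain that is not the sender's: treat like unsigned
    return "signed-by-other-domain"


def make(from_address: str, domains: Optional[List[str]]) -> Message:
    """Build a constructed test message."""
    return Message(Envelope(from_address), Dkim(domains))
```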