Archived Forum Post

Index of archived forum posts


BCC Emais Sent via Microsoft Accounts arriving with email addresses exposed?

Jul 28 '16 at 14:30

Just a heads up:

Bcc mail messages sent via Microsoft accounts (,,, etc.) are arriving to the recipients with all email addresses exposed. The Bcc flag is being ignored completely. We reported this to Microsoft a month ago but they have not acknowledge any server-related issues on their part.

Bcc is working properly when sending messages via Gmail and Yahoo so it is likely a Microsoft server issue but you should look into this to be sure it is not related to your ActiveX plugin. If you are aware of this issue and have a work-around, please email us ASAP.

Thanks for the great products.


Chilkat explicitly keeps the BCC email addresses outside the MIME of the email. In other words, with Chilkat, there is no BCC email header that is added to the MIME. This is often a point of irritation to users because they expect the BCC addresses to be present, but if they were, then they could be exposed. Chilkat takes the safe route to avoid exposing BCC addresses.

When a BCC recipient is added to an email (such as via the email.AddBcc method), it used in the "RCPT TO" part of the SMTP protocol. For example, a sample SMTP protocol session looks like this:

Server Response: 220 ESMTP Postfix
Client Sending : HELO
Server Response: 250 Hello
Client Sending : MAIL FROM: <>
Server Response: 250 Ok
Client Sending : RCPT TO: <>
Server Response: 250 Ok
Client Sending : DATA
Server Response: 354 End data with <cr><lf>.<cr><lf>
Client Sending : Subject: Example Message
Client Sending : From:
Client Sending : To:
Client Sending :
Client Sending : Yo,
Client Sending :
Client Sending :   Sending a test message.
Client Sending :
Client Sending :   Later,
Client Sending : Carl
Client Sending : .
Server Response: 250 Ok: queued as 45334
Client Sending : QUIT
Server Response: 221 Bye

The BCC addresses are passed in RCPT TO commands, but are NOT part of the MIME. Therefore, if BCC addresses are getting exposed, it must be that the application code is somehow explicitly adding them to the MIME headers, or the Microsoft SMTP servers are doing something extra to add them to the MIME.