If you have multiple email accounts in Microsoft Outlook, you can change the “From” address in a new email. This is quicker than swapping to a different inbox, and lets you send emails from different addresses, even if they aren’t your own. Here’s how—with some caveats.
Outlook lets you send emails from any account you’ve set up in the email client, but also from any other email address, even if you haven’t set it up. That sounds worrying—and in some circumstances it is—but there are legitimate reasons to use this functionality as well as nefarious ones.
We’ll go through how this works, and how email providers prevent people from using it for harmful purposes.
Quickly Switch between Email Addresses
First, let’s go through the entirely legitimate process. To change the “From” address, you need to make the “From” field visible. Open a new email in Microsoft Outlook and then click Options > From. This will make the “From” field visible.
To change the “From” address, click the “From” button and select one of the email addresses you’ve added to Outlook.
The email address in the “From” field will change, and when you send an email, it will be sent from that address.
If all you want to do is quickly switch between your email accounts when you’re sending emails, that’s all there is to it.
But, what if you want to send an email from an account that you haven’t added to Outlook? Well, Outlook will let you do that, too, under certain circumstances.
Compose a new email and then click on the “From” button again. From there, select the “Other Email Address” option.
In the panel that opens, type in the address you want to send an email from and click “OK.”
Now send the message as normal. Will the email send, or will you get a delivery failure notification? And if it does send, will the recipient see it as coming from the email address you used, even if it’s not yours?
Both of those answers are dependent on who your email provider is.
How Email Providers Handle Messages Sent From a Different “From” Address
Microsoft Outlook itself, and other email clients like Thunderbird or Apple Mail, don’t do any checking on the email address from which you send. The client simply sends the email to your provider’s SMTP server (Simple Mail Transfer Protocol server, often called a mail server), and lets the SMTP server decide what to do with your email.
What will happen with your email is entirely dependent on how your email provider’s SMTP server is configured.
The big email providers, such as Google, Microsoft, Apple, and Yahoo, use something called SPF (Sender Policy Framework), DMARC (Domain-based Message Authentication, Reporting, and Conformance), and DKIM (Domain Keys Identified Mail) to prevent (among other things) people from sending emails from addresses (spoofing) that aren’t theirs. How each provider handles this situation is a bit different.
Google simply ignores the new email address you’ve used, and the recipient will see your Gmail address. In our example in the screenshots, Outlook sent the email to Gmail’s SMTP server, which worked out that the email address we were sending from—SomeoneElse@gmail.com—doesn’t belong to us, and so instead the recipient received an email from our original Gmail address.
Microsoft-hosted email accounts do things a bit differently. If you try to send an email from an address that you don’t have permission to access, a Microsoft email server (commonly referred to as an Exchange server) will not send the email. You’ll receive a Delivery Failure Notification instead.
However, if your company uses a Microsoft Exchange server to handle its email, it’s normally configured to allow you to send an email from any account you have access to, even if that account has not been added to your Outlook.
For example, if you have permission to send emails from “email@example.com,” Outlook will send the email to the Exchange server and check that you have permission to send emails from the address. The server will then send the email to the recipient, regardless of whether you’ve added the “firstname.lastname@example.org” account to Outlook.
Other email providers will usually handle emails with the “wrong” address in a similar way to either Google or Microsoft. The easiest way to find out is to try it in Outlook and see what happens. Check your provider’s terms first though, as some might have a provision against doing this.
How Do Scammers Use Fake “From” Addresses?
Large email providers have all kinds of checks and protocols to try to find spam and phishing emails, including emails sent from a fake address. Scammers and phishers don’t use the big providers—they set up their own SMTP servers and send emails through those instead.
Scammers set up their SMTP servers to allow all of their emails though, forcing large providers like Google and Microsoft into a constant arms race to detect and stop scam and phishing emails from getting into your inbox.
Your email provider, be that Microsoft, Google, Apple, Yahoo, or any other provider, scans the email headers of every email you receive. One of the things these companies look for is that the “From” address matches the “Sender” address. If they don’t match, especially if they’re from completely different domains, that’s a red flag. It’s not the only thing that email providers use to determine if an email is suspicious, but it’s one of the more important checks they do.