Bcc email and privacy

Could someone explain to me how bcc on email works. Does the initial sending server send the bcc’ed emails separately from the other recipients or does the receiving server simply not show the bcc’d email recipients?

BCC addresses are not stored in the message body, just used for the destination. Each recipient gets the same message body, just those in BCC are not in there.

Understood but where is the bcc’d email filtered out? At the sender’s or the receiver’s server? Let me give a few more details: at work we have a cms that picks up emails sent to staff members from organizations whose emails are registered with the cms. One of my colleagues noticed that email was being picked up for a recipient whose email does show up in the email (as far as I can see looking at headers, etc) but this recipient is actually associated with the sending organization and the only way we can think of this happening is the recipient is bcc’d. We don’t see it but the cms grabs the email before the receiving server strips off bcc’s.

In other words, are you wondering if a recipient of a BCC’d email could look in the email headers/metadata and see other recipient’s email addresses?

It’s filtered out by the sender’s client. See “Sending an email” here: https://www.atmail.com/blog/smtp-101-manual-smtp-sessions/ and notice how addresses appear twice.

But what you’re describing does not match this model, so maybe I’m wrong.


In fact, this is what I thought! but I can’t think of any other way that this could happen. Our recipient server is outlook exchange server. The sending server is on an amazon cloud server (so I would assume it is being sent from a cms hosted in the cloud).

In case there is still some lack of clarity … here’s how SMTP works in respect of Bcc.

For simplicity let’s assume that you as the client are not sending out any email as such but instead just handing it to your nearby mail server and that mail server will do the heavy lifting.

The entire set of destination email addresses is sent out twice.

  1. As part of the SMTP interaction between client and server.
  2. As part of the email, which is the data payload as far as SMTP is concerned. (The email itself comprises the headers, a blank line, then the content of the email.)

If you are not using Bcc then that’s all there is to it.

If you are using Bcc then there is a difference between the two sets of destination email addresses. The Bcc addresses are omitted from the second set i.e. omitted from the email.

The sending mail client has exclusive responsibility to construct the email. So when it is constructing the headers for the email, it will omit Bcc destination addresses.

One wrinkle with this is that some receiving mail clients will detect the situation that you have received an email even though you are not listed as a recipient in the email (which is how it looks to someone who is a Bcc recipient) and just wedge your email address in to the display of the email, showing you as a Bcc recipient, or indicate that there are undisclosed recipients. However no other specific Bcc recipients can or will show up to you.

Obviously all bets are off once you wander into the proprietary MS world. If Microsoft Exchange is interacting with the non-proprietary world then it will use standard protocols (like SMTP). If Microsoft Exchange is interacting with proprietary clients or other proprietary servers then it could be that none of the above is correct.

1 Like