Is it possible via a third party service like Brevo ?
How can users send email ?
Hello,
I'd like logged-in users to be able to send emails via the Laravel application.
That's not a problem using an SMTP server, I already do that using a gmail address for the application. But in this case, the sender SMTP gmail address appears inside the email.
I need that the sender SMTP address doesn't appear inside the email.
The email has to be sent exactly as if the user had used their own email address.
How to do that ?
Thanks for your help.
V
Use Your Domain for Sending + User Email in Reply-To
Send emails using your verified domain (e.g., [email protected]) but set the Reply-To as the user’s real email address.
How It Works
From: → Your App [email protected] (verified, trusted sender)
Reply-To: → [email protected]
So when the recipient replies, it goes to the user — but the sending is 100% deliverable and secure.
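Then, in your mailable class, have something of this structure:

    use Illuminate\Mail\Mailables\Address;
    use Illuminate\Mail\Mailables\Envelope;

    // Sent from the app's verified domain; replies go to the user.
    public function envelope(): Envelope
    {
        return new Envelope(
            from: new Address('[email protected]', 'Your App'),
            replyTo: [
                new Address($this->user->email, $this->user->name),
            ],
            subject: 'User Inquiry',
        );
    }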
Domain Verification Tip
If you're using a service like Resend or Brevo, make sure to:
- Add SPF + DKIM DNS records to your domain
- Verify your domain inside the mail provider dashboard
- Enable DMARC if possible

Always ensure that you:
- Use your own mail domain for sending
- Use replyTo() to point replies to the actual user
- Show the user's name in the From name
No, this is not possible. Imagine huge volumes of spam and fake emails we would have if such a thing is possible.
Any sort of sender faking is prohibited by any email service.
Maybe you can put user's name in From field, but the address still must belong to your email server's domain. In this case a recipient will see a message with From: John Doe <[email protected]> instead of From: John Doe <[email protected]>
This may be suitable for your case.
upd: of course, you can connect all users' mailboxes to Laravel using SMTP + their personal accounts, but it's a mess...
You can't send email with any old sender address. Or you can, but any proper email server will reject the email if the domain's SPF records don't match the sending server. If they blindly accepted all emails, anyone could spoof anyone's email address.
If your customers have their own domain names, they'd have to update their DNS to whitelist whatever SMTP server you're using to send emails. That's a hard sell. And if they have something like a gmail.com address, you're out of luck.
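An added example (not written by anyone in this thread) that models the receiving server's check described above and shows why the From-your-domain plus Reply-To approach passes while a user's address in From does not. The domains, IP ranges and SPF records are constructed, SPF and alignment are simplified as noted in the comments, and the DKIM signature is assumed to have verified.

```python
import ipaddress
from email.utils import parseaddr

# Constructed SPF records for documentation domains (not real DNS data).
SPF_RECORDS = {
    "app.example": "v=spf1 ip4:203.0.113.0/24 -all",        # the application's mail domain
    "customer.example": "v=spf1 ip4:198.51.100.0/24 -all",  # a user's own domain
}
APP_SERVER_IP = "203.0.113.10"  # constructed address of the app's outbound SMTP server


def spf_check(envelope_domain, client_ip):
    """Simplified SPF: handles only ip4 mechanisms and the trailing 'all'."""
    record = SPF_RECORDS.get(envelope_domain.lower())
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:]):
            return "pass"
        if term.endswith("all"):
            return {"-": "fail", "~": "softfail", "?": "neutral"}.get(term[0], "pass")
    return "neutral"


def aligned(from_domain, auth_domain):
    """Relaxed alignment, simplified to same domain or parent/subdomain
    (real receivers compare organizational domains via the Public Suffix List)."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def dmarc_result(header_from, envelope_from, client_ip, dkim_domain=None):
    """DMARC passes when SPF or DKIM passes for a domain aligned with the From header.
    dkim_domain is the d= value of a signature assumed to have verified."""
    from_domain = parseaddr(header_from)[1].rpartition("@")[2]
    env_domain = envelope_from.rpartition("@")[2]
    spf_ok = spf_check(env_domain, client_ip) == "pass" and aligned(from_domain, env_domain)
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain)
    return "pass" if spf_ok or dkim_ok else "fail"


if __name__ == "__main__":
    # User's address in From, sent via the app's server: authenticated, but for the wrong domain.
    print(dmarc_result("John Doe <john@customer.example>", "bounce@app.example", APP_SERVER_IP, "app.example"))
    # App's domain in From with the user's display name (Reply-To plays no part in the check).
    print(dmarc_result("John Doe <noreply@app.example>", "bounce@app.example", APP_SERVER_IP, "app.example"))
    # Using the user's address as envelope sender too only moves the failure to SPF.
    print(spf_check("customer.example", APP_SERVER_IP))
```
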
@JussiMannisto @glukinho So it seems to be possible if the application knows the SMTP credentials of each user ?
@vincent15000 technically yes, but:
- not all personal mailbox services support SMTP access at all,
- users will have to either share their passwords with you, or set up some dedicated app password just for your app, you will have to explain it to users and persuade them to do it,
- this is huge pain to set up and support further, this is just bad solution.
@Glukinho When you set up your email credentials on Gmail on your smartphone, you share your credentials with Gmail.
I could do the same with the Laravel application : the users could save their email credentials and I will encrypt them in the database.
@vincent15000 Don't do that! No-one is going to share their email credentials with your "random app" and hope you don't decrypt them for nefarious purposes. If you can encrypt them, you can decrypt them, unless you're planning some GPG-style integration.. but trust me, with the questions being asked here, you don't want to be supporting that either!
@JussiMannisto I just wanted to be sure that it's not possible and that there weren't any other solution about which I didn't think.
Thinking about this further.. Vincent, please, work with a senior dev/mentor before creating something like you're attempting to right now.
A lot of the posts you've created recently, really feels like whatever app you're building has been built by the community here. This in itself isn't bad, OSS is exactly this, however, it's clear from the questions and direction you're thinking regarding credentials, that you could do with a hand in regards to building secure software for consumption from others.
We all need to learn. Back in 2000, I built a forum as my second ever PHP project. When I look back at the code and see stuff like:
"select * from users where user_id = {$_GET['user_id']};"
I cringe and am thankful that I didn't have my entire DB and/or application compromised (would likely be very different in today's landscape)... and also thankful that over the years, I have learned a lot and recognise just how bad the code is.
I'm sincerely not trying to dishearten you, or criticise you etc etc, but I would strongly advise thinking about what you're trying to achieve with the current knowledge that you have. By all means, build and experiment.. this is how we learn.. but please don't publish this stuff on the open (or closed in a company) network.
@ian_h Hey, I'm not crazy, I just want to find a solution.
And sure ... sharing the email credentials with the application is not the solution. Email credentials are sensitive data and with all the hacking, it's not a good idea to ask for this data.
I just said that, according to what you all said, this would be the only solution, but it's not applicable.
So I have to think about another solution.
And for the moment this solution is to open a mail client from a simple link. So sending an email exactly like I need and directly from the application doesn't seem possible.
Unless I create a custom email address specific for the application and use it with its SMTP server.
And thank you for your help, but I don't need help to build secure applications ;). It's because I'm aware of security that I'm asking here. Otherwise I wouldn't ask and I would sometimes write insecure code.
To send emails in Laravel using the user's own email address as the sender without revealing the SMTP address, you'll need to adjust the way the email is sent.
Here’s how you can do that:
1. Use SMTP for the email but with the user's email address as the "from" address.
Instead of sending the email with your Gmail SMTP credentials and having the email show the Gmail address, you can configure the email to send on behalf of the user, like they are sending the email from their own address.
2. Update the .env file to allow dynamic "From" address configuration:
Your .env configuration for SMTP should look like this (using Gmail as an example):
    MAIL_MAILER=smtp
    MAIL_HOST=smtp.gmail.com
    MAIL_PORT=587
    MAIL_USERNAME=[email protected]
    MAIL_PASSWORD=your-email-password
    MAIL_ENCRYPTION=tls
    MAIL_FROM_ADDRESS=[email protected]
    MAIL_FROM_NAME="${APP_NAME}"
Here, MAIL_USERNAME and MAIL_PASSWORD are the credentials for your Gmail account, which will be used to send the email, but we will modify the "From" address dynamically in the code.
3. Dynamically set the "From" address when sending the email:
When sending an email, you can set the sender address dynamically to match the user’s email address. For example:
    use Illuminate\Support\Facades\Auth;
    use Illuminate\Support\Facades\Mail;

    $user = Auth::user(); // or any method to get the logged-in user

    Mail::send('emails.example', ['data' => $data], function ($message) use ($user) {
        $message->from($user->email, $user->name); // User's email address
        $message->to('[email protected]');
        $message->subject('Your Subject');
    });
This way, the from email address will be the user’s own email, not your Gmail SMTP address.
4. Ensure the SMTP server allows sending from different addresses:
For Gmail, by default, Gmail will allow you to send emails from other email addresses (like the one the user is using), but the user must have the email address verified in their Gmail account.
If you are using Gmail, the user’s email address must be added as a "Send mail as" alias in the Gmail account associated with your MAIL_USERNAME.
5. Optional: Verify DKIM and SPF for your domain:
If you're using a custom domain for sending email, it's recommended to configure DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) records to prevent your emails from being marked as spam. For more information on how to verify DKIM for your domain, you can follow the steps outlined in this Verify DKIM.
6. Ensure your SMTP provider allows sending as different users:
Some email service providers might restrict the ability to send emails on behalf of others. Be sure that your SMTP provider (like Gmail, SendGrid, etc.) allows this. With Gmail, you'll need to make sure the user has configured the "Send mail as" feature.
Conclusion:
- The key here is to ensure that you're dynamically setting the "From" address in the mail send method, so it uses the user’s email rather than your Gmail address.
- You'll also need to verify that the SMTP server you're using allows sending as other email addresses (Gmail can do this with "Send mail as" configuration).
This should give the effect that the user is sending the email as though they are sending it from their own account.
@sayanz That's interesting.
I think that I have already tested this some months ago and it didn't work.
Have you checked if it works ?
I will try again by following exactly what you suggest me.
Have you checked if it works ?
It's just a chat bot reply. You can't do steps 4-7 on behalf of the users.
To add a real-world example: in a Laravel project we worked on for an airport taxi booking service, we faced a similar challenge. Customers needed to receive booking confirmations that appeared to come directly from their driver or from a generic service email, without exposing the actual SMTP details.
In our case, we ended up using a verified domain via a transactional email service (like Brevo or Mailgun), which allowed us to dynamically change the From name while keeping emails DMARC/SPF compliant.
The actual app was built for this taxi service called Jewel Cars, and we learned that trying to impersonate user emails directly isn't practical — deliverability drops, and you're likely to hit spam filters hard unless you go through the proper domain whitelisting.
If the goal is to make it “look” like it came from the user, your safest bet is still to send from your own domain and clearly show their name in the From field, as others have pointed out.