39

Email clients like Spark for macOS have a feature where a user can send an email later, at any given time, even when the computer is turned off. An SMTP server needs a password based authentication, though.

Does that mean that if I use Spark to send an email later, my password gets sent over to Spark servers in plaintext, so that they can authorize on the SMTP server later? Or is there a different method?

NikxDa
  • 21
    I [dispute your premise](https://stackoverflow.com/q/7484492/1227469) that "an SMTP server needs a password based authentication", albeit that it is common for them to be set up that way. – Jon Bentley Sep 10 '19 at 11:38
  • 4
    This could also be implemented using the [Future Message Release](https://tools.ietf.org/html/rfc4865) extension for SMTP, though apparently that’s not what Spark is doing. – caw Sep 10 '19 at 16:58
  • 2
    I don't know how Spark works but you don't need the password in order to send an email. It's basically [how graylist works](https://en.wikipedia.org/wiki/Greylisting) – vx3r Sep 10 '19 at 04:11
  • "even when the computer is turned off" - then who will send the email (later)? – i486 Sep 13 '19 at 10:49
  • @caw FMR sounds like good feature but I think the question is not for this. "Later" is later, not specific moment. – i486 Sep 13 '19 at 11:17
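The comment above mentions the Future Message Release extension (RFC 4865), under which the user's own mail server holds the message and releases it later, so no third-party scheduler needs the password. The following is an added example, not Spark's code and not taken from the RFC text: a server-side handler for the `HOLDFOR`/`HOLDUNTIL` parameters on `MAIL FROM`. The 7-day maximum, the handling of a release time already in the past, and the reply codes are constructed for the example; consult RFC 4865 for the normative responses.

```python
"""Server-side handling of SMTP FUTURERELEASE (RFC 4865) parameters.
Policy values and reply codes are constructed for illustration."""
from datetime import datetime, timedelta, timezone

# Constructed server policy: hold a message for at most 7 days
# (the max-future-release-interval advertised in the EHLO response).
MAX_HOLD_SECONDS = 7 * 24 * 3600


def ehlo_keyword(now):
    """EHLO response line advertising the extension: the keyword, the
    maximum hold interval in seconds and the latest absolute release time."""
    latest = now + timedelta(seconds=MAX_HOLD_SECONDS)
    return f"FUTURERELEASE {MAX_HOLD_SECONDS} {latest.isoformat()}"


def parse_mail_params(mail_from_line):
    """Split 'MAIL FROM:<a@b> HOLDFOR=3600 BODY=8BITMIME' into the
    reverse-path and a dict of ESMTP parameters (keywords upper-cased)."""
    rest = mail_from_line[len("MAIL FROM:"):].strip()
    path, _, tail = rest.partition(" ")
    params = {}
    for item in tail.split():
        key, _, value = item.partition("=")
        params[key.upper()] = value
    return path.strip("<>"), params


def release_time(mail_from_line, now):
    """Decide when the held message is released.  Returns (reply, release_at);
    release_at is None when delivery should proceed immediately."""
    _, params = parse_mail_params(mail_from_line)
    holdfor, holduntil = params.get("HOLDFOR"), params.get("HOLDUNTIL")
    if holdfor is not None and holduntil is not None:
        # The two parameters are mutually exclusive.
        return "501 5.5.4 HOLDFOR and HOLDUNTIL are mutually exclusive", None
    if holdfor is None and holduntil is None:
        return "250 OK", None
    if holdfor is not None:
        # HOLDFOR is a relative delay in seconds.
        if not holdfor.isdigit():
            return "501 5.5.4 Invalid HOLDFOR value", None
        release_at = now + timedelta(seconds=int(holdfor))
    else:
        # HOLDUNTIL is an absolute RFC 3339 date-time; accept a trailing 'Z'.
        try:
            release_at = datetime.fromisoformat(holduntil.replace("Z", "+00:00"))
        except ValueError:
            return "501 5.5.4 Invalid HOLDUNTIL value", None
        if release_at.tzinfo is None:
            return "501 5.5.4 HOLDUNTIL must carry a UTC offset", None
    if release_at - now > timedelta(seconds=MAX_HOLD_SECONDS):
        return "554 5.7.1 Requested release time exceeds server maximum", None
    if release_at <= now:
        # Constructed policy: a release time already in the past means deliver now.
        return "250 OK", None
    return "250 OK", release_at


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(ehlo_keyword(now))
    print(release_time("MAIL FROM:<user@example.com> HOLDFOR=3600", now))
```

The point for the question: the session that carries `MAIL FROM ... HOLDFOR=...` is the one the user's own client authenticated, so the only party that ever holds the credentials is the mail provider that already had them.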

2 Answers

63

Spark stores your account credentials on their systems. This is also described in their privacy policy:

  1. INFORMATION WE COLLECT AND HOW WE USE THIS INFORMATION

Auth login or mail server credentials: Spark requires your credentials to log into your mail system in order to receive, search, compose and send email messages and other communication. Without such access, our Product won’t be able to provide you with the necessary communication experience. In order for you to take full advantage of additional App and Service features, such as “send later”, “sync between devices” and where allowed by Apple – “push notifications” we use Spark Services. Without using these services, none of the features mentioned above will function.

Steffen Ullrich
  • But does it work the same with other services like Gmail or Outlook? – Deunis Sep 10 '19 at 08:57
  • 23
    @Deunis: It works for all mail providers you use with Spark. As for other providers which have this feature: on the one side providers like Google (Gmail) or Outlook (Microsoft) already have your credentials which you use for their own service. On the other side they have already authenticated that these mails come from you and thus can send them later. – Steffen Ullrich Sep 10 '19 at 11:29
  • 11
    @SteffenUllrich I hope Google (GMail) doesn't have my credentials but just a hash of my password. For something like „send later“ via other providers you really need the password. – BlackJack Sep 10 '19 at 15:54
  • 8
    For platforms like Gmail such features can be implemented without actually storing your password. Gmail has OAuth authentication for 3rd party access. So the client just needs your permission (you will be redirected to Google account page for this) and then Gmail will send a cryptographic token that the client needs to store. The advantage of this is that at any time you can open your Google account page and revoke any token you no longer trust/need – slebetman Sep 11 '19 at 09:02
  • 1
    Your credentials towards Google are basically just for identifying you to Google anyhow. Google could send anything they want in your name, anytime. If you don't sign your messages yourself with a key that Google doesn't have there's no getting around that. – Lassi Kinnunen Sep 12 '19 at 08:47

12

Any online service that acts on your behalf with other network services will normally need to store the credentials needed for those other services. While there are other ways to implement authentication between services, such as OAuth2, in practice very few services implement such mechanisms. So when an online application needs to perform on your behalf, it mimics a client application like a web browser or mail client.

For example, personal finance applications (e.g. Mint) often provide a way to view all your financial accounts (bank accounts, credit cards, brokerages, mortgages, etc.) in one place. They require you to enter the username and password (and maybe even security questions) for each of those services, so that they can login and download the information.

Barmar
  • To be clear, keychain passwords aren't stored in plaintext. – Alexander Sep 10 '19 at 23:12
  • 1
    The question is about a service (Spark) that sends emails on behalf of the OP when he has his computer off, using a third party mail provider. You are describing the process without taking into account the middleman. – Ángel Sep 11 '19 at 00:47
  • @Ángel I didn't know what Spark is, the question says it's an email client, so I assumed it was a local application like Mail or Thunderbird. – Barmar Sep 11 '19 at 14:39
  • 1
    But "even when the computer is turned off" should have been a clue :) – Barmar Sep 11 '19 at 14:40
  • This is not necessarily true. Online services acting as a middleman could store an authorization token without storing the credentials themselves. – jamesdlin Sep 11 '19 at 16:42
  • @jamesdlin In an ideal world where all these sites provide APIs that could be true, and I think it was a "Web 2.0" dream. But in practice, almost everyone is just web-scraping. – Barmar Sep 11 '19 at 16:45
  • Oh, I definitely agree that in practice almost everything is going to want your credentials. I'm just refuting that it's *necessarily* that way. – jamesdlin Sep 11 '19 at 16:51
  • True, I've updated the answer to explain that this is the normal method rather than the necessary method. – Barmar Sep 11 '19 at 17:07
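The answer and its comments contrast storing the password itself with holding an OAuth2 token the user can revoke. The following is an added example, not Spark's or any provider's code: a toy hosted "send later" scheduler enrolled under each model, with the mail-provider side checking the `AUTH` command it replays. The SASL PLAIN encoding is from RFC 4616 and the XOAUTH2 initial-response layout is the one documented for Gmail; the account, password, token store and the `mail.send` scope name are constructed for the example.

```python
"""Two delegation models for a hosted 'send later' scheduler, and what each
leaves in the scheduler's database.  Accounts, passwords, tokens and the
"mail.send" scope are constructed for this example."""
import base64
import secrets


def auth_plain_initial_response(user, password):
    """SASL PLAIN (RFC 4616): base64(NUL authcid NUL passwd), empty authzid."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def recover_password_from_plain(blob):
    """Whatever is stored to replay AUTH PLAIN later decodes back to the password."""
    _, _, password = base64.b64decode(blob).decode().split("\0")
    return password


def xoauth2_initial_response(user, access_token):
    """SASL XOAUTH2: base64('user=' user ^A 'auth=Bearer ' token ^A ^A)."""
    payload = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(payload.encode()).decode()


class AuthorizationServer:
    """Toy OAuth2 authorization server run by the mail provider: issues scoped
    tokens and lets the user revoke them from the account page at any time."""

    def __init__(self):
        self._tokens = {}  # token -> (user, scope)

    def issue(self, user, scope):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, scope)
        return token

    def revoke(self, token):
        self._tokens.pop(token, None)

    def valid(self, token, user, scope):
        return self._tokens.get(token) == (user, scope)


class MailServer:
    """Mail-provider side: accepts either mechanism on the AUTH command."""

    def __init__(self, passwords, auth_server):
        self.passwords = passwords  # user -> password (toy store, plaintext)
        self.auth_server = auth_server

    def authenticate(self, command):
        _, mech, blob = command.split(" ", 2)
        decoded = base64.b64decode(blob).decode()
        if mech == "PLAIN":
            _, user, password = decoded.split("\0")
            return self.passwords.get(user) == password
        if mech == "XOAUTH2":
            fields = dict(f.split("=", 1) for f in decoded.split("\x01") if f)
            auth = fields.get("auth", "")
            token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
            return self.auth_server.valid(token, fields.get("user"), "mail.send")
        return False


class SendLaterService:
    """Hosted scheduler: persists one secret per account and replays it later."""

    def __init__(self):
        self.store = {}  # user -> ("password", pw) or ("token", tok)

    def enroll_with_password(self, user, password):
        self.store[user] = ("password", password)

    def enroll_with_token(self, user, token):
        self.store[user] = ("token", token)

    def auth_command(self, user):
        kind, secret = self.store[user]
        if kind == "password":
            return "AUTH PLAIN " + auth_plain_initial_response(user, secret)
        return "AUTH XOAUTH2 " + xoauth2_initial_response(user, secret)

    def database_dump(self):
        """What an attacker who reads the scheduler's storage obtains."""
        return dict(self.store)


def scenario():
    """Run both models end to end; report what leaks and whether the mail
    server still accepts the scheduler after the user revokes the token."""
    user, password = "alice@example.com", "correct horse battery staple"
    auth_server = AuthorizationServer()
    mail = MailServer({user: password}, auth_server)

    with_password = SendLaterService()
    with_password.enroll_with_password(user, password)
    password_model_ok = mail.authenticate(with_password.auth_command(user))

    with_token = SendLaterService()
    token = auth_server.issue(user, "mail.send")
    with_token.enroll_with_token(user, token)
    token_model_ok = mail.authenticate(with_token.auth_command(user))
    auth_server.revoke(token)  # user revokes from the provider's account page
    after_revoke = mail.authenticate(with_token.auth_command(user))
    return {
        "password_model_ok": password_model_ok,
        "password_leaked": with_password.database_dump()[user][1] == password,
        "token_model_ok": token_model_ok,
        "token_model_after_revoke": after_revoke,
        "token_store_contains_password": password in str(with_token.database_dump()),
    }
```

Under the password model the scheduler's database is the password, and a breach there is a breach of the mail account; under the token model the database holds only a scoped, revocable credential, and revoking it at the provider cuts the scheduler off without a password change.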