Why was an email delivered to my account even though I'm not listed in the To or Cc list of addresses?
The content of an email is completely independent of how the email is delivered between computers on the internet. Thus, the addresses you see on the To and Cc lines of an email do not necessarily have any relation to who the email was actually delivered to. Similarly, the From line of an email doesn't necessarily specify who sent the email. They have nothing to do with the delivery process.
All legitimate email software and systems do set the To and From lines of email to correspond with who the email was sent from and to. Spam-sending software, however, will usually forge the values.
Unfortunately, the email system was designed back in the early days of the internet, when it was simply used to send messages between trusted university computers and no one had a need or reason to forge the headers.
How email is sent
If the actual content of the email doesn't control where the email goes, what does? This is done by a separate protocol called SMTP (Simple Mail Transfer Protocol). When email is handed over from one computer (the "SMTP client") to another computer (the "SMTP server"), the sending computer declares a sender address (the "envelope-from", which is the address that bounce messages will go to if delivery fails at a later stage) and one or more recipient addresses ("envelope-to"), which designate the destination to send the message to.
These addresses are not part of the email message itself, and normally they are just discarded once the message has been delivered. However, at Fastmail we add special headers called X-Mail-from (for "envelope-from") and X-Delivered-to (for "envelope-to") to the email so you can always see how the message ended up at your account.
We also add another header, X-Resolved-to, that designates the final address that was used for internal delivery to your mailbox. This address is determined by the address in X-Delivered-to using the resolving rules described in our documentation of the process email delivery goes through.
You can view these headers for an email by clicking the "Show Raw Message" option in the "More" menu at the top right of each message.
There is a legitimate case where the To and Cc lines may not list your address. That's when someone sends to you via Bcc. When someone Bcc's you in on an email, their email client uses your address in the "envelope-to" when delivering, but removes the Bcc header before sending. So if you see your address in the X-Delivered-to header but not in To or Cc in legitimate mail, it means that the sender put your address in the Bcc field in their email client.
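
The comparison described above, as an added example (not Fastmail's code): it reads the X-Mail-from and X-Delivered-to headers from a raw message and checks them against From, To and Cc. The sample message and every address in it are constructed, and the function names are hypothetical.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: the envelope recipient is absent from To/Cc, and the
# envelope sender differs from the From header.
RAW = """\
X-Mail-from: bounce@mailer.example.net
X-Delivered-to: alice@example.com
X-Resolved-to: alice@example.com
From: "Your Bank" <support@bank.example>
To: undisclosed@example.org
Cc: bob@example.org
Subject: Account notice

Body text.
"""


def _addrs(msg, *names):
    """Return the lower-cased addresses found in the named headers."""
    values = []
    for name in names:
        values.extend(msg.get_all(name, []))
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def compare_envelope(raw):
    """Compare the recorded envelope addresses with the visible headers."""
    msg = message_from_string(raw)
    env_to = _addrs(msg, "X-Delivered-to")
    env_from = _addrs(msg, "X-Mail-from")
    visible_rcpts = _addrs(msg, "To", "Cc")
    header_from = _addrs(msg, "From")
    return {
        "envelope_to": sorted(env_to),
        "envelope_from": sorted(env_from),
        # Envelope recipients that appear in neither To nor Cc: Bcc in
        # legitimate mail, or headers that were never tied to delivery.
        "not_in_to_or_cc": sorted(env_to - visible_rcpts),
        # True when the bounce address and the displayed sender differ.
        "from_differs": bool(env_from) and env_from.isdisjoint(header_from),
    }


if __name__ == "__main__":
    for key, value in compare_envelope(RAW).items():
        print(f"{key}: {value}")
```

A differing envelope sender is also normal for mailing lists and bulk-mail services, so read `from_differs` as context rather than as proof of forgery.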