Securely Send Mail from Code with Python

Securely send mail from code: Sending mail with Python is very easy. just a few lines of code. But what that password that you are writing in your source code?

Let’s talk about sending emails with Python first.

Send mail in 4 Lines of Code with Python

I cover this in my free course on Monitoring Online Store Prices. You can sign-up and see how to send mail along with topics like web scrapping and CSV. Here is the simple code:

with smtplib.SMTP("",587) as smtp:
    smtp.login(USER, PASS)
    smtp.sendmail(from_address, to_address, message_text)

Note that I have not used ehlo()— read as “Hello”. This is optional here as it is sent anyway in the background. Your code would work without it but include if you get errors. See my free course for the working example.

The above will not send a subject. If you want to send Subjet too, create a string with this syntax where xxx is your subject line yyy is your mail body – Subject:xxx\n\nyyy

subject_and_message = f"Subject:{subject}\n\n{body}"
smtp.sendmail(from_address, to_address, subject_and_message)

Wait! This code will not work until you turn on this setting in Google account

Turn on Less Secure Apps

Note that for this code to work, you would need to turn on Less Secure Apps in Google Account settings. More on this later. Let’s talk about the security loopholes here.

Security Loophole – Password in your code!

The biggest loophole in this code is that USER and PASS need to be stored in the code somewhere. This obviously is a huge security loophole.

You can remove it from the code by:

  • Save it in a separate file and add to .gitignore so that it is not saved in the code repository
  • Better yet, create an environment variable on the machine where the code is running and in the source code, just read this.
import os

# Print all variables as key-value pairs

# Returns value of variable PASS. Raises KeyError if not found

# Returns value of variable PASS. Returns None if not found

# Returns value of variable PASS. Returns DEFAULT if not found

This should take care of the loophole one.

Now about to Less secure apps. Without turning it on, Google will not allow you to send mail programmatically without it and turning it on will “make it easier for hackers to get into your account.”

So what is the best way to secure your account? The answer is two-factor authentication. So you would need your password AND a second temporary password, like a code from SMS, to log into your account.

The problem is that if you can’t use two-factor authentication programmatically.

Does it sound like catch-22? Actually, Google has an answer:

Meet App Passwords

Securely send mail from code is possible with App Passwords.

These are special 16 character passwords, generated by Google to be used by apps only. These will bypass two-factor authentication, but cannot be used to login to your Google account directly.

Go to to create one and use that for your programming needs!

5 2 votes
Article Rating
Notify of
Newest Most Voted
Inline Feedbacks
View all comments
3 years ago

interesting , love it and loved your master course

3 years ago
Reply to  nasser.b

Thank you @nasser.b

You May Also be Interested In These Blogs