
What is the best way for a car rental company to let customers email their friends about car rental availability using the customer's Gmail account?

Matthew Whittaker
Co-founder & CTO, Suped
Published 6 Aug 2025
Updated 17 Aug 2025
7 min read
When a car rental company wants to enable its customers to email their friends about car availability using the customer's personal Gmail account, it presents a unique challenge. This isn't a typical email marketing scenario where the company sends emails from its own domain. Instead, it involves leveraging individual user email accounts, which requires a specific technical and security-focused approach.
The primary method for achieving this is through deep integration with Google's APIs, specifically using OAuth 2.0 for user authentication and authorization. This approach transforms the car rental platform into, effectively, a temporary email client that sends messages on behalf of the customer, not the company.

Leveraging the Gmail API with OAuth 2.0

The core of this solution lies in OAuth 2.0. This is an authorization framework that allows a third-party application (the car rental platform) to gain limited access to a user's service (their Gmail account) without ever handling their actual password. The customer grants explicit permission for the platform to send emails on their behalf. The process involves several steps.
  1. Initiate Authorization: When the customer decides to share car availability via email, the platform redirects them to Google's authentication server.
  2. User Consent: The customer logs into their Gmail account and reviews the permissions requested by the car rental platform (e.g., to send emails on their behalf). They explicitly grant or deny this access.
  3. Authorization Code: If consent is given, Google sends an authorization code back to the car rental platform.
  4. Access Token: The platform exchanges this code for an access token and optionally a refresh token. The access token is what grants the platform temporary permission to interact with the Gmail API on the user's behalf.
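The four steps above, as an added example that is not part of the original article or of any Suped or Google code. It uses only the Python standard library and assumes a server-side session dict; the client id, client secret and redirect URI are placeholders. It requests only the gmail.send scope and binds the callback to the session with a state value and PKCE so a forged or replayed callback is rejected.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical client settings: the client id, secret and redirect URI are placeholders.
CLIENT_ID = "PLACEHOLDER_CLIENT_ID.apps.googleusercontent.com"
CLIENT_SECRET = "PLACEHOLDER_CLIENT_SECRET"  # load from a secrets store, never ship to the browser
REDIRECT_URI = "https://rental.example/oauth/callback"
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
SCOPE = "https://www.googleapis.com/auth/gmail.send"  # least privilege: send only, no mailbox read


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def start_authorization(session: dict) -> str:
    """Step 1: build the redirect URL; keep the CSRF state and PKCE verifier
    in the customer's server-side session so the callback can be checked."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    session["pkce_verifier"] = secrets.token_urlsafe(64)
    challenge = _b64url(hashlib.sha256(session["pkce_verifier"].encode()).digest())
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": SCOPE,
        "state": session["oauth_state"],
        "access_type": "offline",  # also request a refresh token (step 4)
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> dict:
    """Steps 2-4: reject a denied or forged callback, otherwise return the
    form body to POST to Google's token endpoint for the access/refresh tokens."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:  # the customer denied consent on Google's page
        raise PermissionError(query["error"][0])
    state = query.get("state", [""])[0]
    expected = session.pop("oauth_state", "")  # single use: a replayed callback fails
    if not expected or not secrets.compare_digest(state, expected):
        raise ValueError("state mismatch: possible CSRF, discard this callback")
    return {
        "grant_type": "authorization_code", "code": query["code"][0],
        "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
        "redirect_uri": REDIRECT_URI, "code_verifier": session.pop("pkce_verifier"),
    }
```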
With the access token, the car rental company's platform can then use the Gmail API to construct and send an email using the customer's Gmail account. The email will appear to friends as if it was sent directly by the customer, complete with their Gmail address as the sender. This method strictly adheres to Google's security protocols and avoids any form of email spoofing.
Conceptual Gmail API call to send a message (HTTP):

  POST /upload/gmail/v1/users/me/messages/send?uploadType=media HTTP/1.1
  Host: gmail.googleapis.com
  Authorization: Bearer YOUR_ACCESS_TOKEN
  Content-Type: message/rfc822

  To: friend@example.com
  From: customer@gmail.com
  Subject: Check out my car rental availability!

  Hi [Friend's Name],

  My car is now available for rent on [Car Rental Company Name]! Check it out here: [Link to Car Details]

  Best,
  [Customer's Name]
This approach is effective because it leverages the legitimate authentication flow established by Google. It ensures that emails are sent with proper authorization, maintaining trust and deliverability. Without OAuth 2.0, attempting to send emails from a user's account would be considered unauthorized and would likely result in messages being blocked or flagged as spam, potentially even leading to a blacklist (or blocklist) for the company's platform if attempted incorrectly or at scale.
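The same send, built the way the JSON form of users.messages.send expects it (an RFC 822 message base64url-encoded into the raw field), as an added example that is not part of the original article or of Google's client libraries. Standard library only; the company name, addresses, link and token are constructed placeholders. The check that From equals the account that granted access keeps the platform from ever putting its own or another address on a customer's message.

```python
import base64
import json
from email import message_from_bytes, policy
from email.message import EmailMessage

# Endpoint of users.messages.send; the access token and addresses used with it are constructed.
SEND_URL = "https://gmail.googleapis.com/gmail/v1/users/me/messages/send"


def build_share_message(sender, recipient, friend_name, customer_name, car_url) -> bytes:
    """Render the article's template as an RFC 822 message. `sender` must be the
    Gmail address that granted the gmail.send scope."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Check out my car rental availability!"
    msg.set_content(
        f"Hi {friend_name},\n\nMy car is now available for rent on Example Rentals! "
        f"Check it out here: {car_url}\n\nBest,\n{customer_name}\n"
    )
    return msg.as_bytes()


def gmail_send_request(access_token: str, authorized_email: str, rfc822: bytes) -> dict:
    """Wrap the message as users.messages.send expects: JSON with the
    base64url-encoded message in `raw`, authorised by the customer's bearer token."""
    parsed = message_from_bytes(rfc822, policy=policy.default)
    if parsed["From"] != authorized_email:
        raise ValueError("From must be the account that granted access, not a platform address")
    return {
        "method": "POST",
        "url": SEND_URL,
        "headers": {"Authorization": f"Bearer {access_token}",
                    "Content-Type": "application/json"},
        "body": json.dumps({"raw": base64.urlsafe_b64encode(rfc822).decode("ascii")}),
    }


def decode_raw(body: str) -> EmailMessage:
    """Recover the message from a request body, e.g. for an audit log or a test."""
    raw = json.loads(body)["raw"]
    return message_from_bytes(base64.urlsafe_b64decode(raw), policy=policy.default)
```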

Security and compliance with Google's policies

While the Gmail API offers a robust solution, there are crucial security and compliance considerations. Google has strict policies for applications requesting access to user data, especially sensitive scopes like sending emails. The car rental company will likely need to undergo a security review process with Google to ensure their application is trustworthy and handles user data responsibly.

Security best practices

  1. Least privilege: Request only the minimum necessary Gmail API scopes. For sending emails, this is typically the gmail.send scope.
  2. Secure storage: Handle and store access and refresh tokens securely, encrypting them at rest and in transit.
  3. Consent transparency: Clearly communicate to the user exactly what permissions they are granting and why.
  4. Revocation: Provide an easy way for customers to revoke the car rental company's access to their Gmail account permissions directly from the platform, in addition to Google's own security settings.
Failing to adhere to these security measures and Google's policies can lead to the application being flagged, restricted, or even banned from using the Gmail API. This would severely impact the car rental company's ability to offer this specific feature to its customers.
It's also worth noting that Google imposes sending limits on individual accounts. While unlikely to be an issue for casual sharing among friends, if a customer attempts to send a very large number of emails through this feature, they might hit Gmail's daily sending thresholds, potentially leading to a bounce or temporary block on their account.

User experience and trust

Even with the technical framework in place, the user experience for both the car owner and their friends is paramount. The email template provided by the company should be designed for clarity and impact, making it easy for friends to understand the offer and take action. Consider what makes effective follow-up emails in a business context, adapted for a personal tone.
Since the email is coming from a friend, it inherently carries more trust than a typical marketing email from an unknown sender. This can significantly improve the chances of the email being opened and the offer being considered. However, the company should provide a template that feels personal yet professional, reflecting both the friend's recommendation and the car rental brand.

User consent flow

The process requires the car owner to actively grant permission. This adds a step, but ensures legal compliance and builds trust by keeping the user in control.

Email appearance

Emails are sent directly from the customer's Gmail account, complete with their name and photo, increasing authenticity.

Deliverability impact

Email deliverability is managed by Google for the user's account, relying on their individual sender reputation rather than the company's domain. However, abuse could lead to IP blocklisting.

Scalability considerations

While effective for individual shares, this method isn't suitable for mass marketing campaigns due to Gmail's sending limits and API rate limits.
The design of the in-app experience for the customer is also important. It should be intuitive, clearly explain the benefit of sharing, and make the process of selecting friends and sending the email seamless. Minimizing friction at each step will encourage greater adoption of this sharing feature.

Alternative approaches to sharing

While allowing customers to send emails from their own Gmail accounts is a specific request, it's beneficial to consider broader email marketing strategies for car rental companies. General email marketing best practices, such as segmenting email lists for personalized messages, are still crucial for the company's direct outreach.
For the company's own marketing emails, it's essential to maintain excellent email deliverability to ensure messages reach the inbox. This includes properly configuring authentication records like SPF, DKIM, and DMARC, monitoring sender reputation, and avoiding spam traps. Improving email deliverability directly impacts the success of promotional and transactional emails.
Consider implementing a referral program where customers can share a unique link, rather than directly emailing. This approach often simplifies the process, provides trackable metrics, and keeps the company's email marketing separate from personal communications, adhering to email marketing compliance standards. If customers want to email, they can copy the link and send it themselves, using their own Gmail account organically.

Views from the trenches

Best practices
Always prioritize user consent and transparency in any integration with personal email accounts.
Thoroughly review and comply with Google's API security and access policies to avoid service disruptions.
Design email templates that balance brand messaging with a personal, friend-to-friend tone.
Offer clear instructions to customers on how to use the sharing feature and what to expect.
Common pitfalls
Attempting to send emails from customer accounts without explicit OAuth 2.0 authorization, leading to blocks.
Requesting excessive Gmail API scopes, which can trigger Google security reviews and user mistrust.
Not accounting for Gmail's daily sending limits on individual accounts, causing delivery issues for users.
Ignoring Google's security review process for applications accessing user data, risking API access suspension.
Expert tips
For large-scale sharing or marketing, consider using trackable referral links that customers can copy and share.
Provide an in-app prompt encouraging users to forward company-generated emails directly from their inbox.
Implement robust error handling and user feedback if a customer's email fails to send due to API limits.
Regularly monitor your application's API usage and adherence to Google's terms of service.
Expert view
Expert from Email Geeks says you cannot send emails using a user's consumer email address via third-party platforms unless you obtain explicit consent and necessary credentials, likely through OAuth 2.0, to send mail on their behalf via the proper SMTP servers.
September 20, 2024 - Email Geeks
Marketer view
Marketer from Email Geeks says attempting to spoof someone's email address is problematic, and it is better to provide details for the user to forward to their friends directly to avoid issues with processing data without consent.
September 20, 2024 - Email Geeks

Final considerations

For a car rental company to enable customers to email friends about car availability using their personal Gmail accounts, the Gmail API with OAuth 2.0 is the most legitimate and secure approach. This method prioritizes user consent and aligns with Google's stringent security requirements, ensuring emails are delivered reliably and without being flagged as spam. This avoids issues that could arise from unauthorized sending.
Implementing this feature requires careful attention to security, user experience, and compliance with Google's API policies. While complex, it empowers customers to act as authentic brand advocates, facilitating trusted referrals. Companies must also continue to prioritize their own email deliverability for direct communications, ensuring all their email efforts yield the best possible results.
