Naked Security

Safer Gmail: more warnings against fakes, phishers, and spoofers

Google is toughening up Gmail’s safeguards to make email just a little bit safer. Soon, you’ll be seeing more warnings about potentially dangerous messages… though what you do about those warnings continues to be entirely up to you.

A bit of background is in order. Google’s Gmail attempts to validate inbound messages using one of two systems.

The first, Sender Policy Framework (SPF), attempts to protect against sender address forgery (what’s commonly called spoofing) by allowing a domain’s owner to publish the IP addresses of the mail servers it uses.

Not all domain owners are willing or able to publish definitive SPF records (for example if they regularly allow third-party email marketing companies to send email for them), but properly-maintained SPF records can help receiving servers like Google’s to check for spoofed email.

The second verification system, DomainKeys Identified Mail (DKIM), allows a sending organization to include a digital signature of the message that a recipient can validate. If the email fails the DKIM check, then it was probably sent by an imposter who didn’t have the necessary signing key to pass the test, or was modified along the way.

Now, if a message can’t be validated by SPF or DKIM, you’ll see a question mark in place of the sender’s profile photo, corporate logo, or avatar.

Unfortunately, a message that can’t be validated isn’t necessarily trouble. But it certainly ought to raise your antennae. Especially if the sender’s asking you for something – like, say, a payment, your bank details or your social security number.

The question mark’s still a bit subtle, but at least you won’t have to click any tiny down-arrows most folks never even knew existed, which is what you had to do before.

There’s nothing subtle at all about Gmail’s second new warning:

If you receive a message with a link to a dangerous site known for phishing, malware, and Unwanted Software, you’ll begin to see warnings when you click on the link… The full-page warning will [say]: Warning – visiting this web site may harm your computer!

That’s pretty clear!

You might not see these changes instantly. According to Google’s 10 August message, it’s “launching to rapid release, with scheduled release coming in 2 weeks,” and will be rolled out gradually to Gmail’s massive user base.

The new features have been publicized as a boon for companies using Google Apps for Business, but they’re intended for every Gmail user, business or otherwise.

6 Comments

If you download your Gmail into another mail client will the results of these new checks be in the header information – and therefore detectable by the client software?

I am glad that the internet is becoming more secure. I think that it was becoming a place in which people were being far too cautious. I think most ecommerce companies were feeling the pinch in that respect and generally people would hold their card closer to their chest. It’s still far from being a secure internet but as long as we are on the right track I am happy with that.

SPF is a fantastic idea and should be implemented wherever possible. Depending on your environment it can be absurdly simple to set up.

Too bad as email freeloading consumers that we don’t have the option to block overseas domains or limit those that don’t have SPF – I think worth paying for.

This is good news; thanks for sharing. The early days of email couldn’t possibly have foreseen the hordes of spammers as an established industry, but would’ve been nice. Recovery has been (will be) arduous.

PS: I myself have been making more spacebar typos lately with errant thumbs–odd. Anyway: 7th paragraph: detailsvor
