On 14 June 2017 at 18:04, Ken O'Driscoll via mailop <mailop@mailop.org> wrote:
> Hi Stefano,
>
> Are you spoofing a Gmail From address so that it matches the To address of
> the Gmail user and then wondering why a security alert appears in Gmail?

I have a good understanding of what spoofing is and what DMARC alignment is (I also developed Java implementations of SPF and DKIM and an SMTP server, just to let you know I know the whys and whats of spoofing). My question is WHY Gmail alerts me when From and To are equal and the message is received from an external server, but at the same time doesn't care to alert me if the From is another Gmail address or if the To doesn't contain my address (because I was in BCC). Spoofed emails usually try to make you believe the sender is a friend/customer/coworker/supplier, not yourself: that's why this message surprised me (Google preferred to deal with a minor use case before the bigger use case).

I should have made it clearer that I'm not complaining at all about Gmail: I just wrote here to discuss the quality and "rationale" behind this "new message", and to know what other mailoppers think about it and if this created issues for them. You know, there are a lot of WRONG/BAD/LEGACY "web forms" that will send you a notification using your email in From and To: this is of course wrong and it won't work when the domain is protected through DMARC, but in this case gmail.com is not protected by DMARC, and if it were a DMARC evaluation it should trigger also for different Gmail senders; instead they decided to trigger only this specific case. I mean: if I get an email "from myself" I already know if I was the author or not .. I know what I wrote. So it sounds "useless" compared to warning me when I get an email to another Gmail user from an external server (which currently is not flagged in any way).

I thought that other mail admins here have customers using outdated websites and creating similar emails, with From and To being the same address submitted in a website form, so if this is a new message it will start being noticed. Searching Google for that specific message found only one result, in the Google product forum from a few weeks ago, but the answer is about DKIM or SPF failing (which is not the case). I'm not trying to do anything, just trying to understand why Google decided to add this specific message with such a limited scope.

I also found it is "buggy" because it doesn't happen if the email has dots in the local part. It only happens if the To uses the "canonical" version of the local part (without dots). So name.surn...@gmail.com won't see that warning, while namesurn...@gmail.com will see the warning.

I thought it was just some limited test of a bigger feature, but I saw the message has been correctly translated into multiple languages and it refers to "your account", so the message scope itself is very narrow.

Stefano

PS: maybe this list is used for "complaints" and "how to get a contact at a given provider", so I don't know if this generic discussion about Google's approach to user spam/spoofing warnings is an interesting/appropriate topic.

> Apologies if I misunderstand what you are trying to do.
>
> Ken.
>
> --
> Ken O'Driscoll / We Monitor Email
> t: +353 1 254 9400 | w: www.wemonitoremail.com
>
> Need to understand deliverability? Now there's a book:
> www.wemonitoremail.com/book
>
>
> On Wed, 2017-06-14 at 17:29 +0200, Stefano Bagnara wrote:
> > Recently (a few weeks ago) we started having reports about this warning on
> > Gmail on some notification emails:
> >
> > "This may be a spoofed message. Gmail couldn't verify that it was
> > actually sent from your account."
> >
> > After a few tests we identified the pattern enabling this error:
> >
> > From: <acco...@gmail.com>
> > To: <acco...@gmail.com>
> >
> > with
> >
> > SPF: PASS
> > DKIM: PASS
> > DMARC: FAIL (but gmail.com still publishes p=none)
> >
> > The message has been sent from our server with our own "mail
> > from"/"return-path" (so SPF and DKIM pass but of course do not align to
> > the gmail domain).
> >
> > If you change the From or the To header to another Gmail address (not
> > related to the account) the warning disappears.
> >
> > This doesn't look like a DMARC check because the message explicitly says
> > "from your account", so it seems a specific message to catch messages with
> > "From" corresponding to the account itself, and I checked that it appears
> > only if the "To" header contains the same account.
> >
> > What do you think is the point of this kind of message, so "narrow" in
> > scope (email from and to the same account, failing DMARC)? This doesn't
> > happen if the From is any other Gmail account (while DMARC still fails,
> > of course).
> >
> > Is this just a sign Gmail is testing, getting ready to enable DMARC with
> > p=quarantine on its own domain? (like the news has been announcing for a couple
> > of years ;-) )
> >
> > Also, this is different from the "spoofing warning" that will be shown
> > if the sender is similar to your address, like substituting a zero with an
> > o letter or vice versa:
> >
> > "Be careful with this message. Our systems couldn't verify that this
> > message was really sent by gmail.com. You might want to avoid clicking
> > links or replying with personal information."
> >
> > The former doesn't end up in the spam folder, while the latter also results in
> > spam classification (and it is also more understandable).
> >
> > Stefano
> >
> > PS: I'm not looking for solutions like "change the From so your DMARC
> > aligns", I'm mainly trying to understand the rationale of a similar
> > message instead of simply enabling DMARC for the gmail domain and using a
> > more generic message about "sender authentication" instead of "your
> > account".
> >
> > --
> > Stefano Bagnara
> > Apache James/jDKIM/jSPF
> > VOXmail/Mosaico.io/VoidLabs
_______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
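An added example, not code from this thread or from Gmail: it models in Python the two checks the discussion turns on, DMARC identifier alignment as defined in RFC 7489 (SPF or DKIM must pass AND its domain must align with the RFC5322.From domain), and the "from your account" warning condition reconstructed from the behaviour Stefano reports (DMARC fails and From and To both literally equal the account's dotless canonical address, which is why a dotted To skips it). The simplified organizational-domain rule, the Gmail canonicalization and all addresses are assumptions.

```python
def org_domain(domain: str) -> str:
    """Simplified organizational domain (last two labels). Assumption:
    a real implementation must consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """DMARC identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed) only needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(from_domain: str, spf: str, spf_domain: str,
                 dkim: str, dkim_domain: str,
                 aspf: str = "r", adkim: str = "r") -> str:
    """'pass' when SPF or DKIM passed AND that identifier aligns with the
    From domain, else 'fail'. The published policy (e.g. gmail.com's
    p=none) is applied to a 'fail' separately by the receiver."""
    spf_ok = spf == "pass" and aligned(from_domain, spf_domain, aspf)
    dkim_ok = dkim == "pass" and aligned(from_domain, dkim_domain, adkim)
    return "pass" if (spf_ok or dkim_ok) else "fail"


def gmail_canonical(addr: str) -> str:
    """Assumed Gmail canonical form: lowercase, dots removed from the
    local part, any +tag dropped. Other domains are only lowercased."""
    local, _, domain = addr.strip().lower().partition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "").split("+", 1)[0]
    return f"{local}@{domain}"


def own_account_warning(account: str, from_addr: str,
                        to_addr: str, dmarc: str) -> bool:
    """Model of the observed warning: DMARC failed and both the From and
    the To header literally equal the account's canonical (dotless)
    address. Comparing the headers literally instead of canonicalizing
    them reproduces the reported 'dotted To never warns' behaviour."""
    canon = gmail_canonical(account)
    return (dmarc == "fail"
            and from_addr.strip().lower() == canon
            and to_addr.strip().lower() == canon)
```

The notification case from the thread (From/To the user's own Gmail address, SPF and DKIM passing for the sending server's domain) yields `dmarc_result(...) == "fail"` and, with a dotless To, `own_account_warning(...) == True`.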