How-to: Act on Gmail Forged Mail Warnings
You'll see this warning if a sender is claiming to be from Gmail, but the service can't confirm that the email actually originated from a Gmail sender. Like most third party messaging services, all mails sent through Gmail contain authentication data in the message header that can verify that the message was sent through Gmail.
So if you see this warning, how should you act on it?
This warning usually indicates that the mail is missing some or all the authentication data. To protect against email 'spoofing', Gmail analyses the headers as the traffic flows into the inboxes.
Missing authentication data may suggest that the message is forged - it didn't originate from the named sender; or else it came through a website that did not provide information about the origin of the message. In the case of third party sites where user can opt to email bookmarks to you, most reputable ones will carry some authentication, in which case Gmail will display the sender's name and the service that authenticated the message.
Given the number of scams and phishing attacks, the last thing you should do is ignore the warning. If you see such a warning in your inbox, consider the following:
- treat it as suspicious, don't provide personal information by return, even if it purports to be from someone you know
- if it is from persons unknown, read the message body and decide if it is trivial or meaningful
- if you think any email is an attempt to get your personal information, click the Report phishing link in Gmail
- if it's trivial, you can then simply trash it! There's too much spam in the world for you to go wasting your time on
- if it's not trivial - that is, the content is something in your interest, don't let your guard down
- even if you recognise the sender's name; it may not be from them, treat it as suspicious until you confirm by a trustworthy route it is from them.
If you establish that the message was really sent by the sender, fine, treat it as legitimate; but do point out that these warnings are are appearing and they really need to re-configure their mail or have their mail service provider do it for them;
- missing authentication data may consign the mail to the spam folder of trash of some mail-servers, or simply bounce it back as undeliverable (according to the destination server's authentication rules), so its in their interest to get it right.
- if the message is forwarded and the authentication information is modified in the process, that is another cause for concern the sender needs to know about. There are best practices for forwarding mail through another email account, the forwarding mail server should not attempt to modify or delete message headers to ensure authentication data is preserved.
What Counts as authentic?
Gmail checks whether emails are correctly authenticated either against a complete SPF record1 or a DKIM3 signature both of which should be associated with the sender's domain.
So what does that mean?
- An SPF record is a list of IP addresses that are authorized to send mail for a particular domain. The rules for publishing an SPF record are maintained by the Open SPF organisation, http://www.openspf.org.
- A domain is the plain-text name for an IP address - that's a website or web address to you and me.
- DKIM stands for DomainKeys Identified Mail, a way to digitally sign messages and verify that the messages were sent by a particular domain. Not only a signature in the conventional sense, the key is generated from an algorithm partly based on the content of the message; anyone changes the content of the message envelope, the signature's key value will no longer match that calculated by the algorithm when the message arrives at the destination server.
Above all, in the words of the great Douglas Adams, DON'T PANIC. Messaging across the Internet is a complex, fragile, breakable thing. Not every warning is of malice aforethought. Be alert. Give nothing away. Report what you can, trash the junk. RC
Photo by Andrew*