Solved

Any concerns with Google's new warning message from SPF and DKIM Signatures?

Posted on 2011-09-27
Last Modified: 2012-05-12
Hi Experts,

We have noticed when we use reporting applications (event viewer capture, backup reports, etc.) to send e-mail reports to and from Gmail accounts (or those controlled by Google Apps) we now get the warning message that “This message may not have been sent by…” even though we are sending on both ends.  We understand why it happens, the reporting applications don't have the ability to use SSL for e-mail so we are stuck using the SMTP server our ISP provides which means Google never gets the DKIM signature they want on the e-mail that shows it's coming from them.  We don't have any e-mail accounts with our ISP and to avoid confusion were just listing our normal Google controlled addresses in the to and from fields.  Is there any concern getting this message from Google?  The messages come through so far but want to make sure it won't eventually become blacklisted or anything.  It seems the message only shows up in the Gmail interface, it doesn't come up in any e-mail clients accessing Google.  

See this link for what we mean: http://mail.google.com/support/bin/answer.py?answer=185812

Thanks
Question by:Jsmply
11 Comments
 
LVL 21

Expert Comment

by:Papertrip
ID: 36711824
Hi,

So it seems you have several variables here -- reporting app, gmail <-> gmail mails, gapp <-> gmail mails, relaying through your ISP, etc.

Let's take a different approach, paste the headers from one of those suspect emails so we can see the exact flow.
0
 

Author Comment

by:Jsmply
ID: 36711884
I'll try to clarify it to make it easier:

Reporting app (creates e-mail) > ISP SMTP Server sends email out for the reporting app (via Gmail address in to and from fields) > Received at Gmail account via Google (no ISP involvement)

Only issue is because it was sent through the ISP'S SMTP and not Gmail itself, Gmail gives the warning it might not actually be from the intended sender.

Does that make sense?  
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36711917
Yep.
> (via Gmail address in to and from fields)

That would be your problem.  Any specific reason you need the from address to be @gmail.com ?  You are basically doing exactly what DKIM attempts to prevent ;)
0
 

Author Comment

by:Jsmply
ID: 36711941
Just that we usually have all reports sent from the same To address (Gmail A) and received at the same From address (Gmail B) and because each site does not have the same ISP, it would take forever to find local ISP accounts for each one.  

Do you have a different recommendation?
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36711995
I'm not sure what you mean by other sites and ISP accounts.  If I understood the rest of your last reply correctly, then this should be able to be solved by doing the following:

envelope MAIL FROM = reports@yourdomain.com
body From = reports@yourdomain.com
Reply To = reports@gmail.com

In that scenario, your SPF and DKIM (if applicable) would be based on the envelope MAIL FROM (always is) but in this case it would be yourdomain.com instead of gmail.com.  Without the headers I'm taking a guess at the MAIL FROM being yourdomain.com.  Gmail is still sensitive to only the body From being gmail.com.

0
 

Author Comment

by:Jsmply
ID: 36712015
What I mean is, we use this software at several locations, the ISP varies from site to site.  We don't have our own domain in use.  Does that make sense?
0
 
LVL 21

Accepted Solution

by:
Papertrip earned 500 total points
ID: 36712076
> We don't have our own domain in use.
Ahhh I see what you mean now.

So the bottom line here is that you can't have envelope or body From's saying @gmail.com or @google.com etc.

You can either:

A.  Customize the app at each site to make the envelope From (and preferably body From) the same as whatever the ISP is sending it as.  Of course this presumes you can actually relay through each ISP.
B.  Purchase a domain, set up SPF at the very least, and make sure envelope From is yourdomain.com, and the body from should match that as well, but at the very least should not be @gmail.com, then the app config across sites can remain consistent.

Personally I would go with B -- the more you rely on each ISP, the more headaches you are going to have.
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36712094
I should mention that, if you were to send those mails to some non-google receiver, and if that receiver is validating mails from gmail.com (many are), then you will fail both SPF and DKIM verification.
0
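An added example, not part of the thread or any poster's code: a minimal SPF evaluator (ip4, include and all mechanisms only) showing why the envelope sender domain decides the result when the ISP's relay delivers the mail. The domains, addresses and SPF records are constructed placeholders; freemail.example stands in for the webmail provider, isp.example for the ISP, and yourdomain.example for a purchased domain as in option B.

```python
import ipaddress

# Constructed SPF TXT records standing in for DNS lookups. All names are
# placeholders and the addresses are documentation ranges.
SPF_RECORDS = {
    "freemail.example": "v=spf1 ip4:198.51.100.0/24 -all",    # webmail provider
    "isp.example": "v=spf1 ip4:192.0.2.0/24 -all",            # ISP relay pool
    "yourdomain.example": "v=spf1 include:isp.example -all",  # option B domain
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from, records=SPF_RECORDS, depth=0):
    """Evaluate a subset of SPF for the envelope MAIL FROM (or a bare domain)."""
    if depth > 10:  # guard against include loops (RFC 7208 caps lookups at 10)
        return "permerror"
    domain = mail_from.rpartition("@")[2].lower()
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            return RESULTS[qualifier]
        if name == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return RESULTS[qualifier]
        if name == "include":
            # An include matches only when the included record yields "pass".
            inner = check_spf(client_ip, arg, records, depth + 1)
            if inner == "pass":
                return RESULTS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
    return "neutral"  # nothing matched and the record has no "all" term


def scenarios(relay_ip="192.0.2.25"):
    """SPF result per envelope sender when the ISP relay hands over the mail."""
    senders = [
        "reports@freemail.example",    # current setup described in the thread
        "sitename@isp.example",        # option A: sender in the ISP's domain
        "reports@yourdomain.example",  # option B: own domain authorizing the ISP
    ]
    return {sender: check_spf(relay_ip, sender) for sender in senders}


if __name__ == "__main__":
    for sender, result in scenarios().items():
        print(f"{sender:32} {result}")
```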
 

Author Comment

by:Jsmply
ID: 36712112
Thanks.  We may have to relay through the ISP for now until we can get the domain set up.  At least as a temporary solution.  That's already what is set up now, but the From address needs to be changed.  

New question then - Does the from address actually have to exist at the ISP?  For example, we already have all the apps configured to send to the appropriate ISPs, that's relatively easy as it's one of three possibilities.  However, the sites don't have ISP e-mails set up or in use.  Does that matter?  For instance, if the ISP is comcast and we use smtp.comcast.com to send the e-mails out and the from Envelope is sitename@comcast.com does that matter if that address actually is set up?  It would become a serious pain to try to manage that.  Thx
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36712169
Nope it sure doesn't, the important part here is the domain -- comcast.com -- That is what SPF and DKIM work from.
0
 

Author Closing Comment

by:Jsmply
ID: 36712366
Thanks.  Assumed as much going in but your answer was still correct.  The last answer was helpful, it's easy to make up a FROM address that matches the domain of the ISP providing the SMTP server, it would be difficult though to guarantee the address actually exists with that ISP at each site as we rely on the actual account holders, etc.
0
