BLOG

Gmail shows authentication data to the recipient

Yesterday Gmail rolled out some changes to their interface. One of the changes is that they are now showing end users authentication results in the user screen.

It’s really the next step in email authentication, showing the results to the end user.

So how does Google do this? Google is checking both SPF and DKIM. If mail is authenticated and the authentication matches the from address then they display the email as:

mail from steve to me

If we click on “details” for that message, we find more specific information.

full details of message showing signing domain and spf domainIn this case the mail went through our outgoing mailserver to gmail.

Mailed-by indicates that the message passed SPF and that the IP address is a valid source of mail from wordtothewise.com.

Signed-by shows the domain in the DKIM d=. In this case, we signed with the subdomain dt.wordtothewise.com. That’s what happens when you sign using the domain in the From address (or a subdomain of it).

For a lot of bulk senders, though, their mail is signed using their ESP’s domain instead.  In that case Gmail shows who signed the mail as well as the from address.

And when we click on “details” for that message we see:

3rd party signature detailsThis is an email from a sender using Madmimi as an ESP. Madmimi is handling both the SPF authentication and the DKIM authentication.

As an aside, this particular  sender has a high enough reputation that Gmail is offering me an unsubscribe option in their interface.

Gmail is distinguishing between first party and third party signatures in authentication. If the mail is authenticated, but the authentication appears to be handled by a separate entity, then Gmail is alerting recipients to that fact.

What does this mean for bulk senders?

For senders that are signing with a domain that matches their From: domain, there is no change. Recipients will not see any mention of your ESP in the headers.

However, if you are using an ESP that is signing your mail with a domain they own, then your recipients will see that information displayed in the email interface. If you don’t want this to be displayed by Gmail, then you will need to move to first party signing. Talk to your ESP about this. If they’re unsure of how to manage it, you can point them to DKIM Core for an Email Service Provider.

Gmail blogpost about the changes

Gmail help page about authentication results

7 comments

  1. Reinhard says

    more infos at gmail help: http://mail.google.com/support/bin/answer.py?hl=en&ctx=mail&answer=1311182

  2. Joey says

    But if I use a third party ESP and that I change my DNS, I don’t get this “via”thing right ?

    1. laura says

      If you have the ESP sign with your domain in the d= then you don’t get the “via” in the headers, as best I can tell.

  3. Joey says

    OK thanks I’m just starting to deal with these technical issues :)
    I’m going to contact my ESP I hope they will help me configure all this… But it seems OK actually according to what they say
    http://blog.mailjet.com/post/7119948919/gmail-anti-phishing-issues
    thanks again your blog is life saving

  4. Ev says

    Joey, take a look at Mailgun (http://mailgun.net) – we support fully custom DKIM/SPF and your traffic will appear native to your domain. Besides, we support a lot more than just that! :-)

  5. Get Your Email Opened: First Impressions Make an Impact | E-mail Marketing Specialisten says

    […] Gmail tells all If you know that Gmail subscribers make up a significant portion of your audience and you are using a third-party ESP or mailing platform, Gmail may detect that the email was sent via a mail service and display this information to the user: You can manage this by ensuring your emails are authenticated with an SPF record or DKIM signature. More information can be found from Gmail or Laura Atkin’s deliverability blog. […]

  6. Jay says

    Another option is email quality assurance testers. Some can test for DKIM signatures that will or won’t work properly. I’ve worked with a few but my favorite so far is EmailSuccess. It has the largest, most encompassing set of tests for issues in HTML, images and links, content words and phrases most often flagged by the new provider spam/sorting filters – and yes, even issues with domain signatures in the From lines.
    Also, EmailSuccess is free while many of the others are paid services and don’t offer tests as numerous and comprehensive in an all in one package. I set my URL as the EmailSuccess website so you can click on my name to access it if you want to try it.

Comment:

Your email address will not be published. Required fields are marked *

  • HE.net DNS problems

    Hurricane Electric had a significant outage of their authoritative DNS servers this morning, causing them to return valid responses with no results for all(?) queries. This will have caused delivery problems for any mail going to domains using HE.net DNS - which will include some of their colocation customers, as well as users of their free services - but also will have caused reverse DNS to fail for most servers hosted by Hurricane Electric worldwide, so if any of your mail is being sent from HE hosted machines you may have seen problems. (We're HE customers so we noticed. Still happy with them as a vendor.)No Comments


  • 65.0.0.0/8 DNS issues

    If you're sending email from any address beginning with a 65 - in 65.0.0.0/8 - it's possible you'll see some delivery problems. Something appears to be broken with dnssec signatures for the reverse DNS zone, leading queries for reverse DNS to fail for anyone using a dnssec aware DNS resolver (which is almost everyone).1 Comment


  • Our green bar certificate is going away

    Later today we'll be switching from an Extended Validation ("green bar") SSL certificate to a Domain Validation certificate. This isn't exactly a planned change but I'm waiting for responses from Comodo before I go into it too much. I'll share some more details next week.3 Comments


Archives