Getting rid of the via at Gmail

There was a question submitted today about the verification process at Gmail.

even though SPF authentication is passed, a via is added to mail sent from a webserver. The return-path is not the same as the visible from field, but there’s no way for me to change it. Does that mean I won’t be able to get rid of the via?

This actually ties in to some research Steve and I did a few months ago about how and when Gmail is displaying the “via” in their interface. We generated 90+ different emails with various From: addresses, Return-Path: addresses and passing and failing with both SPF and DKIM.
After crunching all the numbers down, I created a table with all the conditions.
All of the conditions we measured
As you can see, there were only a very few conditions that generated the “via” display in the Gmail interface. In cases where there was any domain match between the visible from: and the return path, either the exact domain or a subdomain, there was no “via” displayed, even if authentication failed.
But, when we look at the cases where the domain in the Return-Path is unrelated to the visibly displayed From, then we start to see the cases where Gmail displays the “via.”

Matrix looking at when and what via is displayed
Only when there is a domain mis-match and failing authentication is a via displayed.
So the answer to your question is as long as the webserver is a different domain than the visible From: address Gmail will display a via. You may be able to have no via if you provide no authentication, but Gmail does what it calls “best guess” SPF so even that may not work for you.
 

Inbox rates and conversion rates
Forcing those opens

Related Posts

Gmail abuse and postmaster addresses

A long time ago, Steve wrote a post about setting up abuse and postmaster addresses for Google hosted domains. Google has gone through a couple iterations of the interface since then, as you can see by the comment stream.
I checked with some people who have Google hosted domains and they have confirmed that abuse@ and postmaster@ addresses can be set up by creating a group. When you create the group you can then add yourself to the group and get the mail that comes into abuse@ and postmaster@.
 

Read More

Gmail reports spear phishing attack

No one, it seems, is immune from account compromise attempts. Today Google reported they had identified a systemic campaign to compromise Gmail accounts belonging to “senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists.”
Google offers a number of solutions for users, including the ability to add 2 factor authentication to your Gmail account. I strongly recommend anyone who uses Gmail to do this.
This isn’t a security blog, but email is one of the major vectors used to infect machines. We’ve seen numerous break ins targeting email senders and ESPs, resulting in customer and recipient data being stolen and then used for spam. Everyone who uses email needs to be aware of the risks and maintain their email account integrity. Be careful clicking links in emails. Be careful opening webpages. Keep your antivirus software up to date.
Everyone is a target.
 

Read More

DMARC: an authentication framework

A new email industry group was announced this morning. DMARC is a group of industry participants, including large senders, large receivers and relevant intermediaries working on a framework to reduce the harm from phishing.
DMARC is working on a standard to allow senders to publish sending policies and receivers to act on those policies. Currently, senders who want receivers to not deliver unauthenticated email have to negotiate private agreements with the ISPs to make that happen. This is a way to expand the existing programs. Without a published standard, the overhead in managing individual agreements would quickly become prohibitive.
It is an anti-phishing technique built on top of current authentication processes. This is the “next step” in the process and one that most people involved in the authentication process were anticipating and planning for. I’m glad to see so many big players participating.
 

Read More