Getting rid of the via at Gmail

There was a question submitted today about the verification process at Gmail:

“Even though SPF authentication is passed, a via is added to mail sent from a webserver. The return-path is not the same as the visible from field, but there’s no way for me to change it. Does that mean I won’t be able to get rid of the via?”

This ties in to some research Steve and I did a few months ago on how and when Gmail displays the “via” in its interface. We generated 90+ different emails with various From: addresses and Return-Path: addresses, passing and failing both SPF and DKIM.
After crunching all the numbers down, I created a table with all the conditions.
[Figure: All of the conditions we measured]
As you can see, only a few conditions generated the “via” display in the Gmail interface. In cases where there was any domain match between the visible From: and the Return-Path, either the exact domain or a subdomain, there was no “via” displayed, even if authentication failed.
But when we look at the cases where the domain in the Return-Path is unrelated to the visibly displayed From:, we start to see Gmail display the “via.”

[Figure: Matrix looking at when and what via is displayed]
Only when there is a domain mismatch and failing authentication is a via displayed.
So the answer to your question is that as long as the webserver is in a different domain than the visible From: address, Gmail will display a via. You may be able to have no via if you provide no authentication, but Gmail does what it calls “best guess” SPF, so even that may not work for you.
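The domain comparison described above can be run against a message before it is sent. This is an added example, not code from the original post: the function names and sample messages are constructed, and treating a subdomain in either direction as a match is an assumption. It reports only how the Return-Path domain relates to the From: domain and does not reproduce Gmail's display logic.

```python
from email import message_from_string
from email.utils import parseaddr

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if missing or empty."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")

def relationship(from_domain, rp_domain):
    """Classify how the Return-Path domain relates to the visible From: domain."""
    if not from_domain or not rp_domain:
        return "missing"
    if from_domain == rp_domain:
        return "exact"
    # Assumption: a subdomain in either direction counts as a match.
    # Comparing on ".<domain>" keeps notbrand.example from matching brand.example.
    if from_domain.endswith("." + rp_domain) or rp_domain.endswith("." + from_domain):
        return "subdomain"
    return "unrelated"

def check_message(raw):
    """Return both domains and whether they fall in the 'unrelated' case,
    the only case in which the post observed a via."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    rel = relationship(from_dom, rp_dom)
    return {"from": from_dom, "return_path": rp_dom,
            "relationship": rel, "via_possible": rel == "unrelated"}

# Constructed sample messages (not real mail).
SAMPLES = {
    "webserver": "Return-Path: <www-data@host.hosting.example>\n"
                 "From: Shop <news@brand.example>\nSubject: t\n\nbody\n",
    "subdomain": "Return-Path: <bounce@mail.brand.example>\n"
                 "From: Shop <news@brand.example>\nSubject: t\n\nbody\n",
    "exact": "Return-Path: <news@brand.example>\n"
             "From: Shop <news@brand.example>\nSubject: t\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_message(raw))
```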
 

Related Posts

Spammers and Google+

I have a Google+ account, but don’t check it very often. There seems to be a significant amount of noise on the feeds and trying to keep up with all the people who added me to circles was driving all the real mail out of my Gmail inbox.
This morning I realized the noise just got louder. It seems spammers are buying very, very old lists scraped from usenet and inviting everyone on those lists to join them on Google+. Yup, an address of mine that has not been used in 7 or 8 years and is not very publicly associated with me got a Google+ invite from someone I’ve never heard of before.
I know there have been a lot of complaints about spammers abusing Google+. I thought it was possible, but I didn’t realize they were actually purchasing email lists to load into Google and spam people.


Gmail abuse and postmaster addresses

A long time ago, Steve wrote a post about setting up abuse and postmaster addresses for Google hosted domains. Google has gone through a couple iterations of the interface since then, as you can see by the comment stream.
I checked with some people who have Google hosted domains and they have confirmed that abuse@ and postmaster@ addresses can be set up by creating a group. When you create the group you can then add yourself to the group and get the mail that comes into abuse@ and postmaster@.
 


Gmail reports spear phishing attack

No one, it seems, is immune from account compromise attempts. Today Google reported they had identified a systemic campaign to compromise Gmail accounts belonging to “senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists.”
Google offers a number of solutions for users, including the ability to add 2-factor authentication to your Gmail account. I strongly recommend anyone who uses Gmail to do this.
This isn’t a security blog, but email is one of the major vectors used to infect machines. We’ve seen numerous break-ins targeting email senders and ESPs, resulting in customer and recipient data being stolen and then used for spam. Everyone who uses email needs to be aware of the risks and maintain their email account integrity. Be careful clicking links in emails. Be careful opening webpages. Keep your antivirus software up to date.
Everyone is a target.
 
