Stop Looking Like A Phisher In Gmail

If you're sending Gmail messages from anywhere other than Gmail itself, they may look like phishing attempts. Up until today, whenever I sent messages using my Google Apps account with the From: address set to my vanilla Gmail address, my Gmail-using recipients got an alarming, bright red message at the top which said "This message may not have been sent by [who it appears to be from]. Learn more Report phishing." Make sure this doesn't happen to you.

Senders: If messages from your Gmail address look like phishing

If you're sending email with the From: field set to your Gmail email address (that is, [email protected] or [email protected]) from any client other than Gmail itself, use Gmail's SMTP servers to send the mail.

The process for setting your email software to use Gmail's SMTP server will vary depending on what email client you're using. If you're like me and using another Gmail or Google Apps account to send mail from a custom Gmail From: address, here's how to set the SMTP server.

In your primary Google Apps/Gmail account where you actually send messages from, in Settings > Accounts > Send mail as, click on "edit info" next to your custom Gmail From: address.

Double-check your name and email address listed there, and click on the "Next Step" button. On the "Send mail through your SMTP server?" step, don't use the default SMTP server. Instead, check the "Send through gmail.com SMTP servers" option, and enter your Gmail username and password for the account you want to send From.

If you're using Google's two-step verification for your Gmail account (and you should be), you'll need to generate an application-specific password for the SMTP server use. Click on "Save Changes" and you're done. Your messages will no longer look like they are phishing attempts.

Senders: If messages from your Google Apps address look like phishing

If messages from your Google Apps domain name are getting the red phishing warning, you've got to tweak a DNS setting to fix it. In short, you've got to add a Sender Policy Framework (SPF) record to your domain which verifies that Google Apps' mail servers are authorised to send your messages on your domain's behalf. The exact process for doing this depends on where you registered and administer your domain, but Google Apps Support runs down the general steps to create an SPF record for a domain:

1. Log in to the administrative console for your domain.

2. Locate the page from which you can update the DNS records. You may need to enable advanced settings.

3. Create a TXT record containing this text: v=spf1 include:_spf.google.com ~all

4. Save your changes. Keep in mind that changes to DNS records may take up to 48 hours to propagate throughout the internet.

If it's not clear where or how to add an SPF record for your domain, get in touch with your domain registrar support to find out how.
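
An added example (not from the original article or from Google's documentation): a small Python check to run over the TXT records published for your domain, confirming the record from step 3 is there and catching the mistakes that make an SPF record invalid. The names lint_spf and term_name and the sample record are made up for illustration.

```python
GOOGLE_INCLUDE = "include:_spf.google.com"
# Terms that each cost the receiver a DNS lookup; SPF allows at most 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def term_name(term):
    """Strip the qualifier and any :domain, =domain or /cidr suffix."""
    bare = term.lstrip("+-~?").lower()
    for sep in (":", "=", "/"):
        bare = bare.split(sep, 1)[0]
    return bare


def lint_spf(txt_records):
    """Return a list of problems in a domain's TXT strings (empty list = OK)."""
    spf = [r.strip() for r in txt_records
           if r.strip().lower().split(" ", 1)[0] == "v=spf1"]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        # Receivers treat more than one v=spf1 record as a permanent error.
        return ["multiple v=spf1 records; merge them into one TXT record"]
    terms = spf[0].split()[1:]
    problems = []
    # A "-" or "~" in front of the include would not authorise Google's servers.
    if GOOGLE_INCLUDE not in [t.lstrip("+").lower() for t in terms]:
        problems.append("missing " + GOOGLE_INCLUDE)
    # Counts this record only; lookups inside included records count as well.
    lookups = sum(term_name(t) in LOOKUP_TERMS for t in terms)
    if lookups > 10:
        problems.append("%d DNS-lookup terms; the limit is 10" % lookups)
    all_terms = [t for t in terms if term_name(t) == "all"]
    if not all_terms and not any(term_name(t) == "redirect" for t in terms):
        problems.append("no 'all' term; add ~all or -all as the last term")
    elif all_terms and all_terms[0].lower() in ("all", "+all"):
        problems.append("+all authorises every server to send as this domain")
    return problems


if __name__ == "__main__":
    # Constructed sample: what a DNS lookup of your domain's TXT records
    # might return after following the steps above.
    sample = ["google-site-verification=PLACEHOLDER",
              "v=spf1 include:_spf.google.com ~all"]
    print(lint_spf(sample) or "SPF record looks right for Google Apps")
```

Paste in the TXT strings your registrar's DNS page (or a DNS lookup tool) shows for your domain in place of the sample.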

Recipients: If your friends' messages look like phishing

Gmail's phishing alert on messages that look like they came from unauthorised SMTP servers helps recipients identify email scams, but it stinks for senders who use custom From: addresses legitimately, because they don't know it's happening. The only way I knew it was happening to my email is because Adam told me it was!

So, if you're getting this phishing alert on friends' or co-workers' messages that you know are legit, send them a link to this article or to Google's Support page on the subject. They'll appreciate it.

Why am I seeing the error "This message may not have been sent by...."? [Gmail Help]

Stop Looking Like a Phisher in Gmail [Smarterware]


Comments

    Actually in both GMail and Google Apps when you add a 'send from' address you can specify external SMTP servers to get around this problem. For Google Apps users the ability to use external SMTP features can be turned off/on by the domain admin so if you can't do it, check you have external SMTP servers enabled across the whole domain.

    Even if just sending from other account names within your Google Apps domain (say, [email protected], [email protected] etc) I'd recommend always using the alternative SMTP servers. In fact, I'd only ever use the default GMail server if you're not very techy and don't want to mess around (or you change your 'aliased' account's password often as it has to be rekeyed in the send as config upon changing).

    SPF records shouldn't cause you much of a problem as not every email account even has SPF. If you have no SPF record you shouldn't be getting flagged as phishing/spam. It's more a case of if you have an incorrect one you might.

    Gmail also has DKIM baked in (selector=gamma), but Apps users should activate too. This is just another DNS entry to add but includes a key you can generate in your Apps Control Panel. Well worth doing as this guarantees message integrity unlike SPF which just says 'a valid server sent this'.
