> On Jun 14, 2017, at 12:52 PM, Stefano Bagnara <mai...@bago.org> wrote:
>
> On 14 June 2017 at 20:51, Laura Atkins <la...@wordtothewise.com> wrote:
> Gmail doesn’t say it’s spam. Gmail says: This message may not have been sent
> by: <email address>
>
> Isn't this what DMARC/SPF/DKIM are intended for and at a much larger scale?
>
> BTW please note that the message is "sent from your account." not "by <email
> address>", so a very specific case.

Interesting. When I did it (to myself, from myself from this SMTP server) the message was exactly what I copied and pasted above.

> I would have been less surprised if they showed this message for EVERY dmarc
> failing message (not for that specific use case).

It’s not a DMARC failure, though. It has nothing to do with DMARC. They just recorded the DMARC failure in the headers because they record DMARC status of EVERY message going into Gmail.

> Do you really see a lot of spam (not already filtered by a spamhaus check)
> using the same from and to? Is there a recent spike? (this would explain the
> google move). I can hardly find any occurrence in a million spam messages.

I do see a lot, yes. But we run a (mostly) unfiltered SMTP server (for reasons). I suspect Gmail sees it as well as they’re not ones to use IP level blocking on incoming mail.

> I thought it could have been related to their "recent" ARC implementations,
> but it doesn't seem to be related.

It’s not. Nothing to do with authentication. Nothing to do with SPF, DKIM, DMARC or ARC. It’s all about the 5322.from and the To: address being identical.

> In my test it did place the mail in the spam folder, but I’m not willing to
> say that every message so marked will end up in spam. Gmail’s filters are way
> more complex than that.
>
> I can confirm in my test this kind of email ends in the priority tab, but
> with a warning, even in a "virgin" gmail inbox, sending the email from a
> "good reputation IP/domain" (according to GPT).

Maybe that’s the difference in our messages - yours is going to priority and mine is going to bulk.

> Just to be sure I'm not being misunderstood I'm not saying this from=to
> doesn't have correlation with phishing. It simply feels to me a very shy
> target in 2017 where SPF/DKIM/DMARC are available (unless I'm missing a big
> thing, and I've opened this discussion because I never exclude it).

I’m not sure why you think it has something to do with authentication. I don’t believe it does. It’s solely about the To: and From: being the same and the message coming from a non-Google source.

> This doesn't harm me, I trust google and I try to understand what's behind
> their moves because I think there's always something to learn from others :-)

Far be it from me to make up motives, but I think this is simply low hanging fruit with a low chance of screwing up mail. They have the data to implement it - so … why not?

laura

--
Having an Email Crisis? 800 823-9674

Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741

Email Delivery Blog: http://wordtothewise.com/blog
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
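
The check described in the reply above (5322.From address identical to a To: address, on mail that arrived from outside), sketched as an added example for a receiving-side filter; it is not part of the original thread and is not Gmail's implementation. `internal_origin` is a hypothetical flag the caller sets for mail submitted through its own infrastructure, and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import getaddresses


def _addrs(msg, header):
    # Keep only the addr-spec and drop display names. Case is folded so that
    # "ALICE@Example.COM" matches "alice@example.com" (assumption: the local
    # part is treated case-insensitively, as most mailbox providers do).
    pairs = getaddresses(msg.get_all(header, []))
    return {addr.lower() for _name, addr in pairs if "@" in addr}


def self_addressed_from_outside(raw, internal_origin):
    """True when the 5322.From address also appears in To: and the message
    did not originate on our own systems. Authentication results are
    deliberately not consulted: the signal is independent of SPF/DKIM/DMARC."""
    msg = message_from_string(raw)
    same = bool(_addrs(msg, "From") & _addrs(msg, "To"))
    return same and not internal_origin


# Constructed sample messages (not real traffic).
SELF_DMARC_FAIL = (
    "Authentication-Results: mx.example.net; dmarc=fail header.from=example.com\n"
    'From: "Alice" <alice@example.com>\n'
    "To: ALICE@Example.COM\n"
    "Subject: invoice\n\nbody\n"
)
SELF_DMARC_PASS = SELF_DMARC_FAIL.replace("dmarc=fail", "dmarc=pass")
OTHER_SENDER = (
    "From: Bob <bob@example.org>\n"
    "To: alice@example.com, carol@example.com\n"
    "Subject: hello\n\nbody\n"
)

if __name__ == "__main__":
    cases = [
        ("self, dmarc=fail, external", SELF_DMARC_FAIL, False),
        ("self, dmarc=pass, external", SELF_DMARC_PASS, False),
        ("self, submitted internally", SELF_DMARC_FAIL, True),
        ("different sender, external", OTHER_SENDER, False),
    ]
    for label, raw, internal in cases:
        print(f"{label}: warn={self_addressed_from_outside(raw, internal)}")
```
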