Google is starting to roll out new security messages in the next week or so to help users detect spam emails and malicious web sites.
For GMail read on the web or on Android devices, any message whose sender cannot be authenticated with Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) will be flagged as potentially spam or malicious by replacing the person icon in the From field with a large red question mark inside a stop-sign icon (see below). Google says that the presence of the red question mark does not mean that the message is malicious, but you should treat the mail with suspicion. It is not clear why Google is not rolling this out for iPhone users.
On the web, if you receive an email and click on a link that points to a site that Google thinks contains malicious content or is known for phishing or unwanted software, you will receive a full-screen warning message telling you that if you proceed to this web site, you do so at your own risk. Here is the message that you will see if you click on one of these links:
While Google will not STOP you from visiting that web page, they are certainly going to make sure that you cannot say that they did not warn you.
This is part of Google’s plan to up the ante when it comes to email security. Later this year they are going to first warn about, and later block, email from domains that are not DMARC compliant. If you want to find out whether your email domain is DMARC compliant, you can use DMARCIAN’s web site at https://dmarcian.com/dmarc-inspector/.
All of these changes are good. The problem with email is that the protocol is old (over 30 years old) and it does not have any way to authenticate senders of email. SPF, DKIM and DMARC are all efforts to try and layer security on top of an old, insecure protocol.
While these efforts are certainly useful, they are optional. The good news is that the big guys – Google, Microsoft and Yahoo – are all committed to implementing these controls – all in different ways and on different schedules.
It is likely that business senders will be “encouraged” into complying with these standards because they do not want their emails and web pages flagged as malicious by the big three. Google, and likely the other two, will up the campaign to warn users and explain what these warning messages mean.
Once this rollout is complete, at least some users will stop opening emails that are flagged as malicious by Google, Microsoft and Yahoo.
Google says that this is a gradual rollout starting in the next two weeks and that it will take a while to complete. It will affect all GMail users.
While this first step is relatively mild, Google has said that they will be ramping up the warnings later this year.
Now is the time to work with your mail administrator or ISP to make your outbound email DMARC compliant, since these changes likely will take some time to implement.
Information for this post came from Google Apps Updates.