Google to add sender authentication to Gmail

In a bid to protect its users from phishing and malware, Google has adopted the DMARC protocol and will warn users if it can't authenticate the source of emails.

Gmail to get sender authentication

Google is to roll out a new security feature to combat phishing and malware by warning users if the sender of a message can't be authenticated.

The move should benefit users of the service on the web and on Android devices. If a sender can't be authenticated, Gmail will display a red question mark instead of a profile picture. Sender authentication is done via either Sender Policy Framework (SPF) records or DomainKeys Identified Mail (DKIM).
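The following is an added example, not code from Google or from this article. It sketches how a receiving system could reach the "authenticated or not" decision described above, assuming the receiving mail server records its SPF and DKIM verdicts in the standard `Authentication-Results` header (RFC 8601). The server name `mx.receiver.example` and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Assumption: the authserv-id our own border mail server writes (hypothetical name).
TRUSTED_AUTHSERV_ID = "mx.receiver.example"

def auth_results(raw_message):
    """Return {method: set(results)} from Authentication-Results headers we trust."""
    results = {}
    msg = message_from_string(raw_message)
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\([^)]*\)", "", value)      # drop parenthesised comments
        parts = [p.strip() for p in value.split(";")]
        # Headers carrying another authserv-id were not written by our server
        # and may have been supplied by the sender, so they are ignored.
        if parts[0].lower().split()[:1] != [TRUSTED_AUTHSERV_ID]:
            continue
        for part in parts[1:]:
            m = re.match(r"([a-z0-9-]+)\s*=\s*([a-z]+)", part, re.I)
            if m:
                results.setdefault(m.group(1).lower(), set()).add(m.group(2).lower())
    return results

def sender_authenticated(raw_message):
    """True if SPF or DKIM passed, the condition the article describes."""
    r = auth_results(raw_message)
    return "pass" in r.get("spf", ()) or "pass" in r.get("dkim", ())

# Constructed sample messages (not real mail).
MSG_OK = (
    "Authentication-Results: mx.receiver.example;\n"
    " spf=pass smtp.mailfrom=news@shop.example;\n"
    " dkim=pass (2048-bit key) header.d=shop.example\n"
    "From: Shop <news@shop.example>\n"
    "Subject: Your receipt\n\nbody\n"
)
MSG_UNAUTH = (
    "Authentication-Results: mx.receiver.example;\n"
    " spf=none smtp.mailfrom=billing@unknown.example;\n"
    " dkim=none\n"
    "Authentication-Results: mx.other.example; spf=pass; dkim=pass\n"
    "From: Billing <billing@unknown.example>\n"
    "Subject: Invoice\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("MSG_OK", MSG_OK), ("MSG_UNAUTH", MSG_UNAUTH)):
        print(name, "authenticated" if sender_authenticated(raw) else "show warning")
```

The second message carries a passing result under a different authserv-id; because only the receiver's own header is trusted, it is still treated as unauthenticated.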

The avatar warnings come after Google decided to adopt the DMARC protocol (Domain-based Message Authentication, Reporting and Conformance) in a bid to stop phishing attacks.

Return Path published a report in February that appeared to show that the growing adoption of DMARC had put a massive dent in phishing attacks.

Gmail will also warn users if they receive a message with a link to a dangerous site known for phishing, malware and unwanted software. These warnings will display when a user clicks on a link.

“These warnings are an extension of the Safe Browsing protection available to various web browsers today,” said Google in a blog post.

Google said the new feature would affect all users of Gmail and will be in place fully within the next two weeks.

It announced earlier in the year that it would enhance Gmail security in a bid to protect users from malware, phishing attacks and other threats. Last November, it also said that it would alert users when messages were not encrypted.

Charles Read, regional director, UK, Ireland and Benelux at OneLogin, told SCMagazineUK.com that Google's announcement of its plan to alert email recipients to potentially dangerous links from untrusted senders is almost certainly a positive step in reducing malware and phishing attacks.

“Whilst organisations continue to invest in technologies to help block and filter this kind of content within the work environment, consumers and the general public rarely enjoy the same level of protection. With the increase in programs like BYOD and staff being able to combine work and private email on the same client device, organisations can still be at risk from attacks,” he said.

Read added that as this kind of problem continues to grow, “one of the major factors contributing to the success of phishing emails is a lack of user knowledge and ability to recognise suspicious content within emails, yet despite best efforts, even tech savvy consumers still fall foul of these scams. Google's move to highlight potential risks to their customers can only serve to help combat the problem.”

Troy Gill, manager of security research at AppRiver, told SC that while this move will overall be good for security, it will also cause some confusion, since sender verification is not always a reliable indication of a message's authenticity.

“Also, a message that appears to be authentic could very well be coming from a compromised account and may present an added danger if the user believes that the message has been verified to be valid.”