
Gmail Will Warn If Message Is Not Authenticated/Encrypted - AdmiralAsshat
http://gmailblog.blogspot.com/2016/02/making-email-safer-for-you-posted-by.html
======
jcoffland
This sounds great but Google has been making it harder and harder to run your
own mail server even for personal use. I think they would be happy if email
servers were only run by a few large companies. They make it sound like they
are doing the right thing but really they are bullying the industry to do it
their way. So many people have Gmail accounts that you can't run an email
server that cannot send email to Google.

I've run my own email server for about 15 years. Every now and then I have to
drop everything and implement some new technology that Gmail demands I have.
Granted SPF, DMARC and TLS are all great technologies but I take issue with
Google making the decision that everyone is going to switch, now and without
sufficient warning.

~~~
emergentcypher
Now I can just get a free cert and turn on TLS. What's the problem, exactly?

Most people are not capable of running their own mail server. The convenience
of services like Google, plus the risk of turning your mail box into a spam
machine, vastly outweighs the downsides for most people.

~~~
elihu
> What's the problem, exactly?

> Most people are not capable of running their own mail server.

I think that is a big part of the problem. It should be relatively
straightforward for someone who isn't a full-time email server administrator
to set up a mail server correctly, but it's not. At least, it wasn't easy last
time I tried it with Postfix and (iirc) Courier on Ubuntu. All the
cryptography options are disabled by default and you have to spend a lot of
time figuring out which ones should be turned on, where to stick the
certificate files and how they should be formatted, how to get Courier and
Postfix to talk to each other, etc...

Maybe there's an easy solution (besides "pay someone a monthly fee to manage
this all for me") that I'm oblivious to, but it seemed like I was on a well-
travelled path and it was a lot harder than it should have been.

~~~
techsupporter
If it helps, I recently rebuilt my mail server and changed from
FreeBSD+qmail+Courier to Ubuntu+Postfix+Dovecot. In doing so, I used this
series from Ars Technica:

[http://arstechnica.com/information-technology/2014/02/how-to...](http://arstechnica.com/information-technology/2014/02/how-to-run-your-own-e-mail-server-with-your-own-domain-part-1/)

It shows how to set up SPF, DKIM, TLS, anti-spam filtering, Sieve,
certificate-based authentication (I still haven't figured out how to do this
with an iPhone), and so on. The only bolt-on it references but doesn't explore
and I actually used is the Z-Push package to implement ActiveSync.

~~~
qewrffewqwfqew
are you able to mail folks at google/live without going to spam? Genuinely
curious.

~~~
techsupporter
Yes. I periodically test with various recipients and mail goes through without
a hitch. The only difference I might have versus people starting out fresh is
that the domains I host are relatively aged. The newest is two years old and
the oldest is nineteen. I also made sure that DNS is set up properly, both
forward and reverse, and especially for IPv6.

~~~
qewrffewqwfqew
maybe my sin is hosting at linode - for a new recipient at either of the
behemoths, I seem to have 50% chance of going to spam. Thanks for your
comment.

~~~
jbclements
I host with linode, and have had generally good results sending mail to gmail.
They're definitely not the worst. Granted, I have had SPF enabled for about 10
years.

------
sinatra
I think as HNers, we're focusing too heavily on niche cases (like running your
own email server). But, for general public who is still sharing their own (and
more importantly, their clients') SSNs, passwords, and other very sensitive
information on email, this may be the trigger that educates / trains them to
be more careful. I am definitely looking at this as a positive.

~~~
jacquesm
With SSNs the problem is not in the fact that they are in an email, but the
fact that they are sensitive information at all.

~~~
unprepare
SSNs have become a complete joke.

Like why would I need to give my SSN to register for an account to take the
GRE exam? And why would anyone ever make SSN an optional field? If it's not
required why would you ever ask for it?

[https://mygre.ets.org/greweb/createAcct/createAcctMain.jsp](https://mygre.ets.org/greweb/createAcct/createAcctMain.jsp)

~~~
bzbarsky
> And why would anyone ever make SSN an optional field?

One reason might be that some states have laws on the books that prohibit
requiring people to give you their SSN (unless you are actually required to
collect it by some other law, of course).

> If it's not required why would you ever ask for it?

All the answers to this are depressing. :(

------
Animats
Other mailers should warn about Gmail, with "Your message was scanned for
advertising purposes".

~~~
kbenson
What about "Your message was categorized for Bayesian spam filtering and may
have contributed to eventual upstream rules" for all those installations that
historically ran SpamAssassin?

If you're using Gmail or sending to a gmail address[1], you know what you are
in for, and if you don't you should at least know that anything you send to
someone else is no longer in your control and you have very little control
over who sees it.

1: Google Apps for business accounts are not scanned for ads.

~~~
necessity
What alternatives do you suggest, besides running your own mail server? I'm in
the invite list for Protonmail and have also used the infamous cock.li for
informal stuff, but I was looking for something a bit more established, that I
can count on long term stability. It's bad enough to switch email addresses
once, to be switching every time a service goes kaput is unacceptable.

~~~
kbenson
What do I suggest in lieu of Gmail or some other large provider that may scan
your email? If it _really_ matters to you, your _only_ choice is to run your
own mail server. If you don't control your endpoint, then I think no matter
what you profess, you don't _really_ care. Personally I just use a combination
of Gmail (because I don't care) and a POP/IMAP account at my local ISP (which
is not free).

If you want free email, expect to pay in some other way. There's no such thing
as a free lunch.

~~~
necessity
Obviously _every_ third-party service is trusted, that doesn't mean one
"doesn't care". By your logic even a private mail server isn't enough, you'd
have to use PGP. If you don't have any recommendations just say so.

~~~
kbenson
> Obviously every third-party service is trusted, that doesn't mean one
> "doesn't care".

No, I'm serious about this. I wasn't trying to be flippant. If you care enough
about the integrity of your email content and it not being used to further a
company's profit, the only way to be _sure_ of that, to the extent that you
can (which may not be much), is to run your own mail server. If that seems
like it's way too much trouble, I think you should take a close look at your
motives for wanting a gmail alternative. Is it about the integrity of your
email, or sticking it to Google? If it's avoiding Google because they
specifically cause you concern, that's fine, and there are likely plenty of
choices, but I'm not sure what they are (as I said, I just use Gmail because I
don't care).

> By your logic even a private mail server isn't enough, you'd have to use
> PGP.

Well, by my logic you have to do enough to make yourself comfortable.
Depending on your reasons for avoiding some other companies that will be
different things.

> If you don't have any recommendations just say so.

I don't have any recommendations for Gmail if you consider a good UI,
responsive web based, and free as major components of that. If you are
willing to give up one or more of those, there are options. The local ISP I
mentioned is Sonic.net. By all accounts (including mine, I've worked there
multiple times in the past), a great company, and with great EFF ratings. An
email account there is not free though.

------
vsviridov
Cool, just spent 20 minutes getting a proper cert from let's encrypt, and
setting postfix to opportunistically encrypt outgoing mail.

Used this service to make sure my setup is correct:
[http://www.checktls.com/index.html](http://www.checktls.com/index.html)

Also, thunderbird apparently does not like Alternate Subject Name for smtp,
but with Let's encrypt I can just issue a mail server-specific key.

------
dcw303
There's a lot of things that I question about Google, but forcing their Gmail
customers to adopt more secure practices is worthy of praise. They are the
biggest free email provider in the world, and they are owning up to a
responsibility to ensure their users can work safely.

Those running their own email servers have a similar responsibility to their
own users, even if it's only themselves. You had time to set up the server in
the first place, so you have time to make it work with TLS. Now that Let's
Encrypt is here there's no excuse to be running an insecure email (or web)
server.

------
jlgaddis
I have mixed feelings about this.

> _Not all affected email will necessarily be dangerous._

To me, it sounds like they're saying that _most_ of the "affected email"
_WILL_ be dangerous -- just not _ALL_ of it -- and that's highly misleading,
of course.

Overall, though, I think this will be a good thing if it pushes more
organizations ("mail senders") to implement opportunistic encryption for
incoming mail and SPF/DKIM signing for outgoing mail.

That seems to be what they're referring to; that is, sending to an MX host
that doesn't support opportunistic encryption and/or receiving mail that
doesn't have a valid DKIM signature. Did anyone else understand this
differently?

~~~
semi-extrinsic
This will be popcorn time for those using Gmail for business.

I have a plugin in Thunderbird that shows the DKIM status of incoming email as
gray/red/green, meaning no DKIM/DKIM invalid/DKIM valid. Most of the email I
get from business accounts (usually on Exchange), including those from the
company I work at, have no DKIM. (Yes, I've complained to the ITsec dept. They
don't even have SPF set up...) Of the rest, surprisingly many have invalid
DKIM sigs.

------
finnn
> If you receive a message that can’t be authenticated, you’ll see a question
> mark in place of the sender’s profile photo, corporate logo, or avatar.

This makes it sound like I (the sender) can set the image displayed if I am
using DKIM. Is that the case? Or is it only if I have DKIM and have a Google
account with that email?

~~~
lstamour
Gmail uses an associated Google+ profile for authenticated emails, so you need
both for it to work going forward, I presume. To get started, check
[https://www.google.com/business/](https://www.google.com/business/)

Outlook uses Facebook and Twitter, if you have these contacts integrated.
Yahoo does this too: [http://techcrunch.com/2015/03/04/smart-contact-cards-arrive-...](http://techcrunch.com/2015/03/04/smart-contact-cards-arrive-in-yahoo-mail-featuring-automatically-updated-contact-info-and-links-to-social-profiles/)

There really should be some kind of standard or mail header though. :) Come to
think of it, services could support a vcard mime-type attachment, perhaps?
Except that likely wouldn't support URLs to profile photos... Maybe we've
identified a missing feature of DKIM? ;-)

~~~
kps
> There really should be some kind of standard or mail header though. :)

[https://en.wikipedia.org/wiki/X-Face](https://en.wikipedia.org/wiki/X-Face)

~~~
Navarr
X-Image-URL is neat - but how do we trust it? Ensure the header is DKIM
signed?

------
tomputer
Interesting. I'm wondering if they also warn Gmail users if a mailserver has
TLS enabled with a self-signed certificate. Because I think many mailservers
actually support TLS but do ignore certificate verification, because of the
self-signed certificates.

------
jcranmer
Unfortunately, this is the sort of a change that's a red herring for any
actual improvements to email security.

The use of unencrypted or encrypted link to the receiving email provider's MX
server doesn't change all that much in terms of who can read the email: it's
still sitting in plaintext on the recipient's server (as well as the sender's
server), and the group of actors who can sniff traffic on the backbone like
that is probably just as easily able to get it from the servers.

The authentication feature is even worse. The problem of spam and phishing
isn't that email claims to be from important-service@bigbank.com, it's that
email claims to be from "Big Bank" <whoisthis@some.really.shady.ru>. It's been
noted before that spammers tend to be the most aggressive at uptaking new
"anti-spam" technologies like SPF and DKIM, and this sort of validation
feature seems like a prime vehicle for exploitation by spammers.

~~~
skybrian
You're arguing that we shouldn't do anything, instead of taking a step in the
right direction. Email is an old ecosystem, so it's not possible to make big
improvements all at once.

~~~
jcranmer
I'm not arguing that we shouldn't do anything. I'm arguing that the
presentation of the data is at best meaningless and at worst downright
harmful.

DKIM authentication is in no way an attestation that it was sent by its
sender. Furthermore, from what I can tell, more damage is caused by spoofing
that works on the "I use a very similar name which is hard to see the
difference" level (e.g., animenewsnetwork.com versus animenewssnetwork.com).
Finding and testing solutions to that problem is something that doesn't
require changing or deploying anything new to the ecosystem, and it would
arguably bring more benefit than deploying end-to-end encryption.

~~~
jcrites
> I'm not arguing that we shouldn't do anything. I'm arguing that the
> presentation of the data is at best meaningless and at worst downright
> harmful.

What do you think should be done to make progress that's better than Google's
proposal? Personally I think encouraging all senders to adopt DKIM, transport
layer TLS, DMARC, SPF, etc. by displaying auth results from those protocols in
the UI is a good first step. It's similar to the push for HTTPS on the web.

> DKIM authentication is in no way an attestation that it was sent by its
> sender.

Google didn't mention DKIM in the blog post we're discussing. Are you
referring to a related effort? The blog post was about encryption in transit
with TLS.

> I'm arguing that the presentation of the data is at best meaningless and at
> worst downright harmful.

Google's DKIM solution is as close as one can reasonably get given modern
technology. If I send a DKIM-signed email from example.com that passes
validation, then it means the following is true: I sent an email through a
server managed by the domain owner, that had access to the DKIM key and chose
to sign my email. It's not authenticating a person, but it's authenticating
that the domain's mail servers sent the message. The attestation is at the
domain level, not the sender level. This attestation is still useful though:
if the domain owner did not want to allow you to send email from
jcranmer@example.com, then it would not accept that email from you or DKIM
sign it.

------
Bino
Good initiative. Question is; what does the TLS icon indicate; is it just
opportunistic TLS, or do they do any verification? What, if so? Some private
consortium where only members can get a "green lock"?

What's the next step? Do they have DANE [https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Na...](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) in mind, or some other initiative to get verified encryption such as "TES" [https://openbit.eu/projekte/trusted-internet-services/](https://openbit.eu/projekte/trusted-internet-services/)

~~~
talideon
DANE comes with its own complications: it means you need DNSSEC, and that's a
bit of a pain to set up at the best of times, especially with there being no
way currently to automate DS/DNSKEY record updates to maintain the trust
chain.

There have been some mutterings in the IETF ProvReg WG on ways of allowing
registrants some ability to automate the process, but it's still early days.

------
MicroBerto
In my opinion, you should just behave like your emails are public record.

This is the best way of approaching that technology.

~~~
Esau
That's what I do as email is more akin to a postcard than a letter. If that
makes someone uncomfortable, then they should choose another medium.

~~~
mgbmtl
This is what GMail is doing: making sure that sending an email is like sending
a letter (instead of a postcard). TLS email is not 100% secure (private,
authenticated, etc), but not 100% insecure either.

Verifying TLS for email is an easy step in making email a bit less insecure,
and it requires no intervention from users. If you need something secure, then
yes, go for GnuPG or other forms of end-to-end encryption (if only I could
name a few).

~~~
dhimes
When I saw the HN headline, I thought they were going to start enforcing the
PGP encryption. I think I had a small medical event...

------
ecthiender
There are really good, albeit few, alternatives:

Fastmail ([https://www.fastmail.com/](https://www.fastmail.com/))

Tutanota ([https://tutanota.com/](https://tutanota.com/))

Riseup ([https://help.riseup.net/](https://help.riseup.net/))

~~~
Diederich
+1 for fastmail. I've been using them for the past few years to host my
'other' main e-mail (the one I've had since 1994) and it's been a delight.

~~~
keehun
+1 for fastmail, here, too. Amazing service, really good communication during
rare downtime, contributes heavily to open-source/community, decent prices,
can heavily customize filters/etc, and as far as I'm aware, probably the most
mainstream email provider that won't give in to the NSA.

~~~
linkregister
I'm sure that Australian Federal Police and Victoria law enforcement would be
able to exercise search warrants on Fastmail's servers if they needed to.

Since you're in Tennessee (and thus a U.S. Person), you're actually ineligible
for collection under FAA 702. Gmail/Hotmail/Yahoo, etc. would actually be the
safest place for your information.

Of course that assumes that you believe the NSA follows U.S. law. If you don't
have that assumption, that also implies that the NSA wouldn't respect
Australian sovereignty enough to keep it from infiltrating Fastmail's servers.

I'm saying this to illustrate that there's no silver bullet for secure
transmission and storage of information.

~~~
NeutronBoy
> I'm sure that Australian Federal Police and Victoria law enforcement would
> be able to exercise search warrants on Fastmail's servers if they needed to.

Nobody is arguing against search warrants. People are concerned about
_warrantless_ searches.

~~~
linkregister
Nobody in this thread mentioned warrants. It appears that all the posters here
care about the disclosure of their information, full stop.

------
more_corn
meh. This doesn't seem very interesting. What would be really interesting is
gmail support for public key encryption. They're perfectly positioned to roll
out a user-friendly key management system.

~~~
andygambles
Yep surprised they haven't rolled one out yet. Ideally placed.

~~~
josteink
And by ideally placed, you mean for the NSA, right?

I'd never put any GPG keys of mine in an American cloud provider. That sort of
voids the entire point of it.

~~~
superuser2
Why do you believe non-American cloud providers aren't compromised?

~~~
fixermark
In the short run, they're simply a smaller and more diverse attack surface.
There's pretty valid "security through obscurity" reasoning to apply here
(though that is, of course, not a train of thought one should bet the whole
farm upon).

------
michaelmior
For anyone wishing to run their own mail server, check out Mail-in-a-Box[0].
It's relatively easy to set up, comes with a nice Web GUI and they recently
added support for automatic provisioning of TLS certificates with Let's
Encrypt.

[0] [https://mailinabox.email/](https://mailinabox.email/)

------
jbclements
I'll tell you what I want: I want Google to help identify non-DKIM-compliant
forwarders. As the operator of (yes, I know) a vanity e-mail domain with DKIM,
SPF, and DMARC records, I have no problem sending mail to gmail directly; in
fact, my outgoing mail uses postmark, so I'm not even directly responsible for
my sending reputation.

BUT! It drives me crazy that many of my recipients get e-mail at hosts
(schools, mostly) that forward the e-mail with differences (encoding changes,
subject changes, etc.) that invalidate the DKIM signature. Since they're
forwards, the SPF check is going to fail, too, so the end result is that
google shoves it into a spam folder.

I claim that google definitely has the data to be able to identify these bad
forwarders--heck, even mail sent _from gmail_ to these hosts will presumably
fail DKIM checks on the way back into google--and I'd love to see them contact
these domains, or even publish a list of known bad forwarders, so that I can
push them to make changes.
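
To make concrete both jcrites' point above that a DKIM pass attests only that the d= domain's server signed the message, and jbclements' complaint that forwarders which rewrite the subject or body break that signature, here is an added example (not from this thread, Gmail or any mail server) that computes the DKIM hash inputs under relaxed canonicalization. The domain, selector, addresses and messages are constructed.

```python
"""DKIM hash inputs under relaxed canonicalization (RFC 6376 section 3.4).
Added example for this thread, not Gmail's or any mail server's code. It
computes the body hash (bh=) and the header digest an RSA signature covers,
showing which forwarder edits break DKIM. b= itself needs a key: not done."""
import base64
import hashlib
import re

DOMAIN = "example.com"              # constructed signing domain (d=)
SIGNED = ["from", "to", "subject"]  # h= list, in signing order

def canon_body_relaxed(body: str) -> str:
    """3.4.4: collapse WSP runs, strip trailing WSP, drop trailing empty
    lines, and end a non-empty body with exactly one CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t")
             for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""

def canon_header_relaxed(name: str, value: str) -> str:
    """3.4.2: lowercase name, unfold, collapse WSP, trim around the colon."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)  # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")
    return f"{name.lower()}:{value}\r\n"

def body_hash(body: str) -> str:
    """bh= tag: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canon_body_relaxed(body).encode()).digest()
    return base64.b64encode(digest).decode()

def header_digest(headers, sig_value: str) -> str:
    """SHA-256 over the h= headers plus the DKIM-Signature field itself with
    b= emptied and no trailing CRLF (3.7). The d= domain's key signs this;
    the verifier recomputes it from the message as it arrived."""
    data = ""
    for name in SIGNED:
        # 5.4.2: the physically last instance of a header is the signed one
        for hn, hv in reversed(headers):
            if hn.lower() == name:
                data += canon_header_relaxed(hn, hv)
                break
    sig = re.sub(r"(^|;\s*)b=[^;]*", r"\1b=", sig_value)
    data += canon_header_relaxed("DKIM-Signature", sig).rstrip("\r\n")
    return hashlib.sha256(data.encode()).hexdigest()

def sign(headers, body):
    """What example.com's outbound server would produce: the DKIM-Signature
    value (with bh=) and the digest its private key would sign over."""
    sig = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={DOMAIN}; s=sel; "
           f"h={':'.join(SIGNED)}; bh={body_hash(body)}; b=")
    return sig, header_digest(headers, sig)

def verify(headers, body, sig, signed_digest):
    """Recompute both hashes on the received copy. Returns [] when the
    signature would still verify, else the names of the broken parts."""
    broken = []
    if body_hash(body) != re.search(r"(?:^|;\s*)bh=([^;]*)", sig).group(1):
        broken.append("body hash")
    if header_digest(headers, sig) != signed_digest:
        broken.append("header hash")
    return broken

# Constructed messages: the copy that left example.com and two forwarded copies.
HDRS = [("From", "alice@example.com"), ("To", "bob@school.example")]
ORIGINAL = (HDRS + [("Subject", "Grades")], "Hi Bob,\r\n\r\nSee attached.\r\n")
# Forwarder that only pads whitespace: relaxed canonicalization absorbs it.
FWD_WHITESPACE = (HDRS + [("Subject", "Grades  ")],
                  "Hi Bob,   \r\n\r\nSee  attached.\r\n\r\n\r\n")
# Forwarder that tags the subject and appends a footer: both hashes change.
FWD_REWRITE = (HDRS + [("Subject", "[alumni] Grades")],
               "Hi Bob,\r\n\r\nSee attached.\r\n--\r\nSent via alumni list\r\n")

def demo():
    """Sign the original once, then verify the two forwarded copies."""
    sig, digest = sign(*ORIGINAL)
    return {"whitespace": verify(*FWD_WHITESPACE, sig, digest),
            "rewrite": verify(*FWD_REWRITE, sig, digest)}

if __name__ == "__main__":
    print(demo())
```

The whitespace-only forwarder still passes, the tagging forwarder fails both hashes; since the SPF check also fails on a forward, DMARC has nothing left to align on, which is the spam-folder outcome described above.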

------
kevincox
I'm glad that companies are starting to display warnings about insecurity. It
used to be that the insecurity was only advertised if something that was
supposed to be secure was broken. However not having any security in the first
place is often worse. I would like to see this trend continue and start
warning everyone about systems that aren't secure.

------
ck2
I like this idea but worry novices won't understand what a red flag (lock)
really means and only assume the worst.

~~~
fixermark
I think that's the point---they should assume the worst.

It's part of a general trend of moving the needle from "Internet services are
insecure and if you really want to send something secure, you should be sure
your channel is encrypted" to "These channels should always be secure; if
they're not, here's a big red flag to warn you that they are not."

See also the process of bypassing the "This site is insecure" alarm
interstitials in Chrome and Firefox these days for sites with bad secure TLS
credentials. The frog has been boiling from "We warn the user with a tiny icon
they'll probably ignore" to "Users have to know secret words or convoluted
config flows to bypass this inescapable error panel."

------
mayerzahid
Agari is on a mission to eliminate email as a channel for cyber attacks and
enable businesses and consumers to interact safely.

Create your free DMARC record here:
[https://app.agari.com/dmarc/record_creator](https://app.agari.com/dmarc/record_creator)

Here is a webinar with Steve Jones, Executive Director of DMARC.org, John Rae-Grant of Google and Mike Jones, Agari Director of Product Management talking about email authentication. [https://www.agari.com/project/webinar-the-authenticated-emai...](https://www.agari.com/project/webinar-the-authenticated-email-world/)

------
euske
I wish someone made a better (non-SMTP) messaging standard which is secure,
efficient, easier to understand/implement and without a clutter of all legacy
stuff (and hopefully with a decent reference implementation!). Spams would
still remain, but at least that would free us from worrying about the
transportation layer security. (But then we might need to reinvent something
like DNS on the way, so maybe that's why that no one is trying this.)

------
Nux
Will encryption via self-signed certs be accepted?

------
Johnny555
How disappointing, when I read the headline I thought Google was supporting
PGP signing and encryption of emails. They could easily do so in their web and
mobile clients, keeping emails safe from prying eyes.

Though that would also prevent analysis of emails for ad targeting, so they'd
have to do it as some sort of paid project.

------
ksk
It's great that Google wants all the lines carrying data from their servers to
be secure and tamper proof. It would be interesting to see if they ever
support end to end encryption which would lock them out of scanning the data
as well.

~~~
lern_too_spel
Then how would searching your mail work? That breaks the product on a
fundamental level and makes it worse than all competing products for all but a
few users with specific needs. The existing end-to-end browser extension is a
reasonable compromise.

~~~
ksk
It would work in the same way as opening any encrypted mailbox works. Your
password is used as the key to decrypt your mailbox when you login. The same
key could also be used to search the email.

Right now they're already telling you that they scan every email. So yeah, you
would have to trust them that they do in fact discard the keys and don't
allow decryption in other scenarios. But large companies with tons of cash to
lose if they're sued, will rarely blatantly lie about what they're doing.

------
Tepix
Want to run your own mail server with TLS, SPF and DKIM? Check out sovereign
on github. Makes it easier and includes a lot of other useful stuff such as
your own calendar and contacts server.

------
nchelluri
Question about this: if I send mail to my IMAP or POP server over TLS, it may
still travel to various spots on the journey to its final destination
unencrypted using SMTP, right?

~~~
jcoffland
It's what the email server that you are making the IMAP or POP connection to
does next that matters. If you send mail to a Gmail account it should make a
TLS connection to Google's servers directly.

------
tsmarsh
Support PGP already!

~~~
fixermark
How? ;)

------
wizkkidd
Great news!

------
pmlnr
I'm getting tired of seeing 'mail is hard'. No, it's not. You need to learn it,
and there are a lot of knobs and buttons, indeed, but it's not hard,
especially not with the plethora of tutorials around.

Sysadmining was never that easy and was never intended to be done by the
general public by clicking on a few 'continue' buttons and as the web is
evolving, so is mail. Deal with it.

------
a3_nm
This is interesting but as pointed out by other comments there is great danger
of Gmail abusing their position to make life harder for small email providers.

I would be more positive towards this if they gave precise, technical details
of their notion of "supporting TLS" and "being authenticated", ideally with a
service allowing me to test easily whether my mail server is fine according to
them (rather than having to sign up for Gmail to test it).

------
stock_toaster
I wonder how long it will be before Google fully cuts Gmail off from the
outside world, much like how they turned gchat from a member of the federated
xmpp/jabber ecosystem into hangouts and cut it off from everyone else.

I guess if nothing else, it would probably reduce spam!

