GMail guesses at your emails’ provenance – which is bad

Posted in Virtual CTO

There is a basic sniff test for email provenance on the internet called Sender Policy Framework (‘SPF’). It is designed to prevent email forgery and is relatively easy to set up, as it is just a TXT record in the DNS. Here is ours:

v=spf1 -all

Decoded, that means that an email from the domain is valid if it is delivered by Mimecast, Xero or MailChimp. The -all means reject email from everywhere else claiming to be

Most email systems will look for the SPF record and, if an email is being sent from somewhere it shouldn’t be (spoofing) or if the SPF record isn’t there, the system will do one of the following:

  • Reject the email
  • Mark the email as Junk or spam
  • Mark the email as suspicious

Not Gmail.  

It uses SPF’s deprecated “best-guess” functionality. According to the standard this “… should generally be avoided. […] results of guessing SPF like records should not be referred to as SPF results.”

These are the Gmail raw MIME headers where, in fairness, it says that Gmail is guessing the SPF, but you have to dig hard to find them.

However, if you were a user without that detailed knowledge, what would this summary say to you?

Pretty sure the standard says “results of guessing SPF like records should not be referred to as SPF results.”
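To make the two halves of the post concrete, here is an added example (my own code, not anything from Google or the SPF specification): a simplified SPF evaluator that returns “none” rather than guessing when a domain publishes no record, plus a check that flags header values where the receiver admits the result came from a “best guess”. The domain names, IP ranges and the sample header wording are constructed stand-ins; the DNS table replaces real TXT lookups so it runs offline.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical names, no network).
FAKE_DNS_TXT = {
    "example.test": "v=spf1 include:_spf.relay.test ip4:203.0.113.0/24 -all",
    "_spf.relay.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "nospf.test": None,  # domain that publishes no SPF record at all
}

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, lookup=FAKE_DNS_TXT.get, depth=0):
    """Evaluate a simplified SPF record for sender_ip.

    Handles ip4/ip6/include and the 'all' qualifiers only (no a/mx/exists).
    A missing record yields 'none': the receiver must not invent one.
    """
    record = lookup(domain)
    if not record or not record.split()[0].lower() == "v=spf1":
        return "none"
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in RESULTS else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qual]
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return RESULTS[qual]
        # 'include' matches only when the referenced record itself passes
        if name == "include" and check_spf(arg, sender_ip, lookup, depth + 1) == "pass":
            return RESULTS[qual]
    return "neutral"  # nothing matched and no 'all' term present


def spf_result_is_guessed(header_value):
    """True when an SPF result header value admits it was built from a
    guessed record instead of a published one (string check on 'best guess')."""
    return "best guess" in header_value.lower()


# Constructed sample of the wording this post describes Gmail adding (assumed).
GUESSED_HEADER = ("pass (google.com: best guess record for domain of "
                  "alice@nospf.test designates 192.0.2.10 as permitted sender)")
REAL_HEADER = ("pass (google.com: domain of bob@example.test designates "
               "203.0.113.7 as permitted sender)")
```

A receiver following the record above answers “fail” for a sender outside the listed ranges and “none” for nospf.test; a guessed “pass” for that same domain is exactly the case the header check catches.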

In summary, the provenance of email received and trusted by Gmail can be subject to a best-guess basis, which, given the malware doing the rounds at the moment, is pretty much no protection at all!