Getting email authentication right just got a lot more important.
Google’s Gmail team announced this week that it would be rolling out two changes in the way that Gmail displays email messages to its web users. The first change: If you’re reading email from (or sending email to) someone whose servers don’t support TLS encryption, you’ll see a broken lock icon.
But the second change is a much bigger deal: If you receive a message whose sender can’t be authenticated, you’ll see a question mark in place of the sender’s photo, logo, or avatar.
It’s that second change that should have anyone who relies on email for marketing or customer communications sitting bolt upright and paying close attention. Never mind how much work you’ve done building trust with your customers and prospects. Never mind how many opt-ins they’ve given you, or how much care you put into crafting your email messages and making sure that their formatting is on-brand. If those messages don’t authenticate, they’ll have a big, bold question mark right next to them in Gmail.
Google’s illustration of how authenticated and unauthenticated emails will look.
Google is careful not to say that this means every message with a question mark is suspect. “Not all affected email will necessarily be dangerous,” Google writes. “But we encourage you to be extra careful about replying to, or clicking on links in messages that you’re not sure about.”
But there’s no question that Google is injecting a note of doubt into recipients’ minds. (Not to mention blocking out the more customer-friendly logo or avatar that ordinarily represents your company in people’s inboxes.) Not exactly the move you want to make when you’re trying to establish a relationship of trust with the people to whom you’re selling.
Google is making this move now because phishing attacks have reached epidemic proportions. Just this week, for instance, we learned that a single gang of cybercriminals successfully used phishing attacks against about 670 victims, getting them to install malware and then pay to have it removed. That one attack cost the victims $330,000 in Bitcoins.
The phishing problem is so bad that the FTC even recently put out a warning to U.S. citizens to be alert for fake emails from the Social Security Administration.
Unfortunately, the usual warnings to watch out for fake emails don’t solve the problem. In fact, they make it worse, because they teach users to be suspicious of your emails.
Authentication is quite simply the most effective and authoritative way to stop email phishing, because it prevents fraudsters from sending messages that appear to be from other sources. It puts an end to scammers impersonating the Social Security Administration, or Target, or Walmart, or anyone else. With authentication, you know that the sender really is who the email says it is.
Showing question marks for non-authenticated email senders is just the latest in a series of steps Google has been taking to support and enforce email authentication. It’s not the only one: Yahoo! Mail, AOL Mail, and Microsoft’s Hotmail all support authentication too.
And Microsoft has announced it will begin flagging non-authenticated email soon.
For now, Google’s authentication effort is focused on two core authentication standards, SPF and DKIM. Eventually, it will likely move to support a more modern standard, DMARC, that incorporates both SPF and DKIM and ties them together in a way that’s even harder to spoof.
The problem for marketers is that most IT departments have struggled to implement email authentication correctly. It’s not enough to implement SPF and DKIM: You have to implement them correctly, or Gmail will flag your messages as non-authenticated. It’s not easy: Read our blog post on the four most frequent email authentication mistakes, and our post on two common problems people have with SPF.
How does your domain measure up? Use our easy tool to check whether authentication is working for your domain.
How Valimail can help
With its innovative approach, Valimail can automate, and maintain, email authentication for you. With our system:
Marketers will be happy because their emails will get better deliverability, brand protection, and consumer protection. And there will be no scary question marks next to their messages in Gmail.
Messaging teams will benefit from Valimail because our system gives them visibility and control over not just email authentication, but who is actually authorized to send messages on the organization’s behalf.
Security executives will be pleased with Valimail because authentication makes it much harder for scammers to spoof emails, thus increasing protection for both customers and employees.