If you’re sending Gmail messages from anywhere other than Gmail itself, they may look like they’re phishing attempts. Up until today, whenever I sent messages using my Google Apps account with the From: address set to my vanilla Gmail address, my Gmail-using recipients got an alarming, bright red message at the top which said “This message may not have been sent by [who it appears to be from]. Learn more Report phishing.” Make sure this doesn’t happen to you.
Senders: If messages from your Gmail address look like phishing
If you’re sending email with the From: field set to your Gmail email address (that is, firstname.lastname@example.org or email@example.com) from any client other than Gmail itself, use Gmail’s SMTP servers to send the mail.
The process for setting your email software to use Gmail’s SMTP server will vary depending on what email client you’re using. If you’re like me and using another Gmail or Google Apps account to send mail with a custom Gmail From: address, here’s how to set the SMTP server.
In your primary Google Apps/Gmail account where you actually send messages from, in Settings > Accounts > Send mail as, click on “edit info” next to your custom Gmail From: address.
Double-check your name and email address listed there, and click on the “Next Step” button. On the “Send mail through your SMTP server?” step, don’t use the default SMTP server. Instead, check the “Send through gmail.com SMTP servers” option, and enter your Gmail username and password for the account you want to send From.
If you’re using Google’s two-step verification for your Gmail account (and you should be), you’ll need to generate an application-specific password for SMTP server use. Click on the “Save Changes” button and you’re done. Your messages will no longer look like they are phishing attempts.
Senders: If messages from your Google Apps address look like phishing
If messages from your Google Apps domain name are getting the red phishing warning, you’ve got to tweak a DNS setting to fix it. In short, you’ve got to add a Sender Policy Framework (SPF) record to your domain which verifies that Google Apps’ mail servers are authorized to send your messages on your domain’s behalf. The exact process for doing this depends on where you registered and administer your domain, but Google Apps Support runs down the general steps to create an SPF record for a domain:
1. Log in to the administrative console for your domain.
2. Locate the page from which you can update the DNS records. You may need to enable advanced settings.
3. Create a TXT record containing this text: v=spf1 include:_spf.google.com ~all
4. Save your changes. Keep in mind that changes to DNS records may take up to 48 hours to propagate throughout the Internet.
If it’s not clear where or how to add an SPF record for your domain, get in touch with your domain registrar support to find out how.
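To confirm that the record from step 3 is what your domain actually publishes, the following added example (not from the original article or Google's documentation) audits the TXT strings a DNS lookup returns for a domain. The function name audit_spf and the sample records are constructed for illustration, and it checks only the include: form shown in step 3.

```python
GOOGLE_INCLUDE = "include:_spf.google.com"  # mechanism from step 3 above
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def audit_spf(txt_records):
    """Audit the TXT strings published at a domain for the Google Apps SPF entry."""
    # An SPF record is a TXT string whose first term is exactly "v=spf1".
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return {"status": "none", "google_authorized": False, "all": None}
    if len(spf) > 1:
        # RFC 7208: more than one SPF record at a name is a permanent error,
        # so receivers cannot use either of them.
        return {"status": "permerror", "google_authorized": False, "all": None}

    google, all_result = False, None
    for term in spf[0].lower().split()[1:]:
        if "=" in term.split(":")[0]:
            continue  # modifier such as redirect= or exp=, not a mechanism
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        else:
            qualifier, mech = "+", term  # no prefix means "+" (pass)
        if mech == GOOGLE_INCLUDE and qualifier == "+":
            google = True
        elif mech == "all":
            all_result = QUALIFIERS[qualifier]
            break  # mechanisms listed after "all" are never evaluated
    return {"status": "found", "google_authorized": google, "all": all_result}


# Constructed sample TXT record sets, not real DNS answers.
SAMPLES = {
    "as in step 3": ["site-verification=constructed",
                     "v=spf1 include:_spf.google.com ~all"],
    "Google missing": ["v=spf1 mx -all"],
    "include after all": ["v=spf1 ~all include:_spf.google.com"],
    "two SPF records": ["v=spf1 mx ~all",
                        "v=spf1 include:_spf.google.com ~all"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(f"{label}: {audit_spf(records)}")
```

A result other than status "found" with google_authorized True means the DNS change has not taken effect or was entered incorrectly.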
Recipients: If your friends’ messages look like phishing
Gmail’s phishing alert on messages that look like they came from unauthorized SMTP servers helps recipients identify email scams, but it stinks for senders who use custom From: addresses legitimately, because they don’t know it’s happening. The only way I knew it was happening to my email is because Adam told me it was!
So, if you’re getting this phishing alert on friends’ or co-workers’ messages that you know are legit, send them a link to this article or to Google’s Support page on the subject. They’ll appreciate it.