Information Security
email gmail email-spoofing
Updated Tue, 24 May 2022 15:45:09 GMT

How can you use the information from Gmail's "Show Original" feature to check if an email really came from Google?


I received an email saying that someone logged into my Gmail account from an unknown device. How can I verify that this email (security alert) actually came from Google and not from a malicious source? I clicked on "Show Original" and it says:

SPF: PASS
DKIM: PASS
DMARC: PASS

Does that mean that the alert really did come from Google?




Solution

If you are reading in Gmail and use the "Show Original" option, and the from address is from a Google domain (should be no-reply@accounts.google.com), then yes, those three indicators are enough.

For a more in-depth review of the mail path, you can copy all the headers (everything above Content-Type: in the block below where you see those pass marks) and use a third-party analyzer to see the ins and outs. I like MX Toolbox (https://mxtoolbox.com/EmailHeaders.aspx) -- just paste the headers in there and click "Analyze" to receive a full breakdown of what it all means.

Also, to be "phish proof", even if the message is from Google, you should manually go to your account settings to take remedial action. This is a rule for every website/service: never, ever trust an emailed link that asks you to update security information. Log in to your account by hand, then go to your account security and take action from there. It is a super easy rule, and a sure-fire way to avoid being tempted/trapped by a well-crafted spear phishing message. Just head to accounts.google.com and take care of it from there.
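The checks the answer describes, applied to the raw headers from "Show Original", as an added example that is not part of the question or the answer. It assumes the only Authentication-Results header worth trusting is the one written by your own receiving mail server (the authserv-id, mx.google.com for Gmail); any sender can insert an Authentication-Results header of its own claiming spf=pass, so a header from any other host is ignored. The two sample messages and every header value in them are constructed for illustration.

```python
"""Check SPF/DKIM/DMARC results recorded in a raw email's headers.

Added example, not code from the original question or answer. Assumes
the raw text is what Gmail's "Show Original" displays and that only the
Authentication-Results header written by the receiving MTA (authserv-id
mx.google.com) is trustworthy. Sample messages are constructed.
"""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

TRUSTED_AUTHSERV_ID = "mx.google.com"        # assumption: our receiving MTA's authserv-id
EXPECTED_FROM_DOMAIN = "accounts.google.com"  # the From domain the answer says to expect

# Constructed sample: the receiver's own Authentication-Results header plus
# a second one a sender could have inserted. Values are illustrative only.
SAMPLE_RAW = """\
Return-Path: <3abc@accounts.google.com>
Authentication-Results: mx.google.com;
       dkim=pass header.i=@accounts.google.com header.s=20210112 header.b=abcd1234;
       spf=pass (google.com: domain of 3abc@accounts.google.com designates 209.85.0.1 as permitted sender) smtp.mailfrom=3abc@accounts.google.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=accounts.google.com
Authentication-Results: attacker.example;
       dkim=pass header.i=@accounts.google.com; spf=pass; dmarc=pass
From: Google <no-reply@accounts.google.com>
To: someone@example.com
Subject: Security alert
Content-Type: text/plain; charset="UTF-8"

New sign-in from an unknown device.
"""

# Constructed sample: only a sender-supplied "pass" header, nothing from the
# receiving MTA. The three PASS marks here mean nothing.
FORGED_RAW = """\
Authentication-Results: attacker.example;
       dkim=pass header.i=@accounts.google.com; spf=pass; dmarc=pass
From: Google <no-reply@accounts.google.com>
Subject: Security alert
Content-Type: text/plain; charset="UTF-8"

Please review recent activity on your account.
"""


def parse_auth_results(value):
    """Split an Authentication-Results value into (authserv_id, {method: (result, props)})."""
    value = re.sub(r"\([^)]*\)", "", value)     # drop comments such as "(p=REJECT ...)"
    value = re.sub(r"\s+", " ", value).strip()  # unfold and collapse whitespace
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id = parts[0].split()[0]           # first clause is the host that wrote the header
    results = {}
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = {}
        for tok in tokens[1:]:                  # e.g. header.i=@accounts.google.com
            key, _, val = tok.partition("=")
            props[key] = val
        results[method.lower()] = (result.lower(), props)
    return authserv_id, results


def verify_message(raw, trusted_authserv_id=TRUSTED_AUTHSERV_ID,
                   expected_from_domain=EXPECTED_FROM_DOMAIN):
    """Return (ok, findings). ok is True only when the trusted header shows spf, dkim
    and dmarc all passing, the DKIM domain aligns with the visible From domain, and
    that From domain is the expected one."""
    msg = Parser(policy=policy.default).parsestr(raw)
    from_domain = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    findings = []
    trusted = None
    for hdr in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_auth_results(str(hdr))
        if authserv_id.lower() == trusted_authserv_id.lower():
            if trusted is None:
                trusted = results
        else:
            findings.append(f"ignored Authentication-Results written by {authserv_id}")
    if trusted is None:
        findings.append(f"no Authentication-Results header from {trusted_authserv_id}")
        return False, findings
    ok = True
    for method in ("spf", "dkim", "dmarc"):
        result = trusted.get(method, ("missing", {}))[0]
        if result != "pass":
            ok = False
            findings.append(f"{method}={result}")
    # Alignment: the domain that signed the message must be the From domain
    # (or a parent of it), otherwise a valid signature from some other domain
    # says nothing about who the mail is "From".
    dkim_props = trusted.get("dkim", ("", {}))[1]
    dkim_domain = (dkim_props.get("header.d") or dkim_props.get("header.i", "")).rpartition("@")[2].lower()
    if dkim_domain != from_domain and not from_domain.endswith("." + dkim_domain):
        ok = False
        findings.append(f"DKIM domain {dkim_domain!r} does not align with From domain {from_domain!r}")
    if from_domain != expected_from_domain:
        ok = False
        findings.append(f"From domain is {from_domain!r}, expected {expected_from_domain!r}")
    return ok, findings


if __name__ == "__main__":
    for label, raw in (("receiver-verified", SAMPLE_RAW), ("sender-supplied only", FORGED_RAW)):
        ok, findings = verify_message(raw)
        print(f"{label}: {'OK' if ok else 'DO NOT TRUST'}")
        for finding in findings:
            print("  -", finding)
```

Even when the script reports OK, the answer's advice stands: act from accounts.google.com rather than from any link in the message. The alignment check is also why the answer insists on the From address being a Google domain: SPF and DKIM can both pass for a message whose signing domain has nothing to do with the address the reader sees.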
