I received an email saying that someone logged into my Gmail account from an unknown device. How can I verify that this email (security alert) actually came from Google and not from a malicious source? I clicked on "Show Original" and it says:
SPF: PASS DKIM: PASS DMARC: PASS
Does that mean that the alert really did come from Google?
If you are reading in Gmail and use the "Show Original" option, and the from address is from a Google domain (should be email@example.com), then yes, those three indicators are enough.
For a more in-depth review of the mail path, you can copy all the headers (everything above Content-Type: in the block below where you see those pass marks) and use a 3rd party analyzer to see the ins and outs. I like MX Toolbox (https://mxtoolbox.com/EmailHeaders.aspx) -- just paste the headers in there and click "Analyze" to receive a full breakdown of what it all means.
Also, to be "phish proof", even if the message is from Google, you should manually go to your account settings to take remediative action. This is a rule for every web site/service; never ever trust an emailed link that asks you to update security information. Log in to your account by hand, then go to your account security and take action from there. It is a super easy rule, and a sure-fire way to avoid being tempted/trapped by a well-crafted spear phishing message. Just head to accounts.google.com and take care of it from there.
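The header check described in the answer above, written out as an added Python example (not part of the original answer): it reads the SPF, DKIM and DMARC verdicts only from the Authentication-Results header written by the receiving server, then confirms the From domain. The authserv-id `mx.google.com`, the function name `check_alert` and the sample headers are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not a real message). The first Authentication-Results
# line was added by the receiving server; the second was supplied by the sender.
SAMPLE = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@accounts.google.com header.s=sel1;
       spf=pass (constructed comment) smtp.mailfrom=bounce.example;
       dmarc=pass (p=REJECT) header.from=accounts.google.com
Authentication-Results: relay.sender.example; spf=pass; dkim=pass; dmarc=pass
From: Google <no-reply@accounts.google.com>
Subject: Security alert
Content-Type: text/plain

body
"""

def check_alert(raw, trusted_authserv="mx.google.com", expected_domain="google.com"):
    """Return the receiver's SPF/DKIM/DMARC verdicts and an overall decision."""
    msg = message_from_string(raw)
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue  # written by another host, possibly the sender: ignore it
        rest = re.sub(r"\([^)]*\)", "", rest)  # drop parenthesised comments
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)\s*=\s*(\w+)", rest, re.I):
            results.setdefault(method.lower(), verdict.lower())
        break  # the receiver prepends its header, so only the topmost one counts
    # The From domain must be the expected domain or one of its subdomains.
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    aligned = from_domain == expected_domain or from_domain.endswith("." + expected_domain)
    all_pass = all(results.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    return {"results": results, "from_domain": from_domain, "genuine": all_pass and aligned}

if __name__ == "__main__":
    print(check_alert(SAMPLE))
```

Three passes on a message whose From domain is a lookalike, or passes that appear only in a header the sending side wrote, both come back with `genuine` set to `False`.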