Ask HN: How to get through to someone at Google about broken Gmail function?
1. Gmail has a feature called Send Mail As. This feature allows the user to send email from another domain through their Gmail account. From their help page:
================================================ "If you own another email address, you can send mail as that address. For example:
Yahoo, Outlook, or other non-Gmail address Your work, school, or business domain or alias, like @yourschool.edu or youralias@gmail.com Another Gmail address Tip: You can send emails from up to 99 different email addresses." ================================================
2. I have happily been using it for sending and replying to my Hotmail/Outlook account for over a decade.
3. Suddenly Gmail is rejecting sending to these Hotmail addresses via alias. The error message reads:
550 5.7.26 This mail is unauthenticated, which poses a security risk to the sender and Gmail users, and has been blocked. The sender must authenticate with at least one of SPF or DKIM. For this message, DKIM checks did not pass and SPF check for [hotmail.com] did not pass with ip: 209.85.220.41.
4. On checking it appears that:
a) That IP belongs to Google. So Google is blocking its own feature b) The reason may be that Spamcop (and only Spamcop) has blacklisted that IP.
5. The bottom line is, a service which Google offers for free to its users for convenience is now broken (due to Google inaction?).
6. I'm not going to go down the rabbit hole of wondering whether this has anything to do with a general Google/Microsoft issue.
7. Yes I know I'm the product and I really should just stop using Gmail. But hey...
14 comments
[ 5.1 ms ] story [ 255 ms ] threadHaving a paid enterprise account with Google and working with their "support" now, it's akin to angrily screaming into the void, while a level 1 person with no real situational awareness assures you Google cares and is diligently working on a fix.
It's been a couple months now...
I just looked at another record and guessed what it wanted to see. I ended up with
"v=spf1 include:_[my_smtp_server] ~all"
and hey, it worked.
I appreciate this doesn't fix the Hotmail issue, but just wanted to share in case anyone else can use this.
The DMARC policy for hotmail.com is p=none. AKA, allow spoofing.
So GMail shouldn't really be rejecting messages because of SPF and DKIM failure. But maybe GMail has some logic that overrides Hotmail's DMARC policy.Also IIRC GMail has an option to send from another address via the upstream SMTP server. This will ensure that your message is properly authenticated as it won't be spoofed.
Email forwarding from my Gmail account (workspace) to another Gmail account (gmail.com) fails with a DMARC-related bounce depending on the original sender's configuration.
In order to send email on behalf of a domain (the part after the '@' in the sender email address), the domain must authorize the sender to do so. This is done by publishing the sender's public DKIM key as a DNS record, and including the sender in the SPF policy.
If you own the domain you are attempting to send from, then set up the domain correctly. If you don't own the domain (for example, you mention hotmail.com) then you just got lucky in the past if it was delivered.
The description that google gives is a bit misleading though:
> "If you own another email address, you can send mail as that address."
It should say: if you own another domain, you can send mail as that domain.
they apparently changed their security settings recently to reject unauthorised emails. This is new.
I can surely set a DKIM and SPF record for my domain, but I have no way of knowing what I should add as the settings, as Gmail isn't asking for it.
I'm not sure this is correct though: > The description that google gives is a bit misleading though:
> > "If you own another email address, you can send mail as that address."
You can actually send from any third party address, e.g. Yahoo etc. It's literally what their page says. You don't have to own the domain.
See https://support.google.com/mail/answer/22370?hl=en-GB&sjid=2...
I know their previous set up wasn't super safe, but they could have mitigated for this instead of just breaking the feature.
Any third party _service_, not necessarily any domain.
> You don't have to own the domain.
Nowhere on the page does Google claim that you don't have to own the domain.
If the domain is already using Google for email, this feature will 'just' work. If the domain does _not_ use Google for email already, then it probably won't work, but that depends on the SPF and DMARC settings of that domain. For it to work reliably, Google must be added to the SPF policy, and the DKIM record must be created. If you do not own that domain, then you can't do that.
> I know their previous set up wasn't super safe, but they could have mitigated for this instead of just breaking the feature.
No, they couldn't "mitigate" against this. As explained, this is how email works, there is nothing that Google can change about this. As more and more domains are adopting DMARC (which is good practice), the more this alias feature will break.
This is why I called it a documentation oversight by Google. They should be clear about that the domain must either already be using Gmail, or that you need administrative access to the domain to add Google to the SPF policy and add the DKIM record to the DNS zone.
Gmail offers this functionality in their own settings. There is no way to add SPF or DKIM records.
So if I use gmail to send using a third-party domain to a gmail address, it bounces.
I guess they forgot that people use the function.
Any hacks found in the meantime?