Ask HN: How to get through to someone at Google about broken Gmail function?

12 points by jaggs ↗ HN
How can I alert Google to the following broken 'Send Mail As' issue to get it fixed? I've tried their forum option, but that just reaches some nice volunteer enthusiasts.

1. Gmail has a feature called Send Mail As. This feature allows the user to send email from another domain through their Gmail account. From their help page:

================================================ "If you own another email address, you can send mail as that address. For example:

Yahoo, Outlook, or other non-Gmail address Your work, school, or business domain or alias, like @yourschool.edu or youralias@gmail.com Another Gmail address Tip: You can send emails from up to 99 different email addresses." ================================================

2. I have happily been using it for sending and replying to my Hotmail/Outlook account for over a decade.

3. Suddenly Gmail is rejecting sending to these Hotmail addresses via alias. The error message reads:

550 5.7.26 This mail is unauthenticated, which poses a security risk to the sender and Gmail users, and has been blocked. The sender must authenticate with at least one of SPF or DKIM. For this message, DKIM checks did not pass and SPF check for [hotmail.com] did not pass with ip: 209.85.220.41.

4. On checking it appears that:

a) That IP belongs to Google. So Google is blocking its own feature b) The reason may be that Spamcop (and only Spamcop) has blacklisted that IP.

5. The bottom line is, a service which Google offers for free to its users for convenience is now broken (due to Google inaction?).

6. I'm not going to go down the rabbit hole of wondering whether this has anything to do with a general Google/Microsoft issue.

7. Yes I know I'm the product and I really should just stop using Gmail. But hey...

14 comments

[ 5.1 ms ] story [ 255 ms ] thread
Good luck.

Having a paid enterprise account with Google and working with their "support" now, it's akin to angrily screaming into the void, while a level 1 person with no real situational awareness assures you Google cares and is diligently working on a fix.

It's been a couple months now...

Add an spf record to your domains.
This would be super easy to do, but how do I know what Gmail wants to see?
Update:

I just looked at another record and guessed what it wanted to see. I ended up with

"v=spf1 include:_[my_smtp_server] ~all"

and hey, it worked.

I appreciate this doesn't fix the Hotmail issue, but just wanted to share in case anyone else can use this.

Who is your domain registrar?
It is worth noting that this feature is somewhat a bad idea, but it is strange that it is broken in this case.

The DMARC policy for hotmail.com is p=none. AKA, allow spoofing.

    _dmarc.hotmail.com. 3566 IN TXT "v=DMARC1; p=none; rua=mailto:rua@dmarc.microsoft;ruf=mailto:ruf@dmarc.microsoft;fo=1:s:d"
So GMail shouldn't really be rejecting messages because of SPF and DKIM failure. But maybe GMail has some logic that overrides Hotmail's DMARC policy.

Also IIRC GMail has an option to send from another address via the upstream SMTP server. This will ensure that your message is properly authenticated as it won't be spoofed.

I wonder if this is related to my issue, which also started happening around September 1:

Email forwarding from my Gmail account (workspace) to another Gmail account (gmail.com) fails with a DMARC-related bounce depending on the original sender's configuration.

    <<< 550-5.7.26 Unauthenticated email from aa.com is not accepted due to domain's
    <<< 550-5.7.26 DMARC policy. Please contact the administrator of aa.com domain if
    <<< 550-5.7.26 this was a legitimate mail. Please visit
    <<< 550-5.7.26  https://support.google.com/mail/answer/2451690  to learn about the
    <<< 550 5.7.26 DMARC initiative.
Hi jaggs, I work in Gmail. Yes a lot of lurk on HN. I don't understand your "Send as" flow. Are you sending email to some 3rd party owned account? Usually that sends as SMTP MSA (login/password), so that should work. Is it broken when someone replies?
Also posting the email headers with the appropriate anonymization helps a lot too.
googlers can only pass leetcode, they can’t actually build anything that works, because that requires experience, and that is not what they hire for
From the looks of it, this is not a problem that Google can fix, this is just how email works.

In order to send email on behalf of a domain (the part after the '@' in the sender email address), the domain must authorize the sender to do so. This is done by publishing the sender's public DKIM key as a DNS record, and including the sender in the SPF policy.

If you own the domain you are attempting to send from, then set up the domain correctly. If you don't own the domain (for example, you mention hotmail.com) then you just got lucky in the past if it was delivered.

The description that google gives is a bit misleading though:

> "If you own another email address, you can send mail as that address."

It should say: if you own another domain, you can send mail as that domain.

Hey LeonM,

they apparently changed their security settings recently to reject unauthorised emails. This is new.

I can surely set a DKIM and SPF record for my domain, but I have no way of knowing what I should add as the settings, as Gmail isn't asking for it.

I'm not sure this is correct though: > The description that google gives is a bit misleading though:

> > "If you own another email address, you can send mail as that address."

You can actually send from any third party address, e.g. Yahoo etc. It's literally what their page says. You don't have to own the domain.

See https://support.google.com/mail/answer/22370?hl=en-GB&sjid=2...

I know their previous set up wasn't super safe, but they could have mitigated for this instead of just breaking the feature.

> You can actually send from any third party address, e.g. Yahoo etc. It's literally what their page says.

Any third party _service_, not necessarily any domain.

> You don't have to own the domain.

Nowhere on the page does Google claim that you don't have to own the domain.

If the domain is already using Google for email, this feature will 'just' work. If the domain does _not_ use Google for email already, then it probably won't work, but that depends on the SPF and DMARC settings of that domain. For it to work reliably, Google must be added to the SPF policy, and the DKIM record must be created. If you do not own that domain, then you can't do that.

> I know their previous set up wasn't super safe, but they could have mitigated for this instead of just breaking the feature.

No, they couldn't "mitigate" against this. As explained, this is how email works, there is nothing that Google can change about this. As more and more domains are adopting DMARC (which is good practice), the more this alias feature will break.

This is why I called it a documentation oversight by Google. They should be clear about that the domain must either already be using Gmail, or that you need administrative access to the domain to add Google to the SPF policy and add the DKIM record to the DNS zone.

Same issue here.

Gmail offers this functionality in their own settings. There is no way to add SPF or DKIM records.

So if I use gmail to send using a third-party domain to a gmail address, it bounces.

I guess they forgot that people use the function.

Any hacks found in the meantime?