Email authentication

Email authentication is a way to ensure that an email provider will be able to recognize the sender of an incoming message and fight spam and abuse. You can use authentication data to verify the source of any message that you receive. For example, if you receive a message from a big sender (like a financial institution, or a major email provider, like Google, Yahoo or Hotmail) that isn’t authenticated, this message is most likely forged and you should be careful about replying to it or opening any attachments.

More on authentication methods
SPF lets a domain owner specify which hosts are allowed to send messages for that domain by publishing an SPF record in the domain's DNS. You can publish an SPF record here.

DKIM allows the sender to cryptographically sign legitimate emails in a way that recipients can verify using the sender's public key.

If you're receiving mail

Recipients can use authentication to verify the source of an incoming message and avoid phishing scams. For example, if you see messages claiming to be from google.com, but are not properly authenticated as coming from google.com, these are phishing messages. You should not enter or send any personal information. Remember, Google will never ask you to send personal information.

You can view the authentication information by opening a message and clicking on the 'show details' icon below the sender's name.

  • If a message was correctly DKIM signed, a 'signed-by' header with the sending domain will appear.
  • If a message was SPF authenticated, a 'mailed-by' header with the domain name will appear.
  • If no authentication information exists, there will be no signed-by or mailed-by headers.

If you don't use the web interface to read Gmail...

You can still view authentication information by looking at the authentication header in the message headers. Learn how to access your message headers.

Once you obtain the message headers, look for the ‘Authentication-Results’ header. If the message was successfully authenticated by SPF or DKIM, it will contain ‘spf=pass’ or ‘dkim=pass’ respectively.

For example:

Authentication-Results: mr.google.com; spf=pass (google.com: domain of sender@gmail.com designates 10.90.20.10 as permitted sender) smtp.mail=sender@gmail.com; dkim=pass header.i=sender@gmail.com

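As an added example that is not part of this help article, the following Python code parses an Authentication-Results header of the shape shown above and checks not just that SPF or DKIM reports pass, but that the domain that passed matches the domain in the message's From: address (the "properly authenticated as coming from google.com" check described earlier). The sample header is constructed to mirror the example above and is not a captured message.

```python
import re
from email.utils import parseaddr

# Constructed sample, modelled on the example header above (not a real captured message).
SAMPLE_AUTH_RESULTS = (
    "Authentication-Results: mr.google.com; spf=pass (google.com: domain of "
    "sender@gmail.com designates 10.90.20.10 as permitted sender) "
    "smtp.mail=sender@gmail.com; dkim=pass header.i=sender@gmail.com"
)


def parse_auth_results(header):
    """Parse an Authentication-Results header into {method: (result, domain)}.

    Only spf and dkim are extracted. The domain is taken from smtp.mail /
    smtp.mailfrom for SPF and from header.i / header.d for DKIM.
    """
    name, _, body = header.partition(":")
    if name.strip().lower() != "authentication-results":
        raise ValueError("not an Authentication-Results header")
    body = re.sub(r"\([^)]*\)", "", body)  # drop parenthesised comments
    parsed = {}
    for field in body.split(";")[1:]:  # the first field is the authserv-id
        m = re.match(r"(spf|dkim)=(\w+)(.*)", field.strip(), re.IGNORECASE)
        if not m:
            continue
        method, result, props = m.group(1).lower(), m.group(2).lower(), m.group(3)
        pm = re.search(r"(?:smtp\.mail(?:from)?|header\.[id])=(\S+)", props)
        value = pm.group(1) if pm else ""
        # header.i may be "@example.com" or "user@example.com"; keep the domain part
        domain = value.split("@")[-1].lower()
        parsed[method] = (result, domain)
    return parsed


def is_authenticated_for(header, from_address):
    """True only if SPF or DKIM passed AND the passing domain equals the From: domain.

    A pass for some unrelated domain does not authenticate a message that claims
    to come from another domain.
    """
    from_domain = parseaddr(from_address)[1].split("@")[-1].lower()
    results = parse_auth_results(header)
    return any(result == "pass" and domain == from_domain
               for result, domain in results.values())
```
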
If you’re a sending domain

Messages with DKIM signatures are signed using a key. Signatures made with short keys can be easily spoofed (see http://www.kb.cert.org/vuls/id/268267), so a message signed with a short key is no longer an indication that the message is properly authenticated. To best protect our users, Gmail will begin treating emails signed with keys shorter than 1024 bits as unsigned, starting in January 2013. We highly recommend that all senders using short keys switch to RSA keys that are at least 1024 bits long.

Authentication is highly recommended for every mail sender to ensure that your messages are correctly classified. For other recommendations see our Bulk Senders Guidelines.

Authentication by itself is not enough to guarantee that your messages can be delivered, as spammers can also authenticate their mail. Gmail combines user reports and other signals with authentication information when classifying messages.

Similarly, the fact that a message is unauthenticated isn’t enough to classify it as spam, because some senders don’t authenticate their mail or because authentication breaks in some cases (for example, when messages are sent to mailing lists).

Learn more about how you can create a policy to help control unauthenticated mail from your domain.