Gmail improves security for their users

Lock in Gmail showing messages weren't encrypted with TLS
Message that appears when you click the TLS lock in Gmail.

Yesterday was Safer Internet Day, and Gmail celebrated it by making some important updates to the way they show messages to their users. These changes cover two big areas, encryption and authentication. Since 25% of mail sent by our customers goes to Gmail, we wanted to share these changes with you.

TLS encryption

Most email is sent in the clear, which makes it possible to read messages like a postcard as they're being delivered. Mail servers often use TLS encryption to protect messages while they’re in transit. This makes sure the contents can't be read by taking a peek at a message as it's being delivered between servers.

Google will now show you whether your messages are using TLS encryption. Gmail will display a broken lock icon on incoming messages that didn’t use TLS. It will also show when you’re sending messages to services that don’t use TLS when accepting mail.

Postmark has used opportunistic TLS since 2010. This means we try to deliver mail using a TLS handshake first, and only send without TLS if a system refuses the encrypted connection.

TLS data for Inbound Processing

Slightly related to this, we recently made an update to inbound processing to display if a sending mail server used TLS to connect to our inbound servers. This information can then be used on your side to determine if a message was encrypted in transit. We include this in the original received header, which looks like this:

Received: from mail-yk0-f176.google.com (mail-yk0-f176.google.com [209.85.160.176])
        (using TLSv1 with cipher RC4-SHA (128/128 bits))
        (No client certificate requested)

Combining this with our SPF and DKIM results, you can now build more trust around the Inbound emails that you process for your application. SPF and DKIM also play an important role in the other Gmail update today, domain authentication and sender images.
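One way to use the TLS clause of that Received header on your side, as an added example (not Postmark's code): it parses the clause in the format shown above and classifies the hop as plaintext, legacy TLS or TLS. The function names and the legacy lists are assumptions (a local policy), and the caller is assumed to pass only the Received header stamped by the receiving inbound server, since headers added by earlier hops are written by the sending side.

```python
import re

# TLS clause as in the header above: "(using TLSv1 with cipher RC4-SHA (128/128 bits))"
TLS_CLAUSE = re.compile(
    r"\(using\s+(?P<protocol>(?:TLS|SSL)v[\d.]+)\s+with\s+cipher\s+"
    r"(?P<cipher>[A-Za-z0-9_-]+)\s+\((?P<used>\d+)/(?P<avail>\d+)\s+bits\)"
)

# Assumed local policy, not a Postmark rule: protocol versions and cipher
# name fragments treated as legacy (TLS 1.0/1.1 and RC4 are deprecated).
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}
LEGACY_CIPHER_PARTS = ("RC4", "DES", "NULL", "EXP", "MD5")


def parse_received_tls(received):
    """Return TLS details from one Received header value, or None if absent."""
    unfolded = re.sub(r"\r?\n[ \t]*", " ", received)  # undo header folding
    m = TLS_CLAUSE.search(unfolded)
    if not m:
        return None
    return {"protocol": m["protocol"], "cipher": m["cipher"], "bits": int(m["used"])}


def classify_transport(received):
    """Classify the hop as 'plaintext', 'legacy-tls' or 'tls'."""
    tls = parse_received_tls(received)
    if tls is None:
        return "plaintext"
    weak_cipher = any(part in tls["cipher"].upper() for part in LEGACY_CIPHER_PARTS)
    if tls["protocol"] in LEGACY_PROTOCOLS or weak_cipher or tls["bits"] < 128:
        return "legacy-tls"
    return "tls"


# Sample values: the first is the header from the post; the others are constructed.
SAMPLE_FROM_POST = (
    "from mail-yk0-f176.google.com (mail-yk0-f176.google.com [209.85.160.176])\n"
    "\t(using TLSv1 with cipher RC4-SHA (128/128 bits))\n"
    "\t(No client certificate requested)"
)
SAMPLE_MODERN = (
    "from mx.example.org (mx.example.org [192.0.2.10])\n"
    "\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))"
)
SAMPLE_PLAIN = "from mx.example.org (mx.example.org [192.0.2.10])"

if __name__ == "__main__":
    for sample in (SAMPLE_FROM_POST, SAMPLE_MODERN, SAMPLE_PLAIN):
        print(classify_transport(sample), parse_received_tls(sample))
```

The result describes only the last hop into the inbound server, so it is best treated as one signal alongside the SPF and DKIM results rather than proof of end-to-end encryption.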

Authentication and sender images

We’ve shared how to add sender images for recipients using Gmail. Today Google is making some changes to how these images are displayed. Your email address will still need a profile image with Google, but the domain you’re sending with will also need to be authenticated with SPF or DKIM.

If you haven’t set up SPF or DKIM for your domain, all mail from your domain will now show up with a question mark in place of any profile image.

How Gmail displays sender images for authenticated domains
Example Gmail team shared of new sender image policy

Authenticating your domain with SPF and DKIM provides value beyond just preserving your sender images. DKIM gives you a delivery history with ISPs, and we’ve done testing with customers that has shown DKIM improves inbox rates too. These changes to how Gmail is displaying authenticated domains are just one more reason to make sure you’ve set up DKIM and SPF.

Better message quality. Better experience for recipients

Gmail sets the standard for these kinds of changes, and you can bet other providers are taking note. Sending authenticated email is only going to continue to grow in importance over time. We make it easy to set up SPF and DKIM for your domain, and these changes are just another reason why we strongly encourage every Postmark customer to put these in place.