Spam Filtering: May 2007 Archives

I was just playing around with the new interface for Google Analytics and decided to email myself a report. It's a nice little feature, but there is a serious downside to their implementation. Instead of sending the email from a Google domain (it's not as if they have a shortage) they send it from your email address. While this may seem logical at face value it has serious implications for email security, as you are effectively allowing Google to send mail purporting to be from your domain. If you have been avoiding DKIM and SPF, then this probably won't be a problem for you, but if you have actually implemented it using a relatively strict, and therefore useful policy, then you are going to run into problems. Of course this isn't the first instance of a Google implementation flying in the face of common sense. Their Gmail service has been severely criticised in email filtering circles on may occassions since its introduction due to the lack of a vital part of the email header - the source IP. Whereas other services such as Yahoo! mail or Hotmail / MSN include the sender's actual IP in the email header, Google decided not to. If they'd stopped there it wouldn't be too bad, but they've applied the same logic (or lack of it) to their Google Apps services, so you could easily end up discovering that your mails are being blocked due to abuse of the Google SMTP by others.