
Google switches to DKIM for Email Authentication

By Samuel Chenard, August 9, 2023. 2 min read

Introduction

Google's email authentication system has recently undergone significant changes following the discovery of a flaw that allowed scammers to impersonate brands. This article delves into the details of these changes, the implications for users and brands, and the broader context of email security.

There is a flaw in Google's BIMI Implementation

Google's Brand Indicators for Message Identification (BIMI) program was designed to protect email users from brand spoofing and phishing attacks. It also aimed to protect the reputations of brands whose names and logos might be used in cyber attacks. BIMI worked by displaying a blue checkmark alongside the logos of verified senders in Gmail, a feature that was rolled out in July 2021.

However, a flaw in this system was discovered by security architect Chris Plummer in late May 2023. Plummer noticed that an email appearing to be from a verified UPS sender, complete with the logistics giant's logo and Google's blue checkmark, was actually a scam. The flaw was a vulnerability involving the Sender Policy Framework (SPF), one of the email authentication standards BIMI relied on, which upgraded non-authenticated emails so that they appeared authentic.

Google's Response and Changes to BIMI

Following the discovery of the flaw, Google announced that it was tightening its BIMI verification process. Where BIMI had previously accepted either SPF or DomainKeys Identified Mail (DKIM) to satisfy its sender authentication requirement, it now requires DKIM exclusively. This change was in response to the bug involving SPF that allowed non-authenticated emails to be upgraded to appear authentic.

A Google spokesperson stated, "This issue stems from a third-party security vulnerability allowing bad actors to appear more trustworthy than they are. To keep users safe, we are requiring senders to use the more robust DomainKeys Identified Mail (DKIM) authentication standard to qualify for Brand Indicators for Message Identification (blue checkmark) status."
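To make the policy change concrete, here is a simplified eligibility check, added here as an illustration and not Google's code: it reads an RFC 8601 Authentication-Results header and compares the earlier rule (an aligned SPF or DKIM pass) with the tightened rule (an aligned DKIM pass only). The sample headers and the domains brand.example and relay.example are constructed placeholders.

```python
import re
from email.utils import parseaddr

# Hypothetical BIMI eligibility check (added illustration, not Google's code):
# reads an RFC 8601 Authentication-Results header and applies either the
# earlier rule (SPF or DKIM aligned pass) or the tightened rule (DKIM only).
METHOD_RE = re.compile(r"(\w+)=(\w+)((?:\s+[\w.]+=\S+)*)")

def parse_auth_results(header: str) -> dict:
    """Return {method: (result, {property: value})}; the first field is the authserv-id."""
    results = {}
    for part in header.split(";")[1:]:
        m = METHOD_RE.match(part.strip())
        if m:
            props = dict(p.split("=", 1) for p in m.group(3).split())
            results[m.group(1)] = (m.group(2), props)
    return results

def aligned(domain: str, from_domain: str) -> bool:
    """Relaxed alignment: same domain as the visible From, or a subdomain of it."""
    return bool(domain) and (domain == from_domain or domain.endswith("." + from_domain))

def bimi_eligible(from_header: str, auth_results: str, dkim_only: bool) -> bool:
    """Old rule (dkim_only=False): aligned SPF or DKIM pass. New rule (True): aligned DKIM pass."""
    from_domain = parseaddr(from_header)[1].rsplit("@", 1)[-1].lower()
    auth = parse_auth_results(auth_results)
    dkim_result, dkim_props = auth.get("dkim", ("none", {}))
    dkim_ok = dkim_result == "pass" and aligned(dkim_props.get("header.d", "").lower(), from_domain)
    if dkim_only:
        return dkim_ok
    spf_result, spf_props = auth.get("spf", ("none", {}))
    spf_domain = spf_props.get("smtp.mailfrom", "").rsplit("@", 1)[-1].lower()
    return dkim_ok or (spf_result == "pass" and aligned(spf_domain, from_domain))

# Constructed samples; brand.example and relay.example are placeholder domains.
FROM = "Brand <noreply@brand.example>"
SAMPLES = {
    "signed":     "mx.example; spf=pass smtp.mailfrom=brand.example; dkim=pass header.d=brand.example",
    "spf_only":   "mx.example; spf=pass smtp.mailfrom=brand.example; dkim=none",  # no DKIM signature
    "misaligned": "mx.example; spf=pass smtp.mailfrom=relay.example; dkim=pass header.d=relay.example",
}

def evaluate(name: str) -> tuple:
    """(eligible under the old SPF-or-DKIM rule, eligible under the new DKIM-only rule)."""
    ar = SAMPLES[name]
    return bimi_eligible(FROM, ar, dkim_only=False), bimi_eligible(FROM, ar, dkim_only=True)

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:11s} old={evaluate(name)[0]!s:5s} new={evaluate(name)[1]}")
```

The spf_only case is the one the change targets: a message that passes SPF without carrying a valid, aligned DKIM signature qualified before and no longer does.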

The Implications for Email Security

The discovery of the flaw in Google's BIMI implementation and the subsequent changes to the system highlight the complexity and challenges of email security. Despite the various protocols that have been adopted to address email sender verification, such as SPF, DMARC, and DKIM, these are incomplete solutions that each address a different aspect of a complex problem.

Security researchers argue that the way BIMI is being implemented means that malicious actors could abuse the system to more effectively impersonate well-known brands, making it much more likely end users would click on a malicious link or open a dodgy attachment as part of a phishing attack.

The Role of Third Parties in Email Security

The flaw in Google's BIMI implementation also underscores the role of third parties in email security. In this case, Google blamed an unnamed "third-party" for allowing its services to be used in ways that bypassed its security controls and delivered spoofed messages to inboxes.

The incident serves as a reminder that email security is not just the responsibility of email providers like Google, but also of the third parties that interact with
