1

I am creating a game of sorts where you use and earn credits to accomplish tasks. I am curious whether you can effectively use Gmail's security features to secure these submissions if the emails are all in one of the major "safe" ESPs that use SPF and DMARC.

For simplicity, let's just say every account except the game_host@myserver is a Gmail email account. https://support.google.com/a/topic/4388154?hl=en&ref_topic=29818

You obviously know it is coming from Gmail and thereby has to be the correct sender/receiver. No spoofing possible, and the whole message should stay HTTPS the whole time, right? https://support.google.com/a/answer/60764?hl=en

  • Did you consider having your players sign their emails with [PGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy)? Not very comfortable, but still better than forcing them to use a specific email provider. – Philipp Oct 08 '14 at 15:04

2 Answers

2

Gmail's spam filter is only concerned with spam. Gmail will deliver email with SPF failures and an invalid or missing DKIM signature. If you don't believe me, send a spoofed email to yourself.

If you are concerned with spoofed email, then it would be better to use a service such as the SendGrid inbound parse webhook, which will include detailed SPF and DMARC information for all incoming email.

SilverlightFox
rook
  • Absolutely true. I just tried this myself, and Rook is correct. Gmail will most certainly deliver email (into the spam folder) with a clearly faked Gmail From address. – Steve Sether Jan 06 '15 at 16:09
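
One way to act on the SPF and DKIM results an inbound-mail webhook hands over, as an added example that is not part of the original answer or any provider's code. It assumes the parsed form post carries fields named `from`, `envelope`, `SPF` and `dkim`, with `dkim` shaped like `{@gmail.com : pass}`; the sample posts are constructed, and alignment is checked by exact domain match, which is stricter than DMARC's default.

```python
import json
import re
from email.utils import parseaddr

ALLOWED_DOMAINS = {"gmail.com"}  # assumption: players submit from Gmail only

def _domain(addr):
    """Lower-cased domain of 'Name <user@host>' or 'user@host', '' if absent."""
    email = parseaddr(addr or "")[1]
    return email.rpartition("@")[2].lower() if "@" in email else ""

def dkim_pass_domains(dkim_field):
    """Domains whose signature verified, from a '{@domain : result}' string."""
    pairs = re.findall(r"@([\w.-]+)\s*:\s*(\w+)", dkim_field or "")
    return {d.lower() for d, result in pairs if result.lower() == "pass"}

def accept_submission(form):
    """Return (accepted, reason) for one parsed inbound-mail form post."""
    from_domain = _domain(form.get("from"))
    if from_domain not in ALLOWED_DOMAINS:
        return False, "sender domain not allowed"
    try:
        envelope = json.loads(form.get("envelope") or "{}")
    except ValueError:
        envelope = {}
    env_from = envelope.get("from") if isinstance(envelope, dict) else ""
    # A pass only counts when it is for the domain shown in the From header.
    spf_ok = (form.get("SPF", "").strip().lower() == "pass"
              and _domain(env_from) == from_domain)
    dkim_ok = from_domain in dkim_pass_domains(form.get("dkim"))
    if dkim_ok or spf_ok:
        return True, "aligned dkim" if dkim_ok else "aligned spf"
    return False, "no aligned SPF or DKIM pass"

# Constructed sample posts (not captured traffic).
GENUINE = {"from": "Alice <alice@gmail.com>", "SPF": "pass",
           "dkim": "{@gmail.com : pass}",
           "envelope": '{"to": ["game_host@myserver"], "from": "alice@gmail.com"}'}
FORGED = {"from": "Alice <alice@gmail.com>", "SPF": "pass",
          "dkim": "{@other.example : pass}",
          "envelope": '{"to": ["game_host@myserver"], "from": "bounce@other.example"}'}

if __name__ == "__main__":
    for name, post in (("genuine", GENUINE), ("forged", FORGED)):
        print(name, accept_submission(post))
```

The forged sample is rejected even though both of its results say "pass", because neither pass is for the domain in the From header.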
0

The basic problem with Gmail, even though better with SSL, is that you cannot be sure of the sender. Anyone can make a Gmail account -- effectively anonymously, so unless you know the person and were given the email address by that person, you cannot be sure who it was who created it.

Jeff Clayton