When a Google server receives a message from an authenticated client:
Principle: Google will always add a DKIM signature to indicate an authenticated SMTP Mail From account:
- If Google has a private key for the authenticated domain, it will add a DKIM signature for that domain.
- If Google does not have a private key, it will add a proxy signature for a subdomain of 20230601.gappssmtp.com. Periods in the SMTP Mail From domain are replaced with hyphens, so that "example.com" is given a proxy signature with "d=example-com.20230601.gappssmtp.com".
- Google will allow a gmail.com account to send messages using a different email address, after the user goes through an approval process to demonstrate common ownership of both accounts. When this is done, the added signature is for the gmail.com account, not the From address account.
A similar rule applies to messages flowing through Google Groups:
- It will always add a signature for "d=googlegroups.com".
- If the message originates from an authenticated client on a Google server, Google will add a signature for the SMTP Mail From domain, using either the client domain name or a gappssmtp.com proxy signature based on the client domain. For a post to a mailing list, we expect the SMTP Mail From domain and the message From domain to be the same value, so this signature can be used to authenticate the message From address.
- If the message does not originate from a Google server, Google will only add a signature for d=googlegroups.com. When it prepends the list name to the message Subject line, any existing signatures will be invalidated, and the message From address cannot be validated.
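The signing rules above can be applied when triaging a received message. The following Python code is an added example, not Google's code or part of the original text: it labels each DKIM d= domain on a message as a list, domain-key, or proxy signature and reports whether the domain it stands for matches the message From domain. It assumes the caller supplies the original SMTP Mail From domain (for example from SMTP logs) and performs no cryptographic verification; the function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

PROXY_PARENT = "20230601.gappssmtp.com"  # parent domain as stated in the text

def proxy_domain(mail_from_domain):
    """Forward mapping from the text: periods in the domain become hyphens."""
    # Not invertible: my-site.com and my.site.com map to the same name.
    label = mail_from_domain.lower().rstrip(".").replace(".", "-")
    return label + "." + PROXY_PARENT

def dkim_domains(msg):
    """Return the d= tag of each DKIM-Signature header; nothing is verified."""
    domains = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = re.sub(r"\s+", "", value)  # unfold and drop whitespace
        match = re.search(r"(?:^|;)d=([^;]+)", tags)
        if match:
            domains.append(match.group(1).lower())
    return domains

def classify(raw_message, mail_from_domain):
    """Map each d= value to (kind, stands_for_header_from_domain)."""
    msg = message_from_string(raw_message)
    mail_from = mail_from_domain.lower()
    header_from = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    result = {}
    for d in dkim_domains(msg):
        if d == "googlegroups.com":
            result[d] = ("list", d == header_from)
        elif d == mail_from:
            result[d] = ("domain-key", mail_from == header_from)
        elif mail_from and d == proxy_domain(mail_from):
            result[d] = ("proxy", mail_from == header_from)
        else:
            result[d] = ("other", d == header_from)
    return result

# Constructed sample: a list post from a domain for which Google holds no key.
SAMPLE = (
    "From: Alice <alice@example.com>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=googlegroups.com; s=sel; b=CONSTRUCTED\n"
    "DKIM-Signature: v=1; a=rsa-sha256;\n"
    " d=example-com.20230601.gappssmtp.com; s=sel; b=CONSTRUCTED\n"
    "Subject: [list] hello\n"
    "\n"
    "body\n"
)
```

Because the period-to-hyphen mapping is not invertible, the code computes the proxy name forward from a known Mail From domain instead of trying to recover the domain from the d= value.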
Google will also add an ARC set when it is involved in forwarding.
We have an ongoing problem with spam from short-lived Gmail.com accounts. Spammers seem to have perfected the process of generating new accounts automatically, so that they can spam from a different address every day. These attacks may be coming from a common source, but the offending IP address cannot be discerned because Google omits that information from the initial Received header.