Last month Gmail introduced a blue checkmark icon next to senders it deems legitimate. This is part of an email authentication program called Brand Indicators for Message Identification (or BIMI for short). It aims to protect email users from brand spoofing and phishing attacks that claim to come from a trusted organisation. Google, like most email providers that support BIMI, does this via email authentication standards: Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC) and DomainKeys Identified Mail (DKIM). BIMI can be implemented by adopting DMARC along with either SPF or DKIM. Up until last week, Google accepted both SPF and DKIM. However, a few weeks ago a security architect found a bug in SPF that upgraded non-authenticated emails, making them appear authentic. The bug was actually a long-standing and well-known issue with SPF. It was reported to Google, which eventually updated its blue checkmark program to no longer accept SPF.
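To make the dependency the segment describes concrete, here is an added example (not code from the article, Google or any BIMI implementation) that models how a receiver decides a message "passes DMARC" through an aligned SPF or DKIM result, and what changes when SPF is no longer accepted as sufficient for the checkmark. All inputs are constructed; the organizational-domain guess, the `AuthResults` shape and the `accept_spf` switch are simplifications, and BIMI's other requirements (the logo record, the certificate) are left out.

```python
"""Simplified model of DMARC alignment and its effect on BIMI eligibility.

Added example, not the article's or Gmail's code. Everything here is a
teaching model with constructed inputs; a real receiver resolves DNS and
uses the Public Suffix List for organizational domains.
"""
from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    """Rough organizational-domain guess: last two labels (assumption, no PSL lookup)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' needs an exact match, 'r' an org-domain match."""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")  # alignment modes default to relaxed
    tags.setdefault("aspf", "r")
    return tags


@dataclass
class AuthResults:
    """Constructed summary of one message's Authentication-Results."""
    from_domain: str                      # visible From: header domain
    spf_result: str = "none"              # pass / fail / none
    spf_domain: str = ""                  # envelope (MAIL FROM) domain SPF was checked on
    dkim_passes: list = field(default_factory=list)  # d= domains with a valid signature


def dmarc_pass(ar: AuthResults, dmarc: dict, accept_spf: bool = True) -> tuple:
    """Return (passed, mechanism).

    With accept_spf=False only an aligned DKIM pass counts, which models the
    policy change described in the segment: an SPF-only pass no longer earns
    the checkmark.
    """
    if (accept_spf and ar.spf_result == "pass"
            and aligned(ar.spf_domain, ar.from_domain, dmarc["aspf"])):
        return True, "spf"
    for d in ar.dkim_passes:
        if aligned(d, ar.from_domain, dmarc["adkim"]):
            return True, "dkim"
    return False, None


def bimi_eligible(ar: AuthResults, dmarc: dict, accept_spf: bool = True) -> bool:
    """BIMI needs an enforcing DMARC policy (quarantine/reject) plus a DMARC pass."""
    if dmarc.get("p") not in ("quarantine", "reject"):
        return False
    return dmarc_pass(ar, dmarc, accept_spf)[0]


if __name__ == "__main__":
    policy = parse_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@example.com")
    # Constructed message: SPF passed on an aligned bounce domain, no DKIM signature.
    spf_only = AuthResults("example.com", "pass", "bounce.example.com", [])
    print("SPF-only, SPF accepted:", bimi_eligible(spf_only, policy, accept_spf=True))
    print("SPF-only, DKIM required:", bimi_eligible(spf_only, policy, accept_spf=False))
    # Constructed message: aligned DKIM signature, SPF failed.
    dkim_signed = AuthResults("example.com", "fail", "", ["example.com"])
    print("DKIM-signed, DKIM required:", bimi_eligible(dkim_signed, policy, accept_spf=False))
```

Running it shows the practical effect of the change: a sender relying on an SPF-only pass keeps passing DMARC but loses checkmark eligibility once only aligned DKIM is accepted, so domains that want the indicator need to sign with a `d=` domain aligned to their From: domain.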
https://www.theregister.com/2023/06/09/google_bimi_email_authentication/
This segment was created for the It’s 5:05 podcast