Gmail Is Adding a Blue Checkmark To Better Verify Senders (9to5google.com) 77

Google is giving verified senders a blue check mark to more clearly "help users identify messages from legitimate senders versus impersonators." 9to5Google reports: The existing system is based on the Brand Indicators for Message Identification (BIMI) standard, where brand logos appear in the "avatar slot" next to the sender's name and address. For example, instead of a generic "B" against a plain background, Bank of America can show its official flag logo. It's based on strong authentication with DMARC (Domain-based Message Authentication, Reporting, and Conformance) and logo verification "with a VMC, issued by a Certification Authority such as Entrust or DigiCert."

Google is now making the feature much more explicit by adding a "checkmark icon for senders that have adopted BIMI" to more clearly "help users identify messages from legitimate senders versus impersonators." The company has shared what this will look like on desktop web. The timing of this launch is somewhat amusing, given the rest of the tech landscape. The icon is a blue seal with a white checkmark in the middle, with users able to hover over it on the web. For example, Google's will say: "This sender of this email has verified that they own google.com and the logo in the profile image. Learn more."
The feature is rolling out today and will be available over the coming days and weeks. It'll be available to all Google Workspace customers, legacy G Suite Basic and Business customers, and users with personal Google Accounts.
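The summary describes a chain of DNS-published policies: SPF, an enforcing DMARC policy, and a BIMI record pointing at a logo and a VMC. The following Python example, added here and not part of the 9to5Google article or Google's tooling, evaluates a domain's records against those baseline requirements. The DNS answers are constructed inline (no real lookups), the domain names are placeholders, and `bimi_readiness` is a hypothetical helper name.

```python
"""Check whether a domain publishes the DNS records that BIMI builds on:
an SPF record, an enforcing DMARC policy, and a BIMI record with logo (l=)
and VMC (a=) tags. Added example; the DNS answers below are constructed."""

# Constructed TXT answers keyed by the name that would be queried.
FAKE_DNS = {
    "example.test": ["v=spf1 ip4:192.0.2.0/24 include:mail.example.test -all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.test"],
    "default._bimi.example.test": [
        "v=BIMI1; l=https://example.test/logo.svg; a=https://example.test/vmc.pem"
    ],
    "weak.test": ["v=spf1 +all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.test"],
}


def lookup_txt(name):
    """Stand-in for a DNS TXT query against the constructed zone data."""
    return FAKE_DNS.get(name, [])


def parse_tags(record):
    """Parse a 'k=v; k=v' tag list (DMARC and BIMI share this syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_policy(domain):
    for rec in lookup_txt(f"_dmarc.{domain}"):
        tags = parse_tags(rec)
        if tags.get("v", "").upper() == "DMARC1":
            return tags
    return None


def bimi_record(domain, selector="default"):
    for rec in lookup_txt(f"{selector}._bimi.{domain}"):
        tags = parse_tags(rec)
        if tags.get("v", "").upper() == "BIMI1":
            return tags
    return None


def has_spf(domain):
    return any(r.lower().startswith("v=spf1") for r in lookup_txt(domain))


def bimi_readiness(domain):
    """Return (ready, reasons). 'Enforcing' means p=quarantine or p=reject
    applied to 100% of mail; a BIMI record needs an https logo and a VMC."""
    reasons = []
    if not has_spf(domain):
        reasons.append("no SPF record")
    dmarc = dmarc_policy(domain)
    if dmarc is None:
        reasons.append("no DMARC record")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy not in ("quarantine", "reject"):
            reasons.append(f"DMARC policy is p={policy} (not enforcing)")
        if int(dmarc.get("pct", "100")) != 100:
            reasons.append(f"DMARC pct={dmarc['pct']} (must be 100)")
    bimi = bimi_record(domain)
    if bimi is None:
        reasons.append("no BIMI record at default._bimi")
    else:
        if not bimi.get("l", "").startswith("https://"):
            reasons.append("BIMI l= logo URL missing or not https")
        if not bimi.get("a"):
            reasons.append("BIMI a= tag (VMC URL) missing")
    return (not reasons, reasons)


if __name__ == "__main__":
    for name in ("example.test", "weak.test"):
        print(name, bimi_readiness(name))
```

The check stops at the DNS layer: it does not fetch the logo or validate the VMC against the CA, which is the part of the process that costs money and that the receiving provider performs.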
  • by memory_register ( 6248354 ) on Wednesday May 03, 2023 @06:26PM (#63495654)
    Maybe it will be free for now, but with a little more mismanagement from Google the next owner will charge me!
    • Re: (Score:3, Insightful)

      by fahrbot-bot ( 874524 )

      Maybe it will be free for now, but with a little more mismanagement from Google the next owner will charge me!

      Don't worry; according to a quick search, Google is valued at about $1.34T, so Elon can't afford that. :-)

    • I wish it were that cheap. Because only a handful of CAs control VMC certs, you will be shelling out over a grand. Every year. So more like the yellow checkmark Elon grants to companies than what users like me and you could set on your home running mail servers.

    • by antdude ( 79039 )

      Yeah, Elon Musk will take over! :P

    • I guess they got inspired by all the Musk fuss. Nice that that resulted in something nice.
    • A lot more than $8. The certificate you need to purchase for BIMI is quite expensive and only a few vendors sell it. The last time I checked, it was in the $1000+ range.

    • It is far from free. Google's blue mark requires:
      • BIMI compliance: free beyond the work to set it up
      • Your logo registered as a trademark: not free; fees depend on the jurisdiction
      • A Verified Mark Certificate (VMC), available currently from Digicert [digicert.com] for 1499 USD/year (without VAT), or Entrust [entrust.com] for 1258.83 USD/year. Discounts are available for multi-year purchases. Great.
  • Blue Checkmark (Score:4, Insightful)

    by Dwedit ( 232252 ) on Wednesday May 03, 2023 @06:39PM (#63495662) Homepage

    The Blue Checkmark now has a ruined reputation thanks to Twitter. You'd at least need a different color.

    • That's probably why they chose it. (..a subtle jab at Twitter.)

    • Comment removed (Score:4, Insightful)

      by account_deleted ( 4530225 ) on Wednesday May 03, 2023 @06:54PM (#63495688)
      Comment removed based on user account deletion
    • That's a major project for Google. But maybe a senior UX engineer is already pitching it and getting money to test different colors with focus groups....

      But overall it's a good idea because at the moment, the brand verifications look exactly like a simple profile picture. (actually that IS a reason to do enough research so you don't end up with something that I could simply integrate into my profile pic...)

  • by zenlessyank ( 748553 ) on Wednesday May 03, 2023 @06:41PM (#63495664)

    Fixed!!

  • by Baron_Yam ( 643147 ) on Wednesday May 03, 2023 @06:44PM (#63495670)

    So many issues with spam and phishing could be solved if we switched from push to notify-and-pull.

    A mail server should notify a destination mail server that there is a message for one of its recipients... and then the destination mail server can decide if it cares, look up the advertised sender address, resolve the authorized mail server, then send a pick up request.

    Give the messages nice long serial numbers, use public/private key pairs, etc., and you don't have to worry about much more than your mom forwarding another email chain to you. Switch around the standard order of the sender ID so it's the email address first, then the very insecure display name.

    Suddenly bot nets are useless, joe jobs don't work, etc. And it's just another email protocol - it could be implemented immediately, simply lowering the spam score on servers that use it. Keep the current stuff until the new protocol dominates.

    • by Unpopular Opinions ( 6836218 ) on Wednesday May 03, 2023 @07:08PM (#63495708)

      All good ideas, except they will not be a suitable replacement for a 33 year old protocol that, with all its shortcomings, is the de facto standard for message transmission between unrelated parties. Just like ye ole Postal Service cannot be fully replaced and will not for decades to come.

      • It isn't rocket science.

        We already have EHLO that fails back to HELO during mail server connections. We already have other protocols - POP and IMAP that are pull-based.

        Adding another to the mix, especially if it is just another option in the existing SMTP standard and not a completely new protocol, is very possible. It's just there appears to be no will to try it.

        • by Ormy ( 1430821 )

          Adding another to the mix, especially if it is just another option in the existing SMTP standard and not a completely new protocol, is very possible. It's just there appears to be no will to try it.

          You're right, there's no technical reason it couldn't work, and it would solve many problems for many users. But it will never happen for the simple reason that the people who will benefit do not have the power to enact such change, and the people who are able to enact change have a financial incentive to keep email as-is, i.e. they profit (perhaps indirectly) from the spam.

    • djb, is that you [cr.yp.to]?

    • It would save some data volume, but not much of an actual change if instead of 100 Emails, I need to process 100 Email-Push-Requests.

      Already "the destination mail server can decide if it cares, look up the advertised sender address, resolve the authorized mail server, then" deny or discard the email.

      • The difference is it would immediately remove the ability to send spam from random addresses and servers - they could send a message flag and ID, but there would be no corresponding valid domain MX record for the target to call back to pick up a message. And if they tried using someone else's valid domain... no matching message ID.

        • Nothing that can't be done during an SMTP session. As soon as the FROM is received, check if the MX for that domain matches the server that started the session. If not, cancel the session before the mail is even transmitted. That's exactly what SPF/DKIM does.

          • SPF defines authorized servers, DKIM generally tells you if a message header or body has been altered - which means you need to take the whole message (or at least the header if that's all you're checking) prior to your test.

            You also don't want to keep the session open. In my proposed solution, you have to be able to receive a call back - that's the part that makes forgery significantly more difficult. You're going to need a domain and an MX record to get past anything.

            It also makes SPF and DKIM kind of p

            • Well, I agree with you that SPF would be completely replaced by your solution and on most everything you like about good ol' fashioned emails. Except for the attachments on cloud storage. That would be too easy to turn into some kind of unwanted read confirmation

              • I just see far too many people with 50GB of local cached email with a 3 month archive policy. You have to force users to external storage or they use their mailbox for file versioning and complain to IT when their mailbox search has poor response.

                I'm not clear on how a properly secured file storage solution could be turned into a tracker, though. And in line with my earlier suggestions, I'd have that system run on whitelist-only. You'd have to have the recipient agree to receive attachments from you befo

                • I assumed you meant to upload a file to my cloud storage instead of attaching it to an email. Then, as it is my cloud storage, I could monitor when the recipient downloads it from there.
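The thread above sketches a notify-and-pull exchange: the sender's server only announces a message serial, and the recipient's server resolves the claimed sender domain itself and calls back to fetch the body. The Python simulation below is an added illustration of that proposal and of the replies about forged domains and unknown serials; it is not an existing protocol, not the commenter's code, and omits the key pairs the comment also mentions. The `MailServer` class, the `registry` dict standing in for DNS, and all domain names are constructed for the example.

```python
"""Simulation of a notify-and-pull mail exchange: notices carry only a
serial, and the recipient server fetches the body from the server that is
authoritative for the *claimed* sender domain, never from the notifier.
Added illustration of the commenter's proposal; everything here is constructed."""
import secrets


class MailServer:
    """One domain's server. It stores outgoing messages for pickup and,
    on the receiving side, verifies notices by calling back."""

    def __init__(self, domain, registry):
        self.domain = domain
        self.registry = registry          # stands in for DNS: domain -> authoritative server
        self.outbox = {}                  # serial -> (recipient address, body)
        self.inbox = []                   # (sender address, body) pairs accepted
        registry[domain] = self

    def notify(self, sender_addr, rcpt_addr, body):
        """Sender side: keep the body locally and send only a short notice."""
        serial = secrets.token_hex(16)    # long, unguessable serial number
        self.outbox[serial] = (rcpt_addr, body)
        rcpt_domain = rcpt_addr.split("@")[1]
        return self.registry[rcpt_domain].receive_notice(sender_addr, rcpt_addr, serial)

    def pickup(self, rcpt_addr, serial):
        """Sender side: release the body only for a serial this server issued
        to exactly this recipient."""
        entry = self.outbox.get(serial)
        if entry is None or entry[0] != rcpt_addr:
            return None
        return entry[1]

    def receive_notice(self, sender_addr, rcpt_addr, serial):
        """Recipient side: ignore who sent the notice; resolve the claimed
        sender domain and ask its authoritative server for the serial."""
        sender_domain = sender_addr.split("@")[1]
        authoritative = self.registry.get(sender_domain)
        if authoritative is None:
            return "rejected: sender domain has no authoritative server"
        body = authoritative.pickup(rcpt_addr, serial)
        if body is None:
            return "rejected: authoritative server does not know this serial"
        self.inbox.append((sender_addr, body))
        return "accepted"


def scenario():
    """Three notices: a legitimate one, a joe job claiming someone else's
    domain, and one claiming a domain that does not exist."""
    registry = {}
    alice = MailServer("alice.test", registry)
    bob = MailServer("bob.test", registry)
    bot = MailServer("bot.test", registry)       # a bot with its own throwaway domain
    results = {
        "legit": alice.notify("alice@alice.test", "bob@bob.test", "hello"),
        # bot claims to be alice; bob calls alice.test back, which never issued the serial
        "forged": bot.notify("alice@alice.test", "bob@bob.test", "buy now"),
        "nodomain": bot.notify("x@nonexistent.test", "bob@bob.test", "buy now"),
    }
    return results, len(bob.inbox)


if __name__ == "__main__":
    print(scenario())
```

The point the simulation makes is the one the thread argues: a forged notice costs the forger nothing, but the callback lands at the real domain's server, which has no matching serial, so only messages the claimed domain actually holds are ever delivered.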

  • Are completely pointless and are proven unwanted by Twitter. WTF are Google copying this BS?
  • by Anonymous Coward

    On the one hand Google removes the padlock icon from Chrome's location bar because "they provide no value," then they add blue checkmarks against verified sender addresses in Gmail because "they add value."

    Go figure!

    • Ok. From your post, I figured out that you didn't bother to read more than a headline on this.

      While the lock icon is going to be removed, it will be replaced by a new indicator [theverge.com]:

      A new tune icon will replace it later this year to avoid misleading users about how ‘trustworthy’ websites are while browsing.

      No idea if that new gizmo will be better or worse, but the lock is not removed without replacement.

  • AOL already did this in the 1990s and are still doing it today.

    Great job, Google, for catching on to the idea of "verified mail" like it's your own idea (it's not).

    SMTP is a sad joke. It's too bad we haven't developed something better after 40 years of SMTP.

    • They never claimed that. The first paragraph of even the /. summary says it's built on the BIMI industry standard.

  • by omnichad ( 1198475 ) on Wednesday May 03, 2023 @11:04PM (#63496066) Homepage

    Phishing emails and most of the other most dangerous junk messages all seem to be sent from compromised accounts. They'll drop this feature after they see people getting scammed from a blue checkmark account.

    • ... see people getting scammed ...

      The check-mark verifies the owner of the account, not the messages on it. Yes, there is supposed to be no difference, so Google needs a back-up authentication for times the account is compromised. We have seen that owner authentication can be compromised too (FBI, SIM duping, easy security questions), so a check-mark tells the reader very little.

  • A month or so ago Gmail was spamming everything I sent and bouncing them back telling me to make an SPF entry in my MX record. Is this the same thing?
    • IIRC, a correct SPF setting is something you need for that whole BIMI thing.

      But for a short while now (2 months?) SPF seems to be required for every domain.

    • So, quick DNS lesson here...

      MX records are for *incoming* mail. You set them so mail going to user@EkriirkE.com has a destination mail server.

      SPF records are for *outgoing* mail, sort of. SPF records define which IP addresses and/or FQDN addresses are valid sources for your e-mail. An SPF record helps recipient e-mail servers check whether an e-mail originated from a valid sender. If you use Microsoft365 and only send from that platform, senders can know that mail sent from the random e-mail server I spun u
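The comment above draws the line between MX records (where mail for a domain is delivered) and SPF records (which sources may send as that domain). The Python example below, added here and not the commenter's code, evaluates the common SPF mechanisms (`ip4`, `ip6`, `a`, `mx`, `include`, `all`) for a connecting IP against constructed zone data; it is a subset of RFC 7208, without macros or redirect, and all names and addresses are constructed from documentation ranges.

```python
"""Minimal SPF evaluator over constructed DNS data, showing how MX and SPF
records play different roles: MX answers 'where does mail TO this domain
go', SPF answers 'which hosts may send mail FROM this domain'.
Added example covering a subset of RFC 7208; the zone data is constructed."""
import ipaddress

FAKE_DNS = {
    "TXT": {
        "example.test": ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.provider.test -all"],
        "_spf.provider.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    },
    "MX": {"example.test": ["mx1.example.test"]},        # inbound mail exchanger
    "A": {"mx1.example.test": ["203.0.113.10"], "example.test": ["203.0.113.1"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf(domain):
    for rec in FAKE_DNS["TXT"].get(domain, []):
        if rec.lower().startswith("v=spf1"):
            return rec
    return None


def host_has_ip(host, addr):
    return any(str(addr) == a for a in FAKE_DNS["A"].get(host, []))


def check_host(ip, domain, depth=0):
    """Return the SPF result for a connecting IP whose MAIL FROM is @domain."""
    if depth > 10:
        return "permerror"            # include loop or too many lookups
    record = get_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:   # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name in ("ip4", "ip6"):
            # membership test is False when address and network versions differ
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = host_has_ip(arg or domain, addr)
        elif name == "mx":
            matched = any(host_has_ip(mx, addr) for mx in FAKE_DNS["MX"].get(arg or domain, []))
        elif name == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        elif name == "all":
            matched = True
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                  # no mechanism matched


if __name__ == "__main__":
    for src in ("192.0.2.7", "203.0.113.10", "198.51.100.5", "203.0.113.99"):
        print(src, check_host(src, "example.test"))
```

Note that the `mx` mechanism is the only place the two record types meet: it lets a domain say "my inbound exchangers may also send", which is why an MX record alone never authorizes an outbound source.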

  • I thought that means the sender is a Twitter subscriber.

  • If the checkmark actually means that the person you are purportedly receiving mail from has been verified as the actual person it claims to be, then it's a great idea (depending on if that's true).

    It was also a great idea on previous Twitter, as in 'this person who is claiming to be [x] and saying [something controversial] has been verified as [x]'.

    It's not suddenly a bad idea everywhere just because Elmo has completely shit the bed in every direction with his vast incompetence (wildly fountaining), includi

  • It's easy enough to set up but putting it to use is another matter. I wouldn't be surprised if most DMARC implementations have no actual monitoring of the reports received. Insurance companies might require a business to publish DMARC records, but to be of any use the gzipped XML reports need to be processed into something readable. That generally means paying for a service that does so, and a person to review the data and do something with it. Not everyone has the resources for all that, so their DMARC
    • Actually yes.

      The BIMI standard requires that DMARC be set up properly first. In addition, it requires a special certificate similar to OV certificates where you are required to be verified by the certificate vendor. This means that any sender with this blue checkmark (in the case of Gmail) will have, by definition, a properly configured DMARC setup for their domain and the org will have been verified by the certificate vendor who is, essentially, vouching for them.

      • Set up properly doesn't mean monitored properly. Or at all really. I've set up DMARC properly and been able to make use of some of the reports, but the hassle of doing so and the company's reluctance to pay for a DMARCIAN (or whoever) subscription meant there wasn't much point to it.

        What's the cert vendor going to do besides check DNS? A robust looking DMARC record doesn't mean anyone reads the emails, and people fudge compliance reporting all the time. Hell, they may not even be asked if anyone ever l
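The thread above turns on the gap between publishing a DMARC record and actually reading the gzipped XML aggregate reports it produces. The Python example below, added here and not the commenters' tooling or any vendor's product, unpacks a report (gzipped or plain), tallies volume per source IP, and lists the sources whose mail failed alignment, which is the minimum a reviewer needs in order to act. The report is constructed inline; `summarize` and `failing_sources` are hypothetical helper names.

```python
"""Turn a DMARC aggregate (rua) report into a per-source summary.
Added example; the report below is constructed to mirror the RFC 7489
aggregate schema, with documentation-range IPs."""
import gzip
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = b"""<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.test</org_name>
    <report_id>constructed-report-1</report_id>
  </report_metadata>
  <policy_published>
    <domain>example.test</domain><p>reject</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.test</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.77</source_ip><count>45</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.test</header_from></identifiers>
  </record>
</feedback>"""


def gzip_bytes(data):
    """Reports normally arrive gzipped as a mail attachment; build that form."""
    return gzip.compress(data)


def read_report(blob):
    """Accept either raw XML or a gzip member (magic bytes 1f 8b)."""
    if blob[:2] == b"\x1f\x8b":
        blob = gzip.decompress(blob)
    return ET.fromstring(blob)


def summarize(root):
    """Return (domain, {source_ip: {count, aligned, rejected}})."""
    domain = root.findtext("policy_published/domain")
    stats = defaultdict(lambda: {"count": 0, "aligned": 0, "rejected": 0})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        evaluated = rec.find("row/policy_evaluated")
        # DMARC passes when either aligned DKIM or aligned SPF passes
        aligned = evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass"
        entry = stats[ip]
        entry["count"] += count
        if aligned:
            entry["aligned"] += count
        if evaluated.findtext("disposition") == "reject":
            entry["rejected"] += count
    return domain, dict(stats)


def failing_sources(stats, threshold=1):
    """Sources with at least `threshold` unaligned messages: either a
    legitimate sender missing from SPF/DKIM, or someone spoofing the domain."""
    return sorted(ip for ip, s in stats.items() if s["count"] - s["aligned"] >= threshold)


if __name__ == "__main__":
    domain, stats = summarize(read_report(gzip_bytes(SAMPLE_REPORT)))
    print(domain, stats, failing_sources(stats))
```

A failing source is only the starting point: the reviewer still has to decide whether 203.0.113.77 is a forgotten marketing platform that needs adding to SPF, or an impersonator the reject policy is correctly stopping.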

  • read my sig.
    It's like a magic trick... look over here!
    Soon, Big Fruit will add a red checkmark for ONLY $16/month... and you chumps (under 30, I'm guessing, same people who need cryptos, and couldn't breathe without an iPhone18) will climb over each other to pay it.

    I PROUDLY HAVE A RED CHECKMARK !!

    Ha ha, Suckers with Blue checkmarks!!

    Where's the Futurama guy? Recall, theatre worker to Fry:
    "Would you like a small Slurm for $20... or an EXTRA SMALL Slurm for only $30 ??"
  • Wow, a VMC certificate costs 1500 USD! Add this to trademark registration...
  • We configured DMARC for our domain, and enabled opendmarc to reject all mails that fail DMARC.
    There was silence for one week, then the spammers began sending mails from domains with DMARC configured.
    Only good thing was mails pretending to be from our domain were blocked.
  • https://bimigroup.org/implemen... [bimigroup.org]
    We will have to wait for something like LetsEncrypt to support BIMI.
