Gmail Is Adding a Blue Checkmark To Better Verify Senders (9to5google.com)
Google is giving verified senders a blue check mark to more clearly "help users identify messages from legitimate senders versus impersonators." 9to5Google reports: The existing system is based on the Brand Indicators for Message Identification (BIMI) standard, where brand logos appear in the "avatar slot" next to the sender's name and address. For example, instead of a generic "B" against a plain background, Bank of America can show its official flag logo. It's based on strong authentication with DMARC (Domain-based Message Authentication, Reporting, and Conformance) and logo verification "with a VMC, issued by a Certification Authority such as Entrust or DigiCert."
Google is now making the feature much more explicit by adding a "checkmark icon for senders that have adopted BIMI" to more clearly "help users identify messages from legitimate senders versus impersonators." The company has shared what this will look like on desktop web. The timing of this launch is somewhat amusing, given the rest of the tech landscape. The icon is a blue seal with a white checkmark in the middle, with users able to hover over it on the web. For example, Google's will say: "This sender of this email has verified that they own google.com and the logo in the profile image. Learn more." The feature is rolling out today and will be available over the coming days and weeks. It'll be available to all Google Workspace customers, legacy G Suite Basic and Business customers, and users with personal Google Accounts.
Will it cost $8? (Score:3, Funny)
Re: (Score:3, Insightful)
Maybe it will be free for now, but with a little more mismanagement from Google the next owner will charge me!
Don't worry; according to a quick search, Google is valued at about $1.34T, so Elon can't afford that. :-)
Re: (Score:2, Funny)
He'll leverage it. With 4D chess!
Re: (Score:2)
Are you kidding? The amount of data that Google farms from the Email is tremendous, and tremendously valuable to them. Don't overestimate their generosity.
Re: Will it cost $8? (Score:3)
I wish it was that cheap. Because only a handful of CAs control VMC certs, you will be shelling out over a grand. Every year. So more like the yellow checkmark Elon grants to companies than what users like me and you could set up on your home-run mail servers.
Re: (Score:2)
Yeah, Elon Musk will take over! :P
Re: (Score:3)
A lot more than $8. The certificate you need to purchase for BIMI is quite expensive and only a few vendors sell it. The last time I checked, it was in the $1000+ range.
Blue Checkmark (Score:4, Insightful)
The Blue Checkmark now has a ruined reputation thanks to Twitter. You'd at least need a different color.
Re: (Score:2)
That's probably why they chose it. (..a subtle jab at Twitter.)
Comment removed (Score:4, Insightful)
That's a major project for Google. But maybe a senior UX engineer is already pitching it and getting money to test different colors with focus groups....
But overall it's a good idea because at the moment, the brand verifications look exactly like a simple profile picture. (actually that IS a reason to do enough research so you don't end up with something that I could simply integrate into my profile pic...)
Bluecheck.jpg (Score:3)
Fixed!!
Email is wrong from the ground up (Score:3, Interesting)
So many issues with spam and phishing could be solved if we switched from push to notify-and-pull.
A mail server should notify a destination mail server that there is a message for one of its recipients... and then the destination mail server can decide if it cares, look up the advertised sender address, resolve the authorized mail server, then send a pick up request.
Give the messages nice long serial numbers, use public/private key pairs, etc., and you don't have to worry about much more than your mom forwarding another email chain to you. Switch around the standard order of the sender ID so it's the email address first, then the very insecure display name.
Suddenly bot nets are useless, joe jobs don't work, etc. And it's just another email protocol - it could be implemented immediately, simply lowering the spam score on servers that use it. Keep the current stuff until the new protocol dominates.
Re: Email is wrong from the ground up (Score:5, Interesting)
All good ideas, except they will not be a suitable replacement for a 33-year-old protocol that, with all its shortcomings, is the de facto standard for message transmission between unrelated parties. Just like ye ole Postal Service cannot be fully replaced and will not be for decades to come.
Re: (Score:2)
It isn't rocket science.
We already have EHLO that fails back to HELO during mail server connections. We already have other protocols - POP and IMAP that are pull-based.
Adding another to the mix, especially if it is just another option in the existing SMTP standard and not a completely new protocol, is very possible. It's just there appears to be no will to try it.
Re: (Score:2)
Adding another to the mix, especially if it is just another option in the existing SMTP standard and not a completely new protocol, is very possible. It's just there appears to be no will to try it.
You're right, there's no technical reason it couldn't work, and it would solve many problems for many users. But it will never happen for the simple reason that the people who will benefit do not have the power to enact such change, and the people who are able to enact change have a financial incentive to keep email as-is, i.e. they profit (perhaps indirectly) from the spam.
Re: (Score:3)
djb, is that you [cr.yp.to]?
Re: (Score:2)
It would save some data volume, but not much of an actual change if instead of 100 Emails, I need to process 100 Email-Push-Requests.
Already "the destination mail server can decide if it cares, look up the advertised sender address, resolve the authorized mail server, then" deny or discard the email.
Re: (Score:2)
The difference is it would immediately remove the ability to send spam from random addresses and servers - they could send a message flag and ID, but there would be no corresponding valid domain MX record for the target to call back to pick up a message. And if they tried using someone else's valid domain... no matching message ID.
Re: (Score:2)
Nothing that can't be done during an SMTP session. As soon as the FROM is received, check if the MX for that domain matches the server that started the session. If not, cancel the session before the mail is even transmitted. That's exactly what SPF/DKIM does.
Re: (Score:3)
SPF defines authorized servers, DKIM generally tells you if a message header or body has been altered - which means you need to take the whole message (or at least the header if that's all you're checking) prior to your test.
You also don't want to keep the session open. In my proposed solution, you have to be able to receive a call back - that's the part that makes forgery significantly more difficult. You're going to need a domain and an MX record to get past anything.
It also makes SPF and DKIM kind of p
Re: (Score:2)
Well, I agree with you that SPF would be completely replaced by your solution and on most everything you like about good ol' fashioned emails. Except for the attachments on cloud storage. That would be too easy to turn into some kind of unwanted read confirmation.
Re: (Score:2)
I just see far too many people with 50GB of local cached email with a 3 month archive policy. You have to force users to external storage or they use their mailbox for file versioning and complain to IT when their mailbox search has poor response.
I'm not clear on how a properly secured file storage solution could be turned into a tracker, though. And in line with my earlier suggestions, I'd have that system run on whitelist-only. You'd have to have the recipient agree to receive attachments from you befo
Re: (Score:2)
I assumed you meant to upload a file to my cloud storage instead of attaching it to an email. Then, as it is my cloud storage, I could monitor when the recipient downloads it from there.
Re: (Score:3)
I don't get spam on my Gmail account. I believe poor browsing habits are the scourge on humanity. You don't get spam unless you go to questionable sites or join flaky mailing lists. Mostly porn based.
And Google like I do not.
Re: (Score:2)
I get tons of spam on both the Gmail accounts I use daily.
And 99.999% of it ends up in the spam folder, where I am never even aware of it.
False positives are even more rare.
Re: (Score:2)
I rarely use GMail, but when I do I almost always encounter a false positive. It thinks messages I resend [rfc-editor.org] from another account are spam because it's not aware of all the ways email can be used and because the receiving account does not match the original recipient it misfiles it... even though the original recipient is configured in GMail as an alias of the account (grandfathered in from back before they removed the ability to do so), and will accept messages sent from that account just fine.
Re: spam from gmail (Score:2)
I get more stuff destined to others than towards me. People enroll them on their own mailing lists for party D or R, gym memberships, insurance and real estate services, but use my email address. I have maybe four names, addresses and other PII from them I have to keep deleting.
Re: spam from gmail (Score:2)
Someone keeps giving out my email (similar real name). I seriously thought about canceling their Hawaiian vacation that I got the confirmation for…
Re: (Score:2)
I'm talking about spam outbound from gmail, genius. Free spam accounts, all you can eat buffet, gmail fuck yeah.
Re: (Score:3, Informative)
No email provider does a better job of filtering out spam, than GMail. I've tried many other spam-filtering systems and other email providers, nobody comes close. I even route my own domain's email through GMail just to get its first-rate spam filtering. I have no idea what you're talking about.
Re: (Score:1, Troll)
No provider does a better job of providing free accounts to spammers, does no outbound filtering, and is so huge no one can effectively block them. Plus they do not have support or listen to feedback of any kind. Gmail is absolute garbage for the world, even if you happen to find it useful (the rest of us suffer daily).
Re: (Score:2)
You should check your sources.
GMail places strict limits on outbound emails sent via API. No more than 100 can be sent per day, far too few to be an effective spam platform.
https://developers.google.com/... [google.com]
I know their throttling works, because I've run into the limits sending emails to my web site's 400 or so users.
Go ahead, check your spam folder. You won't find many sent from GMail accounts.
Re: (Score:1)
> You should check your sources.
All I need to do is check my inbox. Endless gmail accounts offering me t-shirts, email lists, trade show supplies, toenail clippers, SEO, web site work, you name it. Every single day, all day long. Filling out Google's form to report these seems to create even more of a problem, volume increases when I do that.
Seriously, Fuck Gmail, Fuck Google. Google ruined email, unless you use theirs and they get to spy on you.
Re:spam from gmail (Score:5, Informative)
Filling out Google's form to report these
You're doing it wrong. To report an email as spam, you click the "Mark as Spam" button at the top of your GMail inbox. There's no form to fill out. Each day, I get from 50-100 spam messages. GMail correctly moves 99.9% of them to the spam folder, I never see them. The filter is so good I don't even have to bother to look in the spam folder to see if messages were incorrectly tagged. Once in a while I do check, just to be sure, and invariably come up with zero mistakes.
I get it, you're not using GMail, so you have to fill out the form. AND clearly you're using an email service that has crappy spam filtering. That's *why* all that spam lands in your inbox.
You do realize that spammers can put whatever "from" address they want, right? Just because it has a "from" address of something@gmail.com, doesn't mean it actually comes from GMail. You can verify this by looking at the raw MIME text of the email, to see the history of email servers that it went through to get to you.
Re: (Score:1, Flamebait)
Does it hurt to be so stupid?
Re: (Score:2)
Well, if you read what I wrote here then you know that I've used Google's form to report spam from gmail to Google. That form requires that one obtain and paste the email header - I'm forced to reveal the header before I report to Google. So, yes, I've checked that the spam I'm complaining about actually came from Google IP addresses.
My provider has pretty good blocking, if someone was spoofing Gmail then things like SPF, DMARC, and DKIM would fail and the spam would not be delivered to my Inbox. Since t
Re: (Score:2)
All I need to do is check my inbox. Endless gmail accounts offering me t-shirts, email lists, trade show supplies, toenail clippers, SEO, web site work, you name it. Every single day, all day long
I have 3 email addresses in regular use from different providers, including one gmail. Some of those accounts get more spam than others, but hardly any of the spam comes from @gmail senders, even the spam to my gmail account. What are you doing that's causing/allowing you to receive so much spam from other gmail accounts? Do you have discoverability/privacy settings in google set correctly?
Re: (Score:2)
No provider does a better job of providing free accounts to spammers, does no outbound filtering, and is so huge no one can effectively block them. Plus they do not have support or listen to feedback of any kind. Gmail is absolute garbage for the world, even if you happen to find it useful (the rest of us suffer daily).
And Gmail does an incredible job at blocking legitimate emails from legitimate email hosting services.
In my case it's been a 2 year fight with Gmail & Google to stop blocking the service that I use and no progress has been made by Gmail & Google to remove the block. Always 1 excuse after another, 1 more hoop to jump through, endless back-and-forth emails.
Google don't care about services smaller than them.
Re: (Score:2, Insightful)
Reading comprehension: I am NOT a gmail user. I'm complaining about asshole spammers creating gmail accounts and sending email OUTBOUND FROM GMAIL. Gmail does not filter outbound spam, or does a really shitty job. Since so many idiots use gmail, no one can effectively block gmail - which makes gmail a perfect platform to send spam from.
Re: (Score:2)
Outbound is the problem. GMail might protect its own users from spam from other GMail accounts. But the stuff that comes out of their system has little to no value as being legitimate. As a result, my ISP puts all of the GMail sourced messages in the Junk folder.
It seems like a reasonable approach if what they are trying to do is move their users into what is effectively a Google walled garden.
Re: (Score:2)
Are you sure those emails are really coming from Gmail? The only ones I see are not sent by Gmail servers, they just have some Gmail headers to try to get through poorly configured spam filters.
It costs spammers real money to create Gmail accounts. You need a phone number to sign up, and all the free SMS receiver services are blocked or already associated with accounts. Gmail rate limits outgoing email, and detects accounts that spam. Most spammers can't afford a new SIM card per few hundred emails they mig
Re: (Score:2)
If the spam was not coming from Gmail then SPF, DMARC, and DKIM would fail, and the spam would not go to my Inbox. But since the spam really does come from Gmail, SPF, DMARC, and DKIM are correct, which leaves my provider pretty much only content based filtering. We have lots of job applicants with Gmail accounts, I can't just block Gmail altogether. Training the content filter is super slow, there is always something that will get through.
Re: (Score:2)
Gmail is a scourge on humanity.
It sure is. The source of most of the SPAM (and much of that is email forging attempts) that gets through the email filters used by my service provider.
Giveth and taketh away (Score:2, Insightful)
On the one hand Google removes the padlock icon from Chrome's location bar because "they provide no value," then they add blue checkmarks against verified sender addresses in Gmail because "they add value."
Go figure!
Re: (Score:2)
Ok. From your post, I figured out that you didn't bother to read more than a headline on this.
While the lock icon is going to be removed, it will be replaced by a new indicator [theverge.com]:
A new tune icon will replace it later this year to avoid misleading users about how ‘trustworthy’ websites are while browsing.
No idea if that new gizmo will be better or worse, but the lock is not removed without replacement.
Re: (Score:2)
even if I put quotes around every single word I am interested in
Quotes are for phrases. Quotes around single words do nothing. Try the plus sign to force a keyword into the search.
Re: (Score:2)
Probably.
But to be fair: Including the popularity of a site as "PageRank" was what put Google ahead of Altavista in the beginning. Search engines going only by keywords (as you suggest) were useless and killed off pretty early by keyword stuffing.
So it may work for your specific technical terms as long as everyone plays nice and no one tries to SEO their crappy page in front of what you are looking for.
AOL did this in the 1990s (Score:1)
AOL already did this in the 1990s and are still doing it today.
Great job, Google, for catching on to the idea of "verified mail" like it's your own idea (it's not).
SMTP is a sad joke. It's too bad we haven't developed something better after 40 years of SMTP.
Re: (Score:3)
They never claimed that. The first paragraph of even the /. summary says it's built on the BIMI industry standard.
Spam maybe, phishing no. (Score:3)
Phishing emails and most of the other most dangerous junk messages all seem to be sent from compromised accounts. They'll drop this feature after they see people getting scammed from a blue checkmark account.
Re: (Score:2)
The check-mark verifies the owner of the account, not the messages on it. Yes, there is supposed to be no difference, so Google needs a back-up authentication for times the account is compromised. We have seen that owner authentication can be compromised too (FBI, SIM duping, easy security questions), so a check-mark tells the reader very little.
is this related to the recent SPF requirements? (Score:2)
Re: (Score:2)
IIRC, a correct SPF setting is something you need to get that whole BIMI thing.
But since a short while ago (2 months?) SPF seems to be required for every domain.
Re: (Score:2)
So, quick DNS lesson here...
MX records are for *incoming* mail. You set them so mail going to user@EkriirkE.com has a destination mail server.
SPF records are for *outgoing* mail, sort of. SPF records define which IP addresses and/or FQDN addresses are valid sources for your e-mail. An SPF record helps recipient e-mail servers check whether an e-mail originated from a valid sender. If you use Microsoft365 and only send from that platform, senders can know that mail sent from the random e-mail server I spun u
Blue checkmark? (Score:2)
I thought that means the sender is a Twitter subscriber.
Checkmarks are good if implemented competently (Score:2)
If the checkmark actually means that the person you are purportedly receiving mail from has been verified as the actual person it claims to be, then it's a great idea (depending on if that's true).
It was also a great idea on previous Twitter, as in 'this person who is claiming to be [x] and saying [something controversial] has been verified as [x]'.
It's not suddenly a bad idea everywhere just because Elmo has completely shit the bed in every direction with his vast incompetence (wildly fountaining), includi
Are they going to help make DMARC useful? (Score:2)
Re: (Score:2)
Actually yes.
The BIMI standard requires that DMARC be set up properly first. In addition, it requires a special certificate similar to OV certificates where you are required to be verified by the certificate vendor. This means that any sender with this blue checkmark (in the case of Gmail) will have, by definition, a properly configured DMARC setup for their domain and the org will have been verified by the certificate vendor who is, essentially, vouching for them.
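The prerequisites the comment above lists (an enforcing DMARC policy, a BIMI record pointing at an SVG logo, and a VMC for the checkmark, as the summary describes), as an added readiness check that is not part of the original thread. The DNS records below are constructed for two hypothetical domains, one that qualifies and one that does not.

```python
# Constructed TXT records for hypothetical domains (not real DNS data).
TXT_RECORDS = {
    "_dmarc.example.com": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com",
    "default._bimi.example.com": "v=BIMI1; l=https://example.com/brand.svg; a=https://example.com/vmc.pem",
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "default._bimi.weak.example": "v=BIMI1; l=http://weak.example/logo.png;",
}


def parse_tags(record):
    """Split a 'k=v; k=v' style DMARC/BIMI record into a dict (keys lowercased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # URLs may contain '=' themselves
            tags[key.strip().lower()] = value.strip()
    return tags


def bimi_readiness(domain):
    """Return a list of reasons the domain would not get a BIMI logo/checkmark.

    An empty list means every prerequisite checked here is satisfied.
    """
    problems = []
    dmarc = TXT_RECORDS.get(f"_dmarc.{domain}")
    if dmarc is None:
        return ["no DMARC record"]
    d = parse_tags(dmarc)
    if d.get("v") != "DMARC1":
        problems.append("DMARC record does not start with v=DMARC1")
    policy = d.get("p", "none").lower()
    if policy not in ("quarantine", "reject"):
        problems.append(f"DMARC p={policy}; BIMI requires quarantine or reject")
    if policy == "quarantine" and d.get("pct", "100") != "100":
        problems.append("DMARC quarantine policy must apply to 100% of mail (pct=100)")
    if d.get("sp", "").lower() == "none":
        problems.append("subdomain policy sp=none is not allowed for BIMI")

    bimi = TXT_RECORDS.get(f"default._bimi.{domain}")
    if bimi is None:
        problems.append("no BIMI record at default._bimi")
        return problems
    b = parse_tags(bimi)
    if b.get("v") != "BIMI1":
        problems.append("BIMI record does not start with v=BIMI1")
    logo = b.get("l", "")
    if not logo.startswith("https://"):
        problems.append("logo (l=) must be served over https")
    elif not logo.lower().endswith(".svg"):
        problems.append("logo (l=) must be an SVG file")
    # The a= tag points at the VMC; Gmail only shows the checkmark with a VMC.
    if not b.get("a", "").startswith("https://"):
        problems.append("no VMC (a=) URL; Gmail requires a VMC for the checkmark")
    return problems


if __name__ == "__main__":
    for name in ("example.com", "weak.example", "nodmarc.example"):
        print(name, "->", bimi_readiness(name) or ["ready"])
```

The certificate itself (and whether the logo in it matches the l= file) is validated by the receiving mail provider, not by anything that can be read out of DNS, which is the part a CA is paid to vouch for.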
Re: (Score:2)
What's the cert vendor going to do besides check DNS? A robust looking DMARC record doesn't mean anyone reads the emails, and people fudge compliance reporting all the time. Hell, they may not even be asked if anyone ever l
Damn... late to the party again (Score:2)
It's like a magic trick... look over here!
Soon, Big Fruit will add a red checkmark for ONLY $16/month... and you chumps (under 30, I'm guessing, same people who need cryptos, and couldn't breathe without an iPhone18) will climb over each other to pay it.
I PROUDLY HAVE A RED CHECKMARK !!
Ha ha, Suckers with Blue checkmarks!!
Where's the Futurama guy? Recall, theatre worker to Fry:
"Would you like a small Slurm for $20... or an EXTRA SMALL Slurm for only $30 ??"
Verified Spammers (Score:1)
There was a silence for one week, then the spammers began sending mails from domains with DMARC configured.
Only good thing was mails pretending to be from our domain were blocked.
BIMI Costs Money (Score:1)
We will have to wait for something like LetsEncrypt to support BIMI.