Posted: 16 Feb 2016 02:38 PM PST
On February 9th, Safe Internet Day, we announced two new security features to Gmail that will roll out to Google Apps customers in the coming weeks.
First, users who receive a message from―or are composing a message to―someone whose email service doesn’t support an encrypted connection (TLS) will soon see an open lock icon in the message. Users won’t see this icon when sending mail from one Google-hosted domain to any other, including gmail.com, since those emails are always sent over an encrypted connection. Gmail will always send and receive messages over TLS, unless the connecting service doesn’t support it.
Second, users who receive messages that aren’t properly authenticated with either Sender Policy Framework (SPF) or DKIM will see a question mark in place of their profile photo, corporate logo or avatar.
Change Management
It is important to note that both of these features are warnings only. They will not affect email sending or delivery. Unauthenticated emails, as well as those sent over an unencrypted connection, have always existed (though on a steady decline). The only thing that has changed is that Gmail will now warn the user when the security of a particular email is less than standard.
The two Gmail Help Center articles below outline the expected behavior and can be used to help effectively communicate this change to users.
To see what percentage of traffic is received or sent from your domain that is either encrypted with TLS or authenticated with DKIM, SPF, or DMARC, the following tools are available for domain administrators:
Limitations for senders using custom ‘From:’ to send mail
If your users use custom ‘From:’ to send mail through a different domain’s mail servers, Gmail will only indicate the encryption status for the the receiving domain’s reputation. At this time, Gmail will not indicate the encryption status of the user’s custom ‘From:’ address.
Launch Details
Release track:
Launching to Rapid release in the coming weeks, with Scheduled release coming 2 weeks later.
Please monitor the launch release calendar for details.
Rollout pace:
Gradual rollout (potentially longer than 3 days for feature visibility)
Impact:
All end users
Action:
Change management strongly suggested. The Help Center articles below outline the expected behavior, and can be used to help effectively communicate these changes to users.
More Information
Help Center: Email encryption in transit (TLS)
Help Center: Email Authentication
Google for Work blog post
Gmail blog post
First, users who receive a message from―or are composing a message to―someone whose email service doesn’t support an encrypted connection (TLS) will soon see an open lock icon in the message. Users won’t see this icon when sending mail from one Google-hosted domain to any other, including gmail.com, since those emails are always sent over an encrypted connection. Gmail will always send and receive messages over TLS, unless the connecting service doesn’t support it.
Second, users who receive messages that aren’t properly authenticated with either Sender Policy Framework (SPF) or DKIM will see a question mark in place of their profile photo, corporate logo or avatar.
Change Management
It is important to note that both of these features are warnings only. They will not affect email sending or delivery. Unauthenticated emails, as well as those sent over an unencrypted connection, have always existed (though on a steady decline). The only thing that has changed is that Gmail will now warn the user when the security of a particular email is less than standard.
The two Gmail Help Center articles below outline the expected behavior and can be used to help effectively communicate this change to users.
To see what percentage of traffic is received or sent from your domain that is either encrypted with TLS or authenticated with DKIM, SPF, or DMARC, the following tools are available for domain administrators:
- Postmaster Tools provides both encryption and authentication dashboards for domains which receive a sizable daily volume of email traffic (up to the order of hundreds). Learn more in the Postmaster Tools Help Center.
- The Admin console contains aggregate reports for your domain, including Gmail Inbound Email: Encryption and Outbound Email: Encryption reporting. Learn more in the Admin console Help Center.
Limitations for senders using custom ‘From:’ to send mail
If your users use custom ‘From:’ to send mail through a different domain’s mail servers, Gmail will only indicate the encryption status for the the receiving domain’s reputation. At this time, Gmail will not indicate the encryption status of the user’s custom ‘From:’ address.
Launch Details
Release track:
Launching to Rapid release in the coming weeks, with Scheduled release coming 2 weeks later.
Please monitor the launch release calendar for details.
Rollout pace:
Gradual rollout (potentially longer than 3 days for feature visibility)
Impact:
All end users
Action:
Change management strongly suggested. The Help Center articles below outline the expected behavior, and can be used to help effectively communicate these changes to users.
More Information
Help Center: Email encryption in transit (TLS)
Help Center: Email Authentication
Google for Work blog post
Gmail blog post