Yesterday, Google rolled out a new feature in Gmail which warns you when it isn’t sure who an email was sent by. This warning isn’t due to some confusion on the server side; it exists because Google wants to force more people to use SPF records and DKIM signatures. Both of these are good technologies to use (I personally have them both enabled), but I worry about Google’s move to “force” this… and how it will affect users.
The problem, as with most technology “solutions”, is how the users will react to this. Warning users on a nearly constant basis that their messages might be phishing/lies, especially when they know them to be valid, will desensitize them to the warnings. This is the exact same issue Microsoft ran across in Vista. The “joke” security in Vista was so bad that Apple used it as a commercial. In Vista, users needed to hit Allow so often to do basic tasks that when a questionable prompt came up… they just hit Allow again (without reading it), or turned the prompts off completely.
Now, to be fair, I’m on a number of mailing lists and I could only find one message that had the “This message may not have been sent by…” warning on it. Maybe my concern is overkill and maybe Google’s already thought about this problem. My hope is that Google has implemented this in such a way that it won’t burn out users, while simultaneously spurring administrators to set up their SPF and DKIM records properly (seriously, it isn’t that hard). I can dream.
Update (2011-06-30@1030UTC-08): As Mathew points out in the comments: This error seems to be showing up for some/most DKIM-enabled email (such as all of @gmail.com) that gets modified by a mailing list. Handy.
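Why a mailing list breaks DKIM, as an added example (not code from the original post, and not Google’s or Gmail’s verifier): a DKIM signature carries a `bh=` tag holding the hash of the canonicalized message body, so any footer the list appends changes the hash and the signature no longer verifies, even though the message is genuine. The code below implements the “relaxed” body canonicalization from RFC 6376 and checks only the body-hash half of DKIM; the RSA signature over the headers is omitted as a simplification. The message bodies and the list footer are constructed for the example.

```python
import base64
import hashlib
import re


def relaxed_body_canon(body: str) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization.

    - runs of SP/HTAB within a line collapse to one SP
    - trailing whitespace on each line is removed
    - empty lines at the end of the body are dropped
    - every remaining line ends in CRLF
    """
    lines = body.replace("\r\n", "\n").split("\n")
    canon = [re.sub(r"[ \t]+", " ", line).rstrip() for line in lines]
    while canon and canon[-1] == "":
        canon.pop()
    if not canon:
        return b""
    return ("\r\n".join(canon) + "\r\n").encode("utf-8")


def body_hash(body: str) -> str:
    """Value a signer would put in the bh= tag (rsa-sha256, relaxed)."""
    digest = hashlib.sha256(relaxed_body_canon(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_body_hash(body: str, bh_tag: str) -> bool:
    """What a verifier such as a receiving MTA does with the bh= tag."""
    return body_hash(body) == bh_tag


# Constructed message as the author sent it (whitespace deliberately messy
# to show that canonicalization tolerates it).
ORIGINAL_BODY = "Hello list,\r\n\r\nPlease   review the   draft.  \r\n\r\n"

# Constructed footer a mailing list manager might append on redistribution.
LIST_FOOTER = "--\r\nYou received this because you are subscribed to example-list.\r\n"
MODIFIED_BODY = ORIGINAL_BODY + LIST_FOOTER

if __name__ == "__main__":
    bh = body_hash(ORIGINAL_BODY)          # signed at the author's domain
    print("bh= as signed:        ", bh)
    print("direct delivery ok?   ", verify_body_hash(ORIGINAL_BODY, bh))
    print("via mailing list ok?  ", verify_body_hash(MODIFIED_BODY, bh))
```

Relaxed canonicalization forgives whitespace changes made in transit, which is why the first check passes despite the untidy body, but it cannot forgive added content, which is why the second fails. A receiver that then falls back to SPF sees the list server’s IP rather than the author’s, so both checks fail and the “may not have been sent by” warning appears on mail that is perfectly legitimate.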