Does the “Google is rewriting the links in your email” feature also mean that DKIM is hard(er) to verify given a set of messages, or is it easy to get the non-rewritten messages from an account?
You already had to use the 'Show original' menu action to see the original email for anything like that. The email they show you in the UI has never shown all the headers and even for plain text emails has always deviated from the unmodified text.
Gmail should really surface whether emails are DKIM signed in the interface, by showing non-DKIM-signed emails as insecure as they do for emails sent without encryption. Most domains don't use a DMARC reject or even quarantine policy, but they do usually DKIM sign their emails.
Gmail itself has a no-op DMARC policy for gmail.com (TXT record for _dmarc.gmail.com is "v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-reports@google.com"). That means anyone can send fake emails as *@gmail.com to other mail providers per the Gmail policies.
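To see what the record quoted in the reply above actually asks receivers to do, here is an added example (not code from anyone in the thread) that parses a DMARC TXT record and works out the effective policy for the organizational domain versus its subdomains; it assumes the caller already knows the organizational domain, so the public-suffix lookup a real receiver performs is left out.

```python
# Constructed from the gmail.com DMARC record quoted in the thread above.
GMAIL_DMARC = "v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-reports@google.com"


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record (RFC 7489 'tag=value' pairs separated by ';')."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("DMARC record is missing the required 'p' tag")
    return tags


def effective_policy(tags: dict, org_domain: str, from_domain: str) -> str:
    """Policy (none / quarantine / reject) a receiver applies to mail whose
    RFC5322.From domain is `from_domain`, given the org domain's record.
    Subdomains use 'sp' when present and fall back to 'p' otherwise."""
    org_domain, from_domain = org_domain.lower(), from_domain.lower()
    if from_domain == org_domain:
        return tags["p"].lower()
    if from_domain.endswith("." + org_domain):
        return tags.get("sp", tags["p"]).lower()
    raise ValueError(f"{from_domain} is not under {org_domain}")


def failing_mail_is_delivered_normally(policy: str) -> bool:
    """p=none only asks receivers to report; it does not quarantine or reject
    mail that fails SPF/DKIM alignment."""
    return policy == "none"


if __name__ == "__main__":
    tags = parse_dmarc(GMAIL_DMARC)
    for domain in ("gmail.com", "mail.gmail.com"):
        policy = effective_policy(tags, "gmail.com", domain)
        print(f"{domain}: {policy} "
              f"(delivered normally on failure: {failing_mail_is_delivered_normally(policy)})")
```

Running it shows the asymmetry the reply points at: mail spoofing the bare gmail.com domain gets p=none (report only), while a spoofed subdomain would be quarantined under sp=quarantine.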
One of several reasons that I get confused when people refer to Gmail as having rock solid security. Google's account security and authentication are rock solid and the Advanced Protection Program is great. Gmail benefits from that, but in terms of mail security, it kinda sucks.