It looks to me that Paypal is not sending the emails in a secure and verifiable method. Emails that are sent from a domain that's different than the from address are legitimately suspicious, especially when they contain financial keywords.
I recently received an email claiming to be from paypal (the SPF+DKIM passed) but inviting me to click on links in "epl.paypal-communication.com". How do I know this is not phishing? It certainly looks like phishing, and I certainly wouldn't click on those. But if it is not, how stupid must these guys be to use "paypal-communication.com"?
Which is why I think it was rather a moronic choice of domain on the part of paypal. But I know how to look for spf/dkim validation. A normal user (or a user using a mobile/tablet) will make a decision purely on the domain of a link.
Whois says it's owned by Paypal on MarkMonitor, but that can be faked, right? Or does MarkMonitor require email address validation? (hostmaster@paypal.com in this case)
MarkMonitor specifically is pretty picky about only taking on large-scale corporations (google.com, amazon.com, microsoft.com to name a few) so just the fact that it's registered there is usually a reliable way to confirm legitimacy, but checking whois is still way more research than an average PayPal user should need to do to avoid being phished.
I'd really like to see a customizable threshhold on what is and isn't spam. I've noticed a lot of mailing lists and things I did sign up for getting passed to junk, though periodically I try to mark them as "not spam" presumably enough other people mark similar messages as spam that my suggestions are overridden when new messages arrive. Something as simple as a slider to control how zealously the filter culls messages from the inbox might go a long way to making users feel more in control of the situation (whether such a control could be effective enough not to annoy users and have a real effect on the false positive rate is another question, so I admit there's no easy answer).
Never gonna happen, the big G knows the best for all. Even G Suite business users have to deal with the lack of controls here, even if we whitelist our own domain, things can get flagged by the larger Gmail spam filters that G Suite users are still subject to.
> “Emails that are sent from a domain that's different than the from address are legitimately suspicious”
That’s not how this works. The “from” email header has nothing to do with the actual sender due to the email standard. The actual sender is specified in the SMTP command.
This is why SPF and DKIM for example have nothing to do with “from” either. SPF refers to the sender in the SMTP command and DKIM signing can use the keys of a domain unrelated to “from” and it’s all legal.
It’s very easy actually to spoof the “From” header and Gmail won’t complain.
That “via” information you’re seeing is just another header that doesn’t have much to do with Gmail. If you’re seeing it, that’s because the sender wants you to see it.
Nobody said it wasn't legal according to specs, but that it's suspicious. And it is. Having a "From" header in the email that doesn't match the sender used for SMTP _is_ suspicious, and certainly should be an input signal for any spam filter.
Not suspicious at all. It's how mailing lists work.
From on the envelope will be address of the mailing list, and from in the headers will be the original sender. Perfectly legitimate and extremely annoying if anythig uses this as a SPAM signal.
Why? They simply want bounces delivered to a differnt address than the real replies from customers. Seems reasonable if it's a from address used for a mass/automated mailing. (it is)
Sure there are alternatives, but it's still not suspicious. I just went through my "shopping" folder and more than a few comapnies have different From header domain and envelope From domain, including some big american ones like Airbnb who presumably know what they're doing.
Also PayPal was a contributor to DMARC RFC, so they presumably know what they're doing too around e-mail, wouldn't you say?
I get confirmations of flight reservations where env-From is mandrill app and From is kiwi.com. DMARC passes. Some of my banks do this, too. Registrar of my domains does this. Many others too.
It's just not suspicious and these are very important senders to me (I mean I'd hate to fail to renew my domain, or miss that one-in-a-lifetime e-mail that someone is withdrawing money from my bank account other than me, because of a braindead SPAM policy) and google should not care.
Note that DMARC modifies the meaning of SPF. SPF without DMARC protects the envelope-sender and not the From header.
With DMARC SPF protects the From header as well.
SPF, DKIM, and DMARC maybe useful against fishing. In the long run it doesn't do anything against spam. So it is rather unfortunate that gmail (certainly on IPv6) is so eager to classify mail without those headers as spam.
Also, every website asks you to check the spam folder if the verification mail hasn't shown after a couple of minutes, it's not like you lost it forever.
> every website asks you to check the spam folder if the verification mail
This is not a registration email that you expect to receive after clicking somewhere on a website.
This is the kind of email that says "something important happened to your account you may not be aware of, you should really know this; if it wasn't you, you are now in danger".
(Of course in this case it was me, but the whole purpose of this type of email is to alert you promptly in case it wasn't you.)
Does it make sense to send such vital notifications via a channel that can silently hide them? This is ideal for mobile push notifications, and if you want reliable notifications, you should install the PayPal app.
I use a redirection service and use a unique address for paypal. And I have to change that periodically because it leaks on to spam lists. In $current_year there's absolutely no reason for them to be sending your actual email address to anyone outside their company.
Now, that shouldn't be something Google takes into account, but given that Paypal is inexcusably lax in how they manage customer privacy, my inclination is they're not sticking to best practices as a mass sender and are running afoul of Google's spam filters as a result.
BTW, if you use a redirection service and thus have unique emails for all companies you correspond with, you know those emails are private and won't get spam. (Or you turn them off.) It works well enough that I have a gmail rule that blanket prevents them from being filtered.
Gmail also inappropriately spam-filters Stripe emails. I have received thousands of these messages and have a rule set up to file them away (skip inbox, apply a label). I don't want them in my inbox, but I like to know how many are coming in each day because it gives me a sense of payment flow for our most popular product.
You would think that gmail would be smart enough to realize that if I've received thousands of emails from an address and NEVER marked as spam/deleted, it probably isn't spam. Also, if I have a rule set up to file these messages (and keep unread), that should also throw a flag that it's not spam. But I've had to go in and create another special rule to never have this mail marked as spam.
I then had to broaden that rule because the Stripe customer service emails started getting marked as spam...
I'm sorry to hear that your Stripe emails are being spam-filtered. I work for Stripe as part of their engineering team responsible for email deliverability and would love to see some examples of email that has been incorrectly classified so we can try to prevent this from happening in the future. Would you be able to forward a few examples with full headers[0] to zack [at] stripe [dot] com?
Will do. For weeks, every single payment notification was spam-filtered. Then a conversation with support@stripe.com was spam-filtered. I can't recall for certain, but I think the conversation was about the spam-filtering of the payment notifications.
Spam classification by email service providers is generally quite opaque but we can at least check that we're doing everything in our power to prove that the email is legitimate. Like ensuring it passes SPF, DKIM and DMARC, and that it is being sent from an IP that is only used for transactional emails. Beyond that we would need to try to work with individual providers.
I've noticed in the past if I delete emails without reading (as is often the case when the subject and first line is enough, i.e. transactional emails) Gmail will start classifying them as spam. I'm very careful now to 'mark as read' instead.
It is because of the DMARC setup that Paypal has put in place which is doing exactly what they want it to do which is put any non verified and in alignment (not coming from the paypal.com domain) - this is why you see the via in the from.
The current DMARC policy for Paypal.com is
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
This doesn't sound perfectly accurate for my case (since the DMARC policy seems to be for paypal.co.uk, not .com), but quite related / perhaps the other way around?
I see in the headers:
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@paypal.co.uk header.s=pp-dkim1 header.b=UsIpWUs9;
spf=pass (google.com: domain of service@paypal.co.uk designates 173.0.84.226 as permitted sender) smtp.mailfrom=service@paypal.co.uk;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.co.uk
Received: from mx0.slc.paypal.com (mx1.slc.paypal.com. [173.0.84.226])
by mx.google.com with ESMTPS id q195si2496022ita.120.2019.02.05.13.10.37
You'd think so, but no even internal G Suite emails that never leave the domain, still subject to GMail's generic all users spam filters. And even as a paying user, you can't get out of them.
It be really great if they allowed G Suite admins to have fine grained control over what is and isn't SPAM in their own domain. Alas even that's subject to consumer Gmail spam filters.
There are orgs with thousands of corporate G Suite accounts. I mean if you are in the 10k or larger size, running your services internally might make sense but for the rest of us, G Suite should work well enough for corporate email.
The gmail filters have been wonky for the last week or so. I keep getting messages marked as "potentially unsafe". Messages I've been getting daily for years and have marked as high priority.
So either the introduced a bug or flipped a switch to make it a lot more restrictive.
This happens even in the best families. Yesterday Outlook365 informed me that there's a suspicious and blocked message coming from Github. And yep, that was the email confirmation I should've received from the real Github. I would assume that whitelisting bought services could be a thing within Microsoft...
SPF and DKIM test the "Envelope-From" address that is part of the SMTP conversation, and separate from the "From" that is typically displayed in the message. If you examine the full "Return-Path:" header you will see that it was not sent from your friends address after all.
Everyone is receiving those (bogus) phishing emails.
It is crowdsourced; the best thing you can do is mark it as not spam. The most likely explanation for what happened here is PayPal are a bunch of filthy spammers, lots of users marked their mail as spam, and they use the same IPs or envelope senders to send service messages. Always use gold-plated IPs and return addresses for critical service messages.
While the tone of this post was a little tongue in check, it is certainly the most likely answer. PayPal does send marketing/sales traffic on the same pipe as their transactional traffic, which as expected ends up with lots of spam flags. ie I didn't ask for a line of credit.
Side note:
There are only 3 major webmail/freemail services left, so running afoul can be a very serious issue. Speaking about the postmaster level.
GMail, Verizon, Microsoft
Verizon might be bigger than Gmail at this point with acquisitions.
It looks to me that Paypal is not sending the emails in a secure and verifiable method. Emails that are sent from a domain that's different than the from address are legitimately suspicious, especially when they contain financial keywords.
https://support.google.com/mail/answer/1311182?hl=en