Getting rid of the via at Gmail

There was a question submitted today about the verification process at Gmail.

even though SPF authentication is passed, a via is added to mail sent from a webserver. The return-path is not the same as the visible from field, but there’s no way for me to change it. Does that mean I won’t be able to get rid of the via?

This actually ties in to some research Steve and I did a few months ago about how and when Gmail is displaying the “via” in their interface. We generated 90+ different emails with various From: addresses, Return-Path: addresses and passing and failing with both SPF and DKIM.
After crunching all the numbers down, I created a table with all the conditions.
All of the conditions we measured
As you can see, there were only a very few conditions that generated the “via” display in the Gmail interface. In cases where there was any domain match between the visible from: and the return path, either the exact domain or a subdomain, there was no “via” displayed, even if authentication failed.
But, when we look at the cases where the domain in the Return-Path is unrelated to the visibly displayed From, then we start to see the cases where Gmail displays the “via.”

Matrix looking at when and what via is displayed
Only when there is a domain mis-match and failing authentication is a via displayed.
So the answer to your question is as long as the webserver is a different domain than the visible From: address Gmail will display a via. You may be able to have no via if you provide no authentication, but Gmail does what it calls “best guess” SPF so even that may not work for you.
 

Related Posts

Gmail and the via

I was hoping to have a detailed post up today about the conditions where gmail presents the user with a “via” but time seems to have gotten away from me. But I can give you the conclusions.

Read More

DMARC: an authentication framework

A new email industry group was announced this morning. DMARC is a group of industry participants, including large senders, large receivers and relevant intermediaries working on a framework to reduce the harm from phishing.
DMARC is working on a standard to allow senders to publish sending policies and receivers to act on those policies. Currently, senders who want receivers to not deliver unauthenticated email have to negotiate private agreements with the ISPs to make that happen. This is a way to expand the existing programs. Without a published standard, the overhead in managing individual agreements would quickly become prohibitive.
It is an anti-phishing technique built on top of current authentication processes. This is the “next step” in the process and one that most people involved in the authentication process were anticipating and planning for. I’m glad to see so many big players participating.
 

Read More

Authentication Cheat Sheet

There are a several approaches to authenticating email, and the different authentication methods have a lot of different settings to choose from (sometimes because they’re useful, other times just because they were designed by committee). It’s nice that they have that flexibility for the complex situations that might benefit from them, but almost all the time you just want to choose a good, default authentication approach.
So here’s some short prescriptive advice in no particular order for “how to do email authentication at an ESP well” without the long discussions of alternative approaches and justification of each piece of advice.

Read More