A few days ago, Google started notifying some Google Workspace customers of updated spam filtering and blocking changes coming to the Gmail email service. Gmail is moving to more proactively reject messages whose headers violate RFC 5322, and it is believed that this is an attempt to help prevent DKIM replay attacks. Read on to learn what this means and how it could affect email senders.
In the notification below, Google indicates that it was sent only to Workspace users they think may be impacted by this change, but truth be told, it affects the entire internet, because it could affect anyone sending email to any user at a Google-hosted mailbox.
The notification: We're writing to let you know about an upcoming change to your Gmail services. Gmail will start rejecting messages that are non-compliant with Internet Message Format standards and contain more than one single-instance email header as of April 24, 2023.
You are receiving this message because during February 2023, your organization has either sent or received more than 10 emails with duplicate headers.
What does this mean for your organization?
If your users are currently sending messages with multiple headers, the messages will start being rejected with the error message: "This message is not RFC 5322 compliant," starting April 24, 2023.
For context, email headers are a set of lines that precede the body of an email message. They contain information about the sender, recipient, subject, the message's route to the recipient's inbox, and how to interpret the body (text, html, image). They also provide information that can be used to verify the authenticity of a message. Therefore, rejecting messages that contain more than one single-instance email header proactively prevents malicious duplicate header exploitation and email spam.
The Internet Official Protocol Standards: Internet Message Formats [Request For Comments (RFC) 5322] states that a message must have at most one instance of each of the following headers:
- To
- Cc
- Subject
- Date
- From
- Sender
- Reply-To
- Bcc
- Message-ID
- In-Reply-To
- References
Note: Please see RFC Editor's Internet Message Format RFC 5322 document for additional information on the headers that are standards compliant.
Why are they doing this: To impede DKIM replay attacks, where a malicious actor takes a signed email message, and re-sends it, "replaying" it to other internet users. Bad actors do this to hijack domain reputation of a good sender, usually to sneak bad things past filtering. Some of those bad actors like to add additional headers to the "replayed" version of the email message, allowing them to include additional messaging geared toward their bad acts. This new filtering by Gmail reduces their chances of success.
How does this affect senders: Email platforms can be buggy, and even good senders sometimes send messages that unintentionally violate RFC 5322. Previously, this wasn't necessarily enough to get your messages blocked. But as I mentioned above, Google has apparently observed enough bad activity exploiting this that they're now willing to actively reject such messages in an attempt to keep bad things out of the inbox (or even the spam folder).
Oh no, I'm seeing RFC 5322 bounces: If you're a sender who is NOT engaging in DKIM replay attacks, just sending your plain old marketing email, and you're running into "RFC 5322" bounces when sending to Gmail users, don't panic! It's not an email death penalty. It just means something is misconfigured in your email sending platform; you'll need to work with them to find out which headers are being duplicated and fix the platform so it stops happening.
It can be very frustrating, but once fixed, you'll be able to send mail again successfully.
And if you're building an email sending platform, be careful to make sure that you're not allowing duplicate headers. Of course, multiple "Received" headers tracing the travel of an email message across the internet are to be expected. (Though even then, a given server only adds one of them at each hop.) For almost all other headers, there really should only be one.
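As an added example (not from the Gmail notification or any Google tool), here is a small pre-send check a sending platform could run against a raw message to flag the RFC 5322 single-instance headers listed above when they appear more than once, while leaving repeated trace headers such as Received alone. The two sample messages are constructed for the demonstration.

```python
import email
from email import policy

# Header fields that RFC 5322 section 3.6 limits to at most one instance per
# message (the same list enumerated in Google's notification), lower-cased.
SINGLE_INSTANCE_HEADERS = {
    "to", "cc", "bcc", "subject", "date", "from", "sender",
    "reply-to", "message-id", "in-reply-to", "references",
}

def duplicated_single_instance_headers(raw_message: bytes) -> list[str]:
    """Return the names of single-instance headers that occur more than once.

    Only the header section is inspected. Trace headers such as Received may
    legitimately repeat once per hop, so they are not counted.
    """
    # compat32 is the lenient legacy policy; it parses the headers without
    # raising on malformed values, which is what we want for a linter.
    msg = email.message_from_bytes(raw_message, policy=policy.compat32)
    counts: dict[str, int] = {}
    for name in msg.keys():  # keys() yields one entry per header occurrence
        key = name.lower()
        if key in SINGLE_INSTANCE_HEADERS:
            counts[key] = counts.get(key, 0) + 1
    return sorted(k for k, n in counts.items() if n > 1)

def is_single_instance_compliant(raw_message: bytes) -> bool:
    """True when no single-instance header is duplicated (safe to send)."""
    return not duplicated_single_instance_headers(raw_message)

# Constructed sample: two Received headers (normal) and every other header once.
CLEAN_MESSAGE = b"""Received: from mx1.example.net by mail.example.com; Mon, 24 Apr 2023 10:00:00 +0000
Received: from sender.example.org by mx1.example.net; Mon, 24 Apr 2023 09:59:58 +0000
From: Newsletter <news@example.org>
To: recipient@example.com
Subject: April newsletter
Date: Mon, 24 Apr 2023 09:59:50 +0000
Message-ID: <constructed-1@example.org>

Hello from the April newsletter.
"""

# Constructed sample: the same message with an extra From and Subject added,
# the shape of duplicate-header abuse the new Gmail filtering rejects.
DUPLICATED_MESSAGE = (
    b"From: Someone Else <other@example.test>\r\n"
    b"Subject: Extra subject line\r\n"
) + CLEAN_MESSAGE

if __name__ == "__main__":
    print(duplicated_single_instance_headers(DUPLICATED_MESSAGE))  # ['from', 'subject']
```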
Looks like Google is taking proactive measures to prevent DKIM replay attacks and improve email security by rejecting messages that violate Internet Message Format standards. While this may cause some inconvenience for senders, it's a necessary step to prevent malicious activities and ensure the authenticity of email messages. Let's hope other email providers follow suit to make the internet a safer place for everyone!