How Gmail's Blue Checkmarks Could Protect You From Phishing Emails

MakeUseOf

By David Rutland

Published May 6, 2023

Everyone knows phishing is a major security risk. Google's blue checkmark initiative aims to tackle this problem, but it's not fool-proof.

Authenticity is hard to come by on the internet, and nowhere is that more apparent than with emails. A message which appears to come from your bank, your healthcare provider, or your ISP often turns out to be an attempt to steal your money and your identity. Google is introducing blue checkmarks to emails from certain senders, indicating that they're safe, trustworthy, and from who they say they are.

How Google's Blue Checkmarks Verify Business Emails

In May 2023, Google announced that certain emails sent to Gmail accounts will have blue checkmarks next to the sender name.

The blue checkmark indicates that the entity that sent the email is a company which has adopted and complies with Google's Brand Indicators for Message Identification (BIMI) initiative.

As detailed in a Google Workspace Blog post, Google introduced BIMI in 2020 in an effort to improve email security. To be BIMI compliant, a sender must have validated their logo with a trusted third party certificate authority, such as DigiCert, and have implemented Domain-based Message Authentication, Reporting, and Conformance (DMARC).

To successfully implement DMARC, the company must have also deployed DomainKeys Identified Mail (DKIM), which demonstrates that the user owns the domain, and a Sender Policy Framework (SPF), which specifies mail servers authorized to send out emails from the domain.

Most non-Google email servers will reject mail without DMARC anyway.

While you should always check if an email is real or fake before loading images or clicking on any links, if an email in your Gmail inbox carries a blue checkmark, this means the sender is significantly more likely to be genuine and trustworthy.

Gmail's Blue Checkmarks Don't Protect You Completely

While Google's business verification seems like a good idea, you still shouldn't automatically trust senders with the blue checkmark

It's trivially easy to buy a domain name, and simple to set up an email server, complete with SPF, DKIM, and DMARC.

And according to DigiCert, the requirements for logo verification are simple but costly. You need to register your logo as a trademark—a process which takes mere weeks in some jurisdictions—have DMARC set up, and pay a fee of $1,499 (at the time of writing).

While this does increase the barriers to criminals, it's still possible to get a blue Gmail checkmark for a spoof domain.

Don't Take Your Online Security for Granted

Google's BIMI and blue checkmark schemes aren't perfect, but they're likely to make your inbox considerably more resilient to phishing scams.

You shouldn't relax just yet though: there are plenty of other online scams out there that can result in identity theft, malware infection, and financial losses.