
Attention all Gmail users! You NEED to see this new security warning from Google!



Google’s Gmail Verification System is Being Exploited by Hackers

Google’s new security feature for verifying the authenticity of email sent to Gmail users has become a tool for scammers. Launched about a month earlier, the system shows a blue checkmark next to verified companies and organizations so that users can tell legitimate mail from suspicious mail. Cybercriminals have found a way to satisfy the system’s checks and turn the checkmark against the very users it was meant to protect.

The Problem with the Verification System

Scammers have discovered how to fool Gmail into marking their spoofed messages as coming from a verified brand. The checkmark was supposed to instil confidence in users, and that is exactly what scammers are exploiting. Cybersecurity engineer Chris Plummer discovered the issue and reported it to Google, which eventually acknowledged it and classified it as a top-priority (P1) bug.

Google’s Response to the Issue

Initially, Google closed the report, treating the behaviour as intended. Plummer’s tweets about the issue then went viral; Google took notice, reopened the report, apologized for overlooking the flaw, and promised to fix it.

How the System Works

The Gmail verification system, also known as blue checkmark sender verification, tries to distinguish legitimate from illegitimate senders by verifying each company’s identity and its email authentication setup. The checkmark is shown next to the sender’s name and address to signal legitimacy to users. As scammers have shown, however, the checkmark is only as strong as the authentication checks behind it, and those checks need further work.

Update on the Issue

06/05 Update: Security researchers have worked out how the attackers tricked the Gmail verification system and whether the problem applies to other email services. Jonathan Rudenberg, a software developer, set out to replicate the attack against Gmail. He found that Gmail’s BIMI implementation only required SPF to pass and align with the From domain, while the DKIM signature could come from any domain. DMARC itself passes when either aligned SPF or aligned DKIM passes, so a BIMI check that stops at “DMARC passed” inherits that weakness; of the two, only an aligned DKIM signature cannot be borrowed by sharing an outbound server. In practice this means that any shared or misconfigured mail server listed in a BIMI-enabled domain’s SPF record can be used to send spoofed messages that receive the full BIMI treatment (logo and checkmark) in Gmail.

What This Means for Other Email Services

Rudenberg also looked at how other email services implement BIMI. iCloud correctly requires the DKIM signature’s domain to align with the From domain; Yahoo applies BIMI treatment only to bulk senders with high reputation; and Fastmail is vulnerable in the same way as Gmail, but it also supports Gravatar and uses the same visual treatment for both, which limits the value of a spoofed logo there. The report nonetheless lists Apple Mail and Fastmail as services whose users should remain vigilant.
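The two rules described in the update and in this section, the lax one reported for Gmail (an aligned SPF pass is enough) and the strict one reported for iCloud (an aligned DKIM signature is required), are easy to compare in code. The following is an added example and not Gmail’s, iCloud’s or Rudenberg’s code; Gmail’s real logic is not public. Every domain, authentication result and policy below is constructed for illustration, and the organizational-domain helper takes the last two labels instead of consulting the Public Suffix List.

```python
"""Added example (not Gmail's code): model the BIMI eligibility decision a
receiving mail service makes after SPF and DKIM verification, and compare the
lax rule reported for Gmail with the strict rule reported for iCloud.
All domains and results below are constructed."""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class AuthResults:
    """What the receiver knows once SPF and DKIM have been evaluated."""
    header_from: str               # domain of the RFC 5322 From: header the user sees
    spf_result: str                # "pass", "fail", "softfail", "none", ...
    mail_from: str                 # RFC 5321 MAIL FROM domain SPF was evaluated for
    dkim_domains: Tuple[str, ...]  # d= of every DKIM signature that verified
    dmarc_policy: str              # p= of the From domain's _dmarc record
    bimi_record: bool              # default._bimi TXT record exists for From domain


def org_domain(domain: str) -> str:
    """Relaxed alignment compares organizational domains. Real code uses the
    Public Suffix List; this simplification takes the last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(a: str, b: str) -> bool:
    return org_domain(a) == org_domain(b)


def spf_aligned(r: AuthResults) -> bool:
    return r.spf_result == "pass" and aligned(r.mail_from, r.header_from)


def dkim_aligned(r: AuthResults) -> bool:
    return any(aligned(d, r.header_from) for d in r.dkim_domains)


def dmarc_pass(r: AuthResults) -> bool:
    # RFC 7489: DMARC passes if EITHER aligned SPF or aligned DKIM passes.
    return spf_aligned(r) or dkim_aligned(r)


def _enforcing(r: AuthResults) -> bool:
    # BIMI requires a BIMI record and a DMARC policy of quarantine or reject.
    return r.bimi_record and r.dmarc_policy in ("quarantine", "reject")


def bimi_lax(r: AuthResults) -> bool:
    """Rule reported for Gmail: a DMARC pass is enough, so an aligned SPF pass
    with a DKIM signature from any (or no) domain gets the logo."""
    return _enforcing(r) and dmarc_pass(r)


def bimi_strict(r: AuthResults) -> bool:
    """Rule reported for iCloud: the DKIM d= must align with the From domain.
    Forging that needs the brand's DKIM private key; being relayed through a
    server listed in the brand's SPF record does not."""
    return _enforcing(r) and dkim_aligned(r)


def classify(r: AuthResults) -> Tuple[bool, bool]:
    """(lax decision, strict decision) for one message."""
    return bimi_lax(r), bimi_strict(r)


# Constructed scenarios.
LEGIT = AuthResults("brand.example", "pass", "brand.example",
                    ("brand.example",), "reject", True)

# Attacker relays through a shared outbound server that brand.example includes
# in its SPF record and sets MAIL FROM to brand.example; the relay signs with
# its own domain, not the brand's.
SHARED_RELAY_SPOOF = AuthResults("brand.example", "pass", "brand.example",
                                 ("shared-relay.example",), "reject", True)

# Direct spoof from an IP outside the SPF record, with no usable signature.
DIRECT_SPOOF = AuthResults("brand.example", "fail", "brand.example",
                           (), "reject", True)


if __name__ == "__main__":
    for name, r in [("legit", LEGIT), ("shared relay spoof", SHARED_RELAY_SPOOF),
                    ("direct spoof", DIRECT_SPOOF)]:
        lax, strict = classify(r)
        print(f"{name:20s} lax={lax!s:5s} strict={strict}")
```

Running it shows the legitimate message passing both rules, the direct spoof failing both, and the shared-relay spoof passing the lax rule (DMARC passes on SPF alone) while failing the strict one, which is the gap the update describes.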

The Security Community’s Response

The Gmail verification system issue has drawn sharp criticism from the security community, which has called out Google for the weak implementation and questioned how it passed review. Google has yet to ship a permanent fix, and until it does, users must remain vigilant against phishing attempts that carry the checkmark.


What is the Gmail verification system?

The Gmail verification system aims to verify the authenticity of emails sent to Gmail users by assigning a blue checkmark to the sender’s email address.

Why is the verification system flawed?

Hackers have found a way to trick the system into attaching the checkmark to spoofed messages that impersonate a verified brand.

What is BIMI implementation?

BIMI (Brand Indicators for Message Identification) is an email standard that lets a domain publish a logo in DNS (a default._bimi TXT record) for mail clients to display next to messages from that domain, provided the message passes DMARC under an enforcing policy (quarantine or reject). Gmail’s verification system is built on BIMI: showing the logo requires a valid BIMI record, and the blue checkmark additionally requires a Verified Mark Certificate proving the brand owns the logo. The standard is meant to reward domains that follow recommended anti-spoofing practices, which is why a weak authentication check underneath it matters so much.
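As an added example of the records the standard relies on, the following code parses a domain’s DMARC and BIMI TXT records and decides whether the domain is even eligible for BIMI treatment. It is not Google’s or the BIMI working group’s code; the two record sets are constructed, and a real implementation would fetch them with DNS lookups of _dmarc.<domain> and default._bimi.<domain> and would also validate the certificate referenced by the a= tag, which this example does not do.

```python
"""Added example: parse DMARC and BIMI TXT records (constructed here, not
fetched) and decide whether a domain qualifies for BIMI treatment at all."""
from typing import Dict, Optional
from urllib.parse import urlparse


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' TXT record (DMARC and BIMI share this syntax)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcing(dmarc_txt: str) -> bool:
    """BIMI requires DMARC at p=reject, or p=quarantine applied to 100% of mail."""
    tags = parse_tags(dmarc_txt)
    if tags.get("v", "").upper() != "DMARC1":
        return False
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return False
    return policy == "reject" or (policy == "quarantine" and pct == 100)


def bimi_logo(bimi_txt: str) -> Optional[str]:
    """Return the logo URL if the BIMI record is well-formed, else None.
    The l= tag must be an HTTPS URL to an SVG; an empty l= declines BIMI."""
    tags = parse_tags(bimi_txt)
    if tags.get("v", "").upper() != "BIMI1":
        return None
    url = tags.get("l", "")
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.path.lower().endswith(".svg"):
        return None
    return url


def bimi_eligible(records: Dict[str, str]) -> Optional[str]:
    """Logo URL to display, or None if either record disqualifies the domain.
    `records` maps the DNS label prefix to the TXT record found there."""
    if not dmarc_enforcing(records.get("_dmarc", "")):
        return None
    return bimi_logo(records.get("default._bimi", ""))


# Constructed record sets for two hypothetical domains.
CONSTRUCTED = {
    "brand.example": {
        "_dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@brand.example",
        "default._bimi": "v=BIMI1; l=https://brand.example/logo.svg; "
                         "a=https://brand.example/vmc.pem",
    },
    # Monitoring-only quarantine on 10% of mail and a plain-HTTP PNG logo:
    # fails both requirements.
    "weak.example": {
        "_dmarc": "v=DMARC1; p=quarantine; pct=10",
        "default._bimi": "v=BIMI1; l=http://weak.example/logo.png",
    },
}


if __name__ == "__main__":
    for domain, recs in CONSTRUCTED.items():
        print(f"{domain:15s} -> {bimi_eligible(recs)}")
```

Note that eligibility is a property of the domain’s DNS, while the flaw described on this page is about whether an individual message genuinely came from that domain; a domain can be fully eligible and still have its logo attached to a spoof if the receiver’s per-message alignment check is weak.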

Which email services are affected by the problem?

Gmail is the primary service affected. According to Rudenberg’s testing, Fastmail is vulnerable in the same way, with its Gravatar treatment limiting the impact, and the report also lists Apple Mail users as needing vigilance, while iCloud’s server-side check was found to require DKIM alignment and Yahoo limits logos to high-reputation bulk senders.

What is Google doing about the issue?

Google has acknowledged the issue and tagged it as a top-priority problem. As of the 06/05 update, however, it has yet to ship a permanent fix.

What can Gmail users do to stay safe from phishing scams?

Gmail users should treat the blue checkmark as one signal rather than proof of authenticity: do not open attachments or follow links in unexpected messages, even checkmarked ones, and confirm unexpected requests through a channel you already trust rather than through the email itself. Users should also enable two-step verification so that a stolen password alone does not give an attacker the account.


Google’s Gmail verification system is supposed to protect users from spam and phishing. Scammers have found a way to trick it by relaying spoofed mail through servers the impersonated brand already authorizes in SPF. Google is aware of the situation and has committed to a fix. In the meantime, users should stay cautious when opening unexpected email, whether or not it carries a checkmark.

