The Google for Education Community Platform

nkuhl30 · ‎05-01-2024

We have the Gmail -> Safety -> Spoofing and authentication -> Protect against spoofing of employee names setting set to ON and quarantine. Periodically, we send emails from our student information system from employees to groups of students. The domain of SIS is mail.veracross.com. Some of these emails, sent to students, are stopped in quarantine while others are not. There's no rhyme or reason to it.

I've added all emails addresses used by the SIS to communicate with students, as domain shared contacts. These email addresses now show up in user's contact lists. However, emails from our SIS are still being flagged as spoofing of employee names. After a bit of research, the reason why the domain shared contact method won't work in this scenario is because, while the email addresses stay the same, the From name does not.

We can't disable Gmail -> Safety -> Spoofing and authentication -> Protect against spoofing of employee names due to security concerns. This feature stops an incredible amount of bad actors trying to pose as our employees so it's critical that it be in use. However, there needs to be a way to instruct Google Workspace to allow all email from our SIS and not be subject to any type of filter.

I'd like to request a method, or whitelist perhaps, to override Gmail -> Safety -> Spoofing and authentication -> Protect against spoofing of employee names for certain email addresses.

stoodto · ‎05-01-2024

I had to add to my txt file to stop a specific work email from going into the quarantine. Ours had to do with our ITC.

nkuhl30 · ‎05-01-2024

What do you mean you had to add a txt file? Can you elaborate on that?

stoodto · ‎05-01-2024

In our txt file where you have to include your spf for google, we also had to include an spf for our ITC and I believe we adjusted the ip4. Your ITC *might* be able to help with making that adjustment depending on what they provide to you.

nkuhl30 · ‎05-01-2024

Gotcha. This isn't an issue that has to do with SPF/DKIM/DMARC. It's a specific issue with the Spoofing and Authentication feature in Google Workspace.

stoodto · ‎05-01-2024

I think ours were being marked as spoofing as well because they were being thrown into the quarantine. Sorry I couldn't help.

nkuhl30 · ‎05-01-2024

No worries. The Spoofing and Authentication safety feature overrides SPF/DMARC/SKIM and any whitelist that you can configure. It's crazy. All we need is for Google to add a whitelist for Spoofing.

Kim_Nilsson · ‎05-06-2024

Using Domain Shared Contacts (DSC) would work if the system did not send from different users. This is something that the developers of that system can allow as an option. There is no good reason why any external system should spoof your names or addresses.

--
https://wheretofind.me/@NoSubstitute

don_b_nashville · ‎05-06-2024

Also, check to see if Sendgrid makes sense. There's a free level and this was the only way for us to route emails with .wav file voicemails to Gmail from our uncredentialed phone server.

nkuhl30 · ‎05-06-2024

Our SIS creates dynamic distribution lists for students in a particular class, as well as parents of those students in a particular class. It's a really useful feature to have. However, the From name remains that of the teacher and the email server is that of the SIS. All I need is for Google to bypass the spoofing and auth feature for one site. This should be doable and I can't believe it hasn't been implemented yet.

The Google for Education Community Platform

Whitelist domains for Spoofing and authentication