3
votes

When I send an email using the Gmail API, recipients that are using the Gmail web interface are getting a phishing warning when they open the email.

However, when I send the exact same email content through the same Gmail account but using the web UI, the recipients do not get the phishing warning.

The only difference I can find between the two received emails, is that the one sent using the API has this additional header:

Received: from 114692869688 named unknown by gmailapi.google.com with HTTPREST; Tue, 11 Jun 2019 11:37:51 -0500

Does anyone know how to resolve this problem?

3 Answers

2
votes

I have the same problem. When defining your message, do not define the from parameter:

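from base64 import urlsafe_b64encode
from email.mime.text import MIMEText

def create_message(sender, to, subject, message_text):
  message = MIMEText(message_text)
  message['to'] = to
  # The from header is intentionally left unset
  #message['from'] = sender
  message['subject'] = subject
  # The API expects the whole message base64url-encoded in the 'raw' field
  encoded_message = urlsafe_b64encode(message.as_bytes())
  return {'raw': encoded_message.decode()}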

In fact, this parameter is also defined when giving the user_id to the send method.

message = (service.users().messages().send(userId=user_id, body=message)
                .execute())

1
votes

There are two options:

  1. Send an email through Gmail SMTP (Simple Mail Transfer Protocol, a protocol for sending e-mail messages between servers)
  2. Authorizing Your App with Gmail - All requests to the Gmail API must be authorized by an authenticated user. Gmail uses the OAuth 2.0 protocol for authenticating a Google account and authorizing access to user data.

When you get an email that looks suspicious, here are a few things to check for:

  • Check that the email address and the sender name match.
  • Check if the email is authenticated.
  • Hover over any links before you click on them. If the URL of the link doesn't match the description of the link, it might be leading you to a phishing site.
  • Check the message headers to make sure the "from" header isn't showing an incorrect name.

Yes, the message header is important when sending an email using Gmail API. You will need to trace an email with its full headers.

0
votes

In my case recipients get the emails ok, but senders got their own messages flagged as phishing in their sent messages tray.

After some time struggling with this, it seems to be a case-sensitivity issue.

Once I capitalized the f in the "from" header the problem went away.

So:

# sender something like "John Doe <[email protected]>"
message['From'] = sender
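
A pre-send check for the From header variations discussed in the answers above, as an added example that is not part of any answer: it decodes the raw payload and reports a From header name not spelled "From", more than one From header, or an address that differs from the sending account. The names build_raw and lint_from_header and the example.com addresses are hypothetical and constructed for this example.

```python
import base64
from email import message_from_bytes
from email.message import EmailMessage
from email.utils import parseaddr


def build_raw(sender, to, subject, body):
    """Build the {'raw': ...} request body passed to messages().send()."""
    msg = EmailMessage()
    msg["To"] = to
    if sender is not None:      # None: omit From, as the first answer does
        msg["From"] = sender    # capitalised name, as in the third answer
    msg["Subject"] = subject
    msg.set_content(body)
    return {"raw": base64.urlsafe_b64encode(msg.as_bytes()).decode()}


def lint_from_header(raw_body, account_address):
    """Return findings about the From header inside an encoded message."""
    msg = message_from_bytes(base64.urlsafe_b64decode(raw_body["raw"]))
    # Header names exactly as spelled in the message, case preserved.
    names = [name for name, _ in msg.items() if name.lower() == "from"]
    findings = []
    if len(names) > 1:
        findings.append("more than one From header")
    for name in names:
        if name != "From":
            findings.append(f"header name spelled {name!r}, not 'From'")
    for value in msg.get_all("From", []):
        addr = parseaddr(str(value))[1]
        if addr.lower() != account_address.lower():
            findings.append(f"From address {addr!r} is not {account_address!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    account = "sender@example.com"
    good = build_raw("John Doe <sender@example.com>", "rcpt@example.com", "Hi", "Hello")
    other = build_raw("John Doe <other@example.com>", "rcpt@example.com", "Hi", "Hello")
    print(lint_from_header(good, account))
    print(lint_from_header(other, account))
```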