├── gmail-paypal-spamfilter.png ├── gmail-stripe-spamfilter.png ├── README.md └── stripe-headers.txt /gmail-paypal-spamfilter.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nh2/gmail-spamfilters-paypal-security-messages/HEAD/gmail-paypal-spamfilter.png -------------------------------------------------------------------------------- /gmail-stripe-spamfilter.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nh2/gmail-spamfilters-paypal-security-messages/HEAD/gmail-stripe-spamfilter.png -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## If Paypal can't get past Gmail's Spam filter, then who can? 2 | 3 | Using Google GSuite for business and PayPal for business. 4 | 5 | After adding a new user to the account, I got this (the email was expected, but the fact that it's marked as Spam is not): 6 | 7 | --- 8 | 9 | ![Screenshot showing Gmail classifying a PayPal security notification as Spam](gmail-paypal-spamfilter.png) 10 | 11 | --- 12 | 13 | ### Explanation 14 | 15 | I don't trust Gmail's Spam filter, it has created many false positives for me in the past (including putting people's invoices into Spam so they didn't get paid). 16 | 17 | That's why I've disabled it by creating a filter that prevents anything going to Spam. 18 | 19 | In the above we can see that, had I not done that, an important security message from Paypal (connected straight to my bank account) would have gone to Spam. 20 | 21 | **If Paypal's security team can't reliably send email to Gmail users, then who can?** 22 | 23 | ## Update: Google's response 24 | 25 | A few hours after I posted this on [Hacker News](https://news.ycombinator.com/item?id=19099887), I got contacted by a member of Google's G Suite Security team, leading to the eventual explanation: 26 | 27 | > Our analysts are taking a look, it seems there was nothing wrong on Paypal's end or your domain configuration. They have already deployed a short-term fix for this issue, you should not have this issue specifically with paypal again. We're still looking into whether we can use this to improve the quality of our filters in general. 28 | 29 | ### Response timeline 30 | 31 | * 2019-02-07 32 | * I create this repo and [Hacker News](https://news.ycombinator.com/item?id=19099887) post 33 | * a few hours later, I get an email from a member of the G Suite Security team, asking whether I approve investigating this and whether I can provide details (I do) 34 | * 2019-02-08 35 | * I am told that it's an issue on Google's side, and that they have rolled out a short-term fix specific to Paypal 36 | 37 | While the issue is annoying and I don't know what the state of a full solution to this type of problem on their side is, the response time, time-to-workaround, and general communication in this were impressive. 38 | 39 | ## Update: Gmail spamfilters Stripe as well 40 | 41 | On 2019-03-31, the same happened to an equally legitimate security notification from Stripe, when I tried to log into my Stripe account. 42 | 43 | Gmail tells me that the only reason the email didn't go to Spam is because I disabled its Spam filter. 44 | 45 | ![Screenshot showing Gmail classifying a Stripe security notification as Spam](gmail-stripe-spamfilter.png) 46 | 47 | You can see the sanitised email headers in [`stripe-headers.txt`](stripe-headers.txt) if you want to analyse them. 48 | -------------------------------------------------------------------------------- /stripe-headers.txt: -------------------------------------------------------------------------------- 1 | Delivered-To: niklas@mydomain.com 2 | Received: by 2002:a17:906:3591:0:0:0:0 with SMTP id o17csp4349900ejb; 3 | Sun, 31 Mar 2019 09:21:21 -0700 (PDT) 4 | X-Received: by 2002:a17:902:801:: with SMTP id 1mr27652527plk.299.1554049281422; 5 | Sun, 31 Mar 2019 09:21:21 -0700 (PDT) 6 | ARC-Seal: i=3; a=rsa-sha256; t=1554049281; cv=pass; 7 | d=google.com; s=arc-20160816; 8 | b=LTUheY240GCnnzOpD94rL2aYcSH1JYIbydMk6WU4D1ZLj7CgaGPInAej6hy0bULUOf 9 | Os7FikO5Y94Y8i2zVUSEae9XZfaYgclFRcg01yUcSHfeKsgBszWJcOyE99zz8ZmCcOhX 10 | KmKDQxbFF3wuCFp7FeXQUPdqYHZe3ZKLK+S2hhdhLBsCKG0tl78aXUC3YOmrXndYbYEh 11 | 86O6p/6Ubw+20aQQdR6BDNi2nDWkfYYHYWUatvWDAbfAqLsLHjFsLppcKOHjHbt2I2Je 12 | 2Q7bd2mcT/OpsYFFKWwHimuKFuhSYOFPPdGOaYkc75BKUpnmBkftMZYfq/+ZLkNPOHNh 13 | E+7w== 14 | ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; 15 | h=list-unsubscribe:list-archive:list-help:list-post:list-id 16 | :mailing-list:precedence:reply-to:feedback-id 17 | :content-transfer-encoding:mime-version:subject:message-id:to:from 18 | :date:dkim-signature; 19 | bh=JEH4saRRMw3+IIgPWg5Db1CfVzLxH5wLX4iaRJmN7BU=; 20 | b=AoyJaz7T+BcHucx7ui7MsM3Mzo4T/9VrWKd06aG6IaVs7u2nC3jLOi5AUkpJKPd7fF 21 | ltrfZVe3oSAhGhRO9B4esRoE8zhO5PzJjKYg2fI0f8MqhseYSSMYJRCgPs2fVI7Pp+dw 22 | xxk3akQOHgTGLBHAxAUB7Cl2SKY3Wn01+DtymagcsHd5QMs/EpxE8/+ztc/r73tZ/h5K 23 | eYt47SUb4jzw4slz5LW5vlA1OZFtwcpjfxY/RoNvAy3/TXxm7J1usvwmVMx7069libAd 24 | 94icFLlN765HxNqLZb7EPe61N7RoRj1vZ/YYWfOo5BzZxXt6v95Hs6+sMT1EBfB5tJul 25 | OCoA== 26 | ARC-Authentication-Results: i=3; mx.google.com; 27 | dkim=pass header.i=@mydomain-com.20150623.gappssmtp.com header.s=20150623 header.b=zLDLay9B; 28 | arc=pass (i=2 spf=pass spfdomain=bounce.stripe.com dkim=pass dkdomain=stripe.com dkim=pass dkdomain=amazonses.com dmarc=pass fromdomain=stripe.com); 29 | spf=neutral (google.com: 209.85.220.69 is neither permitted nor denied by best guess record for domain of services+bncbdqmn3ht7udrbagsqpsqkgqesvvbfoy@mydomain.com) smtp.mailfrom=services+bncBDQMN3HT7UDRBAGSQPSQKGQESVVBFOY@mydomain.com 30 | Return-Path: 31 | Received: from mail-sor-f69.google.com (mail-sor-f69.google.com. [209.85.220.69]) 32 | by mx.google.com with SMTPS id i10sor6264825pfd.33.2019.03.31.09.21.21 33 | for 34 | (Google Transport Security); 35 | Sun, 31 Mar 2019 09:21:21 -0700 (PDT) 36 | Received-SPF: neutral (google.com: 209.85.220.69 is neither permitted nor denied by best guess record for domain of services+bncbdqmn3ht7udrbagsqpsqkgqesvvbfoy@mydomain.com) client-ip=209.85.220.69; 37 | Authentication-Results: mx.google.com; 38 | dkim=pass header.i=@mydomain-com.20150623.gappssmtp.com header.s=20150623 header.b=zLDLay9B; 39 | arc=pass (i=2 spf=pass spfdomain=bounce.stripe.com dkim=pass dkdomain=stripe.com dkim=pass dkdomain=amazonses.com dmarc=pass fromdomain=stripe.com); 40 | spf=neutral (google.com: 209.85.220.69 is neither permitted nor denied by best guess record for domain of services+bncbdqmn3ht7udrbagsqpsqkgqesvvbfoy@mydomain.com) smtp.mailfrom=services+bncBDQMN3HT7UDRBAGSQPSQKGQESVVBFOY@mydomain.com 41 | ARC-Seal: i=2; a=rsa-sha256; t=1554049281; cv=pass; 42 | d=google.com; s=arc-20160816; 43 | b=yNkJNbxjv1A6MAh/IbBauYarKcfq2Fw5Z5b04x9SCAYjuJ0WpqIOJsjVT3gMK8eIcV 44 | Czxib2IY/P0viL9/F4hhGx/qWWMzm4Nnvwbu8+tl0jSmhfG9kSi8iu3RUBfkrFT3sqTI 45 | lPSmUslwdvGkOAVpUpjwbLZO7GVCTdwEwg66uv0HgF1jPqQR9ufJ+J/1fA8SjFXsejnc 46 | 1XWbK8CJb2nospOsr9vu45gEnM4Sc1348KGzruD5IUz4dfpR5YHuo1Xp9HKREgopee29 47 | y+CGEcKTNu8iJO2ZU+5xzx5t8AnBMGseJlKN5y5/+Tg/H1N6vgq+2v6sFVSXVTyM2El3 48 | 7Q1w== 49 | ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; 50 | h=list-unsubscribe:list-archive:list-help:list-post:list-id 51 | :mailing-list:precedence:reply-to:feedback-id 52 | :content-transfer-encoding:mime-version:subject:message-id:to:from 53 | :date:dkim-signature; 54 | bh=JEH4saRRMw3+IIgPWg5Db1CfVzLxH5wLX4iaRJmN7BU=; 55 | b=etTjx5LdKc46wuXxcKsWKkRcqHfe0qoVQif68ek84YX7NaGMFZF5wKgnTn9Qw6FtHt 56 | KCbWCdYLi/l+o7A3aN5RYi6Fn3IetD/5VzcwNPj24i7xByv9ukcmy2xw8l00CnIN+Anp 57 | Q0TTavrgeYAC7sY2Lvy3lhjDhZySQv7+STYVckqJM/thcU/iMyWjYGv3CBLZoGiHMAY4 58 | h8ttGcBIqcGWYkXgJnC/4yHnd+Ra/YWeS0T1SRVh6QVSGnL6xbA9uzxt5sTD5mexSziL 59 | 5Tjy2zjbaPn6az78bZ70UoM7ZDaXzHBeZ6W0yERDm3RNILao8IJMSHYDW0RKW0aAH+y8 60 | UfOg== 61 | ARC-Authentication-Results: i=2; mx.google.com; 62 | dkim=pass header.i=@stripe.com header.s=dqcliwr4mswnxa6jg7ggxrsirzjczj3t header.b=WYZrSFDk; 63 | dkim=pass header.i=@amazonses.com header.s=gdwg2y3kokkkj5a55z2ilkup5wp5hhxx header.b=Co33kM5z; 64 | spf=pass (google.com: domain of 0101010101010101-abababab-1234-abab-1234-abababababab-000000@bounce.stripe.com designates 54.240.62.28 as permitted sender) smtp.mailfrom=0101010101010101-abababab-1234-abab-1234-abababababab-000000@bounce.stripe.com; 65 | dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=stripe.com 66 | DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 67 | d=mydomain-com.20150623.gappssmtp.com; s=20150623; 68 | h=date:from:to:message-id:subject:mime-version 69 | :content-transfer-encoding:feedback-id:x-original-sender 70 | :x-original-authentication-results:reply-to:precedence:mailing-list 71 | :list-id:list-post:list-help:list-archive:list-unsubscribe; 72 | bh=JEH4saRRMw3+IIgPWg5Db1CfVzLxH5wLX4iaRJmN7BU=; 73 | b=zLDLay9B132O7jbu0MGzEFgScYe8wmTOsr9o0hZWTeMSuTQUyG8dwSr/dRxkpI6VtF 74 | kuxfXhIjR/UYWkEIn5FbQKMVgiS4R9tLr6AIAooJO9zENptrcQ79/KRF+8djA5SgyhuE 75 | BISDjrydwEcsSnJumZN4Ub0pC7fYUKhfJLm4/qEC1p2FA6xkpUI1gLJe6CaKtPH6Tv3m 76 | ma8Azx9hjLrlj+R+wyWI5hDik2KsoNI991oBHax0FNY2XyXEOc9JrToXNmo+Yk/FmI5J 77 | kKbhV3Q6laYS+SKsB6EuESL1xZVrEZkk9XirhktPpUILQ3nyV/mJfyoGYbHCimSpXIJi 78 | yIbA== 79 | X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 80 | d=1e100.net; s=20161025; 81 | h=x-gm-message-state:date:from:to:message-id:subject:mime-version 82 | :content-transfer-encoding:feedback-id:x-original-sender 83 | :x-original-authentication-results:reply-to:precedence:mailing-list 84 | :list-id:x-spam-checked-in-group:list-post:list-help:list-archive 85 | :list-unsubscribe; 86 | bh=JEH4saRRMw3+IIgPWg5Db1CfVzLxH5wLX4iaRJmN7BU=; 87 | b=VV8gSyPZ+Om8p7fo5BJTnX3RINUuk2b0cdbwOtdmdlJ9gGq7iFBpGgYHrI6CzyfbHb 88 | cguILPZL9Zm1HXtDjAXHHZIID5u1zweDKgc0RK+bSmQdHqV81BCTKh0gFFDDdLa6iydV 89 | Yl+v8to+R2/6CZXc8f/6ZD98nAcSGHB6w14ncKlWn+Joy/pAKdom0uwFsoIhnKcY3a/f 90 | 5wplg78nL9L5Ns171yyYCa9Iyoadtb5gtuQKlRmZpMntuF0NgoXjru3/VfkV3xwcI3a6 91 | tOISLURrz5qhIpKLKdvJyjmxHzYg/n8jPmMFbgVWo8pIlL5nCmXjVaVQjF0PPu5DvYC6 92 | qKUg== 93 | X-Gm-Message-State: APjAAAUt8d+dfgUFAG+A98jLScle9aOh4wCicfR093dbnUxvpG0QS9sH /CRErzApEgyuQaj6eofniO/E 94 | X-Google-Smtp-Source: APXvYqym8gvBuLnMOe49oBrHQ0cQSXmVEXoZB6zOtMIDc4yoAIMR3ayp/79ibzUeP3LAn2gDQuAE7g== 95 | X-Received: by 2002:aa7:83d6:: with SMTP id j22mr982068pfn.104.1554049280871; 96 | Sun, 31 Mar 2019 09:21:20 -0700 (PDT) 97 | X-BeenThere: services@mydomain.com 98 | Received: by 2002:aa7:8085:: with SMTP id v5ls2990554pff.5.gmail; Sun, 31 Mar 2019 09:21:20 -0700 (PDT) 99 | X-Received: by 2002:a63:be02:: with SMTP id l2mr34489446pgf.48.1554049280516; 100 | Sun, 31 Mar 2019 09:21:20 -0700 (PDT) 101 | ARC-Seal: i=1; a=rsa-sha256; t=1554049280; cv=none; 102 | d=google.com; s=arc-20160816; 103 | b=R7I/HikAOkOIdAGccAHI1JONQ2vS3Yz72c3FS+/2B1KZXFpBrJQKkXI5RYGwGEo80R 104 | SZsBnFu3k8LxSOKkTmestWy7QNInsmG33DAekyUof7vaqpPqN9eLlAtIobtGwibL1dS2 105 | 70QSZzkpKb1PBVEQUauUTwr4OtJ3FHTki6dTcgnqjIELDlyNu1yWtsNJ/zwdvEAkIujI 106 | hQjnJuxmY4j5R6EZW37OrqgYuD9lyJ7s29uOdW+ghDWn9bYS1jYCV2fEePeA9z3PfPYD 107 | vShhk0vgPRLHM9XarxlmjF/CzwEOMMcEFnYitOWMQ9/8grN1bo22pybmCzkNuRBT8CWK 108 | HCCQ== 109 | ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; 110 | h=feedback-id:content-transfer-encoding:mime-version:subject 111 | :message-id:to:from:date:dkim-signature:dkim-signature; 112 | bh=JEH4saRRMw3+IIgPWg5Db1CfVzLxH5wLX4iaRJmN7BU=; 113 | b=x5nMjY7QfV7p9e2yKdGPXRpOpGposmm6omS9ckBTLtR82c6iHduMl01MHEM2XWd48j 114 | 4/AYFf72rs5uMIS9IQ0ZRWNAvHcDFUlvJNx6S74cU4q6nGRyJws8UornELz/iVvvrpoK 115 | UKe0mO0fRVaRe3JqQinPVfln9o0pw9ZN9t5vv7gWeQth/u4JzbFYs23yGvZhmsROZS6j 116 | zB1/+IDpsn9lcNw2Q7nLNGB0x89RUY0Y4J3eJ4Q7h//LC0J0EGJ7IRy8OdCGR9sDcQfx 117 | ew2dF927FnyYgvFPGOusyLGmL57FzXp3MTWJFrMVE8M881UpLeDrlbaY19ly0IIGIB+m 118 | 2XTw== 119 | ARC-Authentication-Results: i=1; mx.google.com; 120 | dkim=pass header.i=@stripe.com header.s=dqcliwr4mswnxa6jg7ggxrsirzjczj3t header.b=WYZrSFDk; 121 | dkim=pass header.i=@amazonses.com header.s=gdwg2y3kokkkj5a55z2ilkup5wp5hhxx header.b=Co33kM5z; 122 | spf=pass (google.com: domain of 0101010101010101-abababab-1234-abab-1234-abababababab-000000@bounce.stripe.com designates 54.240.62.28 as permitted sender) smtp.mailfrom=0101010101010101-abababab-1234-abab-1234-abababababab-000000@bounce.stripe.com; 123 | dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=stripe.com 124 | Received: from a62-28.smtp-out.us-west-2.amazonses.com (a62-28.smtp-out.us-west-2.amazonses.com. [54.240.62.28]) 125 | by mx.google.com with ESMTPS id b38si7192246plb.249.2019.03.31.09.21.20 126 | for 127 | (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); 128 | Sun, 31 Mar 2019 09:21:20 -0700 (PDT) 129 | Received-SPF: pass (google.com: domain of 0101010101010101-abababab-1234-abab-1234-abababababab-000000@bounce.stripe.com designates 54.240.62.28 as permitted sender) client-ip=54.240.62.28; 130 | Date: Sun, 31 Mar 2019 16:21:20 +0000 131 | From: "'Stripe' via Services" 132 | To: services+stripe@mydomain.com 133 | Message-ID: <0101010101010101-abababab-1234-abab-1234-abababababab-000000@us-west-2.amazonses.com> 134 | Subject: Confirm your login 135 | Mime-Version: 1.0 136 | Content-Type: text/html; charset=UTF-8 137 | Content-Transfer-Encoding: quoted-printable 138 | X-Stripe-EID: em_i8hdgig2cc9ohwox0emr2dfvx83f9o 139 | X-SES-Outgoing: 2019.03.31-54.240.62.28 140 | Feedback-ID: 1.us-west-2.U9efwdPDLNZNk/S34uMIpcrlbDF6b3rs/s41tFWSWJ8=:AmazonSES 141 | X-Original-Sender: support@stripe.com 142 | X-Original-Authentication-Results: mx.google.com; 143 | dkim=pass header.i=@stripe.com header.s=dqcliwr4mswnxa6jg7ggxrsirzjczj3t header.b=WYZrSFDk; 144 | dkim=pass header.i=@amazonses.com header.s=gdwg2y3kokkkj5a55z2ilkup5wp5hhxx header.b=Co33kM5z; 145 | spf=pass (google.com: domain of 0101010101010101-abababab-1234-abab-1234-abababababab-000000@bounce.stripe.com designates 54.240.62.28 as permitted sender) smtp.mailfrom=0101010101010101-abababab-1234-abab-1234-abababababab-000000@bounce.stripe.com; 146 | dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=stripe.com 147 | X-Original-From: Stripe 148 | Reply-To: Stripe 149 | Precedence: list 150 | Mailing-list: list services@mydomain.com; contact services+owners@mydomain.com 151 | List-ID: 152 | X-Spam-Checked-In-Group: services@mydomain.com 153 | X-Google-Group-Id: 12345678912 154 | List-Post: , 155 | List-Help: , 156 | List-Archive: 157 | List-Unsubscribe: , 158 | --------------------------------------------------------------------------------