
Comment by mike-cardwell

8 years ago

Considering how easy email is to spoof, why bother using a unicode domain which is only similar to the target domain? Why not just use the real domain instead?

Spoofing isn't so easy for gmail and yahoo inboxes. Some web-clients warn of a return path too. For sophisticated spoofing and phishing, unicode domains are helpful. Plus, spoofing emails is just a small attack vector.

  • Spoofing is trivially easy for gmail and yahoo. Here's me spoofing an email from fakeaddress@ycombinator.com to my gmail address:

      mike@blob:~$ telnet gmail-smtp-in.l.google.com 25
      Trying 66.102.1.26...
      Connected to gmail-smtp-in.l.google.com.
      Escape character is '^]'.
      220 mx.google.com ESMTP 19si14686133wmr.1 - gsmtp
      EHLO whatever
      250-mx.google.com at your service, [164.132.228.175]
      250-SIZE 157286400
      250-8BITMIME
      250-STARTTLS
      250-ENHANCEDSTATUSCODES
      250-PIPELINING
      250-CHUNKING
      250 SMTPUTF8
      MAIL FROM:<fakeaddress@ycombinator.com>
      250 2.1.0 OK 19si14686133wmr.1 - gsmtp
      RCPT TO:<*****@gmail.com>
      250 2.1.5 OK 19si14686133wmr.1 - gsmtp
      DATA
      354  Go ahead 19si14686133wmr.1 - gsmtp
      From: "Fake Address" <fakeaddress@ycombinator.com>
      To: *****@gmail.com
      Subject: This is a spoofed email
    
      Spoof spoof spoof
    
      --
      Spoofy McSpoof
      .
      250 2.0.0 OK 1492497764 19si14686133wmr.1 - gsmtp
    

    Email was delivered fine. Straight into the Inbox (not the spam folder). Even though ycombinator.com has strict SPF records which don't include my IP.

    The only clue is, in the web interface Google displays a grey octagon with a red question mark inside it next to the sender address. And when you hover over that a tooltip says:

    "Gmail couldn't verify that ycombinator.com actually sent this message (and not a spammer)"

    So yeah. I would dispute "Spoofing isn't so easy for gmail and yahoo inboxes" - They're as shit as everyone else.

  • A lot of email clients give a warning "this email might be spoofed". The good ones are more likely to send you straight to spam.

    Still, most people are unable to confirm the origin of an email. The warning, if any, is likely to be ignored.
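The telnet session above shows a message with a failing SPF record landing in the inbox with nothing more than a warning icon. The receiver-side logic that produces that outcome, as an added example that is not part of the thread: SPF is evaluated against the envelope (MAIL FROM) domain and only yields a result such as pass, fail or softfail. What a receiver does with a fail is governed by the DMARC policy the header From: domain publishes, and with p=none, or no DMARC record at all, a failing message is still delivered and at best flagged as unverified. The DNS zone below is constructed for the example; the domain names, the p=none policy and the helper names (check_spf, dmarc_record, evaluate) are assumptions and say nothing about ycombinator.com's real records, which the page does not show. The only value reused from the transcript is the sending IP 164.132.228.175.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed DNS zone for this example. These are NOT the real records of any
# domain (the page does not show ycombinator.com's records); they exist only so
# the evaluator below runs offline.
ZONE: Dict[Tuple[str, str], List[str]] = {
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example a -all"],
    ("_spf.mail.example", "TXT"): ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all"],
    ("example.com", "A"): ["203.0.113.7"],
    ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    ("strict.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
    ("_dmarc.strict.example", "TXT"): ["v=DMARC1; p=reject; aspf=s; adkim=s"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name: str, rtype: str) -> List[str]:
    """Stand-in for a DNS resolver; reads the constructed ZONE table."""
    return ZONE.get((name.lower(), rtype), [])


def check_spf(ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate the SPF record of `domain` for the sending address `ip`.

    Supports the ip4, ip6, a, mx, include and all mechanisms with the four
    qualifiers (an RFC 7208 subset; ptr/exists/redirect/exp are reported as
    permerror rather than silently ignored).
    """
    if depth > 10:  # RFC 7208 limits DNS-querying terms to 10
        return "permerror"
    records = [t for t in lookup(domain, "TXT")
               if t.lower().startswith("v=spf1 ") or t.lower() == "v=spf1"]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif mech == "a":
            matched = any(addr == ipaddress.ip_address(a) for a in lookup(arg or domain, "A"))
        elif mech == "mx":
            matched = any(addr == ipaddress.ip_address(a)
                          for host in lookup(arg or domain, "MX")
                          for a in lookup(host, "A"))
        elif mech == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record ended without an 'all' term


def dmarc_record(from_domain: str) -> Dict[str, str]:
    """Parse the _dmarc.<domain> TXT record into tag/value pairs; {} if absent."""
    for txt in lookup("_dmarc." + from_domain, "TXT"):
        if txt.lower().startswith("v=dmarc1"):
            pairs = (kv.partition("=") for kv in txt.split(";") if kv.strip())
            return {k.strip().lower(): v.strip() for k, _, v in pairs}
    return {}


def organizational_domain(domain: str) -> str:
    # Simplification: the last two labels. A real receiver consults the Public
    # Suffix List so that e.g. "co.uk" is not treated as an organization.
    return ".".join(domain.lower().split(".")[-2:])


def evaluate(ip: str, mailfrom_domain: str, from_domain: str,
             dkim_aligned_pass: bool = False) -> Dict[str, str]:
    """Receiver-side decision: SPF on the envelope sender, DMARC on the header From.

    `dkim_aligned_pass` stands in for a DKIM verification result; the telnet
    session on this page sends no DKIM signature, so it defaults to False.
    """
    spf = check_spf(ip, mailfrom_domain)
    policy = dmarc_record(from_domain)
    strict = policy.get("aspf", "r").lower() == "s"
    spf_aligned = spf == "pass" and (
        from_domain.lower() == mailfrom_domain.lower() if strict
        else organizational_domain(from_domain) == organizational_domain(mailfrom_domain)
    )
    if spf_aligned or dkim_aligned_pass:
        dmarc = "pass"
    elif policy:
        dmarc = "fail"
    else:
        dmarc = "none"  # no DMARC record: nothing tells the receiver what to do
    # Only a DMARC fail carries a requested disposition; SPF alone never does.
    disposition = policy.get("p", "none").lower() if dmarc == "fail" else "none"
    return {"spf": spf, "dmarc": dmarc, "disposition": disposition}


if __name__ == "__main__":
    # The situation in the transcript: a -all SPF record that the sending IP fails,
    # but a From: domain whose policy is p=none, so the message is delivered.
    print(evaluate("164.132.228.175", "example.com", "example.com"))
```

The two constructed domains show the contrast the thread is about: example.com has a strict SPF record but p=none, so the unauthorized IP gets spf=fail and yet disposition=none; strict.example publishes p=reject with strict alignment, so the same message would be rejected, and so would one that passes SPF for a different envelope domain than the header From.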