Gmail has some pretty strong spam filters, and they have always been one of its strong points. Google manages to keep most spam out of your inbox, but it still cannot keep out everything, especially when the mail comes from a spoofed @gmail.com address.
According to researcher Renato Marinho of Morphus Labs, a Brazilian security firm, Gmail does not filter or warn users about sketchy messages sent from a spoofed @gmail.com address.
Marinho also writes that while such an email appears to have come from another valid Gmail account, it actually comes from a server that is not related to Gmail. This is something spammers, or even attackers looking to harm you, can certainly take advantage of.
It seems the only clue that something is wrong with a spoofed email is in the sender field, where you will see that the Gmail address was sent via another server. This information is not shown, however, if you are checking your mail in the Android or iOS apps.
Marinho also explains that for the scheme to work, the spoofed Gmail address that sends the message needs to appear valid; if it does not, the message goes straight into the spam folder.
According to the researcher, for all this to happen, the spammer's mail server must first connect to Gmail saying it wants to deliver a message from the spammer's own domain, even if that domain is not a legitimate one. The sender address is then switched to a fake Gmail address to fool Google.
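The mismatch described above (a visible @gmail.com sender handed to Google by an unrelated server) is something a mail receiver or a mailbox rule can check for in the headers. The following is an added example, not code from the article or from Morphus Labs; it assumes the receiving server has recorded the envelope sender in Return-Path and the delivering host in the topmost Received header, and the two sample messages are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample headers (not real traffic). The first message shows a
# @gmail.com From address but was handed to Google by an unrelated server;
# the second arrived the way a genuine Gmail-to-Gmail message would.
SPOOFED_RAW = """Return-Path: <bulk@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [198.51.100.7])
        by mx.google.com with ESMTP id constructed01
From: Alice <alice.friend@gmail.com>
To: bob@gmail.com
Subject: Hi

hello
"""

LEGIT_RAW = """Return-Path: <alice.friend@gmail.com>
Received: from mail-xyz.google.com (mail-xyz.google.com [203.0.113.5])
        by mx.google.com with SMTPS id constructed02
From: Alice <alice.friend@gmail.com>
To: bob@gmail.com
Subject: Hi

hello
"""

def _domain(value):
    """Lower-cased domain part of an address header value, or '' if absent."""
    return parseaddr(str(value or ""))[1].rpartition("@")[2].lower()

def check_gmail_sender(raw):
    """Flag a message whose visible From is @gmail.com but whose envelope
    sender or first-hop relay is not Google's. Returns a small report."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = _domain(msg["From"])
    envelope_domain = _domain(msg["Return-Path"])
    # Topmost Received header is the hop where Google accepted the message.
    m = re.search(r"\bfrom\s+([^\s(]+)", str(msg["Received"] or ""))
    relay = m.group(1).lower() if m else ""
    relay_is_google = relay == "google.com" or relay.endswith(".google.com")
    suspicious = (from_domain == "gmail.com"
                  and (envelope_domain != from_domain or not relay_is_google))
    return {"from_domain": from_domain, "envelope_domain": envelope_domain,
            "relay": relay, "suspicious": suspicious}

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_RAW), ("legit", LEGIT_RAW)):
        print(name, check_gmail_sender(raw))
```

The relay check is a heuristic: legitimately forwarded Gmail messages can also arrive through non-Google hosts, so treat a hit as a reason to look closer rather than as proof of spoofing.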
While this loophole is potentially problematic, Google does not believe the issue needs to be tracked as a security bug because it does not really affect the confidentiality or integrity of Gmail users' data, says Marinho, who reported the issue to Google.