I don't think this is from Google. Note how the from address is "via" something? None of the official Google Security Alerts I have received have that.
Yeah, it’s to my recovery account. But DKIM is set up on that account and fetched via google. Probably some kind of weird back emf somewhere.
Does it actually show DKIM failing in the headers? I find it hard to believe that Google would allow their DKIM to be misconfigured, and if they did there would be thousands of people experiencing this behavior and posting about it.
Yes—this is what I see. But I don't work in this area, so still not sure if it's google or my domain that's borked, and quite frankly... All I used to test my domain was MXToolbox, and that reported everything configured correctly.
Or it actually isn't from them.
True, but in this case it was. And I usually get two of them—one to my main account and one to my ‘recovery’ account and one of them ends up in spam.
From the google ‘Meh, it kinda works’ School of Design.
What does that via say? That looks like it was forwarded or something. IDK, it looks like Google correctly identified something fishy about that email, and they don’t exempt their own emails from the rules (which is good).
It probably isn't them.
Software Gore
A community for posting software malfunctions
Deliberately bad software or bad design is not software gore, it must be something unintentional
Icon base by Delapouite under CC BY 3.0 with modifications to add a gradient and shear it